Bulletin on the Cybersecurity Law
The Cybersecurity Law No. 7545 (“Law”) was published at the Official Gazette dated March 19, 2025 and entered into force as of its publication date.
The purpose of the Law is to strengthen national cybersecurity capacity, protect critical infrastructures, and implement effective measures against cyber threats.
The Law applies to public institutions and organizations, professional organizations with public institution status, natural and legal persons, as well as entities without legal personality that operate, provide services, or maintain a presence in cyberspace.
Further details are provided below:
1. Obligations Regarding Cybersecurity
The Law sets out the duties and responsibilities related to cybersecurity for those falling within its scope who provide services, collect or process data, and carry out similar activities through the use of information systems. These duties and obligations are as follows:
- To promptly and primarily provide the Cybersecurity Directorate (“Directorate”) with any data, information, documents, hardware, software, and any other form of support requested within the scope of the Directorate’s duties and activities.
- To take the necessary measures stipulated by the legislation for the purposes of national security, public order, or the proper functioning of public services in relation to cybersecurity, and to immediately notify the Directorate of any vulnerabilities or cyber incidents identified within the area in which they provide services.
- To procure cybersecurity products, systems, and services to be used by public institutions and organizations, as well as in critical infrastructures, only from cybersecurity experts, manufacturers, or companies authorized and certified by the Directorate.
- To obtain the Directorate’s approval in accordance with applicable regulations, prior to the commencement of operations by cybersecurity companies that are subject to certification, authorization, and accreditation.
- To fulfill the matters set forth in the policies, strategies, action plans, and other regulatory instruments issued by the Directorate for the enhancement of cyber maturity and to take the necessary measures.
In addition, the Law assigns the Directorate the authority to establish, have established, and supervise cyber incident response teams on its behalf.
2. Audit Obligations
- The Directorate may audit any acts and transactions falling within the scope of the Law whenever it deems necessary in connection with its duties specified under the Law; for this purpose, it may conduct or have others conduct on-site inspections. The audit covers the activities and operations of institutions, organizations, and other relevant natural and legal persons within the scope of the Law, in relation to their compliance with the provisions of the Law. Personnel of the Directorate, as well as certified and authorized independent auditors and independent audit firms are authorized to carry out audits. This authority is exercised by individuals appointed by the Chairman of Cybersecurity. Audits conducted in public institutions and organizations, as well as in critical infrastructures, shall be carried out by or in the presence of the Directorate’s personnel.
- Individuals assigned to conduct audits shall be authorized, within the limits of the scope of their audit activities, to examine data and documents in electronic form, electronic infrastructure, devices, systems, software, and hardware; to obtain copies, digital copies, or samples therefrom; to request written or verbal explanations related to the matter; to prepare the necessary records; and to inspect facilities and their operations.
- Entities subject to audit are obliged to keep the relevant devices, systems, software, and hardware available for inspection within the specified timeframes, to provide the necessary infrastructure for the audit, and to take the necessary measures to ensure their proper functioning.
- For the purposes of national security, public order, or the prevention of crimes or cyberattacks, searches may be conducted in residences, workplaces, and non-public closed areas upon a judge’s order or, in cases where delay would be detrimental, upon a written order of the public prosecutor, and copying and seizure operations may be carried out without interruption, in a manner that does not cause prolonged service disruptions.
3. Additional Obligations for Cybersecurity Companies
- Under the Law, the sale of cybersecurity products, systems, software, hardware, and services abroad shall be carried out in accordance with the procedures and principles to be determined by the Directorate. For products subject to authorization as specified in these procedures and principles, the approval of the Directorate must be obtained.
- Companies that produce cybersecurity products, systems, software, hardware, and services are required to notify the Directorate of any mergers, demergers, share transfers, or sales transactions. Transactions that individually or jointly grant natural or legal persons direct or indirect control or decision-making authority over the company are subject to the approval of the Directorate.
- Transactions carried out without obtaining the approval of the Directorate shall not have legal validity. The Directorate may request information and documents from institutions and organizations in relation to the transactions to be conducted under this article.
4. Penal Sanctions
Both criminal provisions and administrative sanctions are regulated under the Law. Information on these matters is provided below:
a) Obligation to Provide Information and Documents: Those who fail to provide the information, documents, software, data, and hardware requested by the competent authorities and audit personnel, or who obstruct the acquisition thereof, shall be punished with imprisonment from 1 to 3 years and a judicial fine ranging from 500 to 1,500 days.
b) Unauthorized Activity: Those who operate without obtaining the approvals, authorizations, or permits required under the Law shall be punished with imprisonment from 2 to 4 years and a judicial fine ranging from 1,000 to 2,000 days.
c) Confidentiality Obligation: Those who violate their confidentiality obligations shall be sentenced to imprisonment from 4 to 8 years.
d) Unauthorized Data Sharing: Those who unlawfully share or sell personal data or data related to critical public services shall be sentenced to imprisonment from 3 to 5 years.
e) Dissemination of Misleading Cybersecurity Information: Those who spread false news regarding data breaches shall be sentenced to imprisonment from 2 to 5 years.
f) Attacks Targeting Turkey’s Cybersecurity: Individuals who carry out cyberattacks shall be sentenced to imprisonment from 8 to 12 years; and those who disseminate data obtained as a result of such attacks shall be sentenced to imprisonment from 10 to 15 years.
The penalty to be imposed according to the above provisions shall be increased by 1/3 if the offense is committed by a public official, by 1/2 if committed by multiple persons, and by between 1/2 and 2 times if committed within the framework of an organized group’s activities.
g) Violation of Prohibited Provisions Applicable to Directorate Personnel: Those who act in violation of the provisions prohibited for the personnel of the Directorate, as listed under the Law, shall be sentenced to imprisonment from 3 to 5 years.
h) Violation of Protection of Critical Infrastructure: Those who abuse their duties and powers arising from the Law, or who, by acting contrary to the requirements of their duties regarding the protection of critical infrastructures against cyberattacks, cause a data breach, shall be sentenced to imprisonment from 1 to 3 years.
i) Administrative Fines:
- An administrative fine ranging from TRY 1 million to TRY 100 million shall be imposed on those who fail to fulfill the duties and obligations set forth under the Law.
- In cases where entities subject to audit under the Law violate their audit-related obligations, an administrative fine ranging from TRY 100,000 to TRY 1 million shall be imposed.
If such a violation is committed by a commercial company, an administrative fine of up to 5% of the relevant company’s annual gross sales revenue shall be imposed, provided that it is not less than TRY 100,000.
Please note that, in accordance with the Law, the relevant party will be given an opportunity to submit a defense before any administrative fine is imposed, and detailed procedures regarding this process are also regulated under the Law.
Should you have any questions, please do not hesitate to contact us.