A broad new law in Turkey establishes a comprehensive framework for both criminal and administrative sanctions related to cybersecurity offenses. Yavuz Akbulak, chief specialist of the Capital Markets Board of Turkey, explores the details of this new regulation and how it compares with other global frameworks.
Most major jurisdictions have established comprehensive data protection frameworks that share similar core principles with varying implementation approaches. The EU’s GDPR has clearly influenced global standards, with direct adaptations seen in the UK GDPR and Brazil’s LGPD and elements reflected in California’s CCPA. These regulations typically focus on transparent data collection practices, individual rights over personal information, breach notification requirements and data minimization principles. Countries like India, Australia and China have developed their own frameworks that, while culturally and legally distinct, address similar fundamental concerns about personal data protection and cross-border data transfers.
Beyond general data protection, many countries have developed specialized regulations for critical sectors and infrastructure. The US demonstrates this approach most clearly with sector-specific laws or standards like HIPAA for healthcare, GLBA for financial services and PCI DSS for payment processing, alongside infrastructure-focused regulations like FISMA for government systems. The EU’s Digital Operational Resilience Act (DORA) similarly targets financial institutions specifically, while China’s multi-layered approach includes specialized measures for data transfers and network security management that reflect its unique governance structure.
Recent trends show increasing focus on mandatory incident reporting, enhanced requirements for critical infrastructure and growing attention to children’s online privacy through regulations like COPPA. Australia’s recent introduction of a statutory tort for privacy invasions and criminal doxing offenses, alongside the EU’s Cyber Resilience Act targeting product lifecycle security, suggest that cybersecurity regulation is evolving toward more comprehensive coverage of digital interactions and enhanced personal remedies for privacy violations.
Turkey’s new cybersecurity regulation
Turkey’s technological breakthroughs, especially in the past 20 years, have also increased the number of internet users in the country. According to research, internet users in Turkey spend an average of 7.5 hours a day on the internet, and about three hours of this time on social media. The number of mobile subscribers has reached 93.3 million, the number of mobile broadband subscribers has reached about 73 million and fixed broadband users have reached approximately 20 million. While the average monthly data consumption of mobile internet users is 16.7 GB, the average monthly usage of fixed broadband subscribers has been measured as 272 GB. This data clearly demonstrates the rapid development of Turkey’s communication infrastructure and the impact of digitalization on daily life.
Conventional wars have given way to hybrid and asymmetrical wars, and cyber attacks, primarily state-sponsored but also carried out by terrorist organizations, organized crime groups and individually motivated cyber threat actors, have begun to target critical infrastructure such as state institutions, energy, finance, health and communication systems, as well as all kinds of technological devices.
The increase in the use of cyber attacks as a tool of state policies has blurred the boundaries between war and peace, and countries have turned cyber attacks into a low-cost, high-impact strategy aimed at political, economic and military targets in order to avoid direct military retaliation. In addition, as a result of attacks on supply chains, critical systems in many sectors have collapsed and disruptions have occurred.
A country’s ability to stand out and become a role model in the field of cybersecurity is directly related to the existence of a comprehensive cybersecurity umbrella legislation and the effective functioning of a central authority. An umbrella legislation provides binding standards for public institutions, the private sector and individuals, as well as ensuring the consistency of cybersecurity policies at the national level. It also strengthens a country’s position in the global cybersecurity ecosystem by providing a basic framework for international cooperation and mutual recognition.
The effective implementation of relevant legislation is made possible by the existence of a central authority, because a central structure supports the efficient use of resources and rapid, coordinated decision-making, and also creates a basis for more effective detection of threats, harmonious execution of response processes and a focus on strategic goals.
Before this year, many public institutions, primarily the Ministry of Transport and Infrastructure, the Ministry of Industry and Technology, the Information Technologies and Communication Authority and the Presidency Digital Transformation Office, had responsibilities in the cybersecurity structure in Turkey. In addition, the lack of umbrella legislation created coordination problems in many aspects, such as data security, ecosystem collaborations, legislative regulations, directing incentives and supports, international collaborations, macro policy making and so on. The establishment of umbrella legislation will contribute to Turkey’s rise to the top ranks in global indices.
In this context, this past March, lawmakers passed a comprehensive cybersecurity law.
General
The new law sets out the principles for identifying and eliminating internal and external threats in cyberspace to all elements that constitute the national power of the Republic of Turkey; for reducing the possible effects of cyber incidents; for making the arrangements necessary to protect public institutions and organizations, professional organizations with the status of public institutions, real and legal persons and organizations without legal personality against cyber attacks; for determining strategies and policies to strengthen the country’s cybersecurity; and for establishing a cybersecurity board. It also determines the general framework regarding the scope of the law.
Accordingly, the regulation in question will cover public institutions and organizations that have a presence, operate and provide services in cyberspace, professional organizations with the status of public institutions, real and legal persons and organizations without legal personality.
With the regulation in question, cybersecurity will be an inseparable part of national security; the main goal will be to protect critical infrastructure and information systems and to create a secure cyberspace. Studies on cybersecurity will be carried out based on institutionality, continuity and sustainability, and it will be essential to implement cybersecurity measures throughout the entire life cycle of services and products.
Accountability will be the basis for conducting cybersecurity processes
In studies aimed at ensuring cybersecurity, domestic and national products will be preferred first. All public institutions and organizations, real and legal persons will be held responsible for the implementation of cybersecurity policies and strategies and the necessary measures to prevent or reduce the impact of cyberattacks, and accountability will be the basis for conducting cybersecurity processes.
Cybersecurity policy and strategy development studies will be carried out with a continuous development approach, and studies aimed at increasing the capability and capacity of qualified human resources in the field of cybersecurity will be encouraged. It will be aimed to spread the cybersecurity culture throughout society; the principles of the rule of law, fundamental human rights and freedoms, and the protection of privacy will be accepted as fundamental principles.
Protection against cyberattacks
This law also defines the duties of the Cybersecurity Presidency, a newly established regulatory institution. Accordingly, in addition to the duties stipulated in the relevant legislation, the Cybersecurity Presidency will carry out activities aimed at increasing the cyber resilience of critical infrastructures and information systems, protecting them against cyberattacks, detecting cyberattacks, preventing potential attacks and reducing or eliminating their effects.
Within this scope, the institution will conduct or have conducted vulnerability and penetration tests and risk analyses of assets, combat cyber threats, obtain, create and share cyber threat intelligence and conduct malware review activities.
The Cybersecurity Presidency will also be responsible for ensuring that the inventory of all assets, including the data inventory of public institutions and organizations and critical infrastructures, is kept and that risk analyses are conducted for those assets, and that security measures are taken or have been taken according to the criticality of the assets owned by public institutions and organizations and critical infrastructures.
The institution also has the responsibility to establish, have established and supervise a cyber incident response team (CIRT), to conduct studies to determine and increase the maturity levels of CIRTs, to measure the cyber incident response capabilities of CIRTs by conducting cybersecurity exercises, to coordinate with the cyber incident response teams of other countries, and to conduct, have conducted and encourage studies to produce and develop all kinds of cyber intervention tools and national solutions.
Records will be subject to study for a maximum of 2 years
According to the law, which also determines the authorities of the Cybersecurity Presidency, the institution will take or have taken the necessary measures to protect those within the scope of the law against cyber attacks and to provide deterrence against the source of these attacks, in addition to the authorities included in the relevant legislation.
In this context, it will be able to provide the installation and integration of software and hardware products that are suitable for information systems, transfer the data and log records produced or collected by these products to the information systems under its management and use the necessary methods and tools for the detection of cyber incidents.
The regulator will be able to provide on-site or remote cyber incident intervention support to those exposed to cyber incidents, track traces of attacks through data, images or log records found in or obtained from cyberspace, examine and prove them, share findings considered to constitute a crime with judicial authorities and other relevant parties, and coordinate with domestic and international stakeholders.
The Cybersecurity Presidency will be able to obtain and evaluate information, documents, data and records and benefit from and contact the archives, electronic data processing centers and communication infrastructure of these, limited to the activities it carries out.
The information, documents, data and records obtained within this scope will be subject to study for a maximum of two years and will be destroyed after the study period. Those from whom such requests are made will not be able to avoid fulfilling the request by citing the provisions of their own legislation.
Principles regarding audit activities
The Cybersecurity Presidency may audit all kinds of acts and transactions within the scope of the regulation and may conduct or have an on-site audit conducted for this purpose, in cases where it deems necessary in relation to its duties specified in the regulation. The audit will cover the activities and transactions of institutions, organizations and other relevant real and legal persons within the scope of this regulation in relation to the provisions of this regulation.
Institution personnel, authorized and certified independent auditors and independent audit organizations will be authorized for the audit and this authority will be used by those assigned by the president.
Inspections in public institutions and organizations and critical infrastructures will be carried out by the Cybersecurity Presidency personnel or under their supervision. The institution will determine the importance and priority principles regarding audit activities and the criteria and implementation principles to be taken into consideration in risk assessments. Audit activities will be carried out in accordance with the program to be created within the scope of importance and priority principles and risk assessments.
Search, copying and seizure
Those assigned with the task of auditing will be authorized to examine electronic data, documents, electronic infrastructure, devices, systems, software and hardware, to obtain copies, digital copies or samples from these, to request written or verbal explanations on the subject, to prepare necessary minutes, to examine the facilities and their operations, within the scope of the audit activities they carry out.
Those subject to auditing will be obliged to keep the relevant devices, systems, software and hardware open to auditing for the given periods, to provide the necessary infrastructure for auditing and to take the necessary measures to keep them in working order.
According to the law, searches can be conducted in residences, workplaces and closed areas not open to the public upon a judge’s decision or, in cases where delay is deemed undesirable, upon a written order of the public prosecutor for the purposes of national security, public order, or the prevention of crimes or cyber attacks, and copying and seizure can be carried out without causing long-term service disruptions and without interruption. A copy of the copied material will be delivered to the relevant person, and this matter will be recorded in the minutes and signed.
Searches conducted without a judge’s decision and copying and seizure operations shall be submitted to the approval of the authorized judge within 24 hours. Searches, copying and seizure operations may only be conducted in the data centers of authorized data center operators with a judge’s decision.
The judge shall announce their decision within 48 hours, otherwise the copies made and the texts analyzed shall be destroyed immediately and the seizure shall be lifted automatically. The Ankara Criminal Court of Peace shall be authorized and tasked with requests falling within this scope; however, a judge’s decision shall not be sought for public institutions and organizations.
Cybersecurity board
This law also regulates the members of the cybersecurity board. The board may form commissions and working groups if deemed necessary within the scope of its duties. The commissions and working groups shall conduct technical level studies on issues falling within the scope of the board’s duties and shall develop decision proposals. Experts in the field may be invited to the commission and working group meetings to benefit from their opinions. The board’s duties are as follows:
- To make decisions on cybersecurity-related policies, strategies, action plans and other regulatory procedures and to determine the institutions and organizations that will be exempted from all or part of the decisions taken.
- To make decisions on the implementation of the technology roadmap for cybersecurity prepared by the cybersecurity regulator throughout the country.
- To determine the priority areas to be encouraged in the field of cybersecurity and to make decisions on the development of human resources in the field of cybersecurity.
- To determine the critical infrastructure sectors. To make decisions on possible conflicts between the regulator and public institutions and organizations.
Application of penal provisions and administrative fines
The legislation establishes a comprehensive penalty framework with both criminal and administrative sanctions. Criminal penalties range from one to 15 years’ imprisonment depending on the severity of the offense, with the most severe sentences reserved for cyber attacks against national infrastructure (eight to 12 years, escalating to 10 to 15 years for data distribution). The law imposes enhanced penalties when crimes are committed by public officials (increased by one-third), by multiple perpetrators (increased by half) or by organized groups (increased by half to double).
The framework also includes substantial financial penalties for compliance failures. Administrative fines range from 100,000 to 10 million Turkish lira for basic cybersecurity measure violations, escalating up to 100 million lira for failures related to procurement authorization and international sales approval requirements. For commercial entities, fines can reach up to 5% of gross sales revenue when inspection obligations are not met.
The legislation criminalizes both actual cybersecurity breaches and the deliberate spread of false information about data leakages, reflecting the country’s approach to addressing both technical vulnerabilities and information security in the digital space.
Yavuz Akbulak is chief specialist of the Capital Markets Board of Turkey, the regulatory and supervisory authority responsible for the Turkish securities markets.