INFORMATION NOTE ABOUT THE CYBER SECURITY LAW
The Cyber Security Law (“Law”) was adopted by the TBMM General Assembly on 12.03.2025 and entered into the statute book. The Law contains regulations on cyber security and the principles governing the establishment of the Cyber Security Board (“Board”). The key provisions of the Law are summarized below.
I. Scope of the Law
The law covers (i) public institutions and organizations, (ii) professional organizations with the status of public institutions, (iii) real persons and legal entities, and (iv) organizations without legal personality that operate and provide services in cyberspace.
Intelligence activities carried out in accordance with the Police Duties and Authorities Law, Coast Guard Command Law, Gendarmerie Organization, Duties and Authorities Law, and activities carried out in accordance with the State Intelligence Services and National Intelligence Organization Law and Turkish Armed Forces Internal Service Law are excluded from the scope of the regulation.
II. Purpose of the Law
The main purposes of the Law are as follows:
Detection and elimination of cyber threats
The Cyber Security Presidency (“Presidency”) will detect and eliminate current, potential and past violations and attacks in cyberspace through the Cyber Incident Response Teams (“SOME”) to be established and run by the Presidency and the expert personnel to be employed.
Determining strategies and policies to strengthen cyber security and reduce the possible effects of cyber incidents
The Presidency will determine the binding policies, strategies, action plans and other regulatory procedures published for the development of cyber maturity.
Making deterrent arrangements against cyber attacks
The Law provides for serious prison sentences and judicial and administrative fines for cyber attacks, violations or non-compliance with the Law. (See: Section VII)
Establishment of the Cyber Security Board
A Cyber Security Board will be established, consisting of the President, Vice President, Minister of Justice, Minister of Foreign Affairs, Minister of Interior, Minister of National Defense, Minister of Industry and Technology, Minister of Transportation and Infrastructure, Secretary General of the National Security Council, President of the National Intelligence Organization, President of Defense Industries and President of Cyber Security. The Board will (i) make decisions on policies, strategies, action plans and other regulatory procedures regarding cyber security, (ii) make decisions on the nationwide implementation of the cyber security technology roadmap prepared by the Presidency, (iii) determine the priority areas to be encouraged in the field of cyber security and make decisions on the development of human resources in this field, (iv) determine the critical infrastructure sectors and (v) decide on disputes that may arise between the Presidency and public institutions and organizations.
III. Cyber Security Concepts
The Law defines some basic cybersecurity concepts. These concepts are decisive in determining the scope of the Law.
Critical infrastructure: Infrastructures hosting information systems whose compromise, in terms of the confidentiality, integrity or availability of the information/data they process, may lead to loss of life, large-scale economic damage, security gaps or disruption of public order.
Critical public service: A service provided with a monopoly or limited substitute throughout the country that is necessary for the continuation of national, social or economic activities and that may have a significant impact on national security, the social or economic welfare of the country, public order or health or the provision of other services in the event of interruption or damage.
Cyberspace: The environment consisting of all information systems directly or indirectly connected to the Internet, electronic communication or computer networks and the networks that connect them.
Cybersecurity: The set of activities that includes protecting the information systems that constitute cyberspace from attacks, securing the confidentiality, integrity and availability of data processed in this environment, detecting attacks and cyber incidents, activating response and alarm mechanisms upon such detections, and then restoring the affected systems to their state before the cyber incident.
Cyber incident: The violation of the confidentiality, integrity or availability of information systems or of the data processed by these systems.
Cyber attack: Intentional actions taken against a person or information systems anywhere in cyberspace in order to compromise the confidentiality, integrity or availability of information systems in cyberspace and the data processed by these systems.
IV. Cyber Security Presidency
The main duties of the Presidency are as follows:
a) To determine critical infrastructures and the institutions and locations they belong to,
b) To establish, have established and supervise SOMEs,
c) To regulate the procedures and principles that those operating in the field of cyber security must comply with and to prepare standards for the field of cyber security,
d) To conduct testing and certification processes for software, hardware, products, systems and services in the field of cyber security,
e) To conduct cyber security audits and impose sanctions according to their results,
f) To determine the technical criteria that cyber security products and services to be used in public institutions, organizations and critical infrastructures, and the businesses that will supply them, must meet.
V. Inspection
The Presidency may inspect all acts and transactions falling within the scope of the Law.
Inspection covers the activities and transactions of institutions, organizations and other relevant real and legal persons within the scope of this Law, related to the provisions of this Law.
Those subject to inspection must take the necessary measures to keep the relevant devices, systems, software and hardware open to inspection for the given periods, to provide the necessary infrastructure for inspection and to keep them in working order.
VI. Responsibilities Envisaged Under the Law
All public institutions and organizations, real and legal persons are responsible for the implementation of cyber security policies and strategies and taking necessary measures to prevent or reduce the effects of cyber attacks.
In studies to ensure cyber security, domestic and national products are primarily preferred.
In addition, the following obligations are binding on those who provide services, collect or process data, or carry out similar activities using information systems within the scope of the Law:
• To forward to the Presidency, in a timely manner, any data, information, document, hardware, software and any other contribution requested by the Presidency within the scope of its duties and activities.
• To take the cyber security measures envisaged by the legislation for ensuring national security, public order or the proper provision of public services, and to report to the Presidency, without delay, any vulnerabilities or cyber incidents they detect in the areas in which they provide services.
• To procure the cybersecurity products, systems and services to be used in public institutions, organizations and critical infrastructures from cybersecurity experts, manufacturers or companies authorized and certified by the Presidency.
• For cyber security companies subject to certification, authorization and documentation, to obtain the Presidency’s approval within the framework of existing regulations before starting operations.
• To comply with the policies, strategies, action plans and other regulatory procedures published by the Presidency and to take the necessary measures.
VII. Penal Sanctions to be Applied Under the Law
The Law stipulates various prison sentences and judicial and administrative fines. Some important provisions are as follows:
• Those who do not provide information, documents, software, data and hardware requested by the authorities and officials authorized by law or who prevent them from being obtained shall be punished with imprisonment from 1 to 3 years and a judicial fine from 500 to 1500 days. Public institutions and organizations are excluded from this crime.
• Those who operate without obtaining the required approvals, authorizations or permits in accordance with the law are punished with imprisonment from 2 to 4 years and a judicial fine from 1000 to 2000 days.
• Those who, without the permission of the relevant person or institution, access, share or sell personal or critical corporate data falling within the scope of public service in cyberspace that originates from a previous data leak are sentenced to 3 to 5 years in prison. The provision applies whether the act is carried out for a fee or free of charge.
• Those who create false content as if a data leak occurred or who spread content for this purpose, even though they know that there is no data leak in cyberspace, in order to create anxiety, fear and panic among the public or to target individuals or institutions, are sentenced to 2 to 5 years in prison.
• Those who carry out cyber attacks on the elements that constitute the national power of the Republic of Turkey in cyberspace, or who keep any data obtained as a result of such an attack in cyberspace, are sentenced to 8 to 12 years in prison, unless the act constitutes another crime that requires a more severe penalty. Where the data obtained as a result of such an attack is distributed in cyberspace, sent to another location or offered for sale, the sentence is 10 to 15 years in prison.
• Those who abuse their duties and authorities arising from the Law, and those who cause data breaches by acting contrary to the requirements of their duties within the scope of protecting critical infrastructures against cyber attacks, are sentenced to 1 to 3 years in prison.
• Those who fail to fulfill their obligations regarding companies providing cybersecurity products and services are subject to an administrative fine of 10,000,000 Turkish Lira to 100,000,000 Turkish Lira.
• Within the scope of the inspection provisions, if those subject to inspection do not take the necessary measures to keep the relevant devices, systems, software and hardware open to inspection for the given periods, to provide the necessary infrastructure for inspection and to keep them in working order, an administrative fine of between 100,000 Turkish Lira and 1,000,000 Turkish Lira will be imposed. If these obligations are not fulfilled by commercial companies, an administrative fine of up to 5% of the gross sales revenue shown in their independently audited annual financial statements, but not less than 100,000 Turkish Lira, will be imposed.