Uzun & Keskin Hukuk Bürosu

Legal Obligations of Cyber Security Companies Within the Framework of Cyber Security Law

With the Cyber Security Law (“Law”), which entered into force on March 19, 2025, a comprehensive legal framework regulating cyber security was established for the first time in Turkey. The Law established the Cyber Security Presidency (“Presidency”) and granted the Presidency extensive powers in determining, implementing and monitoring cyber security policies. Cyber security is considered a national security issue and significant obligations encompassing both the public and private sectors are envisaged.

The opportunities that cyber security companies will gain with the Law and the obligations imposed on them will be discussed under the following headings.

1- Opportunities for Cybersecurity Companies

The Law expands public-sector activity in the field of cybersecurity and creates various commercial opportunities in the private sector. Under the Law, the systems to be considered critical infrastructure will be determined by the Presidency, and various obligations will accordingly be imposed on the companies operating in the sectors of those systems. In parallel with EU practice, it is assessed that the sectors initially planned to fall within the scope of critical infrastructure under the Law will be as follows:

  • Energy,
  • Transportation,
  • Banking and finance,
  • Health,
  • Water facilities (drinking, purification etc.),
  • Electronic communications and digital infrastructures.

The law stipulates that the Presidency will conduct audits regarding cyber security in critical infrastructures, perform various checks including penetration tests, and authorize independent auditors for this purpose. In addition, it is mandatory for cyber security products or services to be certified, and it is stipulated that priority will be given to domestic and national cyber security products. For all these reasons, it is anticipated that with the full implementation of the law, there will be a high demand for independent audit services and certified cyber security products or services from public institutions or organizations and companies operating in critical infrastructure sectors.

2- Obligations of Cybersecurity Companies

The obligations specifically imposed on cybersecurity companies by the law are listed below:

  1. Export Restriction: The procedures and principles regarding the sale of cybersecurity products, systems, software, hardware and services abroad will be determined by the Presidency. Additional rules regarding exports related to cybersecurity will be foreseen with secondary regulations to be issued within this framework. However, Presidency permission will be required for some export items.
  2. Control of Investment Processes: All mergers, divisions, share transfers or sales transactions of cybersecurity companies operating in the fields listed above will be reported to the Presidency. Transactions that provide direct or indirect control or decision-making rights over the companies in question are subject to the Presidency’s approval. Therefore, the investment processes of these companies have been transferred to the Presidency’s control.
  3. Permission to Operate: Companies, associations, federation of associations or foundations operating in the field of cybersecurity must complete their certification, authorization or documentation processes in accordance with secondary regulations to be issued by the Presidency within 2 years from the effective date of the Law. Cybersecurity activities of those who fail to comply with this obligation will be suspended.
  4. Product or Service Certification: The Presidency will certify cybersecurity products and services to be used in public institutions and organizations and critical infrastructures. Thus, only certified products or services can be used in these places.

In order for the Presidency to fulfill its duties within the framework of the Law, it has very broad access powers such as accessing all kinds of information, documents or data, including log records, and contacting information systems. In addition, the Presidency has the authority to conduct on-site or remote audits. Such requests from the Presidency must be fulfilled urgently.

Cybersecurity companies must immediately report any cyber incidents and vulnerabilities they detect to the Presidency.

The judicial and administrative sanctions foreseen by the Law are shown in the attached table.

3- Evaluation and Recommendations

The Law foresees strict obligations for cybersecurity companies. In return, a substantial field of activity has been opened up to companies that can meet those obligations. At present, the following recommendations are offered to cybersecurity companies for the 2-year transition period:

  • Dividing commercial activities into two, foreign and domestic, and keeping the two separate (it is thought that the effects of the Law’s restrictions on exports can be mitigated in this way),
  • Conducting the necessary preliminary studies to comply with the obligations imposed by the Law.

Finally, it is recommended to closely follow the secondary regulations on the subject.

Annex: Table of Relevant Judicial and Administrative Sanctions

| Definition of Act Requiring Sanction | Sanction |
| --- | --- |
| Failing to provide, or preventing the receipt of, requested information, documents, software, data or hardware within the scope of audits. | 1 to 3 years in prison; 500 days to 1500 days of judicial fine (up to 750,000 TL) |
| Operating without obtaining the approval, authorization or permission required by law. | 2 to 4 years imprisonment; 1000 days to 2000 days of judicial fine (up to 1,000,000 TL) |
| Failure to comply with confidentiality obligations under the law. | 4 to 8 years in prison |
| Abusing duties and powers arising from the law or causing a data breach by acting contrary to the requirements of duty within the scope of protecting critical infrastructures against cyber attacks. | 1 to 3 years in prison |
| Failure to take measures required by legislation regarding cyber security or failure to report cyber incidents or vulnerabilities detected in the area where services are provided. | Administrative fines of 1,000,000 TL to 10,000,000 TL |
| Procurement of cyber security products, systems or services to be used in public institutions or organizations and critical infrastructures from persons not authorized or certified by the Presidency. | Administrative fines of 1,000,000 TL to 10,000,000 TL |
| Cybersecurity companies acting in violation of export restrictions or controls on investment processes. | Administrative fines of 10,000,000 TL to 100,000,000 TL |
| Obstructing the audit in any way. | Administrative fines of 5% of the gross sales revenue in the independently audited annual financial statements. |
