Breaking News: Turkey’s New Cybersecurity Law

This blog was originally posted on 14th March, 2025. Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter.

AUTHORED BY DILA ŞEN, GLOBAL REGULATORY AND REQUIREMENTS COMPLIANCE SPECIALIST, COMPLIANCE & RISKS

On March 12, 2025, the Turkish Grand National Assembly passed the Cybersecurity Law, marking a significant shift in Türkiye’s approach to regulating cybersecurity. While the law has not yet been published in the Official Gazette, it has already become a subject of interest for businesses operating in Türkiye’s digital ecosystem. Below is a comprehensive breakdown of the law and its potential impact on companies. 

The final version has not yet been published. Therefore, this overview is based on the parliamentary committee minutes.

Scope and Key Objectives

The new law establishes a framework for identifying and mitigating cyber threats targeting Türkiye’s national security, critical infrastructures, public institutions, and private entities. It applies to:

• Public institutions and organizations,
• Professional organizations with public institution status,
• Private companies and legal persons operating in cyberspace,
• Organizations without legal personality providing services in cyberspace.

Importantly, intelligence activities conducted by the police, the Coast Guard, the National Intelligence Organization, and the Turkish Armed Forces remain outside the law’s scope.

Scope and Key Provisions and Responsibilities for Companies

The law places significant obligations on companies, particularly those operating critical infrastructures and providing cybersecurity services. Some of the most crucial requirements include:

• Implementation of Cybersecurity Policies: All businesses must adopt cybersecurity strategies and measures to prevent and mitigate cyberattacks.
• Accountability and Compliance: Companies must integrate cybersecurity measures throughout their service lifecycle and be held accountable for any security lapses.
• Cyber Incident Reporting: Organizations must promptly report cybersecurity incidents and vulnerabilities to the newly established Cybersecurity Presidency.
• Preference for Domestic and National Solutions: The law encourages the use of local cybersecurity solutions whenever possible.
• Certification and Audits: Companies providing cybersecurity products and services must obtain certification, authorization, and documentation from the Cybersecurity Presidency. Additionally, public institutions and critical infrastructure operators must source cybersecurity solutions from certified providers.

The Role of the Cybersecurity Presidency

A new regulatory body, the Cybersecurity Presidency, has been established to oversee compliance, enhance cyber resilience, and manage cyber threats. Its key responsibilities include:

• Conducting cybersecurity audits and imposing penalties,
• Defining and overseeing the protection of critical infrastructures,
• Managing Cyber Incident Response Teams (CIRs),
• Overseeing the certification of cybersecurity solutions and professionals,
• Regulating cybersecurity standards and enforcement mechanisms.

Penalties for Non-Compliance

The law introduces stringent penalties for companies and individuals failing to comply with cybersecurity regulations. Some key penalties include:

• Failure to provide requested data to authorities: Imprisonment between 1 and 3 years, plus a judicial fine ranging from 500 to 1,500 days.
• Operating without necessary approvals, authorizations, or permits: Imprisonment between 2 and 4 years, plus a judicial fine ranging from 1,000 to 2,000 days.
• Breach of confidentiality obligations: Imprisonment between 4 and 8 years.
• Unauthorized access, sharing, or sale of leaked personal or critical public data: Imprisonment between 3 and 5 years.
• Spreading false information about cybersecurity incidents to incite fear or target individuals/institutions: Imprisonment between 2 and 5 years.
• Cyberattacks against national cyber infrastructure: Imprisonment between 8 and 12 years; if the acquired data is shared, transferred, or sold, imprisonment between 10 and 15 years.
• Aggravating factors: Sentences increased by one-third if committed by a public official, by half if committed by multiple individuals, and up to double if committed within an organized crime framework.
• Violation of employment restrictions for officials in the relevant authority: Imprisonment between 3 and 5 years.
• Abuse of authority leading to cybersecurity breaches in critical infrastructure: Imprisonment between 1 and 3 years.
• Failure to comply with cybersecurity regulations in data processing and service provision: Administrative fine between 1 million and 10 million TRY.
• Non-compliance with rules on the sale, transfer, or restructuring of cybersecurity-related products and services in critical infrastructure: Administrative fine between 10 million and 100 million TRY.
• Failure to comply with audit obligations for cybersecurity systems: Administrative fine between 100,000 and 1 million TRY; for companies, at least 100,000 TRY, up to 5% of gross annual revenue from independently audited financial statements.

Data Retention and Privacy Implications

The law mandates that companies keep certain cybersecurity-related data and logs for a maximum of two years. After this period, the data must be destroyed unless otherwise required for an investigation. Additionally, companies must comply with Türkiye’s data protection laws, ensuring personal data processing aligns with legal principles and proportionality.

International Collaboration and Export Restrictions

The Cybersecurity Presidency is authorized to engage with international organizations and foreign governments to enhance Türkiye’s cybersecurity framework. However, businesses looking to export cybersecurity products and services must obtain prior approval from the Presidency, and mergers or share transfers in cybersecurity firms require regulatory clearance.

Implications for Businesses and Next Steps 

With the passage of this law, businesses operating in Türkiye must act swiftly to ensure compliance. Some key actions include:

• Conducting internal audits to assess current cybersecurity measures,
• Reviewing data retention policies to align with the new requirements,
• Ensuring compliance with certification and authorization mandates for cybersecurity products and services,
• Strengthening incident response mechanisms and reporting procedures,
• Engaging with legal and cybersecurity experts to understand the full implications of the law.

Türkiye’s Cybersecurity Law introduces a comprehensive framework for strengthening national cybersecurity and enforcing accountability. Companies must proactively address compliance obligations to avoid severe penalties and ensure business continuity. As the law progresses towards official publication and implementation, businesses should stay informed and prepared for upcoming regulations and potential amendments.If your organization requires guidance on compliance with Türkiye’s new Cybersecurity Law, Compliance and Risk’s legal and cybersecurity experts are available to assist you in navigating these new obligations.

Stay Ahead Of Regulatory Changes like Turkey’s New Cybersecurity Law

Want to stay ahead of these regulatory developments?

Accelerate your ability to achieve, maintain & expand market access for all products in global markets with C2P – your key to unlocking market access, trusted by more than 300 of the world’s leading brands.
C2P is an enterprise SaaS platform providing everything you need in one place to achieve your business objectives by proving compliance in over 195 countries.

C2P is purpose-built to be tailored to your specific needs with comprehensive capabilities that enable enterprise-wide management of regulations, standards, requirements and evidence.
Add-on packages help accelerate market access through use-case-specific solutions, global regulatory content, a global team of subject matter experts and professional services.

• Accelerate time-to-market for products
• Reduce non-compliance risks that impact your ability to meet business goals and cause reputational damage
• Enable business continuity by digitizing your compliance process and building corporate memory
• Improve efficiency and enable your team to focus on business critical initiatives rather than manual tasks
• Save time with access to Compliance & Risks’ extensive Knowledge Partner network

A RoHS Exemption Roadmap: Navigating Exemption Renewals and Their Timelines

Join us for an in-depth webinar on the evolving landscape of RoHS exemptions and their renewals!

register now