Turkish Cyber Crimes Law: A Complete Legal Guide to Cybercrime, Cybersecurity and Digital Evidence in Türkiye

Introduction

Turkish Cyber Crimes Law has become one of the most important areas of criminal, commercial and regulatory law in Türkiye. As individuals, companies, banks, e-commerce platforms, public institutions and critical infrastructure operators increasingly rely on digital systems, cyber incidents are no longer isolated technical problems. They may trigger criminal investigations, administrative fines, civil liability, personal data protection obligations, access blocking measures, cybersecurity audits and cross-border evidence issues.

In Türkiye, cybercrime is not regulated by a single statute. The legal framework is built on several layers. The Turkish Penal Code No. 5237 criminalizes core cyber offences such as unlawful access to information systems, interference with systems, destruction or alteration of data, misuse of bank or credit cards and possession or distribution of prohibited devices or programs. Law No. 5651 regulates internet publications, content removal, access blocking and obligations of internet actors. The Personal Data Protection Law No. 6698 applies when cyber incidents involve personal data. In addition, Cybersecurity Law No. 7545, published in the Official Gazette on 19 March 2025, introduced a wider national cybersecurity framework covering public institutions, private entities, individuals and organizations operating in cyberspace.

This guide explains Turkish Cyber Crimes Law from a practical legal perspective. It focuses on the main offences, penalties, investigation methods, victim rights, corporate obligations and defence strategies in cybercrime cases in Türkiye.

1. What Is Cybercrime Under Turkish Law?

Cybercrime under Turkish law generally refers to offences committed against or through information systems. A computer, server, mobile phone, cloud account, corporate network, banking system, website, database or social media account may be the subject or instrument of a cybercrime.

The Turkish Penal Code uses the term “information system” broadly. In practice, courts consider whether there is a digital system capable of collecting, storing, processing, transferring or making data available. Therefore, cybercrime cases may involve unauthorized access to e-mail accounts, interference with company servers, ransomware, illegal transfer of customer data, fake banking transactions, phishing, card fraud, social media account takeover, malware, credential theft, log manipulation and digital blackmail.

A key distinction must be made. Some offences are direct cybercrimes, because the protected legal value is the security and integrity of an information system itself. Examples include unlawful access under TCK Article 243 and system interference under TCK Article 244. Other offences are technology-enabled crimes, where digital tools are used to commit a traditional offence, such as fraud, defamation, threats, blackmail, violation of privacy, forgery or unlawful disclosure of personal data.

This distinction matters because the applicable article, penalty range, competent court, evidence assessment and defence strategy may change depending on whether the act targets the system itself or merely uses the internet as a means.

2. Unlawful Access to an Information System: TCK Article 243

One of the central provisions of Turkish Cyber Crimes Law is Article 243 of the Turkish Penal Code. This article criminalizes unlawfully entering all or part of an information system or remaining there without authorization. The basic form of the offence is punishable by imprisonment of up to one year or a judicial fine. If the act concerns systems that may be used in return for payment, the penalty may be reduced. If data contained in the system is destroyed or altered as a result of the act, imprisonment from six months to two years may apply. Article 243 also criminalizes unlawfully monitoring data transfers within or between information systems by technical means, with imprisonment from one to three years.

In practice, this offence may arise where a person logs into another person’s e-mail account, social media account, cloud storage, business software, database or internal company system without legal authorization. It is not always necessary for the suspect to steal data or cause damage. Unlawful entry or unlawful remaining may be sufficient if the required criminal intent exists.

However, not every access is automatically a crime. Defence arguments often focus on authorization, consent, employment duties, shared passwords, previous access permission, lack of criminal intent, technical impossibility, IP address uncertainty and whether the accused person can actually be linked to the digital activity. For example, if an employee accessed a system within the scope of his or her work authorization, the issue may become a labour, confidentiality or unfair competition dispute rather than a criminal cybercrime case.

The most sensitive point in Article 243 cases is the difference between “access” and “interference.” If the accused only entered an account without changing, deleting or transferring data, Article 243 may be relevant. If data was deleted, altered, blocked, transferred or the system’s operation was disrupted, Article 244 may come into play.

3. System Interference, Data Destruction and Data Alteration: TCK Article 244

TCK Article 244 is more severe than simple unauthorized access because it protects the functioning of information systems and the integrity of data. Under this provision, a person who prevents or disrupts the operation of an information system may be sentenced to imprisonment from one to five years. A person who destroys or changes data, makes data inaccessible, places data into the system or transfers existing data elsewhere may be sentenced to imprisonment from six months to three years.

This article is frequently applied in cases involving ransomware, deletion of company records, unauthorized database manipulation, website defacement, blocking access to digital platforms, changing customer information, deleting accounting data, interfering with a server or transferring data without permission.

Article 244 may also be relevant in employment-related disputes. Former employees sometimes retain passwords, access corporate systems after termination, delete files, copy client lists or manipulate digital records. In such cases, the prosecutor must carefully determine whether the conduct is merely a civil dispute, breach of contract, unfair competition, theft of trade secrets or a direct cybercrime.

The prosecution must prove the act, the digital link between the suspect and the system, the unlawfulness of the access or interference, the effect on data or system operation and the suspect’s intent. Digital forensic reports, server logs, IP records, device examinations, access timestamps, user credentials, e-mail headers, cloud activity reports and witness statements are often decisive.

For victims, immediate preservation of logs is crucial. Delay may cause loss of evidence, especially because many systems retain logs only for a limited period. Companies should avoid altering the affected system before forensic imaging is completed, because uncontrolled internal investigation may weaken the evidentiary value of digital material.

4. Misuse of Bank or Credit Cards: TCK Article 245

Bank and credit card misuse is one of the most common cyber-related offences in Türkiye. TCK Article 245 covers several forms of card-related criminal activity. Using or causing another person to use a bank or credit card without the cardholder’s consent to obtain benefit may lead to imprisonment from three to six years and a judicial fine. Producing, selling, transferring, purchasing or accepting fake bank or credit cards linked to another person’s bank account may lead to imprisonment from three to seven years and a judicial fine. Using a fake or altered bank or credit card to obtain benefit may lead to imprisonment from four to eight years and a judicial fine.

This provision is highly relevant to phishing, stolen card data, fake payment links, card-not-present fraud, POS fraud, ATM skimming, online shopping fraud and unauthorized banking transactions. It may also overlap with fraud, theft, forgery, laundering of criminal proceeds and membership of a criminal organization, depending on the facts.

In card misuse cases, the investigation usually focuses on the transaction history, merchant records, IP address, delivery address, device information, phone numbers, bank logs, camera recordings, cargo records and whether the suspect actually benefited from the transaction. A person whose identity, bank account or phone number was used by others may need a strong defence supported by technical evidence.

From the victim’s perspective, speed is essential. The card should be blocked immediately, the bank should be notified, transaction objections should be filed, screenshots should be preserved and a criminal complaint should be submitted with all available digital evidence.

5. Prohibited Devices or Programs: TCK Article 245/A

TCK Article 245/A criminalizes certain preparatory acts where devices, computer programs, passwords or security codes are produced, imported, transported, stored, accepted, sold, offered for sale, purchased, given to others or possessed for the purpose of committing cybercrimes or other crimes that can be committed through information systems. The penalty is imprisonment from one to three years and a judicial fine of up to five thousand days.

This article may apply to malware kits, phishing panels, credential-stealing software, carding tools, unauthorized password lists, hacking tools specifically created for criminal use and similar instruments. However, the legal analysis must be careful. Many cybersecurity tools can be used for legitimate penetration testing, research, audit and defensive purposes. Therefore, the purpose, context, authorization, professional role of the suspect and actual use of the tool are critical.

For cybersecurity professionals, written authorization is essential before penetration testing, vulnerability scanning or red-team exercises. A lawful security test should be supported by a contract, scope document, target list, permitted methods, testing period, reporting procedure and confidentiality obligations. Without clear authorization, even technically legitimate activity may be misunderstood as unlawful access or preparation for cybercrime.

6. Cybersecurity Law No. 7545 and Its Impact

Cybersecurity Law No. 7545 is a major development in Turkish cybersecurity legislation. The law’s purpose is to identify and eliminate current and potential threats directed at Türkiye’s national power in cyberspace, reduce the effects of cyber incidents, protect public institutions, professional organizations, real and legal persons and organizations without legal personality against cyberattacks, determine national cybersecurity strategies and establish the Cybersecurity Board.

The law has a broad scope. It applies to public institutions, professional organizations with public institution status, real persons, legal persons and organizations without legal personality that exist, operate or provide services in cyberspace. Certain intelligence and military internal service activities are excluded.

The law also defines important concepts such as information systems, critical infrastructure, critical public service and cybersecurity. Critical infrastructure is particularly important because disruption of confidentiality, integrity or availability may cause loss of life, large-scale economic damage, security vulnerabilities or disturbance of public order.

Cybersecurity Law No. 7545 gives the Cybersecurity Presidency significant duties and powers. These include improving the cyber resilience of critical infrastructure and information systems, conducting or commissioning vulnerability and penetration tests, carrying out risk analyses, combating cyber threats, producing and sharing cyber threat intelligence, examining malware, identifying critical infrastructure, establishing and supervising cyber incident response teams and setting standards for cybersecurity products and services.

The law also contains criminal and administrative sanctions. For example, failure to provide requested information, documents, software, data or hardware to authorized bodies may lead to imprisonment and judicial fines. Operating without required approvals, authorizations or permits may also be punishable. The law further criminalizes certain conduct concerning leaked personal or critical public service data, false data breach content created to cause panic and cyberattacks targeting elements of Türkiye’s national power in cyberspace.

For companies, this means cybersecurity is no longer only an IT issue. It is a legal compliance, corporate governance, risk management and board-level responsibility.

7. Law No. 5651: Internet Content, Access Blocking and Provider Liability

Law No. 5651 is another key part of Turkish Cyber Crimes Law. It regulates the obligations and responsibilities of content providers, hosting providers, access providers and collective use providers, and sets procedures for combating certain offences committed through internet publications.

In practice, Law No. 5651 is relevant where cybercrime intersects with online content. Examples include unlawful publication of personal data, revenge porn, defamation through websites, fake news pages, phishing websites, illegal betting platforms, fraudulent e-commerce pages and impersonation websites.

The law provides mechanisms for removal of content and blocking of access. Hosting providers may be required to remove unlawful content when duly notified under the relevant procedures. They also have traffic data retention and confidentiality obligations within the statutory framework.

For victims, Law No. 5651 may provide faster practical relief than a criminal investigation alone. A criminal complaint may punish the perpetrator, but content removal and access blocking may prevent ongoing damage. Therefore, in internet-based cybercrime matters, the legal strategy should usually combine criminal complaint, content removal, access blocking, personal data complaint and civil compensation claims where necessary.

8. Personal Data Breaches and KVKK Obligations

Many cybercrime cases involve personal data. Customer lists, identity numbers, health data, financial information, login credentials, location data, employee records and private communications may all fall under data protection rules. The Turkish Personal Data Protection Law No. 6698 aims to protect fundamental rights and freedoms, particularly privacy, in relation to personal data processing, and applies to natural persons whose data are processed and to natural or legal persons processing such data by automated or filing-system-based means.

When a cyberattack causes unauthorized access to personal data, the matter may trigger several parallel legal consequences. The perpetrator may face criminal liability. The data controller may face administrative scrutiny if it failed to implement adequate technical and organizational measures. Affected individuals may claim damages. The Personal Data Protection Authority may require breach notification and impose administrative fines where legal conditions are met.

Companies operating in Türkiye should therefore maintain an incident response plan. This plan should include internal reporting channels, forensic preservation, legal assessment, breach notification evaluation, communication with affected persons, coordination with external counsel, cyber insurance notification and remediation steps.

A common mistake is treating a data breach only as a technical event. From a legal perspective, the first hours are critical. The company must preserve evidence, identify the scope of the breach, determine whether personal data is involved, assess notification obligations and avoid statements that may later be used against it.

9. Digital Evidence in Turkish Cybercrime Investigations

Digital evidence is the backbone of cybercrime cases. However, digital evidence is fragile. It can be altered, deleted, overwritten or challenged if not collected properly. Turkish criminal procedure requires lawful evidence collection. Evidence obtained unlawfully may be excluded and may even create separate legal liability.

Important digital evidence may include IP logs, server access records, firewall logs, VPN records, user account activity, device images, hard disk copies, mobile phone extractions, e-mail headers, blockchain transaction records, bank transaction logs, cloud platform records, screenshots, domain registration records, hosting information and social media data.

However, screenshots alone are often insufficient. They should be supported by metadata, URL information, timestamps, notarial determination where appropriate, expert reports, platform records or official responses from service providers. In serious cases, forensic imaging should be performed by qualified experts using methods that preserve hash values and chain of custody.

For suspects, digital evidence should be challenged technically and legally. The defence should examine whether the IP address is dynamic, whether multiple people used the network, whether the device was compromised, whether VPN or proxy services were involved, whether log records are complete, whether timestamps are accurate and whether the alleged account was actually controlled by the accused.

10. Corporate Cybercrime Risks in Türkiye

Companies face cybercrime risks both as victims and potential subjects of investigation. A company may suffer ransomware, data theft, invoice fraud, business e-mail compromise, insider attacks, fake domain registration, phishing, unauthorized access by former employees or manipulation of payment systems.

At the same time, companies may face liability if they fail to protect personal data, ignore cybersecurity obligations, use unlicensed or illegal software, conduct unauthorized monitoring, fail to preserve digital evidence or unlawfully access a competitor’s systems.

A strong corporate cybersecurity legal program should include:

  1. Cybersecurity policies and employee training.
  2. Access control and password management.
  3. Incident response and breach notification procedures.
  4. Lawful log retention policies.
  5. Personal data processing inventory and KVKK compliance.
  6. Vendor and cloud service provider contracts.
  7. Penetration testing authorization documents.
  8. Internal investigation protocols.
  9. Evidence preservation procedures.
  10. Coordination between IT, legal, compliance and management.

The National Cybersecurity Strategy and Action Plan for 2024–2028 emphasizes cyber resilience, critical infrastructure protection, public-private cooperation, risk reduction and continuous cybersecurity development. The strategy is structured around 6 strategic objectives, 18 targets and 61 action items.

11. Victim Rights in Turkish Cybercrime Cases

Victims of cybercrime in Türkiye may file a criminal complaint before the public prosecutor’s office. Depending on the nature of the incident, they may also request urgent evidence collection, identification of IP addresses, preservation of logs, search and seizure of devices, expert examination, freezing of suspicious bank transactions and access blocking or content removal.

In financial cybercrime cases, the victim should immediately contact the bank, object to unauthorized transactions, request transaction details and submit all bank records to the prosecutor. In personal data or privacy cases, the victim may also consider an application to the Personal Data Protection Authority or civil claims for material and moral damages.

Where online content continues to cause harm, such as leaked private images, identity data, defamatory posts or fake websites, urgent legal remedies should be used. In many cases, removing the content quickly is as important as punishing the offender.

12. Defence Strategies in Cybercrime Cases

Cybercrime defence requires both criminal law knowledge and technical understanding. A defence based only on denial is rarely sufficient. The defence should analyze the digital evidence, the legal classification of the act, the chain of custody, the suspect’s access rights, intent, causation and whether the alleged conduct corresponds to the charged article.

Common defence points include:

  • The accused had lawful authorization or consent.
  • The system was accessed by multiple users.
  • The IP address does not conclusively identify the accused.
  • The device may have been infected or remotely controlled.
  • The alleged logs are incomplete or unreliable.
  • The act does not fall under Article 244 but, at most, under Article 243.
  • No data was altered, deleted, transferred or made inaccessible.
  • The alleged tool was used for lawful cybersecurity testing.
  • The prosecution failed to prove intent beyond reasonable doubt.
  • The alleged benefit in card fraud was not obtained by the accused.

A strong defence often requires an independent technical expert opinion. Courts may appoint official experts, but party-submitted technical opinions can help identify contradictions, missing logs, alternative explanations and errors in the prosecution theory.

13. International Dimension of Cybercrime in Türkiye

Cybercrime often crosses borders. Servers may be abroad, suspects may use foreign platforms, data may be stored in cloud systems and victims may be located in different countries. This creates practical difficulties in evidence collection and enforcement.

Turkish authorities may use international cooperation channels, mutual legal assistance requests and platform-specific legal request procedures. However, cross-border evidence may take time. Therefore, victims should preserve all available local evidence immediately, including device data, bank records, screenshots, correspondence, URLs, headers and transaction details.

Companies with international operations should also consider whether a cyber incident triggers foreign data protection obligations, contractual notification duties, sectoral reporting rules or cyber insurance requirements.

14. Why Legal Assistance Matters in Turkish Cybercrime Cases

Cybercrime cases are technically complex and legally sensitive. A poorly prepared complaint may fail to identify the correct offence. A company may lose evidence by conducting an uncontrolled internal investigation. A suspect may face a heavier charge because the technical distinction between access and data interference was not properly explained. A victim may obtain a conviction but fail to secure compensation or content removal.

A Turkish cyber crimes lawyer can assist with criminal complaints, defence petitions, digital evidence strategy, expert review, access blocking requests, data breach response, KVKK compliance, corporate internal investigations and compensation claims.

The most effective approach is usually interdisciplinary. Criminal law, data protection law, IT forensics, cybersecurity governance and civil liability must be evaluated together.

Conclusion

Turkish Cyber Crimes Law is a multi-layered legal field. The Turkish Penal Code punishes core cyber offences such as unlawful access, system interference, data alteration, card misuse and prohibited cyber tools. Law No. 5651 regulates internet content, access blocking and provider obligations. KVKK applies when personal data is affected. Cybersecurity Law No. 7545 adds a broader national cybersecurity framework with new duties, powers and sanctions.

For individuals, cybercrime may mean stolen accounts, financial loss, privacy violations or reputational harm. For companies, it may mean operational disruption, data breach liability, regulatory exposure and criminal investigations. For suspects, it may involve serious imprisonment risks and technically complex evidence.

The central lesson is clear: cyber incidents must be handled quickly, technically and legally. Evidence must be preserved, the correct legal route must be chosen and the matter must be assessed under criminal law, cybersecurity law, data protection law and internet regulation together. In Türkiye’s rapidly evolving digital environment, a careful legal strategy can make the difference between an unresolved technical incident and an effective legal remedy.
