Cybersecurity Law in Turkey: Obligations of Companies and Public Institutions

Introduction

Cybersecurity Law in Turkey has entered a new era with the enactment of Cybersecurity Law No. 7545. As digital transformation expands across finance, healthcare, transportation, energy, telecommunications, e-commerce, public services and professional service sectors, cybersecurity is no longer a purely technical issue. It has become a legal, administrative, criminal, regulatory and corporate governance matter.

Turkey’s Cybersecurity Law No. 7545 came into force following its publication in the Official Gazette on 19 March 2025. The law aims to protect public institutions, private sector entities, individuals and organizations operating in cyberspace against cyber threats, while establishing a broader national cybersecurity policy structure. Its scope is broad and includes public institutions, professional organizations with public institution status, real persons, legal persons and organizations without legal personality that exist, operate or provide services in cyberspace.

This article provides a comprehensive legal guide to the obligations of companies and public institutions under Turkish Cybersecurity Law. It explains the scope of Law No. 7545, the duties of the Cybersecurity Presidency, cyber incident reporting, risk analysis, audit powers, certification requirements, public institution obligations, critical infrastructure responsibilities, data protection issues, administrative fines and criminal sanctions.

1. Why Cybersecurity Law Matters in Turkey

Cybersecurity is now an essential part of legal risk management. A cyberattack may result in business interruption, personal data breach, loss of customer trust, regulatory investigation, administrative fines, contractual liability, criminal proceedings and civil compensation claims.

Before Law No. 7545, Turkey already had several legal rules relevant to cyber risks. These included the Turkish Penal Code provisions on cybercrimes, Law No. 5651 on internet publications, the Personal Data Protection Law No. 6698, banking regulations, electronic communications rules and sector-specific information security obligations. However, Law No. 7545 created a more centralized and systematic framework specifically addressing cybersecurity governance, incident response, critical infrastructure protection and supervisory powers.

The law identifies cybersecurity as an integral part of national security and emphasizes the protection of critical infrastructure and information systems. It also states that cybersecurity measures should be implemented throughout the life cycle of services and products, and that public institutions, organizations, real persons and legal persons are responsible for implementing cybersecurity policies and strategies and taking necessary measures against cyberattacks.

This approach makes cybersecurity a board-level and management-level responsibility. Companies and public institutions can no longer treat cyber risk as merely an IT department issue.

2. Scope of Cybersecurity Law No. 7545

The scope of Cybersecurity Law No. 7545 is broad. It covers public institutions and organizations, professional organizations with public institution status, real persons, legal persons and organizations without legal personality that exist, operate or provide services in cyberspace. This means that both public and private sector actors may fall within the law’s application area.

For companies, the key point is that the law is not limited to cybersecurity companies. A company that uses information systems to provide services, process data, collect data or operate digitally may be affected by cybersecurity obligations. E-commerce businesses, payment service providers, software companies, cloud service providers, healthcare providers, logistics companies, energy companies, financial institutions, telecommunications providers and professional service firms may all need to assess their position under the law.

For public institutions, the law is even more significant because the state’s digital infrastructure, public databases, citizen services, public procurement systems, health platforms, tax systems and judicial or administrative systems may be considered highly sensitive.

The law also gives special importance to critical infrastructure. Although detailed sectoral designations and secondary regulations are expected to clarify many implementation issues, legal commentary and public materials indicate that sectors such as energy, transportation, electronic communications, finance and essential public services are likely to be highly relevant in practice.

3. The Cybersecurity Presidency and Centralized Governance

A major feature of Law No. 7545 is the central role of the Cybersecurity Presidency. The Presidency is empowered to carry out activities to increase the cyber resilience of critical infrastructure and information systems, protect them against cyberattacks, detect cyberattacks, prevent possible attacks, reduce or eliminate their effects, conduct or commission vulnerability and penetration tests, perform risk analyses, combat cyber threats, generate and share cyber threat intelligence and conduct malware analysis.

The Presidency may also identify critical infrastructures and their responsible institutions, ensure asset inventories and data inventories are kept for public institutions and critical infrastructures, establish or supervise cyber incident response teams, prepare cybersecurity standards, conduct testing and certification of cybersecurity products and services, and carry out cybersecurity audits.

For companies and public institutions, this means that cybersecurity compliance will increasingly involve interaction with a central authority. Organizations may need to respond to information requests, report incidents, cooperate during audits, align with policies and standards, and ensure that their cybersecurity products or services meet certification requirements where applicable.

4. General Cybersecurity Obligations of Companies

Companies operating in cyberspace should evaluate their duties under Article 7 of Law No. 7545. The law requires covered persons and entities that provide services, collect data, process data or conduct similar activities by using information systems to provide requested data, information, documents, hardware, software and other contributions to the Presidency in a timely manner. It also requires them to take legally required cybersecurity measures and notify the Presidency without delay of detected vulnerabilities or cyber incidents in the area where they provide services.

For private companies, this creates several practical obligations:

First, companies must identify whether their services and systems fall within the law’s scope. A business that operates customer portals, payment systems, SaaS platforms, cloud databases, mobile applications or online service infrastructure should not assume that the law is irrelevant.

Second, companies should establish internal cybersecurity governance. This includes assigning responsible teams, documenting risk assessments, adopting incident response procedures and ensuring communication between IT, legal, compliance and management.

Third, companies must be prepared for incident reporting. Since the law requires notification without delay for detected vulnerabilities and cyber incidents, organizations need internal escalation mechanisms. If employees or IT service providers discover a serious vulnerability, malware event, ransomware attack, unauthorized access, data exfiltration or service disruption, the company must be able to evaluate and report the incident promptly.

Fourth, companies should maintain evidence and logs. A company cannot properly respond to a cyber incident if it does not know which systems were accessed, what data was affected or when the incident occurred.

5. Obligations of Public Institutions

Public institutions carry a heightened responsibility because their digital systems often support essential public services. Under Law No. 7545, the Cybersecurity Presidency may establish, operate or ensure the operation of infrastructures necessary to provide cybersecurity for public institutions and critical public services. It may also provide or ensure secure hosting services for public institutions and determine implementation procedures for these activities.

Public institutions must therefore approach cybersecurity as part of public service continuity. Their duties may include maintaining asset inventories, data inventories, risk analyses, incident response capacity, secure procurement practices, log management, vulnerability management and coordination with the Presidency.

The obligation to maintain asset and data inventories is especially important. If a public institution does not know which systems, databases, endpoints, suppliers, applications and data categories it has, it cannot properly assess cyber risk. Public institutions and critical infrastructures are expected to keep inventories of all assets, including data inventories, conduct risk analyses and implement appropriate security measures according to asset criticality.

In practical terms, public institutions should prepare cybersecurity governance files, system maps, vendor lists, data classifications, backup procedures, disaster recovery plans and cyber incident response protocols.

6. Critical Infrastructure Operators

Critical infrastructure operators are likely to face the strictest obligations under Turkish Cybersecurity Law. Critical infrastructures may include systems where disruption could affect public order, national security, economic stability, public health or essential services.

Although sector-specific implementation details continue to develop, the law already provides a strong basis for increased obligations. The Cybersecurity Presidency is authorized to identify critical infrastructures and the institutions and locations to which they belong. It is also authorized to ensure asset inventories and risk analyses for public institutions and critical infrastructures and to take or ensure security measures according to asset criticality.

Critical infrastructure operators should expect obligations relating to:

  • asset and data inventories;
  • cyber risk assessments;
  • incident response teams;
  • vulnerability and penetration testing;
  • certified cybersecurity products and services;
  • secure procurement;
  • audit readiness;
  • reporting of incidents and vulnerabilities;
  • business continuity and disaster recovery;
  • supply chain cybersecurity;
  • documentation of controls and remedial measures.

For sectors such as energy, transportation, finance, telecommunications, healthcare, public utilities and essential public services, compliance should be treated as a strategic legal priority.

7. Cyber Incident Reporting and Vulnerability Notification

One of the most important obligations under Turkish Cybersecurity Law is the duty to report vulnerabilities and cyber incidents. Organizations covered by the law must notify the Cybersecurity Presidency without delay of detected vulnerabilities or cyber incidents in the area where they provide services.

This obligation is broader than personal data breach reporting. A cyber incident may trigger reporting even if no personal data has been compromised. According to recent comparative legal guidance, the Cybersecurity Law defines a cyber incident as a violation of the confidentiality, integrity or availability of information systems or data, and the duty to report vulnerabilities and incidents applies independently from personal data breach notification rules.

This distinction is critical. A ransomware attack, DDoS attack, service disruption, unauthorized access, malware infection, data integrity incident or vulnerability affecting critical systems may need to be evaluated under Law No. 7545 even if the organization has not confirmed a personal data breach.

Companies should therefore create an internal incident classification system. Every event should be evaluated under at least three questions:

  1. Is this a cybersecurity incident under Law No. 7545?
  2. Is this a personal data breach under KVKK?
  3. Is this also a criminal incident requiring a complaint to the public prosecutor?

The answer may differ for each legal route.

8. Relationship with Personal Data Protection Law

Cybersecurity and personal data protection are closely connected. A cyber incident may involve personal data if customer records, identity numbers, employee files, health data, financial data, passwords, IP logs, e-mail addresses or user account information are accessed, altered, encrypted or transferred.

Law No. 7545 expressly recognizes the importance of personal data and trade secrets. It provides that personal data processed within the scope of cybersecurity activities must be processed lawfully, fairly, for specific and legitimate purposes, limited and proportionate to the purpose, and retained only for the necessary period. It also provides that personal data and trade secrets obtained within the framework of the law must be deleted, destroyed or anonymized when the reasons requiring access disappear.

This means that cybersecurity investigations must be legally controlled. Even where authorities or organizations act for cybersecurity purposes, personal data protection principles remain relevant.

Companies should therefore coordinate cybersecurity compliance with KVKK compliance. Incident response plans should include both cybersecurity reporting and personal data breach assessment. Legal counsel should review whether the incident requires notification to the Cybersecurity Presidency, the Personal Data Protection Authority, affected individuals, contractual counterparties, insurers or sectoral regulators.

9. Procurement and Certified Cybersecurity Products

Law No. 7545 introduces important procurement-related obligations. Public institutions and critical infrastructures must procure cybersecurity products, systems and services from cybersecurity experts, manufacturers or companies authorized and certified by the Cybersecurity Presidency.

This is especially important for public procurement, critical infrastructure projects, managed security services, penetration testing services, security software, hardware, monitoring systems, incident response services and cybersecurity consulting.

Companies operating in the cybersecurity sector must also pay attention to authorization, certification and documentation requirements. Cybersecurity companies subject to certification, authorization and documentation rules must obtain approval before commencing operations within the framework of existing regulations.

The practical consequence is clear: cybersecurity vendors will need to monitor certification requirements closely. Public institutions and critical infrastructure operators should review their vendor contracts and ensure that procurement processes comply with authorization and certification rules once applicable implementation details are in force.

10. Cybersecurity Audits and Inspection Powers

The Cybersecurity Presidency has broad audit powers. It may audit all acts and transactions falling within the scope of the law and conduct or commission on-site inspections. Audits may be carried out by Presidency personnel or authorized independent auditors and audit institutions. For public institutions and critical infrastructures, audits must be conducted by or in the presence of Presidency personnel.

Audit officers may examine data, documents, electronic infrastructure, devices, systems, software and hardware; take copies, digital copies or samples; request written or oral explanations; prepare official minutes; and inspect facilities and operations.

For companies and public institutions, audit readiness is essential. Organizations should maintain written policies, system inventories, risk assessments, incident records, supplier contracts, access control logs, penetration test reports, remediation records, backup procedures and internal governance documents.

A company that has technical controls but no documentation may struggle during an audit. Conversely, a company that has written policies but no actual implementation may also face risk. Cybersecurity compliance requires both practice and proof.

11. Administrative Fines and Criminal Sanctions

Law No. 7545 includes significant administrative and criminal sanctions. Failure to provide requested information, documents, software, data or hardware to authorized bodies, or preventing their collection, may lead to imprisonment and judicial fines. Conducting activities without required approvals, authorizations or permits may also result in imprisonment and judicial fines. Breach of confidentiality obligations may lead to serious imprisonment penalties.

The law also introduces sanctions for making available, sharing or selling personal data or corporate data within the scope of critical public service where such data was previously included in cyberspace due to data leakage; creating or spreading false content about nonexistent data leaks to cause public fear or target institutions; and cyberattacks against elements constituting Turkey’s national power in cyberspace.

Administrative fines are also substantial. Failure to fulfil certain duties and responsibilities under Article 7 may result in administrative fines from one million Turkish Liras to ten million Turkish Liras, while failure to fulfil certain obligations under Article 18 may result in administrative fines from ten million Turkish Liras to one hundred million Turkish Liras. Failure to fulfil certain audit-related obligations may lead to fines from one hundred thousand Turkish Liras to one million Turkish Liras; for commercial companies, the fine may reach up to five percent of gross sales revenue shown in independently audited annual financial statements.

These sanctions show that cybersecurity compliance is no longer optional. Failure to report, cooperate, obtain required approvals, comply with audit obligations or protect critical infrastructure may create serious legal consequences.

12. Relationship with Turkish Penal Code Cybercrime Provisions

Cybersecurity Law No. 7545 does not replace the Turkish Penal Code. Instead, it operates alongside traditional cybercrime provisions. A cyber incident may still involve:

  • unlawful access to information systems under TCK Article 243;
  • system interference, data deletion or data alteration under TCK Article 244;
  • bank or credit card misuse under TCK Article 245;
  • prohibited devices or programs under TCK Article 245/A;
  • qualified fraud under TCK Article 158;
  • personal data crimes under TCK Articles 135–140;
  • threats, blackmail, privacy offences or trade secret offences.

For example, a ransomware attack against a private company may constitute system interference under Article 244, while also triggering Cybersecurity Law reporting obligations and KVKK breach assessment. A cyberattack against critical public service data may fall within the heavier sanctions of Law No. 7545 depending on the facts.

Therefore, organizations must not analyze cybersecurity incidents from only one legal angle. A single incident may require regulatory reporting, criminal complaint, civil litigation, data protection notification and contractual notification.

13. Compliance Checklist for Companies

Companies operating in Turkey should consider the following cybersecurity compliance steps:

  • Identify whether the company falls within the scope of Law No. 7545.
  • Map all information systems, digital services and data flows.
  • Prepare an asset inventory and data inventory.
  • Conduct cybersecurity risk analysis.
  • Adopt written cybersecurity policies.
  • Establish an incident response plan.
  • Create internal reporting channels for cyber incidents and vulnerabilities.
  • Define when and how to notify the Cybersecurity Presidency.
  • Coordinate cybersecurity incident response with KVKK breach response.
  • Maintain logs and evidence preservation procedures.
  • Review contracts with IT vendors, cloud providers and cybersecurity suppliers.
  • Ensure public institution or critical infrastructure procurement follows certified provider requirements where applicable.
  • Train employees on phishing, ransomware and access control.
  • Implement multi-factor authentication and role-based access.
  • Test backups and disaster recovery plans.
  • Conduct penetration testing with written authorization.
  • Prepare audit documentation.
  • Assign internal responsibility to legal, IT, compliance and management teams.

The objective is not merely to avoid fines. A strong compliance program reduces operational disruption, protects data, strengthens litigation position and demonstrates corporate diligence.

14. Compliance Checklist for Public Institutions

Public institutions should adopt a more structured approach because their systems may affect public service continuity. Key measures include:

  • Complete inventory of information assets and data assets.
  • Classification of systems according to criticality.
  • Risk analysis for each critical system.
  • Secure hosting and infrastructure review.
  • Coordination with the Cybersecurity Presidency.
  • Establishment or strengthening of cyber incident response teams.
  • Procurement from authorized and certified cybersecurity providers where required.
  • Continuous monitoring of vulnerabilities.
  • Logging, backup and disaster recovery procedures.
  • Training of public personnel.
  • Incident reporting protocols.
  • Regular internal audits.
  • Compliance documentation for external inspections.
  • Secure handling of personal data and trade secrets.
  • Legal review of cybersecurity-related procurement and contracts.

Public institutions must also ensure that cybersecurity measures do not violate fundamental rights, privacy or personal data protection principles. The law itself emphasizes the rule of law, fundamental rights and privacy as basic principles.

15. Incident Response Under Turkish Cybersecurity Law

A proper cyber incident response plan should include both technical and legal steps. When an incident occurs, an organization should identify the incident, contain the threat, preserve evidence, assess legal reporting duties, evaluate personal data impact, notify relevant authorities if required, communicate with stakeholders and document all decisions.

The legal team should be involved early. Delayed legal assessment may result in missed reporting obligations, inconsistent statements, loss of evidence or unnecessary admissions.

A practical incident response structure should include:

  1. Immediate technical containment.
  2. Preservation of logs, malware samples and affected systems.
  3. Internal escalation to management and legal counsel.
  4. Classification under Law No. 7545.
  5. KVKK breach assessment.
  6. Criminal law assessment.
  7. Notification to the Cybersecurity Presidency where required.
  8. Notification to the Personal Data Protection Authority where required.
  9. Communication with insurers and contractual partners.
  10. Remediation and post-incident review.

The organization should document why it did or did not make each notification. This documentation may be important in later audits, investigations or litigation.

16. Cybersecurity Vendors and Service Providers

Cybersecurity service providers have a special position under Law No. 7545. Companies that provide cybersecurity products, software, hardware, systems or services may be subject to certification, authorization, documentation and approval requirements.

The law also regulates certain corporate transactions involving companies producing cybersecurity products, systems, software, hardware and services. Merger, demerger, share transfer or sale transactions must be notified to the Presidency, and transactions providing direct or indirect control rights or decision-making authority over the company are subject to Presidency approval. Transactions carried out without the required approval are not legally valid.

This is particularly important for M&A transactions, venture capital investments, foreign investment, cybersecurity startups, software companies and managed security service providers. Legal due diligence in cybersecurity company transactions should now include Law No. 7545 compliance.

17. Secondary Regulations and Developing Enforcement Practice

Because Law No. 7545 is relatively new, many practical details depend on secondary regulations, sectoral guidance and enforcement practice. Current legal guidance notes that the framework is risk-based rather than a single uniform checklist, and stricter obligations are expected for public institutions, critical infrastructure operators and cybersecurity-sector actors. It also states that further details on certification, incident response teams, log or data inventory retention and specific cyber resilience strategies are expected through implementing regulations.

This uncertainty should not lead companies to wait passively. The primary direction of the law is clear: organizations must take cybersecurity measures, report vulnerabilities and cyber incidents without delay, cooperate with the Presidency, prepare for audits and align with applicable policies.

In other words, even before every secondary detail is finalized, companies and public institutions should build a compliance foundation.

18. Why Legal Assistance Is Important

Cybersecurity compliance requires cooperation between legal, IT, compliance, risk management and senior management. A cyber incident may trigger multiple legal regimes at once. A company may need to report an incident to the Cybersecurity Presidency, notify the Personal Data Protection Authority, file a criminal complaint, inform customers, contact insurers, preserve evidence and respond to contractual counterparties.

A Turkish cybersecurity lawyer can assist with:

  • Law No. 7545 compliance analysis;
  • incident reporting assessment;
  • KVKK breach notification strategy;
  • cybersecurity policy drafting;
  • vendor contract review;
  • public procurement compliance;
  • cyber incident response planning;
  • internal investigation support;
  • criminal complaint preparation;
  • audit response;
  • administrative fine defence;
  • M&A due diligence for cybersecurity companies;
  • civil liability and compensation claims.

The most effective approach is preventive. Legal compliance should be built before the cyber incident occurs, not after the damage has already been done.

Conclusion

Cybersecurity Law in Turkey has become a central legal and regulatory issue with the enactment of Law No. 7545. The law applies broadly to public institutions, private companies, real persons, legal persons and organizations operating in cyberspace. It creates obligations relating to cybersecurity measures, incident and vulnerability notification, cooperation with the Cybersecurity Presidency, procurement from certified providers, risk analysis, asset inventories, audits and compliance with national cybersecurity policies.

For companies, the law requires cybersecurity to be treated as a governance and compliance issue. For public institutions, it requires systematic protection of public digital services and critical information systems. For critical infrastructure operators, it signals stricter expectations around resilience, incident response, certified products and audit readiness.

The sanctions under Law No. 7545 are significant, including administrative fines, judicial fines and imprisonment for certain violations. The law also interacts with Turkish Penal Code cybercrime provisions, KVKK, Law No. 5651, sector-specific regulations and civil liability rules.

The key message is simple: cybersecurity is now a legal obligation in Turkey. Companies and public institutions should prepare inventories, conduct risk analyses, establish incident response plans, document measures, train personnel, review vendors, preserve logs and create clear reporting procedures. In the modern digital environment, strong cybersecurity is not only technical protection; it is legal protection, corporate protection and public trust protection.
