Introduction
Telecom licensing requirements in Turkey for internet-based services are one of the most important legal issues for technology companies, internet service providers, cloud communication platforms, VoIP providers, hosting companies, data centers, SaaS businesses, IoT platforms, public Wi-Fi providers, foreign digital service providers and investors entering the Turkish market.
Many businesses describe themselves as “internet-based service providers” rather than telecom companies. However, under Turkish law, the legal classification does not depend only on how the company markets itself. A business may fall within the electronic communications regulatory framework if it provides internet access, data transmission, connectivity, electronic communications infrastructure, network operation, communication between users, VoIP services, satellite internet, virtual mobile services, IoT connectivity or similar services.
The main legal framework is Law No. 5809 on Electronic Communications. The Information and Communication Technologies Authority, known as BTK or ICTA, is the main regulatory authority. BTK states that Law No. 5809 covers regulation, authorization, inspection and reconciliation activities related to electronic communications services, devices and systems, and that BTK is responsible for restricting or prohibiting non-compliant services or products and imposing sanctions where necessary.
In Turkish telecom law, the term commonly used in practice as “license” is legally closer to “authorization.” BTK defines authorization as the registration of companies before the Authority for providing electronic communications services or networks, or granting them specific rights and obligations related to electronic communications services. BTK also states that authorization aims to increase market players, create competition, establish security, encourage domestic and foreign investment, ensure efficient use of national resources, protect consumers and ensure services of a certain quality.
For internet-based services, the key question is simple but critical: does the service merely use the internet as a tool, or does it provide an electronic communications service, network or infrastructure? The answer determines whether BTK authorization is required.
Why Licensing Matters for Internet-Based Services in Turkey
Internet-based services are now broader than traditional web pages. They include broadband internet access, cloud communication tools, video conferencing, messaging applications, VoIP, VPN-based corporate connectivity, public Wi-Fi, data center services, hosting, IoT connectivity, smart city platforms, connected vehicles, eSIM solutions, content delivery networks, online gaming infrastructure and digital platforms.
Some of these services may not require telecom authorization if they are purely software, content, e-commerce or internal IT services. However, some may require BTK authorization if they involve electronic communications service provision, internet access, infrastructure operation or transmission of data between users through a regulated network.
This distinction matters because providing regulated services without authorization can lead to administrative sanctions, service suspension, contract disputes, consumer complaints, loss of investor confidence and regulatory barriers. BTK has broad supervisory powers and may monitor operators for compliance with license conditions, equipment standards, sector legislation and spectrum use. BTK may also impose sanctions on operators that do not comply with regulations.
Therefore, internet-based businesses should conduct a telecom licensing analysis before launch, not after receiving a complaint or regulatory request.
Main Legal Framework
The main legal sources for internet-based services in Turkey include:
Law No. 5809 on Electronic Communications.
BTK authorization regulations and Board decisions.
BTK CEVHER application procedures.
Law No. 5651 on internet publications.
Law No. 6698 on the Protection of Personal Data.
Network and information security regulations.
Consumer protection legislation.
Commercial electronic communication rules.
Technical equipment and radio device regulations.
Cybersecurity legislation and administrative practice.
Law No. 5809 is the central law where the business involves electronic communications. Law No. 5651 becomes relevant where the business acts as a content provider, hosting provider, access provider or public internet use provider. KVKK applies where the business processes personal data, including IP addresses, subscriber data, traffic data, location data, account data, customer records or communication metadata.
What Is BTK Authorization?
BTK authorization is the regulatory mechanism that allows a company to provide electronic communications services or operate electronic communications networks or infrastructure in Turkey. It is not merely a commercial registration. It creates legal rights and obligations, including service scope, reporting duties, consumer protection duties, network security obligations, administrative fee payments, audit obligations and compliance with BTK decisions.
BTK’s authorization system recognizes two main forms: authorization through notification and authorization through granting of usage rights. The relevant route depends on whether the service requires scarce resources such as numbers, frequencies or satellite positions.
If the service does not require scarce public resources, notification-based authorization may be sufficient. If the service requires numbers, frequencies, satellite positions or other scarce resources, usage rights may be required.
For internet-based services, this distinction may be important. A fixed ISP service may involve authorization as an internet service provider. A satellite internet service may require additional analysis because satellite resources may be involved. A VoIP service using numbers may require numbering analysis. An IoT platform using SIM or eSIM connectivity may require analysis of whether the company itself provides electronic communications or merely purchases connectivity from an authorized operator.
Services Subject to Authorization
BTK’s services subject to authorization page states that functions defined under Law No. 5809, including electronic communications, electronic communications infrastructure, infrastructure operation, electronic communications service and electronic communications network, may be carried out by obtaining authorization from the Authority. The page defines electronic communications broadly as transmission, sending and reception of signs, symbols, sounds, images and data that can be converted into electrical signals through cable, radio, optical, electric, magnetic, electromagnetic, electrochemical, electromechanical and other transmission systems.
This broad definition is highly important for internet-based businesses. A company may fall within the authorization framework even if it does not operate a traditional telephone network. The legal assessment depends on the real function of the service.
Examples of internet-based services that may require careful BTK authorization analysis include:
Internet service provision.
Fixed broadband access.
Fiber internet service.
Wireless internet access.
Satellite internet service.
VoIP and cloud voice services.
Virtual mobile network services.
Corporate data transmission services.
Public Wi-Fi services offered commercially.
IoT connectivity services.
eSIM-based connectivity.
Infrastructure operation.
Wholesale internet access.
Private network services offered to third parties.
A company should not assume that because its service is “internet-based,” it is outside telecom regulation. If the company provides access, transmission, network operation, infrastructure or connectivity to third parties, BTK authorization may become relevant.
Services Not Subject to Authorization
Not every internet-related activity requires BTK authorization. BTK explains that, according to Article 8 of Law No. 5809, the general principle is that electronic communications services, networks or infrastructure should primarily be procured from operators authorized by BTK. However, certain services, networks or infrastructure used exclusively by a natural or legal person for personal or institutional needs within immovable properties under their own use, not extending beyond each property, not used to provide electronic communications services to third parties, not pursued for commercial purposes and not offered to the public, are not subject to authorization. Public institutions may also establish certain networks for their own services under specific laws.
This exception is important for internal corporate networks. For example, a company that builds a closed internal network inside its own factory, office, campus or warehouse for its own institutional needs may not necessarily need telecom authorization if all statutory conditions are satisfied.
However, the exception should be interpreted carefully. If the network is offered to tenants, customers, visitors, affiliates, third parties or the public, or if it is commercialized, the exemption may no longer apply. A hotel, shopping mall, co-working space, municipality or event venue offering public Wi-Fi should not rely automatically on the internal-use exception.
Internet Service Provider Licensing in Turkey
Internet service provider activities are one of the clearest examples of internet-based services that may require BTK authorization. BTK’s end-user tariffs page states that retail-level internet access services to end users are provided by Internet Service Providers authorized by BTK to offer ISP services. The same page explains that ISPs use Türk Telekom infrastructure in certain DSL contexts and that Türk Telekom’s wholesale-level tariffs for ISPs are subject to BTK approval, while retail prices charged by ISPs to end users are not subject to BTK approval under the relevant legislation.
This shows that the Turkish legal system recognizes ISPs as authorized operators. A business that wants to sell internet access to end users under its own brand must review ISP authorization requirements.
ISP authorization may be relevant for fixed broadband, fiber broadband, wireless internet, corporate internet access, satellite internet, wholesale internet resale and certain public Wi-Fi models. The exact authorization route depends on the technical and commercial structure of the service.
An ISP should also consider additional obligations, including consumer contracts, tariff transparency, service quality, cancellation procedures, traffic data handling, Law No. 5651 obligations, cybersecurity, KVKK compliance and administrative fees.
CEVHER Application Process
BTK authorization applications are conducted through the CEVHER System. BTK’s guidance states that applications for initial authorization, additional authorization, authorization renewal, authorization adequacy control period and related processes are conducted through BTK’s CEVHER System. It also states that changes in information submitted by authorized operators must be notified through the Operator Information Update tab, and supporting documents must be uploaded where required.
For internet-based service providers, this means that regulatory compliance continues after authorization. A company must update BTK about relevant corporate, address, management, shareholder, KEP, authorization scope or documentation changes where required.
The CEVHER process also requires corporate preparation. BTK states that a company applying for authorization through notification or usage right together with notification must generally be established as a limited liability company or joint-stock company solely for activities subject to authorization or activities necessary to provide the authorized service. The articles of association must include wording such as providing electronic communications or telecommunications services and/or establishing and operating a network or infrastructure, and should not include unrelated activities such as food, automotive, tourism or construction.
This is especially important for technology companies. Many startups are established with broad articles of association covering software, consultancy, trade, e-commerce and general technology services. Such broad-purpose structures may need amendment before a BTK application.
Paid-In Capital and Corporate Conditions
BTK authorization is linked not only to technical service classification but also to company structure. BTK’s CEVHER application guidance includes minimum paid-in capital and eligibility requirements. Under BTK Board Decision dated 10 March 2026 and numbered 2026/DK-YED/71, the paid-in capital requirement is TRY 2,500,000 for OKTH authorization and TRY 10,000,000 for other authorizations.
The same guidance requires certain shareholder and management eligibility checks. Real person shareholders holding at least ten percent of the company’s shares, persons authorized to manage and represent the legal entity and certain shareholders in legal entity shareholders must not have specified criminal convictions, including certain information systems crimes, crimes against state security, crimes against constitutional order, privacy offences, embezzlement, bribery, fraud, forgery, money laundering, tax evasion and certain violations under Law No. 5809.
Foreign investors and technology founders should pay close attention to these requirements. A company may have a viable commercial model but still fail authorization review if its articles of association, capital, shareholder structure or management records are not compliant.
Administrative Fees
Authorized operators are subject to administrative fee obligations. BTK’s administrative fee page states that the authorization fee consists of administrative fees and usage right fees. It also explains that operators pay an administrative fee amounting to thirty-five ten-thousandths of their previous year’s net sales reflected in the income statement, subject to applicable lower limits. BTK also states that operators must submit approved income statements and that failure to pay administrative fees within the specified periods may lead to cancellation of authorizations.
This is important for internet-based service providers because regulatory cost should be included in the business plan. Licensing is not only an initial filing; it creates recurring financial and reporting obligations.
Startups and foreign companies should include administrative fees, accounting procedures, regulatory reporting and compliance monitoring in their financial model.
Law No. 5651: Hosting, Access and Content Provider Obligations
Even where BTK authorization is not required, an internet-based service may be regulated under Law No. 5651. This law regulates content providers, hosting providers, access providers and public internet use providers.
A content provider is generally responsible for the content it creates, changes or makes available online. A hosting provider provides or operates systems hosting services and content. An access provider enables users to access the internet. These categories create different obligations.
Hosting providers may have traffic data retention and content-removal obligations. Legal translations of Law No. 5651 state that hosting providers must keep traffic information for services they provide for a period not less than one year and not more than two years, as determined by regulation, and ensure the accuracy, integrity and privacy of that information.
Access providers may be required to implement lawful access-blocking decisions and maintain traffic information under the relevant rules. This means that an ISP, public Wi-Fi provider or access-enabling platform must examine Law No. 5651 obligations in addition to BTK authorization.
A SaaS or cloud platform may not need ISP authorization if it merely provides software, but it may still be a hosting provider under Law No. 5651 if it hosts user content or customer data accessible through the internet.
VoIP and Cloud Communication Services
VoIP and cloud communication services are among the most complex internet-based service models. A business may offer voice calls over the internet, video calls, messaging APIs, call center software, cloud PBX, click-to-call services, virtual numbers, SIP trunking or communication APIs embedded into other applications.
The legal classification depends on the service structure. If the company merely provides software enabling communication over infrastructure operated by authorized telecom operators, the analysis may be different. If the company provides electronic communications service to third parties, assigns numbers, routes calls, interconnects with telecom networks or sells voice services, BTK authorization and numbering obligations may become relevant.
VoIP providers should examine:
Whether the service is an electronic communications service.
Whether numbering resources are used.
Whether calls connect to the public telephone network.
Whether the provider controls routing or transmission.
Whether the provider sells communication service under its own brand.
Whether users are in Turkey.
Whether consumer contracts are involved.
Whether call records and traffic data are processed.
A technology company should not rely only on the label “cloud software.” If the core service is communication between users, licensing analysis is necessary.
SaaS, Cloud and Platform Services
Many SaaS and cloud services do not require telecom authorization. For example, accounting software, CRM software, project management tools, document storage, HR software or ordinary cloud applications may not be electronic communications services merely because they operate through the internet.
However, telecom law may become relevant where the SaaS product includes communication features, user messaging, VoIP, video conferencing, SMS gateways, internet access, data transmission infrastructure, hosting, CDN, public connectivity or IoT connectivity.
The correct approach is functional analysis. The company should separate the software layer from the connectivity layer. If the company only provides software and the user’s internet access is provided by an authorized ISP, BTK authorization may not be needed. If the company provides the connection, network, transmission or communication service itself, the situation changes.
SaaS contracts should also allocate telecom-related responsibilities. For example, a cloud communication platform should define who is responsible for lawful use, call records, personal data, official requests, service interruption, traffic data, customer notifications and regulatory compliance.
Public Wi-Fi Services
Public Wi-Fi is a common internet-based service model in hotels, cafes, shopping malls, municipalities, airports, universities, hospitals, co-working spaces and event venues. Public Wi-Fi may raise both telecom authorization and Law No. 5651 issues.
A business offering Wi-Fi only for internal staff use may be different from a business offering internet access to customers, tenants, visitors or the public. Where internet access is offered to third parties, especially as part of a commercial service, the authorization and public internet use provider obligations should be analyzed.
Public Wi-Fi arrangements should address:
Whether the connectivity is provided by an authorized ISP.
Whether the business itself provides internet access.
Whether user authentication is required.
Whether traffic logs must be retained.
Who responds to official requests.
Who implements access-blocking obligations.
How personal data is processed.
How user notices are provided.
How cybersecurity risks are managed.
A hotel or shopping mall should not simply install a router and assume that all legal responsibilities belong to the upstream ISP. The contractual and legal structure must be reviewed.
IoT and Internet-Based Connectivity
IoT services often rely on internet-based connectivity. Devices may transmit data through mobile networks, fixed networks, satellite networks, Wi-Fi, LPWAN or private networks. The legal classification depends on whether the company provides connectivity or only sells devices/software.
An IoT company that only sells sensors and a dashboard may not require telecom authorization if connectivity is provided by an authorized operator and the IoT company does not resell or control electronic communications services. However, an IoT company that provides SIM cards, eSIM profiles, connectivity packages, private network services or data transmission under its own brand may need BTK analysis.
IoT also creates KVKK and cybersecurity risks. Device identifiers, location data, behavioral data, vehicle data, household data, health-related data and industrial data may be personal data or commercially sensitive data. Contracts should define the roles of device manufacturer, connectivity provider, platform provider, cloud host, data controller and data processor.
Data Protection and KVKK Compliance
Internet-based services almost always process personal data. KVKK applies to personal data such as names, phone numbers, e-mail addresses, IP addresses, device identifiers, location data, payment data, account information, traffic logs, customer service records and user-generated content.
KVKK requires personal data to be processed lawfully and fairly, accurately, for specified and legitimate purposes, in a proportionate manner and only for the period required by law or by the processing purpose.
Data controllers must also take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access and ensure protection of personal data.
For internet-based services, KVKK compliance should include:
Privacy notices.
Data processing inventory.
Consent mechanisms where required.
Data subject request procedures.
Data retention and deletion policies.
Cross-border transfer analysis.
Vendor and processor agreements.
Cybersecurity measures.
Data breach notification procedures.
Log access controls.
If the service involves traffic data, location data, communication metadata or subscriber data, the privacy risk is higher and stronger safeguards are necessary.
Network and Information Security
BTK’s network and information security framework is relevant to authorized operators and certain service types. BTK states that the Constitution, Law No. 5809, privilege agreements and authorization regulations include obligations related to network and information security. The Regulation on Network and Information Security in the Electronic Communications Sector sets out procedures and principles that operators must comply with.
The same BTK page states that certain obligations apply to all operators, while additional obligations apply to operators holding specific authorization types, including internet service provision, fixed telephone service, virtual mobile network service and satellite communication service, subject to the criteria set by BTK.
Internet-based service providers should therefore implement cybersecurity as a legal compliance requirement. For ISPs, cloud communication providers, IoT connectivity providers and infrastructure operators, cybersecurity failures may trigger BTK scrutiny, KVKK breach notification, consumer claims and contractual liability.
Consumer Rights and Subscriber Contracts
If the internet-based service is offered to consumers, consumer protection rules apply. Internet access subscribers must receive clear information about service scope, price, speed, infrastructure limitations, commitment period, cancellation rights, modem fees, installation costs, technical limitations and complaint channels.
Misleading statements such as “unlimited internet,” “free modem,” “no commitment,” “guaranteed speed” or “no cancellation fee” may create legal risk if the conditions are not clearly disclosed.
Consumer contracts should be written in plain language. For subscription-based digital services, the provider should explain recurring fees, renewal, cancellation, refund policies, service restrictions, data use and support channels.
Internet-based services that combine software, connectivity and hardware should be especially careful. If a consumer buys a smart device that requires a paid internet-based subscription, this dependency should be disclosed clearly.
Foreign Companies Offering Internet-Based Services in Turkey
Foreign companies may face Turkish telecom licensing issues if they target Turkish users, provide services in Turkey, use Turkish numbers, sell connectivity to Turkish customers, host Turkish user content, process Turkish user data or operate infrastructure connected to Turkey.
Foreign companies should first determine whether they need a Turkish legal entity. For regulated electronic communications authorization, BTK corporate conditions generally require a Turkish limited or joint-stock company. For purely software services, a local company may not always be necessary, but KVKK, consumer law, Law No. 5651 and tax issues may still apply.
Foreign businesses should analyze:
Whether the service is an electronic communications service.
Whether BTK authorization is required.
Whether Law No. 5651 applies.
Whether personal data is processed in Turkey.
Whether data is transferred abroad.
Whether Turkish consumer law applies.
Whether local contracts and disclosures are needed.
Whether local technical standards apply.
Whether an authorized Turkish operator partnership is safer.
A foreign company should not assume that compliance with EU or US rules is sufficient for Turkey.
Administrative Sanctions and Legal Risks
BTK has broad audit and sanction powers. It may supervise operators financially, technically, legally and administratively and request information and documents.
Legal risks for internet-based service providers may include:
Operating without BTK authorization.
Providing services outside authorization scope.
Failing to update CEVHER records.
Non-payment of administrative fees.
Failure to comply with consumer rules.
Failure to secure networks.
Failure to protect personal data.
Failure to retain required traffic data.
Non-compliance with access-blocking decisions.
Improper use of numbers or frequencies.
Using non-compliant radio equipment.
Misleading advertising.
Unlawful cross-border data transfers.
Weak contracts with vendors or customers.
Administrative sanctions may be financially significant, but non-financial consequences may be more damaging. These may include authorization cancellation, service restrictions, access blocking, consumer claims, data protection investigations and reputational harm.
Practical Licensing Checklist
A company planning to launch internet-based services in Turkey should follow this checklist:
Define the exact technical and commercial service model.
Identify whether the service involves electronic communications.
Determine whether the company provides access, transmission, network operation or infrastructure.
Check whether BTK authorization is required.
Determine whether notification or usage rights apply.
Check whether scarce resources such as numbers, frequencies or satellite positions are used.
Review whether a Turkish limited or joint-stock company is required.
Prepare articles of association suitable for telecom activities.
Check paid-in capital requirements.
Review shareholder and management eligibility.
Prepare CEVHER application documents.
Review Law No. 5651 status as content, hosting or access provider.
Prepare traffic data retention procedures where applicable.
Prepare KVKK compliance documents.
Analyze cross-border data transfers.
Implement cybersecurity and network security controls.
Prepare consumer contracts and cancellation procedures.
Review equipment conformity.
Create regulatory reporting and administrative fee calendar.
Prepare audit-ready evidence files.
Conclusion
Telecom licensing requirements in Turkey for internet-based services require careful legal classification. The most important question is whether the service merely uses the internet or whether it provides electronic communications, internet access, data transmission, network operation, infrastructure or connectivity to third parties.
Law No. 5809 and BTK authorization rules are central where the business provides electronic communications services. BTK authorization may require notification, usage rights, CEVHER application, suitable company structure, paid-in capital, shareholder and management eligibility, administrative fee payment and ongoing compliance. ISPs are clearly regulated as authorized operators when providing retail internet access services to end users.
However, licensing analysis does not end with BTK authorization. Internet-based services may also fall under Law No. 5651 as hosting providers, access providers or content providers. They may process personal data under KVKK, face network and information security duties, trigger consumer protection rules and require cybersecurity readiness.
For startups, foreign investors and technology companies, the safest approach is to conduct a regulatory classification before launching the service. A business model that appears to be software, cloud, IoT, VoIP, Wi-Fi or platform-based may still create telecom licensing obligations in Turkey.
Companies that build licensing, privacy, cybersecurity and consumer compliance into their market-entry strategy will reduce legal risk, protect users and operate more sustainably in the Turkish digital economy.
Frequently Asked Questions
What is telecom licensing called in Turkey?
In Turkish electronic communications law, the legally accurate concept is generally “authorization.” BTK defines authorization as registration with the Authority for providing electronic communications services or networks, or granting specific rights and obligations to companies.
Do internet-based services always need BTK authorization?
No. Pure software, ordinary cloud tools or internal IT systems may not require BTK authorization. However, services involving internet access, data transmission, network operation, infrastructure, connectivity, numbering, frequency use or electronic communications services should be reviewed carefully.
Do Internet Service Providers need authorization in Turkey?
Yes. BTK states that retail-level internet access services to end users are provided by ISPs authorized by BTK to offer Internet Service Provider services.
What is the CEVHER System?
CEVHER is BTK’s online system for authorization applications, additional authorization, renewal, adequacy procedures and operator information updates.
What company type is required for BTK authorization?
BTK guidance states that the applicant must generally be established as a limited liability company or joint-stock company for activities subject to authorization or necessary activities for the authorized service.
What is the paid-in capital requirement for authorization?
According to BTK guidance, under Board Decision dated 10 March 2026 and numbered 2026/DK-YED/71, paid-in capital is TRY 2,500,000 for OKTH authorization and TRY 10,000,000 for other authorizations.
Are private internal networks subject to authorization?
Not always. BTK explains that networks used exclusively for personal or institutional needs within immovable properties under the user’s own use, not extending beyond each property, not provided to third parties, not commercialized and not offered to the public are not subject to authorization.
Does Law No. 5651 apply to internet-based services?
Yes, where the company acts as a content provider, hosting provider, access provider or public internet use provider. Hosting providers may have traffic data retention and content-removal obligations.
Does KVKK apply to internet-based services?
Yes, if the service processes personal data such as IP addresses, account information, phone numbers, location data, device identifiers, traffic logs or customer records. KVKK requires lawful processing, purpose limitation, proportionality and data security.
What is the biggest legal risk for internet-based service providers in Turkey?
The biggest risk is misclassification. A company may believe that it is only a software or platform provider, while Turkish law may treat part of its activity as electronic communications, internet access, hosting, access provision or personal data processing.
Yanıt yok