Telecommunication Law in Turkey: Legal Risks for Technology Companies

Introduction

Telecommunication law in Turkey creates significant legal risks for technology companies. Many technology businesses do not define themselves as telecom companies. They may describe their activities as software development, cloud services, SaaS, IoT platforms, mobile applications, e-commerce infrastructure, digital communication tools, hosting, data center services, online gaming, connected devices, messaging platforms, cybersecurity products, call center technologies or smart city solutions. However, under Turkish law, a technology company may still fall within the scope of telecommunications regulation if its business involves electronic communications services, internet access, network operation, infrastructure operation, data transmission, hosting, connectivity, traffic data, user communications or access to online content.

The main regulatory framework is Law No. 5809 on Electronic Communications. BTK states that Law No. 5809 covers regulation, authorization, inspection and reconciliation activities related to electronic communications services, devices and systems. This means that the law may apply not only to traditional telecom operators but also to technology companies whose products or services include communication functions, connectivity infrastructure or regulated electronic communications components.

The main regulatory authority is the Information and Communication Technologies Authority, known as BTK. BTK supervises operators, conducts audits, monitors compliance with license conditions, equipment standards, sector legislation and spectrum usage, and may impose sanctions on operators that fail to comply with regulations. BTK may also conduct financial, technical, legal and administrative supervision.

For technology companies, the key legal risk is misclassification. A company may believe that it is only a software or platform provider, while Turkish law may classify part of its activity as electronic communications, internet access provision, hosting, access provision, content provision, public internet use, personal data processing or cybersecurity-related activity. This mistake may lead to unauthorized operation, administrative fines, service suspension, consumer claims, data protection investigations, access-blocking obligations, contract disputes and reputational damage.

Why Technology Companies Must Care about Turkish Telecom Law

Technology companies must care about Turkish telecom law because digital business models increasingly depend on communications infrastructure. A mobile application may send messages between users. A SaaS platform may provide voice or video communication. A cloud service may host user content. An IoT provider may manage SIM-based connectivity. A cybersecurity company may process network logs. A smart city platform may connect public cameras and sensors. A data center may host platforms subject to Law No. 5651. A foreign technology company may provide services to Turkish users through cloud infrastructure and cross-border data transfers.

In these scenarios, the company may face several layers of legal obligations. Law No. 5809 may apply if electronic communications services or infrastructure are involved. Law No. 5651 may apply if the company is a content provider, hosting provider, access provider or public internet use provider. KVKK may apply if personal data is processed. BTK network and information security rules may apply if the company is an operator or provides regulated connectivity services. Consumer protection law may apply if services are offered to end users. Cybersecurity Law No. 7545 and secondary regulations may become relevant for companies operating in cyberspace, especially where critical systems or cyber incident response obligations are involved.

The practical consequence is clear: technology companies should not wait until they receive a complaint, access-blocking order, BTK request or KVKK investigation. Telecom-related legal risk should be assessed before launching the product in Turkey.

Risk 1: Providing Electronic Communications Services without BTK Authorization

The first and most serious risk is providing electronic communications services without BTK authorization. Under the Turkish authorization regime, companies wishing to provide electronic communications services or establish and operate electronic communications networks or infrastructure must comply with BTK procedures before commencing operations.

BTK’s CEVHER application guidance shows that authorization is not a simple formality. The applicant company must satisfy corporate, capital, management and documentation requirements. BTK requires, among other things, eligibility checks for shareholders and managers, submission of requested documents, and minimum paid-in capital. Pursuant to BTK Board Decision dated 10 March 2026 and numbered 2026/DK-YED/71, the paid-in capital requirement is TRY 2,500,000 for OKTH authorization and TRY 10,000,000 for other authorizations.

This is highly relevant for technology companies offering connectivity-based services. For example, an IoT startup that provides SIM-based connectivity under its own brand, a cloud communications platform offering voice transmission, a wireless internet provider, a satellite connectivity reseller, a private network integrator or a company operating fiber infrastructure may need to evaluate whether BTK authorization is required.

The risk is not limited to large operators. Smaller technology companies may also fall within the regulatory perimeter if they provide electronic communications services to third parties. Operating first and asking legal questions later may create serious consequences.

Risk 2: Incorrect Business Model Classification

Technology companies often use commercial labels that do not match legal categories. A business may call itself a “platform,” “solution provider,” “integrator,” “cloud service,” “connectivity layer,” “communication API,” “managed network service” or “IoT dashboard.” However, Turkish law looks at the substance of the activity.

A company should ask the following questions:

Does the service transmit signals, voice, images, messages or data between users?

Does the company provide internet access or network access?

Does it operate infrastructure, routers, antennas, fiber, gateways or communication systems?

Does it allocate SIM cards, eSIM profiles, numbers, IP addresses or connectivity credentials?

Does it provide communication between devices or users?

Does it resell connectivity under its own brand?

Does it host third-party content?

Does it provide public Wi-Fi or shared internet access?

Does it process traffic logs, IP addresses or communication metadata?

If the answer to any of these questions is yes, a telecom, internet law or data protection analysis is necessary. Misclassification may lead to wrong contracts, missing authorizations, inadequate privacy notices, unlawful data retention, failure to implement access-blocking orders or incorrect consumer disclosures.

Risk 3: Law No. 5651 Obligations for Internet Actors

Law No. 5651 is one of the most important legal risk areas for technology companies in Turkey. It regulates content providers, hosting providers, access providers and public internet use providers. A technology company may fall into one or more of these categories even if it does not consider itself an internet law actor.

Under Law No. 5651, a content provider is responsible for the content it makes available on the internet. A hosting provider is not generally obliged to check hosted content or investigate whether hosted content is illegal, but it must remove unlawful content when legally notified under the relevant provisions. Hosting providers must also keep traffic information for their services for a period of not less than one year and not more than two years and ensure the accuracy, integrity and privacy of that information.

Access providers also have obligations. They must block access to illegal content when informed in accordance with the law, keep traffic information for a legally determined period and ensure its accuracy, integrity and privacy. Access providers are not generally obliged to check whether the content accessed through them is unlawful. Law No. 5651 also establishes the Access Providers Association mechanism and states that internet service providers that are not members of the Association cannot operate.

This framework creates risks for cloud companies, hosting platforms, SaaS tools, online marketplaces, social platforms, gaming platforms, public Wi-Fi providers and digital infrastructure companies. If a company hosts user-generated content, it must have notice-and-takedown procedures. If it provides access, it must be ready for access-blocking compliance. If it processes traffic data, it must secure and retain logs properly.

Risk 4: Content Liability and Platform Responsibility

Technology companies that allow users to upload, share, comment, stream, publish or store content face content liability risk. This applies to social media platforms, review websites, marketplaces, video platforms, cloud storage services, forums, online games, messaging communities and collaborative software tools.

The main principle is that the content provider is responsible for its own content. However, platforms may face legal duties when they host third-party content, receive legally valid notices, fail to remove unlawful material, present third-party content as their own, or actively promote illegal content.

The risk is particularly high for content involving defamation, violation of privacy, unlawful personal data disclosure, intellectual property infringement, illegal betting, obscenity, child protection issues, misleading advertising, unfair competition or criminal offences. A platform should not treat content moderation as only a community-management issue. It is also a legal compliance function.

Technology companies operating user-generated content services should implement clear terms of use, complaint channels, content moderation policies, evidence preservation rules, escalation procedures, legal review mechanisms and transparency procedures. A weak moderation system may expose the company to civil claims, administrative sanctions, criminal complaints and reputational harm.

Risk 5: Personal Data Protection and KVKK Compliance

Almost every technology company operating in telecommunications or digital services processes personal data. This may include names, e-mail addresses, phone numbers, IP addresses, device identifiers, location data, account records, payment data, traffic logs, user-generated content, call recordings, message metadata, usage analytics and customer support records.

KVKK defines personal data broadly and sets out strict principles for processing. Personal data must be processed lawfully and fairly, be accurate and kept up to date where necessary, be processed for specified, explicit and legitimate purposes, be relevant, limited and proportionate to the processing purpose, and be retained only for the period required by law or the processing purpose. KVKK also regulates special categories of personal data and cross-border transfers.

For technology companies, the most common KVKK risks are:

Collecting more data than necessary.

Using vague privacy notices.

Relying on invalid consent.

Combining service consent with marketing consent.

Transferring data abroad without a proper legal mechanism.

Using foreign cloud infrastructure without transfer analysis.

Sharing data with vendors without data processing terms.

Failing to respond to data subject requests.

Retaining logs indefinitely.

Failing to notify data breaches.

Processing traffic or location data for analytics or advertising without a valid legal basis.

KVKK compliance should be built into product design. Privacy notices, data inventories, consent management, retention policies, vendor contracts, cross-border transfer mechanisms and breach response procedures should be ready before launch.

Risk 6: Cross-Border Data Transfers

Cross-border data transfer is a particularly important issue for foreign technology companies and Turkish startups using global cloud services. Many technology companies store data outside Turkey, use foreign analytics tools, rely on global CRM systems, process support tickets abroad, use international cybersecurity providers or allow foreign group companies to access Turkish user data.

KVKK Article 9 was amended in 2024 and now regulates cross-border transfers through mechanisms such as adequacy decisions and appropriate safeguards, provided that the relevant processing conditions are met. The law also reserves certain special rules and requires compliance with the procedures and principles for transfers abroad.

For technology companies, this means that using a foreign server or SaaS vendor is not merely an IT procurement decision. It is a data transfer decision. Contracts with cloud providers, analytics tools, payment processors, customer support platforms, cybersecurity vendors and group companies should be reviewed under Turkish data protection rules.

A foreign technology company targeting Turkish users should also consider whether it becomes a data controller under Turkish law. If Turkish users’ personal data is collected, stored, analyzed, transferred or monetized, KVKK compliance may be necessary even if the company has no traditional office in Turkey.

Risk 7: Data Security and Breach Notification

Technology companies face serious data security obligations. KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to provide an appropriate level of security, prevent unlawful processing, prevent unlawful access and ensure personal data protection. Data controllers are also jointly responsible with processors for security measures where processing is carried out by another person on their behalf.

KVKK guidance states that data controllers must conduct necessary audits, must not disclose personal data unlawfully and must not use data for purposes other than the original processing purpose. If processed personal data is obtained by others unlawfully, the controller must notify the data subject and the Board within the shortest time; the Board has interpreted this period as not later than 72 hours after becoming aware of the breach.

For technology companies, this means that cybersecurity must be treated as a legal obligation, not only an engineering issue. A SaaS platform, messaging app, data center, online game, IoT dashboard, cloud platform or telecom API provider should have access controls, encryption, logging, vulnerability management, incident response plans, vendor security reviews, backup procedures and breach notification workflows.

A data breach involving user messages, IP logs, location data, subscriber data, call recordings, payment records or identity information may create KVKK investigations, BTK scrutiny, consumer claims and loss of trust.

Risk 8: Network and Information Security Obligations

Technology companies that operate regulated telecom services or network infrastructure must also consider BTK network and information security obligations. BTK states that the Constitution, Law No. 5809, authorization regulations and operator agreements include obligations related to network and information security. The Regulation on Network and Information Security in the Electronic Communications Sector sets out the procedures and principles that operators must follow.

These rules matter for ISPs, infrastructure operators, mobile virtual network services, satellite communication providers, data transmission services, data centers supporting telecom operations, IoT connectivity providers and private network operators.

Practical network security risks include DDoS attacks, malware propagation, unauthorized network access, insecure APIs, weak customer authentication, SIM swap fraud, exposed admin panels, vulnerable IoT devices, insecure firmware, routing attacks and insufficient monitoring.

A technology company should build a security governance program that includes network monitoring, cyber incident response, technical documentation, access logs, internal responsibility allocation, vendor controls and management reporting. If the company is regulated by BTK, these controls should be audit-ready.

Risk 9: Consumer Rights and Subscriber Complaints

Technology companies that provide services to consumers or end users may face consumer-rights risks. Turkish electronic communications regulation includes consumer protection, transparency, subscription agreements, personal data processing, privacy and service quality principles. The sector is also affected by general consumer protection law and electronic commerce rules.

Common consumer risks include misleading advertisements, unclear subscription terms, unfair cancellation fees, automatic renewals, unauthorized add-on services, hidden modem or device fees, poor service quality, slow internet, failure to terminate subscriptions, continued billing after cancellation and inadequate complaint handling.

Technology companies often underestimate consumer law because they view themselves as B2B or software providers. However, many digital services are sold directly to consumers through mobile apps, web subscriptions, online marketplaces or bundled telecom packages. If the company charges consumers periodically, provides connectivity, offers communication tools or sells digital services, consumer law analysis is necessary.

Consumer-facing technology companies should prepare clear terms of service, tariff tables, cancellation policies, refund rules, complaint channels, data processing notices and evidence of user approvals.

Risk 10: Commercial Electronic Communications and Marketing

Technology companies frequently use SMS, e-mail, push notifications, automated calls, in-app messages and targeted campaigns. These communications may fall under commercial electronic communications law and KVKK.

Marketing risk is particularly high where companies use phone numbers or e-mail addresses collected during registration, purchase or verification for promotional purposes without valid consent. SMS verification codes should not be used to bundle membership approval, personal data consent and marketing consent in a single unclear action. Push notifications should be separated between service notifications and marketing notifications.

A technology company should maintain consent records, opt-out mechanisms, IYS compliance where applicable, marketing preference centers, privacy notices and vendor controls. Marketing teams should not use old lists, scraped data, third-party databases or undocumented consent records.

Risk 11: IoT, 5G, eSIM and Connected Device Risks

Emerging technologies create new telecom-law risks. IoT platforms, connected vehicles, smart city systems, eSIM services, industrial sensors, smart meters, wearables and private 5G networks may involve electronic communications, spectrum use, device conformity, cybersecurity, personal data processing and consumer protection.

An IoT company may not need telecom authorization if it only sells hardware or software. However, if it provides connectivity, manages SIM or eSIM profiles, operates a network, transmits data between devices or resells connectivity, BTK authorization and Law No. 5809 analysis may become necessary.

Connected devices also raise data protection risks. Location data, vehicle data, health-related data, household data, energy consumption data and industrial telemetry may all be sensitive in practice. Product design should include privacy-by-design, security-by-design, firmware update policies, data minimization, consent management and clear user notices.

Risk 12: Technical Equipment and Radio Device Compliance

Technology companies that import, sell or deploy telecom devices may face technical regulation risks. BTK states that Law No. 5809 covers regulation, authorization and inspection activities related to electronic communications devices and systems. It also emphasizes that non-compliant radio equipment may pose risks to the health and safety of end users.

This matters for companies dealing with routers, modems, antennas, IoT modules, radio devices, smart devices, base station equipment, satellite terminals, eSIM devices, industrial gateways and wireless communication equipment.

Equipment that is lawful in another country may still need Turkish conformity review. Technical documentation, CE marking, radio equipment rules, electromagnetic compatibility, cybersecurity updates, importer obligations and market surveillance should be checked before placing products on the Turkish market.

Risk 13: BTK Audits and Administrative Sanctions

BTK audit risk is critical for technology companies that fall within the electronic communications framework. BTK may supervise compliance with license conditions, equipment standards, sector legislation, spectrum usage, service quality, tariff practices and other regulated areas. The public-service nature of telecommunications and the need to ensure network security and continuity increase the importance of supervision.

Administrative sanctions may arise from unauthorized operation, breach of authorization conditions, failure to submit information, non-compliant tariffs, consumer-rights violations, number portability breaches, spectrum misuse, network security failures, inaccurate regulatory reporting, failure to pay administrative fees or non-compliance with BTK requests.

A technology company should keep audit-ready documentation. This includes corporate records, authorization documents, user contracts, tariff information, privacy notices, consent records, technical logs, cybersecurity policies, incident reports, vendor agreements, customer complaint records and regulatory correspondence.

Risk 14: Contractual Risks in Telecom-Related Technology Projects

Telecom-related technology contracts require special drafting. Ordinary SaaS terms may not be sufficient where the service involves communication infrastructure, service continuity, traffic data, official requests, access-blocking obligations, personal data, cybersecurity incidents or regulated connectivity.

Contracts should clearly regulate:

Scope of service.

Regulatory responsibility.

BTK authorization status.

Data controller and processor roles.

Traffic data handling.

Cross-border transfers.

Cybersecurity standards.

Incident notification.

Service levels and uptime.

Maintenance windows.

Official request procedures.

Content removal and access blocking.

Consumer complaint handling.

Liability limitations.

Indemnity.

Termination for regulatory changes.

Audit rights.

Subcontractor controls.

If the contract does not allocate these responsibilities clearly, disputes may become complex. For example, if a cloud communications platform suffers an outage, the parties may disagree on whether the issue is a telecom service failure, software bug, force majeure, cyberattack or infrastructure provider breach.

Risk 15: Foreign Technology Companies Targeting Turkish Users

Foreign technology companies may face Turkish telecom-law risks even without a large local office. If a company targets Turkish users, offers Turkish-language services, processes Turkish user data, provides communication tools, hosts Turkish content, uses Turkish phone numbers, provides connectivity to devices in Turkey or receives Turkish official requests, local law may become relevant.

Foreign companies should analyze whether they need a Turkish subsidiary, BTK authorization, local representative, KVKK compliance, cross-border transfer mechanisms, Law No. 5651 procedures, Turkish consumer terms, Turkish-language disclosures or local complaint handling.

A foreign company should not assume that compliance with EU, US or Gulf regulations is sufficient. Turkish telecom, internet and data protection rules must be analyzed separately.

Practical Compliance Checklist for Technology Companies

A technology company operating in Turkey should use the following checklist:

Classify the business model legally and technically.

Determine whether Law No. 5809 applies.

Check whether BTK authorization is required.

Identify whether the company is a content provider, hosting provider, access provider or public internet use provider.

Review Law No. 5651 obligations.

Prepare traffic data retention and security procedures where applicable.

Prepare KVKK privacy notices and data inventories.

Analyze cross-border data transfers.

Implement valid consent mechanisms.

Separate service consent from marketing consent.

Prepare data breach notification procedures.

Implement cybersecurity and network security controls.

Review consumer contracts and cancellation policies.

Review equipment conformity if devices are imported or deployed.

Prepare official request handling procedures.

Maintain audit-ready documentation.

Train legal, technical, sales, support and product teams.

Monitor BTK, KVKK and cybersecurity regulatory developments.

Conclusion

Telecommunication law in Turkey creates major legal risks for technology companies because the boundary between telecom services and technology services is increasingly blurred. Software platforms, IoT providers, cloud companies, hosting platforms, communication APIs, online games, smart city solutions, connected vehicles, eSIM services, data centers and cybersecurity companies may all face telecom-related obligations depending on their business model.

The most important legal risk is misclassification. A company that thinks it is only a technology provider may in fact be providing electronic communications services, hosting content, enabling internet access, processing traffic data, transferring personal data abroad or operating regulated infrastructure.

The key legal frameworks include Law No. 5809, BTK authorization and audit rules, Law No. 5651, KVKK, network and information security rules, consumer protection principles, commercial electronic communication rules and technical equipment regulations.

For technology companies, legal compliance should be part of product design and market-entry strategy. Waiting until a regulator, customer or court raises the issue may be too late. Companies should classify their services, obtain required authorizations, secure personal data, manage traffic logs, prepare content procedures, protect consumers, draft proper contracts and maintain audit-ready evidence.

As Turkey continues to develop its digital economy through 5G, fiber infrastructure, IoT, cloud services, artificial intelligence, online platforms and connected devices, technology companies will increasingly operate at the intersection of telecom law, internet law, cybersecurity and data protection. Companies that understand this intersection will reduce regulatory risk, protect users and build a stronger legal foundation for growth in the Turkish market.

Frequently Asked Questions

Does Turkish telecommunication law apply only to traditional telecom operators?

No. Turkish telecommunication law may also affect technology companies if they provide electronic communications services, internet access, network operation, infrastructure services, connectivity, hosting, communication tools or traffic-data-related services.

What is the main telecom law in Turkey?

The main legislation is Law No. 5809 on Electronic Communications. BTK states that this law covers regulation, authorization, inspection and reconciliation activities related to electronic communications services, devices and systems.

When does a technology company need BTK authorization?

BTK authorization may be required if the company provides electronic communications services or establishes and operates electronic communications networks or infrastructure. Connectivity, data transmission, internet access, IoT connectivity, satellite communication and infrastructure operation should be reviewed carefully.

What is the paid-in capital requirement for BTK authorization?

According to BTK’s CEVHER guidance, the paid-in capital requirement is TRY 2,500,000 for OKTH authorization and TRY 10,000,000 for other authorizations under BTK Board Decision dated 10 March 2026 and numbered 2026/DK-YED/71.

Can a SaaS or cloud company be subject to Law No. 5651?

Yes. If the company hosts user content, provides access, stores traffic data or offers internet-related services, it may be classified as a hosting provider, content provider, access provider or another regulated actor under Law No. 5651.

Are hosting providers responsible for all hosted content?

Hosting providers are not generally obliged to check hosted content or investigate whether it is unlawful. However, they must remove unlawful content when legally notified under the relevant provisions and must retain traffic information securely.

Does KVKK apply to technology companies?

Yes. If a technology company processes personal data of individuals in Turkey, KVKK may apply. Personal data includes information relating to an identified or identifiable natural person, and KVKK imposes processing principles, security obligations and transfer rules.

What is the breach notification period under KVKK?

The Personal Data Protection Board has interpreted the obligation to notify within the shortest time as no later than 72 hours after becoming aware of a breach.

Can BTK audit technology companies?

BTK may audit operators subject to the electronic communications framework. It may conduct financial, technical, legal and administrative supervision and impose sanctions where operators do not comply with regulations.

What should technology companies do before launching telecom-related services in Turkey?

They should classify the service, assess BTK authorization, review Law No. 5651 status, prepare KVKK compliance, analyze cross-border transfers, implement cybersecurity controls, review consumer terms, check equipment conformity and prepare audit-ready documentation.

Categories:

Yanıt yok

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

Our Client

We provide a wide range of Turkish legal services to businesses and individuals throughout the world. Our services include comprehensive, updated legal information, professional legal consultation and representation

Our Team

.Our team includes business and trial lawyers experienced in a wide range of legal services across a broad spectrum of industries.

Why Choose Us

We will hold your hand. We will make every effort to ensure that you understand and are comfortable with each step of the legal process.

Open chat
1
Hello Can İ Help you?
Hello
Can i help you?
Call Now Button