Cybersecurity Compliance for Turkish Companies: Internal Policies, Employee Training and Incident Response

Introduction

Cybersecurity compliance for Turkish companies is no longer a purely technical issue handled only by IT departments. It is a legal, operational, regulatory and corporate governance obligation. A single cyber incident may lead to personal data breach notifications, criminal complaints, civil compensation claims, contractual disputes, regulatory investigations, reputational damage, business interruption and loss of customer trust.

Turkish companies face a wide range of cyber risks: ransomware, phishing, business e-mail compromise, fake invoice fraud, employee data theft, unauthorized access to corporate systems, customer database leaks, cloud misconfiguration, malware, spyware, DDoS attacks, social engineering, credential theft and supply-chain compromise. The legal consequences of these risks depend on the nature of the incident, the type of data affected, the company’s sector, whether personal data was compromised and whether the company had reasonable preventive measures in place.

The main legal framework includes the Turkish Personal Data Protection Law No. 6698, known as the KVKK, the Turkish Penal Code provisions on cybercrime and personal data offences, Law No. 5651 on internet publications, and the Cybersecurity Law No. 7545, which entered into force after publication in the Official Gazette on 19 March 2025. Cybersecurity Law No. 7545 created a broader national cybersecurity framework covering public institutions, private legal entities, professional organizations and individuals operating in cyberspace.

This article explains cybersecurity compliance for Turkish companies from a practical legal perspective. It focuses on internal policies, employee training, technical and organizational measures, incident response planning, KVKK breach notification, digital evidence, vendor management, board-level governance and legal risk reduction.

1. Why Cybersecurity Compliance Matters for Turkish Companies

Cybersecurity compliance is important because a company’s legal responsibility is often assessed not only by looking at the cyberattack itself, but also by examining what the company did before, during and after the incident. Regulators, courts, business partners and customers may ask whether the company adopted appropriate technical and organizational measures, trained its employees, controlled access rights, monitored vendors, preserved evidence and responded quickly.

Under KVKK Article 12, data controllers must take all necessary technical and organizational measures to provide an appropriate level of security for preventing unlawful processing of personal data, preventing unlawful access to personal data and ensuring the protection of personal data. This provision is central to cybersecurity compliance because most cyber incidents involve personal data, such as customer records, employee files, identity information, e-mail addresses, phone numbers, IP addresses, payment details or user account data.

A company that cannot show a structured cybersecurity program may face difficulty after a breach. Even if the attacker acted unlawfully, the company may still be questioned about whether it had reasonable safeguards. For this reason, cybersecurity compliance should be treated as a board-level risk management issue rather than a technical afterthought.

2. Legal Framework for Cybersecurity Compliance in Turkey

Cybersecurity compliance in Turkey is not regulated by one single law. Several legal regimes must be considered together.

The KVKK regulates personal data security and breach notification. Article 12 requires data controllers to take necessary measures and to notify relevant parties if processed personal data is obtained by others through unlawful means.

The Personal Data Protection Board’s Decision No. 2019/10 sets out important procedures and principles for personal data breach notifications. The decision requires controllers to document all personal data breaches, including facts, effects and measures taken, and states that processors must notify controllers without delay if personal data held by the processor is unlawfully obtained.

The Cybersecurity Law No. 7545 adds a broader cybersecurity layer. It aims to protect public institutions, individuals and private sector entities from cyber threats and establishes comprehensive policies and strategies to enhance national cybersecurity.

The Turkish Penal Code may apply where the incident involves unlawful access, system interference, data deletion, data transfer, bank card misuse, personal data offences, fraud, blackmail or other crimes.

Law No. 5651 may become relevant for internet actors, hosting providers, access providers, traffic data and online content-related issues. Hosting and access providers may hold important records in cybercrime investigations, and traffic data can become critical evidence.

3. Internal Cybersecurity Policies

A Turkish company should adopt written internal cybersecurity policies. These policies are not merely internal documents; they can become evidence of compliance after a cyber incident.

A strong cybersecurity policy framework should include:

Information Security Policy: Defines the company’s general cybersecurity principles, roles and responsibilities.

Access Control Policy: Explains who may access which systems, under what conditions and with what approval.

Password and Authentication Policy: Requires strong passwords, multi-factor authentication and secure credential management.

E-Mail and Internet Use Policy: Regulates corporate e-mail, phishing risks, acceptable use, file sharing and suspicious links.

Remote Work Policy: Covers VPN use, device security, public Wi-Fi restrictions and home-office risks.

Personal Data Security Policy: Aligns cybersecurity practices with KVKK obligations.

Incident Response Policy: Determines what employees must do when they detect a cyber incident.

Vendor Security Policy: Regulates cloud providers, IT vendors, software suppliers and data processors.

Device and Mobile Security Policy: Covers laptops, phones, removable media and mobile device management.

Data Retention and Deletion Policy: Ensures that data is not kept longer than necessary and is securely destroyed when required.

These policies must be practical. A policy that employees do not understand or follow will not provide real protection. The company should also keep records showing that employees received and acknowledged the policies.

4. Employee Training as a Legal Risk Control

Employee training is one of the most important cybersecurity measures. Many cyber incidents begin with human error: clicking a phishing link, sharing a password, approving a fake invoice, opening a malicious attachment, using weak passwords or sending files to the wrong recipient.

A Turkish company should provide regular employee training on:

Phishing and social engineering.

Business e-mail compromise.

Fake invoice fraud.

Password security.

Multi-factor authentication.

Data classification.

Secure file sharing.

Remote work risks.

Personal data protection.

Incident reporting.

Use of corporate devices.

Suspicious phone calls and fake customer support scams.

Employees in finance, accounting, human resources, IT, customer service and sales should receive role-specific training because they process sensitive information and are common targets. For example, accounting employees must know that supplier bank account changes should never be accepted only by e-mail. HR employees must know how to protect identity documents, payroll files and health-related employee data. IT employees must understand evidence preservation and log retention.

Training should not be a one-time presentation. Companies should repeat training periodically, use simulated phishing exercises, keep attendance records and update training content after real incidents or new attack methods.

5. Access Control and Authorization Management

Access control is a core part of cybersecurity compliance. Many breaches happen because too many employees have unnecessary access to sensitive systems. Others occur because former employees continue to access accounts after termination.

Companies should follow the principle of least privilege. Employees should access only the systems and data necessary for their role. Administrator rights should be limited, monitored and reviewed regularly. Shared accounts should be avoided because they make attribution difficult in investigations.

A strong access control program should include:

Role-based permissions.

Individual user accounts.

Multi-factor authentication.

Regular access reviews.

Immediate revocation after termination.

Logging of privileged activity.

Restrictions on external forwarding.

Segregation of duties in finance and payment systems.

Approval workflow for access changes.

Periodic review of cloud and SaaS permissions.

Former employee access is a major risk. When an employee leaves, the company should disable e-mail, VPN, CRM, ERP, cloud storage, repository, social media admin and remote access rights immediately. Weak offboarding may allow data theft, sabotage or unauthorized monitoring after termination.
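The access review and offboarding points above can be checked mechanically. The following is an added example, not part of the original article: it reconciles a constructed HR roster against constructed per-system account exports and reports accounts belonging to people who have already left as well as accounts with no employee record at all, then groups them into one revocation list per person. The field names, system names and sample data are assumptions.

```python
from datetime import date

# Constructed HR roster (assumed field names); leave_date None = still employed.
HR_ROSTER = [
    {"employee_id": "E100", "email": "ayse@example.com", "leave_date": None},
    {"employee_id": "E101", "email": "mehmet@example.com", "leave_date": date(2025, 4, 30)},
    {"employee_id": "E102", "email": "elif@example.com", "leave_date": None},
]

# Constructed account exports, one list per system, with the e-mail address as account name.
SYSTEM_ACCOUNTS = {
    "email": ["ayse@example.com", "mehmet@example.com", "elif@example.com"],
    "vpn":   ["ayse@example.com", "mehmet@example.com"],
    "crm":   ["ayse@example.com", "elif@example.com", "contractor@example.com"],
    "repo":  ["elif@example.com", "mehmet@example.com"],
}

REVIEW_DATE = date(2025, 5, 15)  # day the review is run (constructed)


def review_access(roster, accounts, today):
    """Return one finding per (system, account) that should no longer exist."""
    by_email = {row["email"].lower(): row for row in roster}
    findings = []
    for system, emails in accounts.items():
        for email in emails:
            row = by_email.get(email.lower())
            if row is None:
                findings.append({"system": system, "account": email,
                                 "reason": "no matching employee record"})
            elif row["leave_date"] is not None and row["leave_date"] <= today:
                days = (today - row["leave_date"]).days
                findings.append({"system": system, "account": email,
                                 "reason": f"employee left {days} day(s) ago; access not revoked"})
    findings.sort(key=lambda f: (f["system"], f["account"]))
    return findings


def revocation_plan(findings):
    """Group findings per account so one offboarding ticket lists every system to disable."""
    plan = {}
    for f in findings:
        plan.setdefault(f["account"], []).append(f["system"])
    return {account: sorted(systems) for account, systems in plan.items()}


def run_review():
    """Run the review against the constructed data; returns (findings, plan)."""
    findings = review_access(HR_ROSTER, SYSTEM_ACCOUNTS, REVIEW_DATE)
    return findings, revocation_plan(findings)


if __name__ == "__main__":
    found, plan = run_review()
    for f in found:
        print(f"{f['system']:<6} {f['account']:<26} {f['reason']}")
    for account, systems in plan.items():
        print(f"revoke {account} on: {', '.join(systems)}")
```

In practice the roster comes from the HR system and the account lists from each system's own export; running the comparison on a schedule turns "regular access reviews" from a policy sentence into a repeatable control with a record of what was found and when.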

6. Technical and Organizational Measures Under KVKK

KVKK Article 12 requires both technical and organizational measures. A cybersecurity compliance program should therefore not rely only on software tools. It should combine technology, governance, policies, training, contracts and monitoring.

Technical measures may include encryption, firewall protection, endpoint detection, anti-malware systems, network segmentation, vulnerability scanning, secure backups, access logs, multi-factor authentication, intrusion detection, secure cloud configuration, data loss prevention and SIEM systems.

Organizational measures may include internal policies, employee training, confidentiality commitments, incident response procedures, vendor due diligence, internal audits, disciplinary procedures, risk assessments, personal data inventories and breach notification workflows.

The Turkish Personal Data Protection Authority’s guidance also emphasizes that data controllers must take necessary technical and administrative measures to prevent unlawful processing, prevent unlawful access and protect personal data.

7. Incident Response Planning

Every Turkish company should have a written cyber incident response plan. A cyber incident response plan determines who does what when an incident occurs. Without a plan, companies lose time, make inconsistent decisions and risk destroying evidence.

A practical incident response plan should include:

Detection and internal reporting channels.

Incident response team members.

Roles of IT, legal, management, HR and communications.

Evidence preservation rules.

System containment procedures.

KVKK breach assessment workflow.

Cybersecurity Law assessment.

Criminal complaint decision process.

Vendor and cloud provider notification steps.

Insurance notification steps.

Customer and employee communication rules.

Post-incident review process.

The plan should be tested through tabletop exercises. A plan that has never been tested may fail during a real ransomware attack or phishing incident.

8. First 24 Hours After a Cyber Incident

The first 24 hours after a cyber incident are critical. Companies must act quickly but carefully. The wrong action may destroy evidence, increase legal exposure or delay mandatory notifications.

The company should immediately:

Record the discovery time.

Preserve logs and alerts.

Identify affected systems.

Contain the incident.

Disable compromised accounts.

Preserve suspicious e-mails with headers.

Avoid formatting devices before forensic preservation.

Assess whether personal data is affected.

Notify internal legal and management teams.

Contact cybersecurity experts if necessary.

Review whether vendors are involved.

Determine whether bank or payment systems are affected.

Begin KVKK breach notification assessment.

If the incident involves unauthorized payment transfers, the bank must be notified immediately. If the incident involves personal data, the KVKK assessment must begin at once. If the incident involves criminal conduct, evidence should be preserved for a criminal complaint.

9. KVKK Data Breach Notification

If processed personal data is obtained by others through unlawful means, the data controller must notify the Personal Data Protection Board and affected data subjects within the shortest time. The Board’s Decision No. 2019/10 interprets this period for Board notification as without delay and no later than 72 hours after the controller becomes aware of the breach.

This 72-hour period does not mean that the company must complete its entire forensic investigation before notification. If all information is not available at once, the company may provide information gradually without delay.

The company should assess:

What personal data was affected?

How many individuals were affected?

Was special category personal data involved?

Was the data accessed, copied, deleted, encrypted or published?

When did the incident occur?

When did the company become aware?

What measures were taken?

Were affected persons informed?

Is the incident contained?

Should a criminal complaint be filed?

Even if the company decides not to notify, it should document the reasons for that decision. Documentation is important because the Board may later request an explanation.
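A breach register that encodes the rules described above (the 72 hours run from awareness rather than from the incident, information may be supplied in stages, and a decision not to notify must carry documented reasons) is shown below. This is an added example and not part of the original article or of any official KVKK tooling; the record layout, incident identifier and timestamps are constructed. Times are stored in UTC and displayed in Turkey time, treated here as a fixed UTC+3 offset.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
TURKEY = timezone(timedelta(hours=3), "TRT")  # Turkey uses a fixed UTC+3 offset
BOARD_DEADLINE = timedelta(hours=72)


class BreachRecord:
    """One personal data breach, with the facts, staged updates and the notification decision."""

    def __init__(self, incident_id, occurred_at, aware_at):
        if occurred_at.tzinfo is None or aware_at.tzinfo is None:
            raise ValueError("use timezone-aware datetimes")
        self.incident_id = incident_id
        self.occurred_at = occurred_at.astimezone(UTC)
        self.aware_at = aware_at.astimezone(UTC)
        self.updates = []          # information supplied gradually
        self.decision = None       # "notify" or "no-notify"
        self.decision_reason = None
        self.notified_at = None

    @property
    def board_deadline(self):
        # The 72 hours run from the moment the controller became aware, not from the attack.
        return self.aware_at + BOARD_DEADLINE

    def hours_remaining(self, now):
        return (self.board_deadline - now.astimezone(UTC)) / timedelta(hours=1)

    def add_update(self, at, **facts):
        """Record a partial set of facts (data categories, counts, measures taken...)."""
        self.updates.append({"at": at.astimezone(UTC), **facts})

    def decide(self, decision, reason, at=None):
        """Record the decision; a missing reason is rejected so the file always explains itself."""
        if decision not in ("notify", "no-notify"):
            raise ValueError("decision must be 'notify' or 'no-notify'")
        if not reason:
            raise ValueError("decision must be documented with a reason")
        self.decision, self.decision_reason = decision, reason
        if decision == "notify":
            self.notified_at = (at or datetime.now(UTC)).astimezone(UTC)

    def status(self, now):
        """Where the record stands relative to the 72-hour deadline."""
        if self.decision == "notify":
            return "notified late" if self.notified_at > self.board_deadline else "notified in time"
        if self.decision == "no-notify":
            return "documented no-notification decision"
        return "open, overdue" if now.astimezone(UTC) > self.board_deadline else "open"

    def local(self, dt):
        return dt.astimezone(TURKEY).strftime("%Y-%m-%d %H:%M %Z")


def run_demo():
    """Walk a constructed incident through the register; returns values for checking."""
    occurred = datetime(2025, 5, 30, 23, 10, tzinfo=TURKEY)  # attacker activity (constructed)
    aware = datetime(2025, 6, 2, 9, 30, tzinfo=TURKEY)        # breach confirmed (constructed)
    rec = BreachRecord("INC-2025-021", occurred, aware)
    day_after = aware + timedelta(hours=24)
    status_before = rec.status(day_after)
    rec.add_update(day_after, data_categories=["name", "e-mail", "phone"],
                   affected_count="approx. 1,200 (preliminary)", contained=True)
    rejected = False
    try:
        rec.decide("no-notify", "")  # must fail: reasons are mandatory
    except ValueError:
        rejected = True
    rec.add_update(aware + timedelta(hours=40), affected_count=1184, special_category=False)
    rec.decide("notify", "customer contact data obtained unlawfully", at=aware + timedelta(hours=41))
    return {
        "deadline_trt": rec.local(rec.board_deadline),
        "hours_left_day_after": rec.hours_remaining(day_after),
        "status_before": status_before,
        "status_after": rec.status(day_after),
        "rejects_undocumented": rejected,
        "updates": len(rec.updates),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two timestamps are kept apart on purpose: the occurrence time matters for the criminal complaint and the scope of the forensic review, while the awareness time is what the 72-hour clock is measured from.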

10. Digital Evidence Preservation

Digital evidence is essential in cyber incidents. It may prove how the incident occurred, who caused it, what systems were affected, what data was accessed and whether the company acted diligently.

Important evidence includes server logs, firewall logs, VPN logs, cloud access logs, e-mail headers, endpoint alerts, database audit logs, file metadata, screenshots, malware samples, ransom notes, IP addresses, user activity records, backup logs, access control records, employee account history and vendor communications.

Companies should preserve evidence before remediation. For example, deleting a compromised account may erase useful logs. Formatting a laptop may destroy malware evidence. Removing forwarding rules without documenting them may weaken a business e-mail compromise complaint.

In serious incidents, forensic imaging, hash verification and chain-of-custody documentation should be considered. The company should record who collected evidence, when, from which system and how it was stored.

11. Vendor and Cloud Provider Management

Many cyber incidents involve vendors. A cloud provider, payroll company, software provider, call center, marketing agency, IT consultant or hosting provider may process personal data or have access to company systems.

Contracts with vendors should include:

Security obligations.

Incident notification deadlines.

Data breach cooperation duties.

Log preservation duties.

Subprocessor restrictions.

Audit rights.

Data return and deletion obligations.

Confidentiality clauses.

Liability provisions.

Cybersecurity standards.

If a processor suffers a data breach, Decision No. 2019/10 requires the processor to notify the controller without delay. Therefore, vendor contracts should require immediate notification and practical cooperation. A vague contract may leave the company without the information needed for a 72-hour KVKK assessment.

12. Law No. 5651 and Log Obligations

Law No. 5651 may become relevant when a company operates as a hosting provider, access provider, content provider or internet service actor. Traffic data may also be important in cybercrime investigations. Legal commentary on Law No. 5651 notes that hosting providers have obligations to retain traffic data in relation to their hosting services, and access providers also have obligations concerning traffic information.

For companies, logs are not only technical records. They are legal evidence. A company that does not retain logs may struggle to identify an attacker, prove unauthorized access or defend itself before regulators.

Companies should have a log retention policy covering:

Which logs are collected.

How long they are kept.

Who may access them.

How integrity is protected.

How logs are exported after incidents.

Whether timestamps use Turkey time or UTC.

How logs are provided to authorities when legally required.
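Hash verification and chain-of-custody documentation (section 10) and log integrity and timestamp handling (this section) can be covered by one small routine. The following is an added example, not the article's own material: it writes a constructed log file, computes its SHA-256, records who collected it, when (in UTC and in Turkey time, treated as fixed UTC+3), from which system and where it is stored, and then re-verifies the hash so that any later edit of the file is detected. File names, host names, custodian names and the storage location are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

TURKEY = timezone(timedelta(hours=3), "TRT")  # fixed UTC+3

# Constructed log lines standing in for an export from a VPN gateway.
SAMPLE_LOG = (
    "2025-05-12T07:14:03Z vpn-gw sshd[412]: Accepted password for svc_backup from 203.0.113.7\n"
    "2025-05-12T07:14:09Z vpn-gw sshd[412]: session opened for user svc_backup\n"
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(path, custodian, source_host, storage, collected_at=None):
    """Create the custody record for one artefact; the hash binds the record to the bytes."""
    collected_at = (collected_at or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        "artefact": os.path.basename(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "collected_by": custodian,
        "source_host": source_host,
        "collected_at_utc": collected_at.isoformat(),
        "collected_at_trt": collected_at.astimezone(TURKEY).isoformat(),
        "stored_at": storage,
        "custody_events": [{"action": "collected", "by": custodian,
                            "at_utc": collected_at.isoformat()}],
    }


def transfer(record, from_person, to_person, at):
    """Append a hand-over to the custody trail."""
    record["custody_events"].append({"action": "transferred", "from": from_person,
                                     "to": to_person,
                                     "at_utc": at.astimezone(timezone.utc).isoformat()})


def verify(record, path):
    """True only if the artefact still matches the hash recorded at collection time."""
    return os.path.exists(path) and sha256_file(path) == record["sha256"]


def run_demo():
    """Collect a constructed log, verify it, append a line to it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "vpn-gw-auth.log")
        with open(log_path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_LOG)
        rec = collect_evidence(log_path, "A. Yilmaz (IT)", "vpn-gw.example.internal",
                               "evidence-vault/INC-2025-017/",
                               datetime(2025, 5, 12, 10, 0, tzinfo=timezone.utc))
        transfer(rec, "A. Yilmaz (IT)", "Legal",
                 datetime(2025, 5, 12, 12, 0, tzinfo=timezone.utc))
        intact_before = verify(rec, log_path)
        with open(log_path, "a", encoding="utf-8") as f:   # a later, undocumented edit
            f.write("2025-05-12T07:20:00Z vpn-gw sshd[412]: session closed\n")
        return {"record": rec, "intact_before_edit": intact_before,
                "intact_after_edit": verify(rec, log_path)}


if __name__ == "__main__":
    out = run_demo()
    print(out["record"]["sha256"], out["intact_before_edit"], out["intact_after_edit"])
```

Recording both the UTC and the local timestamp answers the "Turkey time or UTC" question in the policy without forcing a choice: the UTC value is what gets compared against logs from cloud providers, the local value is what an employee or a prosecutor will read.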

13. Cybersecurity Law No. 7545 and Company Governance

Cybersecurity Law No. 7545 reinforces the need for companies to treat cybersecurity as a governance issue. The law came into force on 19 March 2025 and aims to protect public and private actors from cyber threats through national cybersecurity strategies and policies.

For companies, this means cybersecurity responsibilities should be addressed by senior management. The board or executive team should understand key cyber risks, approve cybersecurity policies, allocate budget, review incident reports and ensure compliance with applicable obligations.

A governance-oriented cybersecurity program should include:

Cyber risk assessment.

Annual policy review.

Management reporting.

Internal audit.

Vendor risk review.

Incident response testing.

Employee training records.

Cyber insurance review.

Data breach response procedure.

Compliance monitoring.

Cybersecurity should not be treated as an isolated IT cost. It is a legal and business continuity requirement.

14. Internal Investigations After Cyber Incidents

After a cyber incident, a company may need an internal investigation. This is especially common in employee data theft, insider misuse, phishing, fake invoice fraud, unauthorized access or suspicious payment approvals.

An internal investigation should be lawful, proportionate and documented. The company should define the scope, preserve evidence, limit access to relevant data, protect employee privacy, avoid unnecessary review of private communications and involve legal counsel where needed.

If the investigation concerns an employee, the company should review employment contracts, IT policies, access permissions, logs, device records, e-mail activity and witness statements. If the incident involves personal data, KVKK obligations should be evaluated at the same time.

A poorly conducted internal investigation may create separate privacy or evidence problems. A well-conducted investigation can support criminal complaints, disciplinary action, civil claims and regulatory defence.

15. Criminal Complaint Strategy

If a cyber incident involves hacking, data theft, fraud, ransomware, system interference, blackmail, DDoS or personal data offences, the company should consider a criminal complaint.

The complaint should include:

Company identity and representative information.

Affected systems.

Incident timeline.

Digital evidence.

Logs and technical findings.

Type of data affected.

Damage suffered.

Suspected persons, if any.

Whether personal data was involved.

Whether financial loss occurred.

Requests for IP records, platform data, bank records or device examination.

Legal qualification under relevant Turkish Penal Code provisions.

A criminal complaint should be technical but readable. It should guide the prosecutor toward concrete evidence. Vague statements such as “our system was hacked” are weaker than a detailed explanation supported by logs, screenshots and forensic findings.

16. Cybersecurity Training for Finance and Accounting Teams

Finance and accounting teams are high-risk departments. They handle bank transfers, supplier payments, invoices, payroll and sensitive financial information. Business e-mail compromise and fake invoice fraud often target these teams.

Training should cover:

Supplier IBAN verification.

Fake invoice indicators.

Executive impersonation.

Urgent payment pressure.

E-mail spoofing.

Full e-mail header preservation.

Dual approval for payments.

Bank fraud reporting.

Suspicious domain names.

Off-platform payment instructions.

A company should never change supplier bank account details based only on e-mail. Verification should be made through a trusted phone number already recorded in company files.
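The supplier bank account rule above can be enforced in the payment workflow rather than left to memory. The following is an added example, not code from the original article: a change request is applied only if the new IBAN passes the ISO 7064 mod-97 check, a call-back has been made to the phone number already on file (a number quoted in the request itself does not count), and two different people have approved it. Supplier names, phone numbers, IBANs and user names are constructed.

```python
import copy
import re


def _iban_to_int(s):
    """Move the first four characters to the end and map A..Z to 10..35 (ISO 13616)."""
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged))


def iban_is_valid(iban):
    """ISO 7064 mod-97 check; catches mistyped or partially altered IBANs."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    return _iban_to_int(s) % 97 == 1


def make_iban(country, bban):
    """Compute check digits so the constructed sample IBANs are self-consistent."""
    check = 98 - _iban_to_int(country + "00" + bban) % 97
    return f"{country}{check:02d}{bban}"


def _digits(phone):
    return re.sub(r"\D", "", phone)


# Constructed supplier master data; the phone on file is the only trusted call-back target.
SUPPLIERS = {
    "SUP-0042": {"name": "Ornek Tedarik A.S.", "phone_on_file": "+90 212 555 0101",
                 "iban": make_iban("TR", "0006100519786457841326")},
}


class ChangeRequest:
    """A request to change a supplier's bank account, as logged by accounting."""

    def __init__(self, supplier_id, new_iban, channel, phone_in_request, requested_by):
        self.supplier_id = supplier_id
        self.new_iban = new_iban
        self.channel = channel                    # "email", "portal", "signed letter"...
        self.phone_in_request = phone_in_request  # number the message asks us to call
        self.requested_by = requested_by          # employee who logged the request
        self.callback_number = None               # number actually called to confirm
        self.approvals = []

    def record_callback(self, number):
        self.callback_number = number

    def approve(self, approver):
        if approver not in self.approvals:
            self.approvals.append(approver)


def apply_change(suppliers, req):
    """Apply the change only if every control passes; returns (applied, reason)."""
    sup = suppliers.get(req.supplier_id)
    if sup is None:
        return False, "unknown supplier"
    if not iban_is_valid(req.new_iban):
        return False, "new IBAN fails the mod-97 check"
    if req.callback_number is None:
        return False, f"request received by {req.channel} only; no call-back made"
    if _digits(req.callback_number) != _digits(sup["phone_on_file"]):
        return False, "call-back went to a number not on file"
    if len(req.approvals) < 2:
        return False, "dual approval required"
    sup["iban"] = re.sub(r"\s+", "", req.new_iban).upper()
    return True, "applied"


def run_scenarios():
    """Five constructed requests against a fresh copy of the master data each time."""
    new_iban = make_iban("TR", "0001000160004711223344")
    bad_iban = new_iban[:-1] + ("0" if new_iban[-1] != "0" else "1")  # one digit mistyped
    on_file, in_mail = "+90 (212) 555 01 01", "+90 555 000 0000"
    results = {}

    r = ChangeRequest("SUP-0042", new_iban, "email", in_mail, "accounting1")
    results["email_only"] = apply_change(copy.deepcopy(SUPPLIERS), r)

    r = ChangeRequest("SUP-0042", new_iban, "email", in_mail, "accounting1")
    r.record_callback(in_mail); r.approve("accounting1"); r.approve("cfo")
    results["callback_to_email_number"] = apply_change(copy.deepcopy(SUPPLIERS), r)

    r = ChangeRequest("SUP-0042", new_iban, "email", in_mail, "accounting1")
    r.record_callback(on_file); r.approve("accounting1")
    results["single_approver"] = apply_change(copy.deepcopy(SUPPLIERS), r)

    r = ChangeRequest("SUP-0042", bad_iban, "email", in_mail, "accounting1")
    r.record_callback(on_file); r.approve("accounting1"); r.approve("cfo")
    results["bad_iban"] = apply_change(copy.deepcopy(SUPPLIERS), r)

    suppliers = copy.deepcopy(SUPPLIERS)
    r = ChangeRequest("SUP-0042", new_iban, "email", in_mail, "accounting1")
    r.record_callback(on_file); r.approve("accounting1"); r.approve("cfo")
    results["all_controls"] = apply_change(suppliers, r)
    results["stored_iban_updated"] = suppliers["SUP-0042"]["iban"] == new_iban
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the call-back comparison is made against the master record, never against the request, so a fraudulent e-mail that supplies its own "confirmation" phone number fails even if someone dutifully calls it.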

17. HR and Employee Data Security

Human resources departments process highly sensitive employee data, including identity documents, payroll, disciplinary records, health reports, performance files and contact information. A breach in HR systems may trigger serious KVKK issues.

HR teams should be trained on secure file sharing, limited access, retention periods, secure deletion, phishing risks, confidentiality and special category data. Employee files should not be stored in unsecured shared folders or sent through unencrypted channels without need.

HR should also participate in offboarding. When employees leave, HR must coordinate with IT to ensure access rights are removed immediately.

18. Practical Cybersecurity Compliance Checklist

A Turkish company should implement the following compliance measures:

Adopt written cybersecurity policies.

Prepare a KVKK data security policy.

Conduct employee training.

Use multi-factor authentication.

Apply role-based access control.

Restrict administrator rights.

Keep logs and protect log integrity.

Prepare an incident response plan.

Test the plan through exercises.

Maintain secure backups.

Review cloud configurations.

Monitor phishing risks.

Conduct vendor due diligence.

Include breach notification clauses in vendor contracts.

Prepare a KVKK breach notification workflow.

Revoke access immediately after termination.

Preserve digital evidence after incidents.

Consider cyber insurance.

File criminal complaints where appropriate.

Review the program periodically.

This checklist should be adapted to the company’s size, sector, data volume, risk profile and technical infrastructure.

Conclusion

Cybersecurity compliance for Turkish companies requires a structured legal and technical program. Companies must adopt internal policies, train employees, control access rights, manage vendors, prepare incident response plans, preserve digital evidence and assess KVKK notification duties after cyber incidents. Under KVKK Article 12, data controllers must take necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access and protect personal data.

If personal data is obtained unlawfully by others, the company must assess notification to the Personal Data Protection Board and affected persons. Decision No. 2019/10 interprets Board notification as no later than 72 hours after awareness and requires breach documentation. Cybersecurity Law No. 7545 adds a broader governance layer by establishing a national cybersecurity framework that covers public and private actors operating in cyberspace.

For Turkish companies, the strongest legal protection is preparation. A company that has clear policies, trained employees, access controls, vendor contracts, incident response procedures and evidence preservation rules is in a much stronger position after a cyber incident. Cybersecurity is not only about preventing attacks; it is also about proving diligence, responding lawfully and reducing damage when an attack occurs.
