The Cybersecurity Law Enters into Force
- Orçun Holta

- Sep 23
- 8 min read
Updated: Oct 4
Introduction
Reviewing the general rationale set out in the Cybersecurity Law Draft and the National Defense Commission Report, it is noted that the total amount of data produced in 2004 was only around 5 exabytes, whereas by 2024 this figure had reached the order of 180 zettabytes (an approximate 36,000-fold increase in data produced during that period). The report emphasizes that data-processing services and solutions have taken on a significant role both in business life and everyday life; that cyberattacks are intensifying globally each day and constitute a complex threat; and that a country’s ability to stand out as a role model in cybersecurity is directly related to the existence of a comprehensive overarching cybersecurity legal framework and the effective functioning of a central authority. The rationale further highlights the importance of activating deterrent sanction mechanisms, encouraging and supporting the adoption and development of domestic and national solutions, and strengthening deterrence by increasing penalties for cybercrimes.
Mirroring global trends in cybersecurity, the report stresses that cybersecurity cannot be achieved by technological measures alone; in order to establish comprehensive protection it must also be addressed through its legal, administrative, and strategic dimensions.
Main Objectives
The primary objectives of the Cybersecurity Law are:
To establish a Cybersecurity Board to determine Turkey’s policies and strategy on cybersecurity;
To ensure that policies developed in the field of cybersecurity are effectively implemented at the national level;
To increase the cyber resilience and cyber maturity levels of public institutions and critical infrastructure entities;
To monitor current technological developments and integrate them into cybersecurity processes;
To centrally monitor, detect, and mitigate cybersecurity incidents that may occur in the information systems of public institutions and critical infrastructure entities;
To implement action plans and secondary legislation;
To conduct audits and, in particular, to operate effective deterrent sanction mechanisms;
To strengthen the cybersecurity ecosystem;
To regulate standardization, certification and authorization processes;
To ensure deterrence by increasing penalties for cybercrimes.
Key Provisions
Scope
The scope of the Cybersecurity Law encompasses a very broad range of actors operating, providing services, or otherwise present in cyberspace, including: (i) public institutions and organizations, (ii) professional organizations with the status of public institutions, (iii) natural and legal persons, and (iv) entities without legal personality.
Activities conducted under the Law on Police Duties and Authorities, the Coast Guard Command Law, the Law on the Organization, Duties and Powers of the Gendarmerie, laws concerning State Intelligence Services and the National Intelligence Organization, and the Internal Service Law of the Turkish Armed Forces are excluded from the scope.
Fundamental Principles
The Cybersecurity Law sets out eleven fundamental principles for ensuring cybersecurity, which include the following:
Cybersecurity is an integral part of national security.
The protection of critical infrastructure and information systems and the creation of a secure cyberspace are primary objectives.
Cybersecurity work shall be conducted based on institutionalization, continuity, and sustainability.
Cybersecurity measures must be applied throughout the entire lifecycle of services and products.
Preference shall be given, where possible, to domestic and national products in efforts to secure cyberspace.
All public institutions and organizations, as well as natural and legal persons, are responsible for implementing cybersecurity policies and strategies and for taking necessary measures to prevent cyberattacks or reduce their impact.
Accountability is fundamental in the execution of cybersecurity processes.
Cybersecurity policy and strategy development shall be pursued with a continuous improvement approach.
Efforts to increase the capability and capacity of qualified human resources in the field of cybersecurity are encouraged.
The spread of a cybersecurity culture across society is an objective.
The rule of law, protection of fundamental human rights and freedoms, and the safeguarding of privacy shall be respected.
Responsibilities and Cooperation
The Cybersecurity Law defines the duties and responsibilities relating to cybersecurity for those within its scope who use information systems to provide services, collect or process data, or perform similar activities. These include, but are not limited to:
Primarily and promptly providing the Cybersecurity Authority with any requested data, information, documents, hardware, software and any other contributions.
Taking the measures required by law for national security, public order or the proper conduct of public services, and promptly reporting any vulnerabilities or cyber incidents detected in their service areas to the Cybersecurity Authority.
Procuring cybersecurity products, systems and services to be used in public institutions and critical infrastructures from cybersecurity experts, manufacturers or companies authorized and certified by the Cybersecurity Authority.
Obtaining the Cybersecurity Authority’s approval, within the framework of existing regulations, before commencing operations for cybersecurity companies subject to certification, authorization and accreditation.
Implementing the measures and fulfilling the requirements set out in policies, strategies, action plans and other regulatory instruments published by the Cybersecurity Authority aimed at increasing cyber maturity.
Criminal Sanctions and Administrative Fines
Article 16 of the Cybersecurity Law contains provisions on criminal sanctions and administrative fines, while Article 17 sets out the rules for the enforcement of administrative fines.
| Act | Penalty |
| --- | --- |
| Failure to provide, or obstruction of access to, any information, documents, software, data, or hardware requested within the duties and powers of the competent authority and inspection officers (excluding public institutions and organizations). | Imprisonment from 1 to 3 years and a judicial fine from 500 to 1,500 days. |
| Conducting activities without obtaining the approvals, authorizations, and permits required by law. | Imprisonment from 2 to 4 years and a judicial fine from 1,000 to 2,000 days. |
| Failure to comply with the obligation of confidentiality. | Imprisonment from 4 to 8 years. |
| Making personal data or institutional data within the scope of critical public services, previously exposed due to a data leak in cyberspace, available for access (paid or unpaid), sharing, or offering for sale without the consent of the individuals or institutions concerned. | Imprisonment from 3 to 5 years. |
| Creating and publishing false content regarding a data breach in cybersecurity, for the purpose of causing public concern, fear, or panic, or of targeting institutions or individuals, despite knowing that no such data breach occurred in cyberspace. | Imprisonment from 2 to 5 years. |
| Carrying out a cyberattack against the elements that constitute the national cyber power of the Republic of Turkey, or storing any data obtained as a result of such an attack in cyberspace. | Unless the act constitutes another offense requiring a heavier penalty: imprisonment from 8 to 12 years. |
| Disseminating, transmitting elsewhere, or offering for sale any data obtained as a result of a cyberattack against the elements that constitute the national cyber power of the Republic of Turkey. | Imprisonment from 10 to 15 years. |
| Aggravating circumstances. | If the offense is committed by a public official, penalties are increased by one-third; if committed by more than one person, penalties are increased by one-half; if committed within the framework of an organization's activities, penalties are increased by one-half to double. |
| Violation by personnel of the prohibitions set forth in the Cybersecurity Law. | Imprisonment from 3 to 5 years. |
| Abuse of powers and duties arising from the Cybersecurity Law, and causing a data breach by acting contrary to the requirements of duty in protecting critical infrastructures against cyberattacks. | Imprisonment from 1 to 3 years. |
| Failure to take measures prescribed by legislation for the protection of national security, public order, or the proper conduct of public services in the field of cybersecurity, and failure to promptly notify the Authority of vulnerabilities or cyber incidents detected in the service area. Failure to procure cybersecurity products, systems, and services to be used in public institutions and critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Authority. | Administrative fine from TRY 1,000,000 to TRY 10,000,000. |
| Failure to comply with the procedures and principles determined by the Authority regarding cybersecurity products, systems, software, hardware, and services, or failure to obtain the Authority's approval for exports. Failure of companies producing cybersecurity products, systems, software, hardware, and services to notify the Authority of mergers, demergers, or share transfers, or failure to obtain the Authority's approval for transactions granting direct or indirect control or decision-making authority over the company. | Administrative fine from TRY 10,000,000 to TRY 100,000,000. |
| Failure by entities subject to audits conducted by inspectors authorized by the Authority to make devices, systems, software, and hardware available for inspection within the prescribed timeframes, to provide the necessary infrastructure for inspection, or to take the necessary measures to keep them operational. | Administrative fine from TRY 100,000 to TRY 1,000,000. If the relevant obligations are not fulfilled by commercial companies, the applicable administrative fine shall not be less than TRY 100,000 and may amount to up to 5% of the gross sales revenue stated in their independently audited annual financial statements. |
The application of administrative fines shall be carried out as follows:
Before imposing an administrative fine, the concerned parties shall be requested to submit a defense.
If no defense is submitted within 30 days from the date of notification of the request, it shall be deemed that the concerned party has waived their right to defend.
If an offense requiring an administrative fine is committed more than once before an administrative enforcement decision is made, a single administrative fine shall be imposed on the relevant individual or legal entity, which may be increased up to twice the original amount. If the offense results in a benefit or causes damage, the administrative fine shall not be less than three times and not more than five times the value of that benefit or damage.
Administrative fines must be paid within one month from the date of notification.
Cybersecurity Products and Companies
Cybersecurity products, systems, software, hardware, and services must be produced in accordance with the procedures and principles determined by the Cybersecurity Authority, and the Authority’s approval must be obtained for exports.
Furthermore, mergers, demergers, or share transfers of companies producing cybersecurity products, systems, software, hardware, and services must be notified to the Cybersecurity Authority, and the Authority’s approval must be obtained for transactions granting direct or indirect control or decision-making authority over the company. Failure to obtain approval shall render these transactions invalid.
Conclusion and Assessment
Cyberattacks have the potential to harm a country’s IT systems, communication, energy, and transportation networks, as well as military and economic systems. For this reason, cyberspace—considered by some experts as the fifth domain after land, air, sea, and space—is regarded as an integral component of modern warfare that can affect all four physical domains. Consequently, cybersecurity holds critical importance for all individuals, states, and international organizations. Cyberattacks can impact large populations and disrupt state mechanisms.
Although various laws such as the Electronic Communications Law, the Electronic Signature Law, the Personal Data Protection Law, and the Turkish Penal Code contain provisions regarding cybersecurity, these regulations were scattered across separate instruments, and a comprehensive, standalone cybersecurity law in Turkey was therefore needed. The Cybersecurity Law and its secondary legislation now address this need and strengthen Turkey's legal protection in this area.
Given the broad scope of the Cybersecurity Law, many individuals, companies, and institutions have specific responsibilities. While future regulations may clarify these obligations further, the following practices and measures can be applied to avoid reputational damage or penalties:
(i) Raise awareness and compliance with obligations through in-house cybersecurity training.
(ii) Conduct a risk analysis of the company’s current cybersecurity infrastructure, identifying potential vulnerabilities, and take immediate corrective measures where necessary.
(iii) Prepare policies and procedures that act as a guide for employees, and regularly monitor compliance.
(iv) Due to the parallel provisions and penalties under the Cybersecurity Law and the Personal Data Protection Law, companies face dual audit and enforcement risks. Compliance efforts should include regular internal audits and penetration testing to detect possible violations early.
(v) Ensure that software, hardware, and network devices used are state-approved.