Cybersecurity Law No. 7545

The Cybersecurity Law No. 7545 ("the Law"), which was adopted by the Grand National Assembly of Türkiye on March 12, 2025, was published in the Official Gazette No. 32846 on March 19, 2025, and entered into force as of its publication date.

The Cybersecurity Law No. 7545 consists of 6 sections and 21 articles. In this study, the Law is examined in a "questions & answers" format, addressing its purpose, scope, fundamental principles, as well as the regulations concerning the Cybersecurity Directorate and Board, administrative and criminal sanctions, repealed and amended provisions, compliance requirements, and transitional provisions. These aspects are presented in an overview as follows.

 

  1. What is the Purpose of the Law?

 

  • Detection and elimination of existing and potential internal and external threats directed against all elements constituting the national power of the Republic of Türkiye in cyberspace,
  • Establishment of principles aimed at mitigating the possible impacts of cyber incidents,
  • Implementation of necessary regulations to protect public institutions and organizations, professional organizations with public institution status, natural and legal persons, as well as entities without legal personality, against cyberattacks,
  • Determination of strategies and policies to enhance the country's cybersecurity and regulation of the principles concerning the establishment of the Cybersecurity Board.

 

  2. What is the Scope of the Law? What are the Exemptions?

 

  • The Law covers public institutions and organizations, professional organizations with public institution status, natural and legal persons, as well as entities without legal personality that operate, conduct activities, or provide services in cyberspace.
  • Intelligence activities conducted under Law No. 2559, Law No. 2692, and Law No. 2803, as well as activities carried out pursuant to Law No. 2937 and Law No. 211, are outside the scope of the Cybersecurity Law No. 7545.

 

  3. What are the Fundamental Principles Envisaged in the Law for Ensuring Cybersecurity?

 

  • Cybersecurity is an integral part of national security.
  • The primary objective is to protect critical infrastructure and information systems while ensuring a secure cyberspace.
  • Cybersecurity efforts are conducted based on institutionalization, continuity, and sustainability.
  • Cybersecurity measures must be implemented throughout the entire lifecycle of services and products.
  • Priority is given to domestic and national products in cybersecurity-related efforts.
  • All public institutions, organizations, natural and legal persons are responsible for the implementation of cybersecurity policies and strategies, as well as for taking the necessary measures to prevent cyberattacks or mitigate their effects.
  • Accountability is essential in the execution of cybersecurity processes.
  • Cybersecurity policy and strategy development must follow a continuous improvement approach.
  • Efforts to enhance the capabilities and capacity of qualified human resources in the field of cybersecurity are encouraged.
  • The dissemination of cybersecurity awareness and culture across society is a key objective.
  • The rule of law, fundamental human rights and freedoms, and the protection of privacy are recognized as fundamental principles.

 

  4. What are the Duties of the Cybersecurity Directorate as Defined in the Law?

 

  • Carrying out the tasks specified in the relevant legislation.
  • Conducting activities to enhance the cybersecurity resilience of critical infrastructures and information systems, protecting them against cyberattacks, detecting cyberattacks, preventing potential attacks and mitigating or eliminating their impacts, conducting or commissioning vulnerability assessments, penetration tests, and risk analyses on assets, combating cyber threats, obtaining, generating, and sharing cyber threat intelligence, conducting malware analysis activities.
  • Identifying critical infrastructures, their associated institutions, and locations.
  • Ensuring the maintenance of an inventory of all assets, including data inventories of public institutions and critical infrastructures, and conducting risk analyses on these assets, implementing or enforcing security measures based on the criticality of the assets in public institutions and critical infrastructures.
  • Establishing, commissioning, and overseeing Cyber Incident Response Teams (CIRTs), determining and enhancing their maturity levels, conducting cybersecurity exercises to evaluate their cyber incident response capabilities, coordinating with cyber incident response teams from other countries, promoting and supporting the development of national cybersecurity solutions and intervention tools.
  • Regulating the procedures and principles that cybersecurity service providers must comply with.
  • Establishing, managing, or ensuring the establishment of necessary infrastructures to secure the cybersecurity of public institutions and critical public services, providing secure hosting services to public institutions through protected systems and infrastructures, defining the procedural and operational principles for these activities.
  • Developing cybersecurity standards, reviewing standards prepared by other organizations, providing opinions, approving and publishing them, and overseeing their implementation.
  • Conducting certification and testing processes for cybersecurity-related software, hardware, products, systems, and services, establishing, commissioning, and managing test infrastructures, coordinating with relevant institutions for the certification, authorization, and accreditation of cybersecurity professionals and companies.
  • Conducting cybersecurity audits and enforcing sanctions based on audit results.
  • Setting technical criteria and regulatory frameworks for cybersecurity products and services to be used in public institutions and critical infrastructures, as well as for companies providing these products and services, conducting or overseeing inspections of these entities, defining the qualifications required for auditing institutions, appointing auditing bodies and, when necessary, suspending or revoking their authorizations.

 

  5. Who is the Cybersecurity Board Composed Of?

The Cybersecurity Board consists of the President, Vice President, Minister of Justice, Minister of Foreign Affairs, Minister of Interior, Minister of National Defense, Minister of Industry and Technology, Minister of Transport and Infrastructure, Secretary-General of the National Security Council, Head of the National Intelligence Organization, President of the Defense Industry Agency, and the President of the Cybersecurity Directorate.

 

  6. What are the Regulations Introduced for Cybersecurity Products and Companies?

 

The export of cybersecurity products, systems, software, hardware, and services shall be carried out in accordance with the procedures and principles determined by the Cybersecurity Directorate. For the export of products subject to authorization under these procedures and principles, approval from the Cybersecurity Directorate shall be required.

Companies engaged in the production of cybersecurity products, systems, software, hardware, and services shall notify the Cybersecurity Directorate in the event of mergers, demergers, share transfers, or sales transactions. Transactions that grant direct or indirect control rights or decision-making authority over the company to natural or legal persons, individually or jointly, shall be subject to approval by the Cybersecurity Directorate.

 

  7. What are the Criminal Provisions and Administrative Fines Envisaged in the Law?

 

CRIMINAL PROVISIONS

OBSTRUCTION OF INFORMATION ACCESS: This penalty applies to individuals or entities who fail to provide or obstruct the retrieval of information, documents, software, data, or hardware requested by authorized authorities and audit officers within their duties and powers.
Punishment: Imprisonment of 1 to 3 years + Judicial fine ranging from 500 to 1,500 days

UNAUTHORIZED ACTIVITIES: This penalty applies to individuals or entities that operate without obtaining the necessary approval, authorization, or permits required under the applicable legislation.
Punishment: Imprisonment of 2 to 4 years + Judicial fine ranging from 1,000 to 2,000 days

BREACH OF CONFIDENTIALITY OBLIGATION: This penalty applies to individuals or entities that fail to fulfill their obligation to maintain confidentiality regarding information they are legally required to protect.
Punishment: Imprisonment of 4 to 8 years

DATA BREACH AND UNAUTHORIZED DISCLOSURE: This penalty applies to individuals or entities who, due to a data leak in cyberspace, make personal data or institutional data classified as critical public service information accessible, share, or offer it for sale, either for free or for a fee, without the consent of the individuals or institutions concerned.
Punishment: Imprisonment of 3 to 5 years

DISRUPTION OF CYBER DEFENSE: This penalty applies to individuals or entities who carry out cyberattacks against elements constituting the national cyber power of the Republic of Türkiye or who store, disseminate, transfer, or offer for sale any data obtained as a result of such attacks in cyberspace.
Punishment: If the act does not constitute a more severe offense, imprisonment of 8 to 12 years shall be imposed. Those who disseminate, transfer, or offer for sale the obtained data shall be sentenced to imprisonment of 10 to 15 years.

CREATING AND DISTRIBUTING MISLEADING CONTENT: This penalty applies to individuals who publish or disclose information, documents, and other data obtained through the duties and activities of the Cybersecurity Directorate, except in cases where authorized by the Directorate. The penalty is applicable when the data is disseminated through radio, television, internet, social media, newspapers, magazines, books, and other media channels, including any form of written, visual, auditory, or electronic mass communication tools.
Punishment: Imprisonment of 3 to 5 years

MISUSE OF PUBLIC DUTY: This penalty applies to individuals who misuse their duties and powers arising from this Law or who act contrary to the requirements of their duties in protecting critical infrastructures against cyberattacks, thereby causing a data breach.
Punishment: Imprisonment of 1 to 3 years

 

 

 

ADMINISTRATIVE FINES

Violation: Failure to obtain the required approval from the Cybersecurity Directorate, as specified in Article 18 of the Law.
Administrative fine ranging from TRY 10 million to TRY 100 million.

Violation: Failure to take the necessary measures prescribed by the legislation for the proper implementation of national security, public order, or public services related to cybersecurity; failure to report vulnerabilities or cyber incidents identified in their area of service to the Cybersecurity Directorate without delay; and failure to procure cybersecurity products, systems, and services for public institutions and critical infrastructures from cybersecurity experts, manufacturers, or companies authorized and certified by the Directorate.
Administrative fine ranging from TRY 1 million to TRY 10 million.

Violation: Failure to keep the relevant devices, systems, software, and hardware available for inspection within the given timeframes; failure to provide the necessary infrastructure for inspection; and failure to take the required measures to ensure that they are maintained in working order.
Administrative fine ranging from TRY 100,000 to TRY 1 million.

 

  8. What are the Regulations Amended and Repealed by the Law?

 

  • The Cybersecurity Directorate President will be considered equivalent to the Undersecretary of the Ministry in terms of financial, social rights, and retirement benefits, within the framework specified in this paragraph.
  • The Cybersecurity Directorate has been brought under the scope of Law No. 5018.
  • The authority of the Information Technologies and Communications Authority, under the provisions of Article 10, Paragraph 6 of Law No. 5651, to carry out activities related to the detection and prevention of cyberattacks within national cybersecurity operations has been terminated.
  • The Turkish Ministry of Transport and Infrastructure's authority to determine policies, strategies, and objectives for ensuring national cybersecurity, establish procedures and principles for ensuring cybersecurity for public institutions, organizations, and individuals, prepare action plans, coordinate relevant activities, identify critical infrastructures and their associated institutions and locations, establish, commission, and oversee necessary intervention centers, develop and promote the production of cyber intervention tools and national solutions, and carry out efforts to raise awareness, education, and consciousness on cybersecurity, as well as to establish procedures for individuals and organizations in the cybersecurity sector to follow, has been terminated.
  • The Information Technologies and Communications Authority's authority to take and enforce all necessary measures to protect public institutions, organizations, and individuals from cyberattacks and to provide deterrence against such attacks has been removed.
  • The articles in Law No. 5809 regarding the Cybersecurity Board have been repealed.

 

  9. What are the Compliance and Transition Provisions Envisaged in the Law?

  • The Information Technologies and Communications Authority and the Digital Transformation Office will transfer all their movable and immovable assets, IT infrastructure, systems, debts and receivables, as well as rights and obligations related to national cybersecurity activities to the Cybersecurity Directorate within six months.
  • Personnel working in the national cybersecurity field may be assigned to the Cybersecurity Directorate upon request, if deemed appropriate. Those who are considered suitable will be assigned to new positions within nine months, taking into account their current titles and educational status. During this process, their service periods in previous institutions will be preserved, and their financial rights will continue according to the previous legislation. Personnel appointed from the Digital Transformation Office will not receive any compensation or annual leave pay according to labor law, but their previous service periods will be considered in the calculation of severance pay.
  • Contracts related to cybersecurity activities, ongoing lawsuits, and enforcement proceedings will be transferred to the Cybersecurity Directorate once personnel appointments are completed.
  • Associations, federations, foundations, and commercial companies working in the field of cybersecurity must complete the certification and authorization processes determined by the Cybersecurity Directorate within one year. Entities that fail to fulfill these obligations may have their legal entities dissolved by a court decision, and companies will be required to remove cybersecurity from their business activities or enter a liquidation process.
  • Detailed regulations regarding the implementation of Cybersecurity Law No. 7545 will be enacted within one year, and during this period, existing regulations will continue to be applied as long as they do not conflict with it.

The Law entered into force on the date it was published in the Official Gazette.
 

You can access the full text of the Law (in Turkish) here.

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr

 

 
