Cyber Security Law Proposal Adopted by the Turkish Grand National Assembly
The Cyber Security Law Numbered 7545 (the Law) was adopted by the Turkish Grand National Assembly (TBMM) on March 12, 2025. The Law establishes a comprehensive legal framework to strengthen Turkiye’s cyber security and detect and eliminate threats.
The key regulations introduced by the Law are summarized below:
- The Law covers public and private legal entities operating in cyberspace. However, intelligence activities carried out by the National Intelligence Organization (MIT), as well as those conducted under the Police Department, Gendarmerie General Command, Turkish Armed Forces, and Coast Guard Command, are excluded from the scope of this regulation.
- Establishing the Cyber Security Presidency (the Presidency) has been approved. The Presidency is responsible for increasing the cyber resilience of critical infrastructures and information systems, preventing and detecting cyber-attacks. Additionally, the Presidency is tasked with establishing, having established, and supervising Cyber Incident Response Teams (SOME), determining cyber security standards and monitoring compliance.
- Establishing the Cyber Security Board (the Board) has been approved. The Board is responsible for making decisions on strategies, action plans, and regulatory actions, identifying critical infrastructure sectors, and determining priority areas for incentives in cyber security.
- The Law stipulates that personal data must be processed lawfully, accurately, and in an up-to-date manner, collected for specific purposes, and stored proportionately. Personal data and trade secrets must be automatically deleted, destroyed, or anonymized when the reasons for access cease to exist.
- Strict sanctions for cyber security violations have been introduced. Violations of confidentiality obligations, unauthorized disclosure of personal or corporate data, dissemination of leaked data, creating public concern, fear, or panic even in the absence of a data breach, and failure to obtain necessary authorizations are subject to criminal fines and imprisonment of up to 15 years. Failure to take necessary precautions or obstruction of audit processes is subject to administrative fines of up to 100 million TL. Commercial companies subject to audit and fail to take necessary measures during inspections will face administrative fines of up to 5% of their annual gross revenue.
- The sale of cyber security products, systems, software, hardware, and services abroad is subject to approval by the Presidency.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The European Union Cyber Resilience Act (the CRA), which significantly changes cybersecurity requirements for products with digital components, entered into force on December 10, 2024. This regulation aims to enhance the security of digital products and introduces new obligations for manufacturers, distributors, and importers...
The Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy, and the Rule of Law (CETS No. 225) (Framework Convention) was opened for signature at a conference of Council of Europe Ministers of Justice in Vilnius, Lithuania...
Regulations on Social Media and Internet Contents Through Law No. 7253
The Regulation on the Amendment to the Regulation on Commercial Communication and Commercial Electronic Messages (“Regulation”) entered into force through publication in the Official Gazette dated 28.08.2020 and numbered 31227...
Pursuant to the Regulation on Commercial Communication and Commercial Electronic Messages, the real and legal persons (“Service Provider”) who would like to send commercial electronic messages shall register with the Message Management System and upload previously collected opt-in consents of commercial...
The deadline to register and upload existing consents to the Message Management System (IYS) is postponed through the Public Statement dated 30.11.2020 which is published in the website of Ministry of Trade. Previously, the deadline to register and upload obtained opt-in consents to the Message Management...
European Commission Proposed the Digital Markets Act to the European Parliament