Cyber Security Law Proposal Adopted by the Turkish Grand National Assembly

The Cyber Security Law Numbered 7545 (the Law) was adopted by the Turkish Grand National Assembly (TBMM) on March 12, 2025. The Law establishes a comprehensive legal framework to strengthen Turkiye’s cyber security and detect and eliminate threats.

The key regulations introduced by the Law are summarized below:

• The Law covers public and private legal entities operating in cyberspace. However, intelligence activities carried out by the National Intelligence Organization (MIT), as well as those conducted under the Police Department, Gendarmerie General Command, Turkish Armed Forces, and Coast Guard Command, are excluded from the scope of this regulation.
• Establishing the Cyber Security Presidency (the Presidency) has been approved. The Presidency is responsible for increasing the cyber resilience of critical infrastructures and information systems, preventing and detecting cyber-attacks. Additionally, the Presidency is tasked with establishing, having established, and supervising Cyber Incident Response Teams (SOME), determining cyber security standards and monitoring compliance.
• Establishing the Cyber Security Board (the Board) has been approved. The Board is responsible for making decisions on strategies, action plans, and regulatory actions, identifying critical infrastructure sectors, and determining priority areas for incentives in cyber security.
• The Law stipulates that personal data must be processed lawfully, accurately, and in an up-to-date manner, collected for specific purposes, and stored proportionately. Personal data and trade secrets must be automatically deleted, destroyed, or anonymized when the reasons for access cease to exist.
• Strict sanctions for cyber security violations have been introduced. Violations of confidentiality obligations, unauthorized disclosure of personal or corporate data, dissemination of leaked data, creating public concern, fear, or panic even in the absence of a data breach, and failure to obtain necessary authorizations are subject to criminal fines and imprisonment of up to 15 years. Failure to take necessary precautions or obstruction of audit processes is subject to administrative fines of up to 100 million TL. Commercial companies subject to audit and fail to take necessary measures during inspections will face administrative fines of up to 5% of their annual gross revenue.
• The sale of cyber security products, systems, software, hardware, and services abroad is subject to approval by the Presidency.