LAW NO. 7545 ON CYBER SECURITY
With the integration of technology into every aspect of life, cyber threats have become a serious national security issue, leading states to assign a special place to cybersecurity in their strategic security policies. In line with this need, Türkiye has enacted Law No. 7545 on Cyber Security ("the Law") with the aim of detecting and neutralizing threats to national security in cyberspace, protecting the public and private sectors against cyber-attacks, establishing principles to mitigate the potential impacts of cyber incidents, and developing strategies and policies to enhance cybersecurity nationwide. The Law was adopted on 12 March 2025, and entered into force upon its publication in the Official Gazette No. 32846 on 19 March 2025.
The Cyber Security Law establishes binding responsibilities on all actors, including the public and private sectors, in ensuring the security of Türkiye’s cyberspace. It provides a comprehensive legal framework encompassing not only technical measures but also institutional oversight and criminal sanctions. Article 4 of the Law, published in the Official Gazette No. 32846 on 19 March 2025, under the title “Fundamental Principles,” emphasizes that cybersecurity is an integral part of national security, and adopts a governance approach based on the protection of critical infrastructures, institutionalization, continuity, and sustainability principles. Furthermore, the Law clearly stipulates the application of security measures throughout the entire lifecycle of products and services, prioritizing domestic and national solutions, and assigns the responsibility for taking necessary precautions to all public institutions, as well as natural and legal persons. Special emphasis is also placed on principles such as accountability, continuous improvement, enhancing the capacity of qualified human resources in cybersecurity, promoting cybersecurity culture across society, and respecting for privacy and fundamental rights.
Article 7 of the Law imposes significant responsibilities on all individuals and legal entities providing services through information systems and mandates institutional cooperation in ensuring cybersecurity. Accordingly, persons and entities within this scope are obliged to provide any data, information, documents, software, and hardware requested by Cyber Security Presidency “the Presidency”, in accordance with its duties and activities, on a priority and timely basis. Furthermore, they are required to immediately report any identified cybersecurity vulnerability or incidents in the area they serve to the Directorate. All cybersecurity products, systems, and services used by public institutions and critical infrastructures must be procured exclusively from individuals or entities authorized by the Directorate. Additionally, companies subject to certification and authorization processes must obtain official approval from the Presidency before commencing their operations, which is another legal obligation In this context, the implementation of the strategy, action plan, and other regulatory measures developed by the Presidency, as well as the adoption of necessary precautions, are the responsibilities of all relevant actors. The Law thus not only imposes individual obligations but also underlines the importance of public coordination, foreseeing the establishment of a continuous cooperation mechanism among the Presidency, public institutions, the private sector, and other organizations.
Pursuant to Article 8 of the Law, the oversight dimension demonstrates that cybersecurity will be supported not only through notifications and obligations but also through effective supervision and sanctions. Under Article 8, the Presidency is empowered to conduct on-site or remote inspections when necessary and to audit IT infrastructures, data, software, and hardware. The audit process may be carried out not only by Presidency personnel but also by authorized independent auditors and audit institutions. In this context, the entities and individuals subject to audit are required to keep their systems ready for audit and to provide the necessary technical infrastructure. Moreover, in cases where delay may be detrimental due to national security or public order concerns, search and seizure procedures may be carried out upon a written order from the public prosecutor, with judicial approval to be obtained subsequently. Notably, the provision that exempts public institutions from requiring a court order creates a legally debatable area, particularly concerning the delicate boundary that must be carefully preserved between judicial and administrative oversight. Meanwhile, the requirement that the auditing process be programmed based on priority and risk principles aims to ensure that the Presidency’s supervisory activities are conducted based on measurable and objective criteria, avoiding arbitrariness. These provisions reflect a modern audit approach that prioritizes not only security but also accountability.
Article 16 of the Law sets out in detail the criminal sanctions to be imposed in cases of violations of cybersecurity obligations and aims to enhance deterrence in this field. Those who fail to provide information or documents to authorized bodies are subject to imprisonment from one to three years along with a judicial fine. Individuals who engage in unauthorized cybersecurity activities are punished with imprisonment ranging from two to four years. In cases of breach of confidentiality obligations, the penalty is imprisonment from four to eight years while the illegal disclosure, sharing, or sale of personal data or institutional data related to critical public services is punishable by imprisonment from three to five years. Moreover, those who knowingly disseminate or create false content regarding non-existent cyber data leaks to incite public fear or panic may face imprisonment from two to five years. Individuals who conduct cyberattacks targeting elements constituting the national cyber power of the Republic of Türkiye —or who retain the data obtained from such attacks in cyberspace— are sentenced to imprisonment from eight to twelve years, unless the act constitutes a more serious offense. If the obtained data is disseminated, transferred, or offered for sale, the penalty may increase to ten to fifteen years. Furthermore, the penalties are increased by one-third if committed by public officials, by half if committed by more than one person, and by up to double if committed within the scope of an organized group. These provisions underscore that cybersecurity is no longer solely a technical field, but one that entails profound legal obligations and accountability.
Conclusion
In today’s rapidly digitalizing world, cybersecurity has transcended its traditional boundaries as a purely technical concern and emerged as a critical pillar in safeguarding public order, national security, and fundamental rights. Law No. 7545 on Cybersecurity establishes extensive obligations, rigorous oversight mechanisms, and significant criminal liabilities on all relevant actors, including both public and private entities. Moving forward, the reinforcement of this legal framework through secondary legislation and its consistent implementation in practice will be pivotal for achieving sustainable success in cybersecurity.