The Cybersecurity Law No. 7545, Turkey’s first comprehensive and binding regulation on cybersecurity, entered into force on March 19, 2025. The Law introduces technical and administrative obligations for both public and private sector entities, elevating cybersecurity from a purely technical issue to a matter of corporate responsibility.
1. Introduction and General Framework of the Law
Cybersecurity has transcended being merely a technical matter and has become a critical field for the protection of public order, economic stability, and fundamental rights. With the widespread use of digital infrastructures, cyberattacks targeting information systems have reached a scale that may directly affect the security of individuals, institutions, and states. In parallel, numerous national and international legal and technical frameworks have been adopted to keep pace with these developments, and new legislative initiatives continue to be introduced.
In this context, the Cybersecurity Law No. 7545 (“Law”), published in the Official Gazette dated 19 March 2025 and numbered 32846, entered into force as the first comprehensive and binding legal instrument on cybersecurity in Türkiye. The Law imposes various technical and administrative obligations on all actors operating within both the public and private sectors.
The Law primarily aims to establish a common language in practice by clarifying key concepts. The Law defines the following terms:
- "Cybersecurity" refers to all activities aimed at protecting the confidentiality, integrity, and availability of information systems.
- "Cyberspace" refers to the environment created by digital systems and their users.
- "Cyber incident" refers to any threat or intervention targeting information systems.
The scope of the Law is notably broad, covering public institutions and organizations, professional bodies with a public legal status, as well as natural and legal persons, including unincorporated entities, that operate or provide services within cyberspace.
Pursuant to the Law, the Cybersecurity Authority (“Authority”) has been established under the Presidency and has been granted regulatory, supervisory, risk analysis, and coordination powers. Additionally, the Cybersecurity Board (“Board”), tasked with determining national strategies and sectoral priorities, has also been reactivated.
The technical criteria that will guide implementation, audit procedures, and the details of certain obligations have not yet been determined. Secondary legislation addressing these aspects is expected to be issued within one year following the Law’s entry into force. This transitional period must therefore be closely monitored by companies to ensure their technical and managerial structures are duly aligned with the Law.
2. Main Obligations for Companies
Under Article 7 of the Law, legal entities that provide services or process data through information systems are subject to a broad set of responsibilities, ranging from technical infrastructure to administrative procedures.
- Obligation to Provide Information and Documents: Companies are required to submit any information, documents, data, and digital materials requested by the Authority in a timely and complete manner.
- Cybersecurity Measures and Incident/Vulnerability Reporting: Public institutions must take the necessary cybersecurity measures to safeguard national security, public order, and the continuity of public services, and promptly notify the Authority of any security incidents or vulnerabilities identified within their area of service.
- Cooperation with the Authority: Companies are obliged to implement the measures stipulated in the policies, strategies, and action plans developed by the Authority and to cooperate when required. This obligation also includes making an effective contribution to the coordination of national cybersecurity efforts.
- Use of Certified Products and Employment of Experts: Public institutions and organizations operating in critical infrastructure sectors are required to procure cybersecurity products and services exclusively from individuals or companies authorized by the Authority. The export of cybersecurity products, systems, software, hardware, and related services is subject to the prior approval of the Authority. Companies developing such products and services must notify the Authority in the event of mergers, demergers, share transfers, or sales. Where such transactions result in sole or joint control or decision-making authority over the company, prior approval of the Authority must be obtained.
- Prohibition of Unauthorized Activities: Companies seeking to engage in cybersecurity activities within areas subject to certification or authorization must obtain prior approval from the Authority before commencing operations. Otherwise, they will be subject to sanctions for unauthorized activities.
- Compliance Obligation: Companies are required to act in compliance with the principles, security standards, and regulatory documents to be published by the Authority.
- Audit Availability: The Authority may, when deemed necessary, audit the information systems and security measures of companies with respect to any acts or transactions falling under Article 8 of the Law. Furthermore, for reasons of national security, public order, or the prevention of cybercrime, searches, copying, and seizures may be conducted in private premises (such as residences, workplaces, and non-public areas) under certain conditions—either by court order or, in cases of urgency, by written order of the public prosecutor. For public institutions and organizations, a court order will not be required; however, for authorized data center operators, such actions may only be carried out with a court order. Following such audits, the Authority may require companies to remedy identified deficiencies and implement additional security measures.
3. Liabilities and Sanctions
The Law not only imposes technical and compliance obligations but also establishes significant sanctions applicable to institutions, company executives, and other natural persons. These sanctions, which may be criminal or administrative in nature, vary depending on the characteristics of the relevant act.
Criminal provisions and administrative fines are regulated under Article 16 of the Law. Accordingly, those who fail to provide the information, documents, hardware, or software requested by the Authority or who obstruct audits shall be subject to imprisonment ranging from one to three years. Those engaging in activities without obtaining the necessary permits or authorizations may be subject to imprisonment ranging from two to four years.
As for administrative fines, companies that violate the provisions of the Law may be liable to an administrative fine ranging from one million to ten million Turkish lira per violation.
Article 17 of the Law sets out the procedures for imposing administrative fines. An administrative fine cannot be imposed without obtaining the defense of the relevant person or entity; however, if the defense is not submitted within thirty days, this right shall be deemed waived. In cases where the same offense is committed repeatedly, the fine may be increased, and if the act causes damage or results in a benefit, the fine may be determined at three to five times the amount of such damage or benefit. Decisions imposing administrative fines may be appealed before the administrative courts.
Taken together, these provisions establish a liability regime that reaches not only the technical infrastructure of companies but also their managerial processes. It is therefore of critical importance for executives to duly fulfill their duty of care regarding the company’s cybersecurity obligations in order to avoid exposure to potential sanctions.
4. Conclusion and Compliance Recommendations
The Law requires a fundamental change in companies' approach to cybersecurity. Cybersecurity has expanded beyond the responsibilities of technical teams alone and has become a critical compliance matter that must be overseen strategically by the board of directors. The regulations introduced by the Law require companies to be prepared not only against cyberattacks but also for inspections and audits conducted by public authorities. Accordingly, until secondary legislation is enacted, it is crucial for companies to take proactive measures and develop a risk-based security strategy.
To prevent or mitigate risks in practice, companies should first:
- Review their internal operational audit processes and identify any gaps regarding regulatory compliance. It is recommended to develop comprehensive checklists that regularly assess compliance and monitor all corporate and managerial processes accordingly.
- Prepare and maintain an up-to-date cybersecurity incident response plan that clearly defines internal responsibilities, emergency action protocols, and technical and communication procedures, ensuring rapid and appropriate responses to potential security vulnerabilities or incidents.
- Maintain an up-to-date inventory of IT assets, including hardware, software, and information systems, with particular attention to monitoring critical systems.
- Conduct regular penetration tests on information systems and establish a log management infrastructure to ensure internal security and to demonstrate technical adequacy during potential audits by the Authority.
- Provide regular cybersecurity awareness training for all employees, measuring participation and effectiveness, to ensure that every department is adequately prepared for potential audits.
- Assess suppliers and third-party service providers in terms of cybersecurity obligations and explicitly define these obligations in contracts.
- Appoint a dedicated officer responsible for monitoring compliance with cybersecurity regulations and liaising with the Authority, to ensure the effective implementation of necessary processes.
- Periodically report cybersecurity compliance status to the board of directors, which is critical for early risk detection and timely preventive action.
Implementing these measures will reduce both operational and legal risks for companies.
It should be emphasized that, since the precise implementation details have not yet been finalized, secondary regulations and audit practices issued by the Authority will determine the system’s boundaries and the interpretation of relevant provisions. Therefore, during this period of uncertainty, companies must proactively review their preparations to ensure timely and effective compliance with the Law’s requirements.
The responsibilities introduced by the Law should be viewed not merely as obligations but also as opportunities to strengthen corporate security, reduce reputational risks, and enhance financial stability and corporate value. Accordingly, companies that manage their cybersecurity processes systematically, as they did with personal data protection, will not only fulfill their legal obligations but also preserve long-term competitive advantage and increase their corporate value. Otherwise, companies caught unprepared may incur costs beyond administrative fines, including audit findings, reputational damage, and operational disruptions, which could result in significantly more severe consequences.
Eylül Bengisu Gümüş, Senior Associate
Nejan Yılmaz, Associate