ADMINISTRATIVE SANCTIONS UNDER THE NEW CYBERSECURITY LAW

1. Introduction

With digitalization, cybersecurity has become a critical priority for both the public and private sectors. Updated regulations impose specific obligations on institutions and foresee severe administrative sanctions in case of violations. In addition to the existing legal framework, the Cybersecurity Law Proposal addresses administrative sanctions within a broader scope and introduces new compliance requirements across various sectors.

The Cybersecurity Law Proposal was officially accepted by the Turkish Grand National Assembly (TBMM) on March 12, 2025, becoming legally binding. This new law includes necessary regulations to protect public institutions, professional organizations, private entities, and non-incorporated organizations against cyberattacks. It also aims to strengthen the country’s cybersecurity by establishing comprehensive strategies and policies.

With the enactment of this law, all private sector companies, particularly those with digital infrastructure, will be required to enhance their cybersecurity measures and comply with the specified regulations.

2. Key Objectives of the Cybersecurity Law

The proposed law aims to strengthen cybersecurity by establishing a more comprehensive legal framework. Its key objectives include:

  • Identifying and preventing cybersecurity threats,
  • Enhancing cyber resilience in both public and private sectors,
  • Standardizing incident response procedures,
  • Strengthening regulatory oversight and enforcement mechanisms,
  • Protecting critical infrastructure and increasing deterrence against cyberattacks.

To achieve these objectives, the law introduces new regulatory bodies such as the Cybersecurity Council and the Cybersecurity Authority, aiming to improve coordination and oversight in cybersecurity matters.

3. Proposed Administrative Sanctions

The proposed law outlines various administrative fines and penalties for individuals and entities that fail to comply with cybersecurity regulations. The key provisions include:

3.1. Failure to Share Information and Obstruction of Audits

Failure to provide requested data, documents, and records to the competent authorities or obstructing cybersecurity audits may result in imprisonment from 1 to 3 years and substantial administrative fines.

3.2. Operating Without Necessary Authorization

Entities engaging in cybersecurity-related activities without obtaining the required licenses or approvals may face imprisonment from 2 to 4 years along with administrative penalties.

3.3. Negligence in Protecting Critical Infrastructure

Organizations responsible for critical infrastructure that fail to implement adequate cybersecurity measures may face imprisonment from 1 to 3 years in addition to significant administrative fines.

3.4. Unauthorized Data Disclosure and Breaches

  • Unauthorized disclosure of personal or corporate data may lead to imprisonment from 3 to 5 years.
  • If cybercriminals obtain and distribute stolen data, the sentence can be increased up to 10 years.
  • Creating false perceptions of a data breach for the purpose of misleading the public may result in 2 to 5 years of imprisonment.

3.5. Administrative Fines

The proposed law introduces high-value administrative fines for non-compliance:

  • Organizations failing to implement cybersecurity measures may face fines ranging from 1 million TL to 10 million TL.
  • Companies failing to comply with audit requirements may be fined between 1% of their annual revenue and 20% of their pre-tax profit, subject to independent financial review.

4. Compliance and Recommended Measures

To ensure compliance and avoid administrative sanctions, organizations should take proactive measures, such as:

  • Conducting regular cybersecurity audits,
  • Establishing incident response plans,
  • Enhancing employee awareness through cybersecurity training,
  • Ensuring timely reporting of security incidents,
  • Implementing secure and compliant technology solutions.

5. Conclusion

The Cybersecurity Law will lead to stricter oversight and more severe penalties in the field of cybersecurity. Organizations must take the necessary steps to align with the updated requirements and mitigate legal risks.

As the Cybersecurity Law proposal is enacted, it introduces a binding legal framework for both public and private sector entities. Unlike previous regulations that primarily focused on state institutions and critical infrastructure, this law will extend its scope to private businesses, service providers, and corporate IT departments.

Companies operating in Turkey must be prepared for stricter cybersecurity obligations and potential administrative sanctions. Compliance with the new regulations will be crucial to mitigate legal and financial risks. As the legislative process progresses, businesses should follow updates closely and take necessary steps to ensure readiness.

 

Ezginaz Çalışır

Attorney At Law