The Requirements and Sanctions Under Cyber Security Law No. 7545 in Turkey
- Av. Furkan Mert Özkaynak
- Mar 2
- 6 min read
Abbreviations
Abbreviations | Description |
CSL | Cyber Security Law No. 7545 |
Art. | Article |
Directorate | Cybersecurity Directorate |
TL | Turkish Lira |
Introduction
The Cyber Security Law No. 7545 in Turkey (the “CSL”) entered into force on March 19, 2025 in Turkey, upon its publication in the Official Gazette No. 32846. The purpose of the CSL is to prepare private individuals and public institutions in Turkey for cyber-attacks that may occur internally or externally (CSL Art. 1). To achieve this purpose, the CSL imposes various obligations on the persons and institutions covered by it and establishes the Cybersecurity Directorate (“Directorate”).
Scope of the CSL: Almost Everyone Engaged in Digital Activities in Turkey
The CSL covers almost everyone who operates in an environment consisting of all information systems directly or indirectly connected to the internet, electronic communications, or computer networks, as well as the networks connecting them, that is, those who exist in cyberspace (CSL Art. 3/1/i; 2/1). Only intelligence activities are excluded from the scope of the CSL (CSL Art. 2/2).
Cybersecurity Directorate
The most important duty of the Directorate established by the CSL concerning private individuals is to determine whether obligations related to cybersecurity are being complied with and to impose sanctions in the event of a violation (CSL Art. 5/h; 8).
In addition, the Directorate is also responsible for making secondary regulations related to cybersecurity. However, as of the date of writing this article, the Directorate established by Presidential Decree No. 177, which entered into force on January 8, 2025, has not issued any regulations. The existence of Presidential Decree No. 192, which amended Presidential Decree No. 177 and entered into force on December 25, 2025, and the fact that secondary regulations have not yet been implemented, indicate that the Directorate has not yet fully commenced its activities.
Obligations Imposed by the Act and Fines to be Applied in Case of Non-Compliance
The CSL introduces various obligations that may also apply to companies (CSL Art. 7/1; 18). Violations of certain obligations may result in heavy fines of up to 100 million TL or, 5% of the company's turnover or, 3 – 5 years of imprisonment.
Violation | Sanction |
Failure to provide information, documents, software, data, and hardware requested by the competent authorities within the scope of CSL. | Imprisonment 1 – 3 years And Judicial Fine 500 – 1,500 days |
Commencing operations without the approvals, authorizations, or permits deemed necessary by CSL. This obligation applies to cybersecurity companies (CSL 7/1/ç; 18). | Imprisonment 2 – 4 years And Judicial Fine 1,000 – 2,000 days |
Abusing the duties and powers granted by CSL, or causing a data breach by acting contrary to the requirements of one's duties in the context of protecting critical infrastructure against cyberattacks. | Imprisonment 1 – 3 years
|
Failure to take the anticipated measures regarding cybersecurity and failure to report identified vulnerabilities or incidents | Administrative Fine 1.000.000 – 10.000.000 TL |
Not purchasing cyber security products, systems, and services to be used in public institutions and organizations and critical infrastructure from authorized and certified cyber security experts, manufacturers, and companies. | Administrative Fine 1.000.000 – 10.000.000 TL |
Failure to report or obtain approval from the Directorate for transactions and operations related to cybersecurity products and companies | Administrative Fine 10.000.000 – 100.000.000 TL |
Those subject to inspection fail to keep the relevant devices, systems, software, and hardware available for inspection within the specified timeframes, fail to provide the necessary infrastructure for inspection, or fail to take the necessary measures to keep them operational. | Administrative Fine 100.000 – 1.000.000 TL Or Administrative Fine (if the violation was committed by a commercial company) 100.000 TL – 5% of the Company's turnover in the previous year |
Unauthorized sale or making available of data obtained following a data breach | Imprisonment 3 – 5 years |
Creating or disseminating false content about a data breach related to cybersecurity with the intent to cause anxiety, fear, or panic among the public, or to target organizations or individuals, despite knowing that no data breach has occurred. | Imprisonment 2 – 5 years |
Disclosure of information subject to confidentiality obligations obtained in the course of activities carried out by the Directorate. | Imprisonment 4 – 8 years
|
Committing a cyber-attack against the Republic of Turkey or possessing any data obtained as a result of such an attack. | Imprisonment 8 – 12 years Or Imprisonment 10 – 15 years (If the data is distributed) |
Employees working at the Directorate may not take on any role or engage in any activity in the field of cybersecurity without the permission of the Directorate within two years of leaving their position, nor may they publish or disclose any information, documents, or data obtained in the course of their duties at the Directorate without the permission of the Directorate. | Imprisonment 3 – 5 years
|
The penalty imposed for crimes punishable by imprisonment and judicial fine shall be increased by one-third if the crime is committed by a public official, by half if committed by more than one person, and by up to twice the amount if committed within the framework of an organization's activities. (CSL Art. 16/7)
Auditing Procedure
The Cyber Security Directorate may audit any act or transaction falling within the scope of the SGK in matters related to its duties; for this purpose, it may conduct or arrange for on-site inspections. (CSL Art. 8/1)
Those assigned to conduct audits are authorized, within the scope of their audit activities, to examine data, documents, electronic infrastructure, devices, systems, software, and hardware in electronic environments; to take copies, digital images, or samples thereof; to request written or verbal explanations related to the matter; to prepare the necessary records; and to examine facilities and operations. Those subject to audit are required to keep the relevant devices, systems, software, and hardware accessible for audit within the specified timeframes, provide the necessary infrastructure for the audit, and take the necessary measures to keep them in working order. (CSL Art. 8/4)
For the purposes of national security, public order, the prevention of crimes, or the prevention of cyberattacks, searches may be conducted in residences, workplaces, and non-public closed areas upon a judge's decision or, in cases where delay is prejudicial, upon the written order of a public prosecutor. Furthermore, copying and seizure processes may be carried out in a continuous manner that does not cause long-term service disruption. A duplicate of the extracted copy shall be delivered to the relevant person, and this matter shall be recorded in a report and signed. To perform these actions, reasonable grounds must be demonstrated along with their justifications. Searches, copying, and seizure processes conducted without a judge's decision shall be submitted for the approval of the authorized judge within 24 hours. The judge shall announce their decision within 48 hours; otherwise, the extracted copies and transcribed texts shall be immediately destroyed, and the seizure shall be automatically lifted. In the data centers of authorized data center operators, searches, copying, and seizure processes may only be performed via a judge's decision. Regarding requests falling within the scope of this paragraph, the Ankara Criminal Court of Peace is authorized and has jurisdiction. However, a judge's decision is not required for public institutions and organizations. (CSL Art. 8/5)
Procedure for Imposing Administrative Fines
The defense of the relevant party shall be obtained prior to the imposition of administrative fines. In the event that a defense is not submitted within 30 days from the notification date of the request for defense, the relevant party shall be deemed to have waived its right to defense. (CSL Art. 17/1)
In the event it is determined that one of the violations defined in the CSL has been committed multiple times until an administrative sanction decision is rendered, a single administrative fine shall be imposed on the relevant natural or legal person, and the fine to be imposed shall be applied by being increased, not to exceed twofold. (CSL Art. 17/2)
In cases where a benefit is obtained or a loss is caused due to the violation, the amount of the administrative fine to be imposed shall not be less than three times, nor more than five times, the amount of said benefit or loss. (CSL Art. 17/2)
Administrative fines imposed by the Directorate shall be paid within 1 month from the date of notification. (CSL Art. 17/3)
An application for administrative judicial review (administrative litigation) may be filed against decisions regarding administrative fines issued pursuant to the CSL. (CSL Art. 17/5)
Conclusion
The Cybersecurity Law No. 7545 entered into force on March 19, 2025, and prior to the publication of the Law, the Cybersecurity Directorate was established on December 25, 2025, via Presidential Decree No. 177. In our opinion, the Directorate is currently in its organizational phase and has not yet begun exercising the regulatory powers derived from the CSL.
Nevertheless, it is advisable to prepare in advance for potential regulations and audits likely to occur in the future. Indeed, the CSL prescribes severe penalties in the event of certain violations.