
Türkiye's New Cybersecurity Law No. 7545: Scope, Principles and What It Means for Foreign Businesses

Türkiye's Cybersecurity Law No. 7545, the country's first stand-alone cybersecurity statute, has been in force since 19 March 2025. It treats cybersecurity as part of national security, puts one regulator in charge, and reaches foreign companies based on what they do in Turkish cyberspace, not where they are incorporated. This guide explains who is covered, the core principles, the new Cybersecurity Presidency, the duties that now apply to foreign-owned businesses, and the criminal and administrative penalties, which run up to 100 million TL or 5% of annual gross sales revenue.

What Law No. 7545 Is and Why It Matters

Law No. 7545 (Siber Güvenlik Kanunu) was adopted on 12 March 2025 and took effect on 19 March 2025, the day it was published in the Official Gazette (No. 32846). It is Türkiye's first comprehensive, stand-alone cybersecurity statute.

Before 7545, cybersecurity lived in a patchwork: sector-specific rules, scattered secondary regulation, the computer-crime articles of the Turkish Penal Code (Law No. 5237, TCK Arts. 243-246), and the data-protection regime under the Personal Data Protection Law No. 6698 (KVKK). The new law pulls policy-setting, supervision and enforcement under a single national authority and frames cybersecurity as an inseparable part of national security.

For foreign investors, the key point is reach: the duties do not stop at Turkish-owned companies. The law expressly applies to foreign natural and legal persons that operate, provide services, or maintain a presence in Turkish cyberspace.

The law: Cybersecurity Law No. 7545, published in the Official Gazette No. 32846 on 19 March 2025; it entered into force on the same day. The separate Cybersecurity Presidency was established earlier, by Presidential Decree No. 177 (8 January 2025).

Does the Law Apply to Your Company?

The test under Law No. 7545 is activity and presence in Turkish cyberspace, not nationality or place of incorporation. A foreign company with no office in Türkiye can still be caught if it touches Turkish networks, users or data. Use the table below as a first screen, then get a lawyer to confirm your exact position.

| Your situation | Likely position under Law No. 7545 |
| --- | --- |
| You run a Turkish subsidiary or branch that operates IT systems | In scope as a covered legal entity |
| You sell SaaS or online services to customers in Türkiye | Likely in scope through presence and activity in cyberspace |
| You host data on servers located in Türkiye | Likely in scope |
| You supply or operate systems for a critical-infrastructure sector (see below) | In scope, with the heaviest obligations |
| You only carry out specific intelligence or military activities under their own governing law | Carved out of this regime |

The law covers public institutions, professional organisations with public-institution status, individuals, and legal and unincorporated entities active in cyberspace. If you are deciding whether to enter the market or restructure, our team can advise on setting up or structuring your Turkish entity so that compliance is built in from day one.

The 15 Critical-Infrastructure Sectors

Companies linked to critical infrastructure carry the most extensive duties under the law. The Cybersecurity Board formally designated the critical-infrastructure sectors on 5 May 2026. The 15 sectors are:

  • Digital infrastructure
  • Digital services
  • Electronic communications
  • Energy
  • Finance
  • Food and agriculture
  • Manufacturing
  • Public services
  • Media and crisis communication
  • Postal and cargo
  • Health
  • Defence industry
  • Water management
  • Transport
  • Space

Tip: If you sell into, host for, or operate systems used by any of these sectors, treat yourself as part of a critical-infrastructure supply chain even if you are not the operator. It is sensible to review your vendor and supply-chain contracts so that cybersecurity duties, audit rights and liability are allocated clearly.

Core Principles Behind the Law

The principles in Law No. 7545 tell you how the regulator is likely to read the more detailed rules. They include:

  • National security: cybersecurity is treated as inseparable from Türkiye's national security.
  • Institutionalisation and sustainability: security must be built into structures and processes, not handled ad hoc.
  • Domestic and national solutions: the use of locally developed, authorised products and services is encouraged.
  • Shared responsibility: every actor in the ecosystem is accountable for protecting it.
  • Rule of law and fundamental rights: measures must stay lawful, proportionate and respectful of privacy.

The privacy and fundamental-rights principles overlap with the KVKK (Law No. 6698) and the protections in the Turkish Constitution. In practice, you should run cybersecurity compliance and personal-data compliance together. We explain that overlap in our guide to how the KVKK (Law No. 6698) data-protection regime affects your company, and you can see the wider picture of how Türkiye is regulating emerging technologies.

The Cybersecurity Presidency and the Cybersecurity Board

The regime sits under a national authority, the Cybersecurity Presidency (Siber Güvenlik Başkanlığı), established by Presidential Decree No. 177 on 8 January 2025 and attached directly to the Presidency. Türkiye's first Cybersecurity Director was appointed on 24 October 2025, and the Constitutional Court rejected the challenge to Decree No. 177 on 3 June 2025, so the body is firmly in place.

Above it sits the Cybersecurity Board (Siber Güvenlik Kurulu), chaired by the President of the Republic (the Vice-President chairs when the President does not attend), which sets strategy and policy. The Presidency's powers include the authority to:

  • Issue regulatory acts, standards and binding technical and administrative requirements;
  • Conduct inspections and audits of covered entities;
  • Impose administrative sanctions and fines;
  • Authorise and certify cybersecurity products, services and personnel; and
  • Identify critical infrastructures and set obligations specific to them.

A practical consequence is the procurement rule: public institutions and critical-infrastructure operators must use only products and services authorised or certified by the Presidency. Foreign vendors should plan for that authorisation pathway in advance, and factor it into board-level strategy. Where cybersecurity affects deal structure or investment risk, our team provides corporate and M&A advice for foreign investors.

Key Obligations for Businesses

Duties are calibrated by sector and by critical-infrastructure status, but covered organisations should expect a core set:

  • Incident notification: report cyber incidents and vulnerabilities to the Presidency without delay (the statutory duty applies; the exact format, thresholds and timeframes await secondary regulation).
  • Security measures: implement and maintain technical and administrative safeguards proportionate to the risk.
  • Audit cooperation: keep systems available for inspection and give appointed inspectors the access, infrastructure and information they require.
  • Use of authorised products: for public bodies and critical infrastructure, procure only Presidency-authorised cybersecurity products and services.
  • Governance: embed cybersecurity into board-level risk oversight, with documented policies and clear accountability.

Watch the deadline: The incident-reporting duty already binds you, but the precise rules do not exist yet. As of mid-2026 no implementing regulation (yönetmelik) or communiqué (tebliğ) had been published, even though the law's own one-year window closed on 19 March 2026. Treat reporting as live: notify the Presidency promptly and document what you did, rather than waiting for a form that has not been issued.

Penalties: Criminal Sentences and Administrative Fines

Law No. 7545 backs its duties with both criminal sentences and administrative fines, so non-compliance is a serious exposure. The criminal offences sit in Article 16 and run alongside the existing computer-crime offences in the Turkish Penal Code (Law No. 5237, Arts. 243-246).

Criminal offences under Article 16

| Conduct | Sentence |
| --- | --- |
| Refusing or obstructing the provision of requested information, documents, software, data or hardware to the authorities/inspectors | 1-3 years prison + judicial fine of 500-1,500 days |
| Carrying out regulated activity without the required authorisation | 2-4 years prison + judicial fine of 1,000-2,000 days |
| Breaching confidentiality obligations | 4-8 years prison |
| Unlawfully obtaining, leaking or disclosing data on critical public services | 3-5 years prison |
| Cyber-attack on elements of national cyber power | 8-12 years prison |
| Retaining, transmitting or selling data obtained in such an attack | 10-15 years prison |

Article 16 also aggravates these sentences: by one-third where the offender is a public official, and by between one-half and two-fold where the offence is committed within an organisation. The exact sub-article numbering and the treatment of multiple offenders should be confirmed against the current statute before you rely on it.

Administrative fines

The Presidency can impose escalating administrative fines, with the heaviest tiers reserved for critical-infrastructure breaches:

| Breach | Fine |
| --- | --- |
| Individuals breaching the inspection-cooperation duty | 100,000-1,000,000 TL |
| General breaches of statutory duties | 1,000,000-10,000,000 TL |
| Critical-infrastructure duty breaches | 10,000,000-100,000,000 TL |
| Commercial companies obstructing an audit / failing inspector duties | up to 5% of annual gross sales revenue |

Watch the turnover fine: For a larger enterprise, the 5%-of-annual-gross-sales-revenue ceiling (yıllık brüt satış hasılatı) is usually the biggest financial risk in the law, because it scales with size rather than with the breach. Keep audit logs and inspection access in order. For how Türkiye blends administrative and criminal liability elsewhere, compare the administrative and criminal liability in Türkiye's fintech regime.

How Law No. 7545 Sits Alongside the KVKK

One cyber incident can trigger two regimes at once. They are separate, with separate regulators and separate fines, so you may owe duties under both for the same event.

| | Law No. 7545 (Cybersecurity) | Law No. 6698 (KVKK) |
| --- | --- | --- |
| Protects | Cyberspace and national security | Personal data and privacy |
| Regulator | Cybersecurity Presidency | Personal Data Protection Authority (KVKK) |
| Typical trigger | Cyber incident, attack, audit failure | Personal-data breach or unlawful processing |
| Enforcement | Criminal sentences + administrative fines (up to 5% of turnover) | Administrative fines + separate criminal exposure under TCK |

Where an attack exposes customers' personal data, you may need to notify the Cybersecurity Presidency and the KVKK authority, on different rules and timetables. Build one incident-response plan that satisfies both. For the data-protection side, see our guide on navigating KVKK compliance, and on the threat landscape, our overview of cybercrime trends and defensive strategies in Türkiye.

What Is Still Coming, and What to Watch

The framework is live, but a large part of the operational detail is not. Treat compliance as a moving target and re-check the position regularly.

  • Critical-infrastructure list: formally designated on 5 May 2026 (the 15 sectors above).
  • Presidency presence: the official website launched on 14 May 2026, with reporting forms and security bulletins.
  • Implementing regulations: the yönetmelik and tebliğ that set thresholds, reporting formats, technical standards and audit procedures had not been published as of mid-2026, past the law's 19 March 2026 deadline.
  • Product certification: the authorisation/certification pathway for cybersecurity products is expected to open, with a later statutory horizon (reported as 19 March 2027); foreign vendors should prepare documentation early.

Tip: Because the rules are still being written, the safest posture is to comply with the framework duties now (notify incidents, keep audit-ready records, plan procurement around authorised products) and verify the current state of secondary regulation before you act. Dates and timelines in this guide should be re-checked at the time you rely on them.

How Foreign Companies Should Prepare

A single enforceable regime changes the compliance picture for any business connected to Türkiye. Practical first steps:

  1. Assess whether your activity and presence bring you within scope, and whether you touch one of the 15 critical-infrastructure sectors.
  2. Map Law No. 7545 duties against your KVKK (Law No. 6698) programme and any sector-regulator rules, to close gaps and avoid duplication.
  3. Stand up an incident-detection and notification process that can report to the Presidency promptly, and keep evidence of each notification.
  4. Review your technology supply chain and contracts for the authorised-product requirement, especially if you sell to or operate critical infrastructure.
  5. Put cybersecurity on the board agenda with documented governance, because turnover-based fines and personal criminal exposure make it a strategic risk, not an IT footnote.

Because the secondary regulation under Law No. 7545 is still developing and outcomes turn on the specific facts, a Turkish lawyer should review your position before you rely on any general guidance. Contact Lexin Legal to discuss how the Cybersecurity Law applies to your operations in Türkiye, and explore our full range of legal services for foreigners and investors.

Frequently asked questions

When did Türkiye's Cybersecurity Law No. 7545 enter into force?

Law No. 7545 was adopted on 12 March 2025 and entered into force on 19 March 2025, the day it was published in the Official Gazette (No. 32846). It is Türkiye's first dedicated, comprehensive cybersecurity statute. Many operational details still depend on secondary regulation that, as of mid-2026, had not yet been published.

Does Law No. 7545 apply to foreign companies?

Yes, potentially. The law applies based on activity and presence in Turkish cyberspace rather than nationality. A foreign company that serves Turkish customers, hosts data in Türkiye, or runs operations connected to Turkish networks can fall within scope, and the duties are heaviest for companies linked to the 15 designated critical-infrastructure sectors.

What is the Cybersecurity Presidency?

The Cybersecurity Presidency (Siber Güvenlik Başkanlığı) is the national regulator, established by Presidential Decree No. 177 on 8 January 2025 and attached to the Presidency. It issues rules and standards, conducts inspections, imposes fines, authorises cybersecurity products and services, and identifies critical infrastructures. Above it sits the Cybersecurity Board, chaired by the President of the Republic.

What are the penalties under the Cybersecurity Law?

Article 16 sets criminal sentences from 1 to 3 years (refusing to provide requested information to inspectors, with a judicial fine) up to 8 to 12 years for a cyber-attack on national cyber power, and 10 to 15 years for retaining, transmitting or selling data from such an attack. Administrative fines run from 100,000 TL for individuals up to 100,000,000 TL for critical-infrastructure breaches, and up to 5% of annual gross sales revenue where a commercial company obstructs an audit.

How does Law No. 7545 relate to Türkiye's data protection law?

They are separate but overlapping regimes with separate regulators and separate fines. Cybersecurity duties under Law No. 7545 should be managed alongside personal-data duties under the Personal Data Protection Law No. 6698 (KVKK). A single incident can trigger both, on different rules and timetables, so it is best to run one coordinated incident-response plan.

Have the implementing regulations under Law No. 7545 been issued yet?

Not in full. The critical-infrastructure list of 15 sectors was formally designated on 5 May 2026 and the Presidency's website launched on 14 May 2026, but the detailed regulations and communiques setting thresholds, reporting formats and audit procedures had not been published as of mid-2026, past the law's 19 March 2026 deadline. Because this is fast-moving, you should verify the current position before relying on it.
