Newsletters
Türkiye has passed some of the new cybersecurity laws aimed at fortifying the nation's digital infrastructure against internal and external threats.
The legislation establishes a legal framework for identifying and mitigating cyber threats, protecting public institutions and private entities, and formulating national cybersecurity strategies.
The law applies to public institutions, professional organizations with public status, private entities, and non-legal organizations operating in cyberspace.
However, intelligence operations conducted under the Police Duties and Authorities Law, the Coast Guard Command Law, the Gendarmerie Organization, Duties and Authorities Law, the National Intelligence Organization Law, and the Turkish Armed Forces Internal Service Law remain outside its scope.
Key cybersecurity terms such as “hosting,” “cyber event,” “cyber attack,” and “cyber threat intelligence” are officially defined in the legislation.
The law positions cybersecurity as an integral part of national security, emphasizing the protection of critical infrastructure and information systems.
It mandates that cybersecurity efforts be continuous, sustainable and transparent, ensuring accountability at every level.
The newly established Cybersecurity Presidency will be responsible for:
The legislation underscores that cybersecurity strategies will be dynamic, evolving with emerging threats. It prioritizes the development of a qualified workforce in cybersecurity and encourages the adoption of locally developed security solutions.
The Cybersecurity Presidency will also regulate security standards and compliance requirements for cybersecurity professionals, private sector companies, and government agencies.
This includes establishing criteria for cybersecurity products and services, overseeing compliance, and enforcing penalties for non-compliance
The law mandates that cybersecurity-related data, including logs and threat intelligence, be retained for a maximum of two years. Unauthorized entities cannot withhold requested data under existing legal frameworks.
Any collected personal or confidential business data must be deleted, destroyed, or anonymized once its intended use is complete.
A Cybersecurity Council will be formed, comprising key government officials, including the President, Vice President, Ministers of Justice, Defense, Interior, Foreign Affairs, Industry, and Transportation, as well as the heads of the National Intelligence Organization and Cybersecurity Presidency.
The council will:
The Cybersecurity Presidency will serve as the secretariat for the council, ensuring seamless execution of decisions.
The Cybersecurity Presidency is empowered to coordinate with international organizations and foreign governments on cybersecurity matters.
It will also oversee third-party security audits for critical infrastructure providers, ensuring compliance with national security standards.
The Cybersecurity Presidency holds the authority to enforce cybersecurity regulations, including certification, licensing, and security standards for companies providing cybersecurity solutions.
Organizations failing to comply with national cybersecurity directives may face legal penalties and restrictions.
The legislation further stipulates that individuals employed within the Cybersecurity Presidency cannot take positions in cybersecurity-related private sector roles for two years following their departure.
Additionally, all sensitive information acquired during tenure cannot be disclosed unless authorized by law.
Following extensive deliberations, the Turkish Parliament approved 13 articles of the law before adjourning.
The next session is scheduled for March 11 at 3 p.m. in local time, when further provisions of the cybersecurity framework will be discussed.
1 min read
1 min read
