Türkiye's First Cyber ​​Security Law Entered Into Force

Turkey has taken an important step to increase its security in the digital world. The Cyber ​​Security Law No. 7545 was published in the Official Gazette dated March 19, 2025 and entered into force. The law provides for national measures against cyber threats and introduces new security standards for public institutions and critical infrastructures.
 
New Regulations Strengthening Cyber ​​Security
 
The purpose of the law was determined as ensuring Türkiye's national security in cyberspace, protecting the public and private sectors from cyber threats, and creating a national cybersecurity strategy. Within the scope of the regulation, a Cybersecurity Board will be established and the Cybersecurity Presidency will be authorized.
 
The scope of the law includes public institutions, critical infrastructures, professional organizations, private companies and individuals. However, military and intelligence activities are excluded from this regulation.
 
Broad Powers for the Cyber ​​Security Presidency
 
According to the new regulation, the Cyber ​​Security Presidency;
 
    To ensure the protection of critical infrastructures against cyber attacks,
    Conducting cyber security audits for public institutions and critical infrastructures,
    Conduct studies to prevent cyber attacks by collecting cyber threat intelligence,
    He/she will manage certification and authorization processes in the field of cyber security.
 
Severe Penalties for Cyber ​​Crimes
 
The law also stipulates severe penalties related to cybersecurity. Those who organize cyberattacks on critical infrastructure will be sentenced to 8 to 12 years in prison, and those who spread leaked data will be sentenced to 10 to 15 years in prison. Additionally, those who spread fake news about data leaks will be sentenced to 2 to 5 years in prison.
 
Audit and Certification Process Begins
 
According to the law, companies and software providers operating in the field of cybersecurity will be subject to an authorization and certification process. Local and national software and hardware to be used in public institutions will be encouraged.
 
According to experts, the new law will strengthen Türkiye's cybersecurity infrastructure and provide more effective protection against cyber threats at the national level.
 
Here is the full CYBER SECURITY LAW published
 
Aim
 
 
 
ARTICLE 1 - (1) The purpose of this Law is to identify and eliminate existing and potential internal and external threats against all elements constituting the national power of the Republic of Turkey in cyberspace, to determine the principles for reducing the possible effects of cyber incidents, to make the necessary arrangements for the protection of public institutions and organizations, professional organizations with the status of public institutions, real and legal persons and organizations without legal personality against cyber attacks, to determine strategies and policies to strengthen the cyber security of the country and to regulate the principles for the establishment of the Cyber ​​Security Board.
 
 
 
Scope
 
 
 
ARTICLE 2 - (1) This Law covers public institutions and organizations, professional organizations with the status of public institutions, real and legal persons and organizations without legal personality that exist, operate and provide services in cyberspace.
 
 
 
(2) Intelligence activities carried out in accordance with the Law on Police Duties and Authorities No. 2559, dated 4/7/1934, the Coast Guard Command Law No. 2692, dated 9/7/1982, the Law on the Organization, Duties and Authorities of the Gendarmerie No. 2803, dated 10/3/1983, and the activities carried out in accordance with the Law on State Intelligence Services and the National Intelligence Organization No. 2937, dated 1/11/1983, and the Turkish Armed Forces Internal Service Law No. 211, dated 4/1/1961 are outside the scope of this Law.
 
 
 
Definitions and abbreviations
 
 
 
ARTICLE 3 - (1) In this Law;
 
 
 
a) Hosting: Keeping information systems in an external data center,
 
 
 
b) President: President of Cyber ​​Security,
 
 
 
c) Presidency: Cyber ​​Security Presidency,
 
 
 
d) Information systems: Hardware, software, systems and all other active or passive components used in the presentation of all kinds of services, transactions and data provided through information and communication technologies,
 
 
 
d) Critical infrastructure: Infrastructures that host information systems that may lead to loss of life, large-scale economic damage, security vulnerabilities or disruption of public order when the confidentiality, integrity or accessibility of the information/data they process is compromised.
 
 
 
e) Critical public service: A service that is essential for the maintenance of national, social or economic activities and that is provided with a monopoly or limited substitution throughout the country, and whose interruption or damage may have a significant impact on national security, the social or economic well-being of the country, public order or health, or the provision of other services.
 
 
 
f) Cyber ​​security: The totality of activities that include protecting the information systems that constitute the cyberspace from attacks, ensuring the confidentiality, integrity and accessibility of the data processed in this environment, detecting attacks and cyber incidents, activating reaction and alarm mechanisms against these detections and then returning them to the state before the cyber incident,
 
 
 
g) Cyber ​​incident: Violation of confidentiality, integrity or accessibility of information systems or data,
 
 
 
g) Cyber ​​attack: Intentional actions taken against persons or information systems anywhere in cyberspace in order to eliminate the confidentiality, integrity or accessibility of information systems in cyberspace and the data processed by these systems,
 
 
 
h) Cyber ​​threat: Potential dangers that may cause violations of confidentiality, integrity or accessibility of information systems and data contained in or processed by these systems,
 
 
 
i) Cyber ​​threat intelligence: Information gathered, transformed, analyzed, interpreted or enriched about current or potential cyber threats and cyber attacks against assets in cyberspace,
 
 
 
i) Cyberspace: The environment consisting of all information systems that are directly or indirectly connected to the Internet, electronic communication or computer networks and the networks that connect them to each other,
 
 
 
j) SOME: Cyber ​​incident response team,
 
 
 
k) Asset: All information and information processing facilities that contain data that can be transferred through communication and that are available in electronic or physical environments, the personnel who use or carry the data, and the physical spaces that host the data,
 
 
 
l) Vulnerability: Weaknesses and security gaps of assets in cyberspace that can be exploited by any cyber threat,
 
 
 
expresses.
 
 
 
Basic principles
 
 
 
ARTICLE 4 - (1) The basic principles in ensuring cyber security are as follows:
 
 
 
a) Cyber ​​security is an integral part of national security.
 
 
 
b) The main goal is to protect critical infrastructure and information systems and create a secure cyberspace.
 
 
 
c) Studies on cyber security are carried out on the basis of institutionality, continuity and sustainability.
 
 
 
c) It is essential that cyber security measures are implemented throughout the entire life cycle of services and products.
 
 
 
d) In studies aimed at ensuring cyber security, local and national products are primarily preferred.
 
 
 
e) All public institutions and organizations, real and legal persons are responsible for implementing cyber security policies and strategies and taking necessary measures to prevent cyber attacks or reduce their effects.
 
 
 
f) Accountability is essential in the execution of cyber security processes.
 
 
 
g) Cyber ​​security policy and strategy development studies are carried out with a continuous improvement approach.
 
 
 
g) Studies aimed at increasing the capability and capacity of qualified human resources in the field of cyber security are encouraged.
 
 
 
h) It is aimed to spread cyber security culture throughout society.
 
 
 
i) The principles of the rule of law, fundamental human rights and freedoms and the protection of privacy are accepted as fundamental principles.
 
 
 
CHAPTER TWO
 
 
 
Duties, Powers, Responsibilities, Audits and Cyber ​​Security Board
 
 
 
Duties of the Presidency
 
 
 
ARTICLE 5 - (1) The duties of the Presidency are as follows:
 
 
 
a) To perform the duties included in the relevant legislation.
 
 
 
b) To carry out activities to increase the cyber resilience of critical infrastructures and information systems, to protect them against cyber attacks, to detect cyber attacks, to prevent possible attacks and to reduce or eliminate their effects, to conduct or have conducted vulnerability and penetration tests and risk analyses for assets, to combat cyber threats, to obtain, create and share cyber threat intelligence, and to conduct malware analysis activities.
 
 
 
c) To determine critical infrastructures and the institutions and locations to which they belong.
 
 
 
ç) To ensure that the inventory of all assets of public institutions and organizations and critical infrastructures, including their data inventory, is kept and that risk analysis is carried out for the assets, and to take or have taken security measures according to the criticality of the assets of public institutions and organizations and critical infrastructures.
 
 
 
d) To establish, have established and supervise SOMEs, to work to determine and increase the maturity levels of SOMEs, to measure the cyber incident response capabilities of SOMEs by conducting cyber security exercises, to coordinate with cyber incident response teams of other countries, to conduct, have conducted and encourage studies to produce and develop all kinds of cyber intervention tools and national solutions.
 
 
 
e) To regulate the procedures and principles that those operating in the field of cyber security must comply with.
 
 
 
f) To establish, have established, operate or have operated the necessary infrastructures in order to ensure the cyber security of public institutions and organizations and critical public services, and to provide or ensure that hosting services are provided to public institutions and organizations over secure systems and infrastructures, and to determine the application procedures and principles for these activities.
 
 
 
g) To prepare standards related to the field of cyber security, to examine the standards prepared by other persons or organizations, to give opinions on them, to accept them as standards if deemed appropriate, to publish them and to monitor their implementation.
 
 
 
g) To carry out testing and certification processes for software, hardware, products, systems and services related to the field of cyber security, to establish, have established and operate test infrastructures for this purpose, and to carry out certification, authorization and documentation processes for cyber security experts and companies in coordination with the relevant institutions.
 
 
 
h) To carry out cyber security audits and impose sanctions based on the results.
 
 
 
i) To determine technical criteria and make legislative arrangements regarding the qualifications that cyber security products and services to be used in public institutions and organizations and critical infrastructures and the businesses that will provide them must have, to conduct or have conducted audits of these, to determine the qualifications that the organizations that will conduct audits must have, to assign these organizations, and to temporarily suspend or cancel the assignment when necessary.
 
 
 
Powers
 
 
 
ARTICLE 6 - (1) The Presidency exercises the following powers while performing its duties:
 
 
 
a) To use the authorities included in the relevant legislation.
 
 
 
b) Takes or causes to be taken the necessary measures to protect those within the scope of this Law against cyber attacks and to provide deterrence against the source of these attacks. In this context, it may provide the installation and integration of software and hardware products found suitable for information systems, transfer the data and log records produced or collected by these products to the information systems under the Presidency's management, and use the necessary methods and tools for the detection of cyber incidents.
 
 
 
c) It may provide on-site or remote cyber incident response support to those within the scope of this Law who are exposed to cyber incidents, may follow traces of attacks through data, images or log records found or obtained in cyberspace, may examine and prove them, may share findings considered to constitute a crime with judicial authorities and other relevant parties, and may coordinate with domestic and international stakeholders.
 
 
 
ç) It may obtain and evaluate information, documents, data and records from those within the scope of this Law, limited to the activities it carries out, and may benefit from their archives, electronic data processing centers and communication infrastructure and establish contact with them. The information, documents, data and records obtained within this scope shall be subject to study for a maximum of two years and shall be destroyed after the study period. Those who are requested within this scope cannot avoid fulfilling the request by citing the provisions of their own legislation.
 
 
 
d) It may collect, store and evaluate log records in information systems. It may prepare reports about them and share them with relevant institutions and organizations.
 
 
 
e) The Presidency may allocate personnel, when necessary, on cyber security issues in coordination with ministries and other public institutions and organizations.
 
 
 
f) It can conduct relations with international organizations and countries on issues within its scope of duty, exchange information, represent our country and ensure coordination, participate in the work of international organizations, follow up on the implementation of decisions taken and ensure the necessary coordination.
 
 
 
g) It may classify institutions, organizations and other relevant real and legal persons and organizations without legal personality within the scope of this Law, and may create provisions covering only a certain part of them when necessary while performing their activities.
 
 
 
g) It may authorize independent auditors and independent audit organizations that perform cyber security audits, and may cancel their authorization temporarily or indefinitely.
 
 
 
h) It determines the criteria for software, hardware, products and services to be used in the information systems of public institutions and organizations and critical infrastructures and that have an impact on cyber security, as well as the procedures and principles regarding notifications to be made to the Presidency.
 
 
 
i) It determines the minimum security criteria for cyber security software, hardware, products and services. It manages the certification, authorization and documentation processes for real and legal persons who will provide or supply them. It may request that cyber security software, hardware, products and services be brought into compliance with the standards to be determined, and may take measures to prevent the use of those that do not comply with this request.
 
 
 
(2) Within the scope of the work and transactions carried out in accordance with this Law, personal data shall be processed in accordance with the law and the rules of honesty, provided that it is accurate and up-to-date when necessary, for specific, clear and legitimate purposes, in connection with the purpose for which it is processed, limited and proportionate, and kept for the period necessary for the purpose for which it is processed. Personal data and trade secrets to be obtained within the framework of the authorities specified in this Law shall be deleted, destroyed or anonymized ex officio if the reasons requiring access to this data are eliminated.
 
 
 
(3) The procedures and principles regarding the implementation of this article are determined by the regulation to be issued by the President.
 
 
 
Responsibilities and collaboration
 
 
 
ARTICLE 7 - (1) The duties and responsibilities regarding cyber security of those who provide services, collect and process data and carry out similar activities using information systems and are within the scope of this Law are as follows:
 
 
 
a) To forward to the Presidency, in a timely manner, all kinds of data, information, documents, hardware, software and other contributions requested by the Presidency within the scope of its duties and activities.
 
 
 
b) To take the measures prescribed by the legislation for the purpose of national security, public order or proper execution of public services regarding cyber security, and to report to the Presidency any vulnerabilities or cyber incidents detected in the areas in which they provide services without delay.
 
 
 
c) To procure cyber security products, systems and services to be used in public institutions and organizations and critical infrastructures from cyber security experts, manufacturers or companies authorized and certified by the Presidency.
 
 
 
c) To obtain the approval of the Presidency within the framework of existing regulations before cyber security companies subject to certification, authorization and documentation start operating.
 
 
 
d) To fulfill the issues included in the policy, strategy, action plan and other regulatory procedures published by the Presidency to increase cyber maturity and to take the necessary measures.
 
 
 
(2) The Presidency works in cooperation with public institutions and organizations, real and legal persons and unincorporated organizations in carrying out the activities specified in this Law.
 
 
 
Control
 
 
 
ARTICLE 8 - (1) The Presidency may audit any act or transaction falling within the scope of the Law in cases deemed necessary in relation to its duties specified in this Law; it may conduct on-site inspections or have them conducted for this purpose. Inspection covers the activities and transactions of institutions, organizations and other relevant real and legal persons within the scope of this Law, in relation to the provisions of this Law. Presidency personnel, authorized and certified independent auditors and independent audit organizations are authorized to conduct inspections. This authority is exercised by those assigned by the President. Inspections in public institutions and organizations and critical infrastructures are conducted by Presidency personnel or under their supervision.
 
 
 
(2) The Presidency determines the importance and priority principles regarding audit activities and the criteria and application principles to be taken into consideration in risk assessments. Audit activities are carried out in accordance with the program to be established within the scope of importance and priority principles and risk assessments. The Presidency may have audits conducted outside the program for matters deemed necessary to be examined outside the established program.
 
 
 
(3) Civil authorities, police forces and other public institution leaders and officers are obliged to provide all kinds of convenience and assistance to those assigned to carry out investigations or audits.
 
 
 
(4) Those assigned to audit are authorized to examine electronic data, documents, electronic infrastructure, devices, systems, software and hardware, to obtain copies, digital copies or samples of these, to request written or verbal explanations on the subject, to prepare the necessary minutes, and to examine the facilities and their operations, limited to the audit activities they carry out. Those subject to audit must keep the relevant devices, systems, software and hardware open to audit for the given periods, to provide the necessary infrastructure for audit and to take the necessary measures to keep them in working order.
 
 
 
(5) In order to protect national security, public order, prevent crimes or cyber attacks, searches may be conducted in residences, workplaces and closed areas not open to the public upon a judge’s decision or, in cases where delay is deemed undesirable, upon a written order of the public prosecutor, and copying and seizure operations may be carried out in a manner that will not cause long-term service disruptions and without interruption. A copy of the copy made shall be delivered to the relevant person and this matter shall be recorded in the minutes and signed. In order for these operations to be carried out, it must be shown with the justifications that reasonable grounds have arisen. Searches and copying and seizure operations carried out without a judge’s decision shall be submitted to the approval of the competent judge within twenty-four hours. The judge shall announce his/her decision within forty-eight hours; otherwise, the copies made and the texts to which the analysis has been made shall be destroyed immediately and the seizure shall be lifted automatically. Searches, copying and seizure operations may be conducted in the data centers of authorized data center operators only upon a judge’s decision. The Ankara Criminal Court of Peace shall be authorized and tasked with requests falling within the scope of this paragraph. However, a judge’s decision shall not be sought for public institutions and organizations.
 
 
 
Cyber ​​Security Board
 
 
 
ARTICLE 9 - (1) The Cyber ​​Security Board consists of the President, the Vice President, the Minister of Justice, the Minister of Foreign Affairs, the Minister of Internal Affairs, the Minister of National Defense, the Minister of Industry and Technology, the Minister of Transport and Infrastructure, the Secretary General of the National Security Council, the President of the National Intelligence Organization, the President of Defense Industries and the President of Cyber ​​Security. In cases where the President is not present, the Vice President shall preside over the Board.
 
 
 
(2) In addition to the members, relevant ministers and individuals may be invited to the Board meetings, depending on the nature of the agenda, to obtain information and opinions.
 
 
 
(3) The Board may form commissions and working groups as it deems necessary within the scope of its duties. Commissions and working groups conduct technical studies on issues within the Board's area of ​​responsibility and produce decision proposals. Experts in the field may be invited to the commission and working group meetings to benefit from their opinions.
 
 
 
(4) The duties of the Board are as follows:
 
 
 
a) To make decisions regarding cyber security-related policies, strategies, action plans and other regulatory procedures, and to determine the institutions and organizations that will be exempted from all or part of the decisions taken.
 
 
 
b) To make decisions regarding the nationwide implementation of the technology roadmap regarding cyber security prepared by the Presidency.
 
 
 
c) To determine the priority areas to be encouraged in the field of cyber security and to make decisions regarding the development of human resources in the field of cyber security.
 
 
 
c) To determine critical infrastructure sectors.
 
 
 
d) To make decisions on disputes that may arise between the Presidency and public institutions and organizations.
 
 
 
(5) The secretarial services of the Board are carried out by the Presidency. The working procedures and principles of the Board, commissions and working groups are determined by the regulation to be issued by the President.
 
 
 
CHAPTER THREE
 
 
 
Provisions Regarding Personnel
 
 
 
Employment of contracted expert personnel
 
 
 
ARTICLE 10 - (1) Contracted expert personnel, the number of which will be determined by the President, may be employed to carry out tasks related to ensuring cyber security in the Presidency. The qualifications of these personnel, issues related to their employment such as appointment conditions, and net salaries including all kinds of payments to be given to them shall be determined by the Cyber ​​Security Board by taking into account the tasks to be performed by the relevant persons, not to exceed five times the contract salary ceiling applied to those employed in accordance with Article 4, subparagraph (B) of the Civil Servants Law No. 657 dated 14/7/1965. Personnel within the scope of this paragraph shall be deemed insured within the scope of Article 4, first paragraph, subparagraph (a) of the Social Security and General Health Insurance Law No. 5510 dated 31/5/2006. Subject to the special provisions in the laws, employment in this status does not constitute an acquired right in terms of working in any position, cadre or status in public institutions and organizations at the end of the contract.
 
 
 
(2) In the Presidency; security investigation and archive research are carried out together for all personnel, including those temporarily assigned, in accordance with the Security Investigation and Archive Research Law No. 7315 dated 7/4/2021.
 
 
 
Transfer of compulsory service obligations
 
 
 
ARTICLE 11 - (1) The service periods of the personnel employed in the Presidency who have compulsory service obligations to other public institutions and organizations within the scope of the relevant legislation are deducted from the said obligation periods, provided that the consent of the relevant public institution and organization is obtained.
 
 
 
Prohibited provisions
 
 
 
ARTICLE 12 - (1) Those who are on permanent or contract duty at the Presidency and whose relationship with the Presidency is terminated for any reason cannot take on any other official or private duty in the field of cyber security at home or abroad for two years without the consent of the Presidency, and cannot engage in trade in this field, engage in freelance activities and, in particular, cannot be a shareholder or manager in a company operating in this sector.
 
 
 
(2) It is prohibited to publish or disclose any information, documents or similar data obtained within the scope of the duties and activities of the Presidency through radio, television, internet, social media, newspapers, magazines, books and all other media tools and all written, visual, audio and electronic mass communication tools, except in cases authorized by the Presidency.
 
 
 
Obligation to keep secret
 
 
 
ARTICLE 13 - (1) Confidential information, personal data, trade secrets and documents belonging to the public, relevant parties and third parties obtained within the scope of the duties and activities carried out by the Presidency cannot be disclosed to anyone other than the authorities authorized by law and cannot be used for the benefit of real or legal persons.
 
 
 
CHAPTER FOUR
 
 
 
Income and Exemptions
 
 
 
Revenues of the Presidency
 
 
 
ARTICLE 14 - (1) The revenues of the Presidency;
 
 
 
a) Treasury aid to be provided from the general budget,
 
 
 
b) Income obtained from the activities of the Presidency,
 
 
 
c) Revenues obtained from administrative fines imposed by the Presidency,
 
 
 
ç) From the amounts to be transferred up to 10% by the decision of the President from the income of the funds established or to be established by law and decree,
 
 
 
d) Other income,
 
 
 
occurs.
 
 
 
Exemptions
 
 
 
ARTICLE 15 - (1) Transactions to be carried out for all kinds of materials, tools, equipment, machinery, devices and systems to be provided from abroad through import or grant within the scope of the needs of the Presidency and spare parts, raw materials and aid materials to be used in their research, development, training, production, modernization and software, construction, maintenance and repair, and free of charge aid materials received from external sources are exempt from customs duties, funds and duties, fees and stamp duty on papers prepared for these transactions. This exemption is also applied to the transactions of repair, modernization, maintenance, return to origin, exchange and definite exit, temporary exit, free of charge import and entry abroad on behalf of the Presidency.
 
 
 
(2) Permission and certificate of conformity required from public institutions and organizations, real persons and legal entities are not required for the import and export of all kinds of materials, tools, equipment, machinery, devices and systems needed by the Presidency during the execution of its duties.
 
 
 
(3) Public institutions and organizations and other institutions and organizations may temporarily allocate or transfer free of charge to the Presidency any materials, equipment, tools and devices that are in their use and confiscated when needed during the performance of the duties set forth in this Law, regardless of the regulations of other laws on this matter.
 
 
 
CHAPTER FIVE
 
 
 
Application of Penal Provisions and Administrative Fines
 
 
 
Penal provisions and administrative fines
 
 
 
ARTICLE 16 - (1) Those who do not provide the information, documents, software, data and hardware requested by the authorities and inspection officers authorized by this Law, excluding public institutions and organizations, within the scope of their duties and authorities, or who prevent them from being obtained, shall be punished with imprisonment from one to three years and a judicial fine from five hundred days to one thousand five hundred days.
 
 
 
(2) Those who carry out activities without obtaining the required approval, authorization or permissions pursuant to this Law shall be punished with imprisonment from two to four years and a judicial fine from one thousand to two thousand days.
 
 
 
(3) Those who fail to fulfill their obligation of confidentiality are sentenced to imprisonment from four to eight years.
 
 
 
(4) Those who make personal data, which has previously been included in the scope of a critical public service, accessible, shared or sold, without the permission of individuals or institutions, for a fee or free of charge, due to data leakage in cyberspace, are sentenced to imprisonment from three to five years.
 
 
 
(5) Those who create false content claiming that there is a data leak regarding cyber security, in order to create anxiety, fear and panic among the public or to target institutions or individuals, even though they know that there is no data leak in cyberspace, or who spread such content for this purpose, shall be sentenced to imprisonment from two to five years.
 
 
 
 (6) Those who carry out cyber attacks on the elements that constitute the national power of the Republic of Turkey in cyberspace or who keep any data obtained as a result of such attacks in cyberspace shall be sentenced to imprisonment from eight to twelve years, unless the act constitutes another crime that requires a more severe penalty. Those who disseminate any data obtained as a result of such attacks in cyberspace, send them to another location or put them up for sale shall be sentenced to imprisonment from ten to fifteen years.
 
 
 
(7) The penalty to be imposed in accordance with the above paragraphs shall be increased by one third if the crime is committed by a public official, by half if it is committed by more than one person, and by half to two times if it is committed within the scope of the activities of an organization.
 
 
 
(8) Those who act contrary to Article 12 shall be sentenced to imprisonment from three to five years.
 
 
 
(9) Those who abuse their duties and authorities arising from this Law or who cause a data breach by acting contrary to the requirements of their duties within the scope of protecting critical infrastructures against cyber attacks shall be sentenced to imprisonment from one to three years.
 
 
 
(10) Those who do not fulfill their duties and responsibilities in paragraphs (b) and (c) of the first paragraph of Article 7 shall be imposed from one million Turkish Liras to ten million Turkish Liras and those who do not fulfill their duties and responsibilities in Article 18 shall be imposed from ten million Turkish liras to one hundred million Turkish Liras.
 
 
 
(11) Those who do not fulfill their obligations in the fourth paragraph of Article 8 shall be imposed from one hundred thousand Turkish Liras to one million Turkish Liras and if these obligations are not fulfilled by the commercial companies, an administrative fine of the gross sales revenue in the annual financial statements that are not less than one hundred thousand Turkish Liras are not fulfilled by the commercial companies.
 
 
 
Implementation of administrative fines
 
 
 
ARTICLE 17- Before the implementation of the administrative fines, the defense shall be taken to defense within thirty days from the date of notification.
 
 
 
(2) If one of the misdemeanors defined in this law is determined that the administrative sanction is made, the relevant real or legal person shall be imposed on a single administrative fine and the amount of the imposition is increased in a way that is not exceeded.
 
 
 
(3) Administrative fines issued by the Presidency shall be collected by the tax offices in accordance with the provisions of the Law No. 6183 dated 21/7/1953 upon the notification of the institution.
 
 
 
(4) The fifty percent of the administrative fines collected shall be recorded by the general budget share collected from the collection of the general budget;
 
 
 
(5) Administrative judicial decisions may be applied against the administrative fine decisions issued in accordance with this law.
 
 
 
CHAPTER SIX
 
 
 
Miscellaneous and Final Provisions
 
 
 
Cyber ​​Security Products and Companies
 
 
 
ARTICLE 18- Cyber ​​security products are made in accordance with the procedures and principles to be determined by the Presidency.
 
 
 
(2) Cyber ​​Security Procedures, System, Software, Hardware and Services, the merger, division, share transfer or sales transactions shall be notified to the Presidency of the Presidency.
 
 
 
(3) The procedures carried out without the approval of the Presidency shall not be valid for the institutions and organizations within the scope of this article.
 
 
 
(4) The issues regarding the implementation of this article shall be determined by the procedures and principles to be published by the Presidency.
 
 
 
Provisions that have been changed and abolished
 
 
 
ARTICLE 19- (1) The following sentence is added to the third paragraph of Article 34 of the Decree Law No. 375 dated 27/6/1989.
 
 
 
“The President of the Cyber ​​Security is considered to be equivalent to the undersecretary of the Ministry within the framework of the procedures and principles specified in this paragraph in terms of financial and social rights and aids and retirement rights.”
 
 
 
(2) The following line has been added to the “other Administrations with Special Budget” section of the ruler (II) attached to the Public Financial Management and Control Law No. 5018 dated 10/12/2003 and numbered 5018.
 
 
 
"46) Cyber ​​Security Presidency"
 
 
 
(3) The sixth paragraph of Article 10 of the Law on the regulation of publications made in the internet environment dated 4/5/2007 and numbered 5651 and the fight against crimes committed through these publications has been amended as follows.
 
 
 
“(6) The institution provides coordination with content, location, access providers and other relevant institutions and organizations within the scope of their duties, carries out activities to remove the necessary measures and performs needed studies.”
 
 
 
(4) Electronic Communication Law No. 5809 dated 5/11/2008;
 
 
 
a) paragraph (h) of the first paragraph of Article 5 has been repealed and (I) has been changed as follows.
 
 
 
“I) The data and systems within the scope of the duties carried out by the Ministry and the data centers and infrastructures required for the transfer of the data and the necessary infrastructures for the transfer of the data and to determine the policies, strategies and objectives for these centers, to prepare action plans, to determine the procedures and principles of the action and the implementation of all these activities.
 
 
 
b) paragraph (V) of the first paragraph of Article 6 has been amended as follows.
 
 
 
“V) To fulfill the duties assigned by the President and the Ministry on internet domain names and institution duties.”
 
 
 
c) The eleventh paragraph of Article 60 and the annex 1 and 2nd articles were repealed.
 
 
 
Compliance, transition arrangements and establishment transactions
 
 
 
PROVISIONAL ARTICLE 1- All kinds of transport infrastructure and systems, vehicles, tools, equipment and electronic environment, all kinds of records and documents and all kinds of assets in the case It is transferred to the Security Presidency within six months after the publication of this Law.
 
 
 
(2) Employees of the Personnel in the staff and positions of the Information and Communication Technologies Authority and those who are deemed appropriate by the Cyber ​​Security Presidency may be assigned to the presidency. The provisions of the Decree Law no. The service periods that have been entitled to severance pay excluding the severance payments of these personnel shall be taken into consideration in the account of the retirement bonuses or the end of the work before the appointment of this personnel.
 
 
 
(3) Contracts on the National Cyber ​​Security Activities of the Presidency of the Information and Communication Technologies Authority and Digital Transformation Office, the lawsuits and enforcement procedures that will be opened and to be opened, and the completion of the assignment procedures in the second paragraph shall be transferred to the presidency and the files related to the existing case files and execution follow -up are transferred to the Presidency.
 
 
 
(4) Federations of associations, foundations and trade companies, which are carried out in the field of cyber security, are obliged to complete the certification, authorization and certification procedures within the framework of the principles determined by the Presidency within one year. The legal entities of the Foundations and Federations are terminated by the court decision of the Turkish Civil Code dated 22/11/2001 and numbered 4721, and if necessary measures do not fulfill their liability in the same period. IR.
 
 
 
(5) In accordance with the third and fourth paragraphs of Article 19, the institutions operating within the scope of the provisions abolished shall continue to carry out their duties within the framework of the provisions mentioned until the completion of the organization of the Presidency.
 
 
 
(6) The regulations regarding the implementation of this Law shall be implemented within one year until the existing regulations are enacted.
 
 
 
Force
 
 
 
ARTICLE 20- (1) This law shall enter into force on the date of publication.
 
 
 
Executive
 
 
 
ARTICLE 21- (1) The provisions of this law shall be executed by the President.
 
 
 
18/3/2025
 
Source: CUMHA - CUMHURS NEWS AGENCY