This article was automatically translated from the original Turkish version.
The Cybersecurity Law is a legislative measure enacted to protect Türkiye’s digital infrastructure, enhance the security of critical systems, and implement active measures against cyber threats. It was adopted by a vote in the Grand National Assembly of Türkiye on 12 February 2025. The law aims to strengthen the national cyber security framework by encompassing both the public and private sectors under the coordination of the Cyber Incident Response Team (CIRT).
The primary objectives of the law are as follows:
• Establishing and implementing cyber security policies,
• Protecting critical infrastructure in both the public and private sectors,
• Enhancing coordination with Cyber Incident Response Teams (CIRT),
• Creating mandatory reporting and oversight mechanisms,
• Developing effective response procedures against cyber attacks.
The law requires institutions operating in key sectors, primarily energy, finance, healthcare, telecommunications, and transportation, to strengthen their cyber security measures.
Under the law, the National Cyber Incident Response Center (NCIRC) and Cyber Incident Response Teams (CIRT) play a critical role. Their responsibilities include:
• Detecting, preventing, and responding to cyber threats through CIRTs in both public and private sectors,
• Strengthening national and international cyber security cooperation,
• Mandating institutional cyber incident reporting to establish early warning systems,
• Enhancing cyber security awareness through regular cyber drills.
According to the law, all public and private sector entities operating in critical sectors must report cyber security incidents to CIRTs without delay.
• Cyber attacks or security breaches must be reported to NCIRC within 24 hours.
• Institutions that fail to report incidents or neglect cyber security measures will face severe administrative penalties.
The law prescribes significant financial penalties and operational sanctions for institutions that fail to comply with the mandated cyber security measures:
• Organizations that fail to disclose cyber security vulnerabilities may be fined between 500,000 TL and 10 million TL.
• In cases where security weaknesses are identified in critical infrastructure, sanctions such as suspension of operations or revocation of licenses may be imposed.
The law also aims to align Türkiye with international cyber security standards. It anticipates enhanced information sharing with other countries on cyber attacks, adoption of common security protocols, and strengthened international collaboration against digital threats.
The Cyber Security Law seeks to strengthen Türkiye’s digital infrastructure and enhance its resilience against cyber attacks. By establishing regulations on the protection of critical infrastructure, coordination of CIRTs, mandatory reporting mechanisms, and stringent penalties, the law significantly boosts the nation’s cyber security capacity.