Key Highlights of Cyber Security Law No. 7545
- Begum Durukan Ozaydin, Ilgin Tanriover, Ekrem Demirci
- Mar 19
- 2 min read
Cyber Security Law Enacted
Law No. 7545 on Cyber Security (the “Law”) was published in the Official Gazette No. 32846 on March 19, 2025, and has entered into force. The Law aims to strengthen cyber security measures and establish necessary strategies and policies to combat cyber threats. The Law covers public institutions and organizations operating, providing services, or engaging in activities in cyberspace, as well as professional organizations with public institution status, natural and legal persons, and entities without legal personality.
Cyber Security Presidency & Board
The Cyber Security Presidency (the “Presidency”) is established with broad authority, including supervising cyber security, setting industry standards, ensuring compliance, establishing a Cyber Incident Response Team and imposing sanctions.
The Cyber Security Board (the “Board”), chaired by the President of the Republic, oversees national cyber security policies, strategy decisions, and to resolve disputes between the Presidency and other public institutions.
Obligations of Cyber Security Companies
Companies must ensure that cyber security-related software, hardware, and services meet minimum standards and obtain necessary certifications.
Key responsibilities include:
Providing requested data and documents to the Presidency.
Implementing cyber security measures and reporting incidents immediately.
Procuring cyber security solutions to be used by public institutions and critical infrastructures from certified providers.
Obtaining the Presidency’s approval before commencing operations.
Complying with regulations to enhance cyber security resilience.
The sale of cyber security products, systems, software, hardware and services abroad shall be made in accordance with the procedures and principles to be determined by the Presidency. The approval of the Presidency shall be obtained for the sale of products subject to authorization to be included in these procedures and principles.
Companies must notify the Presidency of mergers, demergers, share transfers, or sales transactions; transactions that result in a change of control require the Presidency’s approval; otherwise, they are legally invalid.
Supervision & Sanctions
The Presidency has extensive authority to conduct inspections and impose penalties for non-compliance.
Penalties include:
Failure to provide requested information: 1-3 years imprisonment & judicial fine (500-1,500 days).
Operating without required authorization: 2-4 years imprisonment & judicial fine (1,000-2,000 days).
Negligence in critical infrastructure security leading to data breaches: 1-3 years imprisonment.
Failure to report or prevent data leaks: Administrative fine (1M - 10M TRY).
Non-compliance with Article 18 obligations: Administrative fine (10M - 100M TRY).
Processing of Personal Data
Personal data processed under the Law must comply with legal and good faith principles, be accurate, up-to-date, and used for specific, legitimate purposes in a limited and proportionate manner. Such data and trade secrets shall be deleted, destroyed, or anonymized ex officio once the need for access ceases.
Next Steps for Companies
Regulations related to the implementation of the Law will be enacted within one year, as stipulated in Provisional Article 1/6. Accordingly, cyber security companies must promptly ensure compliance with the standards established by the Law and the Presidency and obtain the necessary permits before commencing operations. Otherwise, they must remove references to cyber security from their company names and business activities or initiate liquidation procedures.
In the following period, it is expected that a more detailed secondary legislation will be issued by the President of the Republic and the Presidency to set sector standards and regulate the certification and authorization processes.
For further inquiries or legal assistance, feel free to contact Durukan+Partners team.
Comments