ADJUSTER
TR / EN
13.07.2026 Blog Post

Cybersecurity Law in Türkiye and the New Draft Law

Cybersecurity Law in Türkiye and the New Draft Law
In today's world, where digitalization is advancing at a dizzying pace, the variety and impact of cyber threats are increasing at the same rate. In response to these developments, it has become inevitable for states to create a strong legal framework to protect their citizens and critical infrastructure in the digital environment. In line with this global necessity, Turkey is continuously strengthening its existing legal infrastructure and taking strategic steps towards cybersecurity.
This article outlines the current cybersecurity legislation in Turkey and then comprehensively evaluates the New Cybersecurity Law Draft, which was presented to the public at the end of 2024.

Current Legal Framework
1. Personal Data Protection Law (KVKK – Law No. 6698)
The Personal Data Protection Law (KVKK), which came into force in 2016, regulates the processing of individuals' personal data and forms one of the cornerstones of Turkey's cybersecurity ecosystem.
The law imposes the following obligations on data controllers:

Obtaining explicit consent,
The purpose and duration of data processing should be explained transparently.
The secure storage of personal data,
Data will be destroyed if its purpose ceases to exist.
Taking technical and administrative security measures.
These regulations aim to provide stronger protection for individuals in the digital environment.

2. Electronic Communications Law (Law No. 5809)
This law, which imposes obligations on organizations operating in the field of information and communication technologies regarding issues such as security, data privacy, and service continuity, has also strengthened the regulatory and supervisory role of the Information and Communication Technologies Authority (BTK).
Furthermore, preventive measures and response mechanisms to be taken against cyberattacks are also regulated within this scope.

3. Cybersecurity Strategies in Development Plans
Development plans, and especially the 12th Development Plan, stand out as important policy documents supporting Turkey's vision for digital transformation and cybersecurity.
These plans include:

Protecting critical infrastructure,
The creation of national cybersecurity strategies,
Training human resources in the field of cybersecurity,
Development of domestic and national technologies
Strategic objectives such as these have been explicitly stated, and a strong foundation has been laid for legislative development efforts.

New Cybersecurity Law Draft: Türkiye's Digital Shield
In line with this vision, the New Cybersecurity Law Draft, presented to the public at the end of 2024, offers a comprehensive reform package to strengthen Turkey's position in the digital world.
The draft aims to systematize the existing fragmented legislative structure and introduce stricter security standards, especially for critical sectors.

The new draft law envisages the establishment of a Cyber ​​Security Directorate under the Ministry of Transport and Infrastructure. This Directorate will play a central role in the development of national cyber security policies, crisis management, and the improvement of public-private sector cooperation.
Organizations operating in critical sectors such as energy, finance, healthcare, and communications will be required to conduct regular penetration tests, prepare cyber risk reports, and meet specific security standards.

Furthermore, the draft includes a significant emphasis on promoting the use of domestic and national technologies. Specifically, it plans to make the use of domestic software and hardware mandatory in public institutions and strategic organizations.
This step aims to reduce Turkey's dependence on foreign sources in the field of cybersecurity and to establish a more independent structure in the digital realm.

Another important regulation concerns data localization. Critical data will be required to be stored within Turkey's borders; data transfer processes will be subject to strict control.
This aims to strengthen data sovereignty and prevent both individual and national security risks.

The draft also highlights the severe administrative and criminal sanctions that will be applied in case of non-compliance with the new regulations. Sanctions such as high fines, suspension of operations, and license revocations aim to encourage compliance and increase the effectiveness of the regulations.
In addition, all public and private sector organizations will be obliged to report cyber incidents to a central system in a timely manner, and Joint Response Centers will be established for crisis management purposes.

This comprehensive transformation will enable Türkiye to establish a more proactive, independent, and robust structure in cybersecurity. However, the success of the regulations should not be limited solely to the creation of a legal framework; it must also include the development of effective oversight mechanisms, the strengthening of trust-based collaborations between the public and private sectors, and the dissemination of a cybersecurity culture throughout society.

In the coming years, Turkey is expected to create a flexible and resilient cybersecurity ecosystem against global threats by continuously updating this legal framework. The new threat environments brought about by artificial intelligence, the Internet of Things (IoT), and quantum technologies will necessitate the evolution of cybersecurity regulations.
Therefore, it is of paramount importance to be prepared not only for today's threats but also for the uncertainties of the future.

In this new era, Türkiye can become a stronger player in the digital world by developing its own technologies in the field of cybersecurity, investing in human resources, and establishing a flexible legal system that is compliant with international standards while also responding to local needs.

The steps taken in this process will be a strategic element that directly affects not only a country's cybersecurity but also its economic development and international prestige.
← Back to Blog