Turkiye: Cybersecurity Law (Law No. 7545) including security obligations enters into force

On 19 March 2025, the Cybersecurity Law (Law No. 7545) entered into force. The Law’s obligations apply to public institutions, professional organisations, private entities and individuals operating in cyberspace, with exceptions for intelligence activities in accordance with national security laws. The Law defines the basic principles, responsibilities and measures for cybersecurity, including the protection of critical infrastructure, data security and the role of cybersecurity response teams (SOME). Organisations are obligated to implement security measures, including the reporting of security incidents, the procurement of certified cybersecurity products, and compliance with inspections and audits. The formulation of policies and determination of strategic priorities is the responsibility of the Cybersecurity Council, which is composed of the President, Vice President, and ministers. In addition, the Law imposes regulations on cybersecurity personnel, including security clearance requirements, mandatory service terms for recipients of state-sponsored training, and restrictions on former employees working in private cybersecurity roles for two years without approval, while also prohibiting the unauthorised disclosure of cybersecurity information. Violations of these provisions are subject to financial penalties and imprisonment.