Turkiye: Cybersecurity Law (Law No. 7545) including approval requirement for mergers of cybersecurity firms enters into force

On 19 March 2025, the Cybersecurity Law (Law No. 7545) entered into force. The scope of this Law encompasses public institutions, professional organisations, private entities, and individuals operating within the cyberspace domain, with exceptions for intelligence activities under national security laws. The Law provides definitions, basic principles and responsibilities for cybersecurity, including the protection of critical infrastructure, data security and the role of cybersecurity response teams. Furthermore, the Law stipulates that companies involved in the production of cybersecurity products, systems, software, hardware, and services are obligated to notify the Cyber Security Presidency in instances of mergers, divisions, share transfers, or sales. Furthermore, transactions that grant direct or indirect control or decision-making authority over a company to individuals or legal entities are subject to the approval of the Presidency. In the absence of such approval, the legality of the transactions in question is called into question. The Presidency reserves the right to request relevant information and documentation from relevant institutions, and the implementation details will be regulated through procedures and principles published by the Presidency.