Türkiye's first comprehensive cybersecurity law has been in force since 19 March 2025 — and it covers all companies, not just critical infrastructure.
What the law introduces
Law No. 7545 entered into force on 19 March 2025, establishing the Cybersecurity Directorate (SGB) under the Presidency and imposing binding duties on the public sector and all private companies operating in cyberspace.
Duties in force today
- Apply security measures set out in SGB policies and guidance
- Provide information and documents on request
- Report cyber incidents and vulnerabilities to the Directorate without delay
- Critical infrastructure: certified products/providers, incident response teams (SOME), regular penetration tests, log sharing
Penalties
Administrative fines reach into the millions of lira — for audit non-cooperation up to 5% of annual gross revenue — and attacks on critical infrastructure carry prison terms of 8-12 years. Secondary regulations detailing reporting formats and certification are still being rolled out, but the framework is already binding.
How 113SEC helps
Our managed security service builds the technical foundation: 24/7 SOC/SIEM monitoring makes incidents visible, reporting becomes part of normal operations, and KVKK + 7545 compliance are handled in one programme.
This page is for information only and is not legal advice.