113SEC  —  BLOG
X000Y000
[113SEC]TR
SUPPORT
← ALL ARTICLES[ GUIDE ] — Compliance

Türkiye's Cybersecurity Law No. 7545: What Companies Need to Know

Türkiye's first comprehensive cybersecurity law has been in force since 19 March 2025 — and it covers all companies, not just critical infrastructure.

SCAN ACTIVE · 5 NODES

Türkiye's first comprehensive cybersecurity law has been in force since 19 March 2025 — and it covers all companies, not just critical infrastructure.

What the law introduces

Law No. 7545 entered into force on 19 March 2025, establishing the Cybersecurity Directorate (SGB) under the Presidency and imposing binding duties on the public sector and all private companies operating in cyberspace.

Duties in force today

  • Apply security measures set out in SGB policies and guidance
  • Provide information and documents on request
  • Report cyber incidents and vulnerabilities to the Directorate without delay
  • Critical infrastructure: certified products/providers, incident response teams (SOME), regular penetration tests, log sharing

Penalties

Administrative fines reach into the millions of lira — for audit non-cooperation up to 5% of annual gross revenue — and attacks on critical infrastructure carry prison terms of 8-12 years. Secondary regulations detailing reporting formats and certification are still being rolled out, but the framework is already binding.

How 113SEC helps

Our managed security service builds the technical foundation: 24/7 SOC/SIEM monitoring makes incidents visible, reporting becomes part of normal operations, and KVKK + 7545 compliance are handled in one programme.

This page is for information only and is not legal advice.

Talk to us today

Free assessment. On-site + remote. Istanbul, Kocaeli, Bursa.

FAQ

Does Law 7545 only apply to critical infrastructure?

No. General duties — providing information and reporting incidents — apply to all companies. Critical infrastructure operators carry additional obligations.

What should we do before secondary regulations are final?

Asset inventory, log collection, an incident response plan and baseline controls are required in every scenario. Build the foundation now; fine-tune when details land.