Turkish Cybersecurity Law 7545: Corporate Compliance Framework

This guide covers the Turkish Cybersecurity Law 7545 compliance framework: the 19 March 2025 Resmi Gazete publication; the Siber Güvenlik Başkanlığı (Cybersecurity Directorate) institutional architecture; critical infrastructure obligations across the finance, energy, telecommunications, transport, health and digital service sectors; the USOM (Ulusal Siber Olaylara Müdahale Merkezi) and SOME (Siber Olaylara Müdahale Ekibi) sectoral framework; KVKK Article 12 data security obligations; Turkish Penal Code (TCK) Articles 243-245 cybercrime offences; Internet Law 5651; the Budapest Cybercrime Convention and its ratification under Law No. 6533; sectoral coordination across BTK, BDDK, EPDK and SPK; breach reporting timelines; the enforcement and administrative penalty framework; and judicial review through the idare mahkemesi.

Türkiye's cybersecurity regulatory landscape underwent fundamental restructuring with the enactment of Siber Güvenlik Kanunu (Cybersecurity Law, Law No. 7545) by the Türkiye Büyük Millet Meclisi on 12 March 2025 and its publication in the Resmi Gazete on 19 March 2025 (No. 32846). The new framework establishes a centralised institutional architecture under the newly created Siber Güvenlik Başkanlığı (Cybersecurity Directorate), expands compliance obligations for critical infrastructure operators and digital service providers, and introduces new enforcement mechanisms that operate alongside the established frameworks under Kişisel Verilerin Korunması Kanunu (Law No. 6698, "KVKK"), İnternet Ortamında Yapılan Yayınların Düzenlenmesi ve Bu Yayınlar Yoluyla İşlenen Suçlarla Mücadele Edilmesi Hakkında Kanun (Law No. 5651), and adjacent statutes.

The framework's operational impact extends across multiple sectors. Financial services operators under Bankacılık Düzenleme ve Denetleme Kurumu (BDDK) supervision, telecommunications operators under the Bilgi Teknolojileri ve İletişim Kurumu (BTK) framework, energy sector operators under Enerji Piyasası Düzenleme Kurumu (EPDK), capital markets participants under Sermaye Piyasası Kurulu (SPK), healthcare data operators under the Sağlık Bakanlığı framework, and digital service providers across e-commerce, cloud computing, and other sectors all face new compliance obligations under the 7545 framework. The compliance picture is layered: 7545's general framework, sectoral regulations issued by competent authorities under the framework's authorisation, KVKK 6698 personal data protection requirements, TCK (Türk Ceza Kanunu, Law No. 5237) Articles 243-245 cybercrime offences, and the broader regulatory ecosystem all interact at the operational level.

This guide addresses the substantive compliance picture under the 7545 framework with adjacent statutory references, the Cybersecurity Directorate's institutional architecture, sector-specific obligations across the major regulated industries, the breach reporting and incident response framework, vendor and third-party risk management requirements, internal policy and governance architecture, enforcement and administrative penalty mechanisms with judicial review pathways, and the international cooperation framework under the Budapest Cybercrime Convention, to which Türkiye has been party since 2014. A Turkish law firm experienced in cybersecurity work approaches the engagement at the intersection of regulatory compliance, technical operations, and litigation risk management rather than as discrete specialty work in any single dimension.

The Statutory Architecture: 7545 and the Adjacent Framework

Law No. 7545 establishes the substantive framework for cybersecurity governance in Türkiye. The law's structure addresses institutional organisation, scope of application, substantive compliance obligations, enforcement and sanction frameworks, and coordination with adjacent regulatory frameworks. The legislation supersedes prior sectoral cybersecurity rules in certain respects while maintaining sectoral regulatory authority for sector-specific implementation, producing a layered framework where general 7545 obligations apply alongside continuing sectoral rules issued by BTK, BDDK, EPDK, SPK, and other competent authorities.

KVKK (Law No. 6698) of 24 March 2016 operates as the foundational personal data protection framework with continuing applicability alongside 7545. KVKK Article 12 establishes data security obligations including technical and administrative measures appropriate to the data processing's risk profile, prevention of unauthorised access, prevention of unlawful data processing, and breach notification obligations. Kişisel Verileri Koruma Kurulu (Personal Data Protection Authority) Kararı No. 2019/10 specifies the 72-hour breach notification framework for personal data breaches. The 7545 framework's data security dimensions interact with KVKK 6698 obligations rather than replacing them.

The 5651 Sayılı İnternet Kanunu of 4 May 2007 operates as the foundational internet content and infrastructure framework, with substantive coverage of internet service provider, content provider, and hosting provider obligations. The 5651 framework addresses content removal, access blocking, and provider responsibilities; the 7545 framework addresses cybersecurity infrastructure obligations that operate alongside the 5651 content framework. Operators subject to the 5651 framework face additional 7545 obligations where their operations qualify as critical infrastructure or digital service provision under the 7545 scope.

The 5809 Sayılı Elektronik Haberleşme Kanunu of 5 November 2008 establishes the electronic communications framework, with substantive obligations for telecommunications operators including network security, lawful interception, emergency communications, and service continuity. BTK administers the 5809 framework with secondary regulations addressing specific technical and operational dimensions. Telecommunications operators face 5809 obligations alongside 7545 obligations where their operations qualify under the 7545 scope.

The 5070 Sayılı Elektronik İmza Kanunu of 15 January 2004 establishes the electronic signature framework, with provisions on qualified electronic signatures, certificate service providers, and the legal effects of electronic signatures. The framework operates alongside 7545 in scenarios involving authentication mechanisms, digital identity, and electronic transaction security.

TCK (Türk Ceza Kanunu, Law No. 5237) of 26 September 2004 provides the criminal framework for cyber offences. Articles 243-245 establish specific cybercrime offences: unauthorised access to data processing systems (Article 243), preventing a data system from functioning or manipulating data (Article 244), and abuse of bank or credit cards (Article 245). The criminal framework operates alongside the 7545 administrative framework: the same conduct may produce both administrative liability under 7545 and criminal liability under TCK 243-245, depending on the conduct's nature and its legal characterisation.

The Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime of 23 November 2001) establishes the international cooperation framework for cybercrime investigation and prosecution. Türkiye has been party to the Convention since ratification under Law No. 6533 (Resmi Gazete 2 May 2014, No. 28988). The Convention provides mutual legal assistance, an extradition framework for cybercrime offences, and harmonised substantive provisions that interact with Turkish domestic enforcement.

The EU NIS-2 Directive (Directive (EU) 2022/2555) is the European Union's network and information security framework, establishing comparable obligations across EU member states. Türkiye is not bound by NIS-2 directly, but the directive's substantive content has informed comparable compliance expectations among multinational operators with an EU-Türkiye operational footprint. Operators with EU exposure should anticipate that NIS-2 compliance practices and 7545 compliance requirements will overlap meaningfully in operational implementation.

The Cybersecurity Directorate: Institutional Architecture Under 7545

The Siber Güvenlik Başkanlığı (Cybersecurity Directorate) is the central institutional innovation of Law No. 7545. The Directorate operates as a public institution under the Cumhurbaşkanlığı framework with substantive authority over national cybersecurity policy, sectoral coordination, incident response coordination, regulatory rule-making within the law's authorisation, and enforcement actions against non-compliant operators.

The Directorate's substantive authority covers several operational areas. National cybersecurity policy development includes strategic threat assessment, sectoral risk prioritisation, and coordination with the national security framework. Sectoral coordination operates through the Directorate's relationship with sectoral regulatory authorities (BTK for telecommunications, BDDK for banking, EPDK for energy, SPK for capital markets, Sağlık Bakanlığı for health-sector data), with the Directorate setting the general framework that sectoral regulators implement through their secondary regulations. Incident response coordination operates through the established USOM and SOME framework, with the Directorate providing strategic oversight while operational response continues through established channels.

USOM (Ulusal Siber Olaylara Müdahale Merkezi — National Cyber Incidents Response Centre) operates within the cybersecurity coordination framework as the central incident response and threat intelligence body. USOM coordinates response to significant cybersecurity incidents affecting Turkish infrastructure, provides threat intelligence to operators, maintains cybersecurity incident reporting mechanisms, and coordinates with international incident response counterparts. The 7545 framework continues USOM's operational role with potential restructuring within the broader Directorate architecture.

SOME (Siber Olaylara Müdahale Ekipleri — Cyber Incidents Response Teams) operates at the sectoral and operator level. Sectoral SOMEs (Sektörel SOME) operate within sectoral regulatory authorities — Banking SOME, Energy SOME, Telecommunications SOME — providing sector-specific incident response coordination. Corporate SOMEs (Kurumsal SOME) operate within individual organisations satisfying specific scale and criticality criteria, providing organisation-level incident response capability. The SOME framework operates with prescribed reporting relationships up through sectoral SOMEs to USOM.

Sectoral regulatory authorities retain substantial regulatory authority within their established frameworks. BTK continues to administer telecommunications cybersecurity through the 5809 framework and secondary regulations. BDDK continues to administer banking cybersecurity through the Bankacılık Kanunu (Law No. 5411) framework and the substantial body of BDDK regulations addressing IT systems, business continuity, and operational risk. EPDK continues to administer energy sector cybersecurity through sector-specific regulations. SPK continues to administer capital markets cybersecurity through the SPK framework. The 7545 framework operates alongside this sectoral regulation rather than replacing it; operators subject to sectoral regulation face the layered obligation of sectoral rules plus the 7545 general framework.

Critical infrastructure designation under the 7545 framework triggers enhanced compliance obligations. The Directorate's authority includes designation of specific infrastructure as critical based on substantive criteria related to scale, criticality to economic function, national security implications, or service availability impact. Designated critical infrastructure operators face enhanced obligations including specific technical controls, mandatory incident reporting timelines, periodic compliance audits, and direct Directorate oversight.

Coordination with KVKK and the Personal Data Protection Authority operates through a specific framework distinguishing general cybersecurity obligations under 7545 from personal data protection obligations under KVKK 6698. The Personal Data Protection Authority retains primary authority over personal data breaches and KVKK compliance; the Cybersecurity Directorate has primary authority over cybersecurity infrastructure and incident response. Cases involving both dimensions, which is typical for personal data breach scenarios, require coordinated response and reporting through both frameworks.

Scope and Application: Critical Infrastructure and Digital Services

The 7545 framework's scope extends to several categories of operators based on their function, scale, and criticality. Understanding which obligations apply to a specific operator requires substantive analysis of the operator's profile against the framework's scope criteria; generic compliance approaches that treat all operators uniformly miss the substantive distinctions that determine actual obligation depth.

Public institutions, including ministries, regulatory authorities, state-owned enterprises, municipalities, and other public bodies, face the framework's full scope as primary subjects of cybersecurity policy. Public institutions' obligations include implementation of prescribed technical and administrative controls, designation of cybersecurity responsible personnel, integration with the central incident response framework, and periodic compliance reporting. The public-institution framework operates substantially uniformly across institution types, with sectoral variation reflecting specific operational realities.

Critical infrastructure operators across designated sectors face enhanced obligations. The critical infrastructure designation typically covers: financial services including banks, insurance operators, payment institutions, and capital markets operators with substantial scale; energy sector including electricity transmission and distribution, natural gas, petroleum, and renewable energy operators; telecommunications including mobile and fixed-line operators, internet service providers, and certain content delivery operators; transportation including aviation, maritime, rail, and certain road transport operators; water and sanitation services including municipal water operators; health services including hospital systems, health insurance, and pharmaceutical distribution; food production and distribution at certain scales; and digital infrastructure including major cloud services, data centres, and internet exchange points. The specific designations operate through sectoral and Directorate decisions rather than statute-level enumeration.

Digital service providers across e-commerce, online marketplaces, search engines, social networks, online intermediation services, and similar service categories face framework obligations where their service scale or function meets specified thresholds. The substantive framework reflects the EU NIS-2 conceptual framework on digital services while applying Turkish-specific implementation. Operators with substantial Turkish user bases or transactional volumes face obligations regardless of their corporate domicile.

KVKK data controllers under the 6698 framework face cybersecurity obligations under both KVKK Article 12 (data security obligations specific to personal data) and the 7545 framework where they additionally qualify as critical infrastructure or digital service providers under the 7545 scope. Data controllers operating purely within the KVKK scope, without 7545 critical-infrastructure or digital-service classification, face KVKK obligations only. The distinction matters operationally because the documentation, governance, and reporting requirements differ between the frameworks.

Foreign operators with Turkish operations or Turkish-user services face the framework where their operations or services qualify under the scope criteria. The framework's extraterritorial reach extends to foreign operators providing digital services to Turkish users, foreign operators with Turkish branch operations, and foreign operators with substantial Turkish data processing. Compliance obligations may operate through Turkish branch establishments, designated representatives, or direct compliance by the foreign operator depending on the specific circumstances.

Small and medium enterprises (SMEs) generally face proportionate obligations under the framework. The substantive obligations scale with the operator's size, complexity, and risk profile rather than applying uniformly across all entities. Specific exemptions and proportionate compliance pathways apply to SMEs in many implementation areas, though the underlying principles of cybersecurity hygiene apply broadly.

Sectoral overlay rules add specific obligations beyond the general 7545 framework. Banking sector operators face BDDK secondary regulations on IT systems, business continuity, outsourcing, and cybersecurity that operate alongside 7545. Telecommunications operators face BTK regulations on lawful interception, emergency services, and network security. Energy sector operators face EPDK regulations addressing SCADA system security, control system isolation, and operational technology security specific to energy infrastructure. Operators in regulated sectors should expect integrated obligation analysis rather than a 7545-only review.

Core Compliance Obligations Under the New Framework

Operators subject to the 7545 framework face substantive compliance obligations across technical, administrative, and procedural dimensions. The specific obligations vary by operator category and sector, but common elements appear across the framework.

Technical control obligations include implementation of cybersecurity controls appropriate to the operator's risk profile and operational environment. Standard technical controls include network segmentation and access control with documented network architecture, identity and access management with multi-factor authentication for privileged access and sensitive systems, vulnerability management with regular scanning and timely patching, security monitoring with logging and event correlation, encryption of data in transit and at rest using appropriate cryptographic standards, secure software development practices for in-house development, and incident detection and response capability. The technical depth scales with the operator's category: critical infrastructure operators face substantively higher technical control expectations than general digital service providers.

Administrative control obligations include cybersecurity governance with board-level oversight responsibility, designated cybersecurity personnel including a Cybersecurity Officer (Siber Güvenlik Yetkilisi) for substantial operators, written cybersecurity policies and procedures covering relevant operational areas, periodic risk assessment with a documented risk register, security awareness training for personnel with role-based content, and supplier and third-party risk management with documentation requirements.

Documentation obligations require operators to maintain audit-quality records of their cybersecurity programme. Required documentation typically includes: cybersecurity policy and procedure documents with version control and approval records; risk assessment documentation with periodic update; incident response procedures with tabletop exercise records; access control and identity management documentation; supplier risk management documentation; security awareness training records; and audit and review records covering both internal and external audit activity. Documentation gaps produce compliance findings during regulatory audit even where the underlying technical and administrative controls are operationally adequate.

ISO 27001 alignment is operationally common for substantial operators and provides a structured framework for documenting compliance. The 7545 framework does not formally mandate ISO 27001 certification, but the certification's structure aligns substantially with the framework's documentation expectations. Operators pursuing ISO 27001 certification benefit from structured implementation that produces documentation outputs satisfying both the certification requirements and the regulatory framework's documentation expectations.

Annual self-assessment and reporting obligations require operators to assess their cybersecurity posture annually and report to the Directorate or the sectoral regulator, depending on the operator's category. The self-assessment covers compliance with prescribed technical and administrative controls, identified risks and their remediation status, incidents during the reporting period, and a forward-looking compliance plan for emerging risks or regulatory developments. Reporting templates and formats are typically prescribed by the Directorate or the sectoral regulator.

Critical infrastructure operators face enhanced periodic audit requirements. The audit framework typically includes external independent audit by qualified auditing entities at prescribed intervals (typically annually or biennially), with audit reports submitted to the Directorate and the relevant sectoral regulator. Audit findings produce compliance remediation requirements with prescribed timelines; persistent or substantive findings produce escalated regulatory attention.

Cybersecurity Officer (or Committee for substantial operators) designation and notification to the Directorate is required for operators in scope. The Officer is the operator's primary point of contact for the Directorate and sectoral regulators, leads incident response coordination, oversees the cybersecurity programme's implementation, and reports to senior management on cybersecurity matters. The Officer's qualification, independence, and reporting line are subjects of regulatory expectation; operators should select Officers with substantive cybersecurity expertise and appropriate organisational standing.

Sector-Specific Risk Management

Sectoral regulatory authorities apply the 7545 framework alongside their established sector-specific regulations, producing layered compliance obligations that operators must navigate. Each major regulated sector has a distinctive cybersecurity profile and obligation set.

Banking and financial services under BDDK framework face among the most demanding cybersecurity obligations in Türkiye's regulatory landscape. BDDK's IT systems and operational risk regulations (Bankaların Bilgi Sistemleri ve Elektronik Bankacılık Hizmetleri Hakkında Yönetmelik and related framework) establish detailed expectations on IT governance, business continuity, outsourcing, cybersecurity, fraud prevention, and operational risk. Banks face specific requirements on board oversight, IT risk committees, business continuity planning with prescribed recovery objectives, outsourcing approval, cybersecurity programme structure, and incident reporting. The 7545 framework adds cybersecurity-specific obligations that operate alongside BDDK rules.

Capital markets under the SPK framework face specific cybersecurity obligations through SPK secondary regulations addressing investment firms, exchanges, central depositories, and asset management operators. Borsa İstanbul, as the central exchange, faces particular obligations as critical financial infrastructure. Capital markets operators face the layered obligation of SPK sector rules plus the 7545 general framework plus, where applicable, banking-related rules through BDDK supervision of investment banks.

Telecommunications operators under the BTK framework operate within the established 5809 sectoral framework, with substantial cybersecurity obligations through BTK secondary regulations on lawful interception, network security, service continuity, and emergency services. The 7545 framework's general obligations apply to telecommunications operators as an overlay; operators face the layered obligation of sectoral and general rules.

The energy sector under the EPDK framework faces sector-specific obligations addressing the unique characteristics of energy infrastructure. Electricity transmission and distribution, natural gas, petroleum operations, and renewable energy operators face specific cybersecurity obligations including operational technology security (SCADA systems, control systems), business continuity for critical energy services, and coordination with Türkiye Elektrik İletim AŞ (TEİAŞ) on grid security matters. The energy sector's operational technology focus distinguishes it from sectors where information technology is the predominant cybersecurity concern.

Healthcare data under the Sağlık Bakanlığı framework is subject to specific obligations on patient data security, hospital information systems, e-prescription systems, and the broader healthcare information infrastructure. The intersection with the KVKK 6698 framework is particularly intensive given health data's special category status under KVKK Article 6. Healthcare operators face integrated obligations across cybersecurity (7545 plus sectoral rules) and personal data (KVKK plus sectoral health data rules).

Transportation operators across aviation, maritime, rail, and road transport face sector-specific cybersecurity obligations through the relevant regulatory authorities including Sivil Havacılık Genel Müdürlüğü (DGCA) for aviation, Ulaştırma ve Altyapı Bakanlığı for maritime and rail, and Karayolları Genel Müdürlüğü for highway operations. Major transportation infrastructure operators (airports, ports, rail networks) face critical infrastructure designation with enhanced obligations.

Cloud services and data centres face substantial obligations as digital infrastructure providers and as service providers to multiple regulated sectors. Operators in this category face their own 7545 obligations plus contractual obligations flowing from their downstream regulated customers' compliance requirements. The cloud service compliance framework increasingly involves operator certifications (ISO 27001, SOC 2, certain Turkish-specific certifications) that satisfy customer compliance requirements through certificate transferability.

Data Breach and Incident Reporting Architecture

Cybersecurity incident reporting under the 7545 framework operates through prescribed mechanisms with specific timelines based on incident severity. The framework distinguishes between routine cybersecurity incidents that the operator manages internally and significant incidents requiring external reporting and coordination.

Significant cybersecurity incidents requiring external reporting typically include: incidents producing service disruption affecting substantial customer base or operational scale; incidents involving unauthorised access to or compromise of substantial volumes of sensitive data; incidents affecting critical infrastructure operations or coordinated infrastructure dependencies; incidents indicating coordinated or persistent threat activity beyond opportunistic attack patterns; and incidents involving regulatory or contractual reporting triggers under specific frameworks.

Reporting timeline expectations vary by incident category. The 7545 framework's specific timeline provisions establish baselines that sectoral regulators may shorten through their secondary rules. Banking sector incidents under BDDK framework typically face shorter reporting timelines (often within hours of detection for substantial incidents) reflecting the financial stability concerns. Telecommunications incidents under BTK framework follow specific timelines linked to service availability impact. Critical infrastructure incidents follow accelerated timelines reflecting the criticality of timely response coordination.

USOM coordination operates as the central incident response framework for incidents affecting national cybersecurity. Incidents within USOM scope are reported through prescribed mechanisms, typically electronic submission through dedicated portals, with subsequent coordination on response activities. USOM's role includes threat intelligence sharing with affected operators, coordination of response across multiple affected operators where the incident has cascading effects, and international coordination with foreign incident response counterparts where the incident has transnational dimensions.

Sectoral SOME reporting operates as the next layer of the framework. Sector-specific SOMEs receive sector-specific incident reports from operators within their sector, coordinate sector-specific response, and aggregate sector-level threat intelligence for upward reporting to USOM and the Directorate. Operators in regulated sectors face dual reporting obligations to sectoral SOME (sector-specific operational coordination) and to USOM (national cybersecurity coordination) for incidents triggering both frameworks.

KVKK personal data breach reporting under KVKK Article 12 and Personal Data Protection Authority Kararı No. 2019/10 framework operates as the parallel framework for breaches affecting personal data. The 72-hour notification framework applies to personal data breaches with notifications to the Personal Data Protection Authority and, where applicable, to affected data subjects. The framework's substantive triggers and procedural requirements operate alongside 7545 cybersecurity reporting; incidents involving personal data breach typically trigger both frameworks with parallel reporting obligations.

Documentation of incidents and response activities is operationally critical regardless of whether external reporting is triggered. Internal incident documentation should capture: detection timeline including initial detection, escalation, and management notification; affected systems and data including scope assessment; response activities including containment, eradication, and recovery actions; root cause analysis including technical and procedural findings; affected parties notification (where applicable); and lessons learned with remediation planning. The internal record provides the foundation for any subsequent regulatory inquiry or audit review.

Coordinated breach response requires integrated handling across legal, technical, and operational dimensions. Counsel coordination during breach response addresses regulatory reporting compliance, evidence preservation for potential litigation or criminal investigation, communication with affected parties, and coordination with technical incident response. The substantive challenge during active incident response is balancing speed (regulatory reporting timelines, customer notification expectations) with accuracy (incomplete or incorrect initial reporting can produce subsequent compliance complications).

Vendor and Third-Party Risk Management

The 7545 framework establishes substantive obligations on operators regarding their suppliers, contractors, and other third parties whose activities affect the operator's cybersecurity posture. Vendor risk management is operationally significant because most cybersecurity programmes depend on vendor relationships for substantial portions of their actual operational implementation: cloud hosting, software-as-a-service, managed security services, contract IT operations, and specialised technical services.

Pre-engagement vendor due diligence requires operators to assess prospective vendors' cybersecurity posture before engagement. Standard due diligence elements include: vendor's cybersecurity policy framework and certifications (ISO 27001, SOC 2, Turkish-specific certifications); vendor's incident history including significant incidents during prior periods; vendor's specific security controls relevant to the contemplated services; vendor's subcontractor management and downstream supply chain visibility; vendor's regulatory standing in jurisdictions where the vendor operates; and vendor's financial stability and operational continuity capacity. The due diligence depth scales with the contemplated services' criticality to the operator's operations.

Contract terms addressing vendor cybersecurity obligations are operationally essential. Standard contract elements include: cybersecurity standards specifying the controls the vendor must maintain; service-level obligations on availability, recovery, and performance; incident notification requirements with prescribed timelines; data handling restrictions including data location, processing scope, and transfer limitations; audit rights allowing operator review of vendor's cybersecurity posture during the contract period; subcontractor approval and oversight requirements; data return and deletion obligations on contract termination; liability allocation including indemnification for cybersecurity-related losses; and insurance requirements. Contract precision in this area produces meaningful operational and legal protection compared to generic vendor agreements.

Ongoing vendor monitoring during the contract period requires structured oversight. Standard monitoring elements include: periodic compliance attestations from vendor; review of vendor incident reports during the contract period; periodic audit (operator-conducted or third-party) of vendor's cybersecurity posture; monitoring of vendor's regulatory and certification status; and performance review against contracted service levels. Vendors whose performance or compliance posture deteriorates during the contract period may require remediation, contract modification, or relationship termination.

Subcontractor and downstream supply chain visibility extends the vendor risk management framework. Operators must understand their direct vendors' subcontractor relationships and the cybersecurity implications of those relationships. Concentration risk where multiple direct vendors rely on a common upstream subcontractor produces systemic exposure that direct vendor management may not adequately address.

Joint liability for vendor-caused cybersecurity failures is an emerging exposure under the framework. Operators relying on vendors for cybersecurity-relevant operations may face direct regulatory exposure for vendor failures even where the vendor's own conduct caused the incident. The legal characterisation often depends on whether the operator exercised reasonable diligence in vendor selection and oversight; operators with documented diligence and oversight programmes are better positioned to defend against joint-liability findings.

Cyber insurance coordination operates alongside vendor risk management. Cyber insurance policies typically address operator-side losses from cybersecurity incidents but with specific coverage limitations and exclusions. Vendor-caused incidents may produce coverage questions where the policy's coverage scope intersects with vendor liability. Coordination between insurance terms, vendor contract terms, and 7545 compliance obligations requires substantive analysis at policy and contract negotiation rather than reactive handling at incident time.

Internal Policy and Governance Architecture

Substantive 7545 compliance requires institutional governance that extends beyond technical control implementation to organisational decision-making, accountability, and oversight structures. The governance framework determines whether technical controls actually function as intended and whether the cybersecurity programme adapts to changing risk and regulatory landscape.

Board of directors oversight is the apex governance element. Boards of operators in scope face specific responsibilities for cybersecurity oversight including: approval of cybersecurity policy and major investment decisions; review of risk assessment results and remediation status; review of significant incidents and response effectiveness; oversight of cybersecurity programme leadership and resourcing; and engagement with auditors and regulators on cybersecurity matters. Board engagement should produce documented evidence of oversight activity including meeting minutes, briefing materials, and decision records.

Executive committee and senior management responsibilities include translating board direction into operational implementation, allocation of resources to cybersecurity priorities, monitoring of cybersecurity programme execution, escalation of significant matters to the board, and accountability for cybersecurity outcomes. Senior management's substantive engagement is the operational reality that determines whether cybersecurity is treated as compliance overhead or as integrated business risk.

Cybersecurity Officer (or equivalent designation) leads the cybersecurity programme operationally. The Officer's responsibilities include programme strategy development, implementation oversight, incident response leadership, regulatory and audit interface, vendor risk management oversight, and training and awareness programme leadership. The Officer's organisational position should provide both substantive expertise and adequate authority to drive programme implementation across functional lines.

Risk management committee or equivalent governance body provides cross-functional coordination on cybersecurity risk alongside other operational and strategic risks. The committee typically includes senior representatives from IT, security, compliance, legal, operations, and business functions, providing the integrated oversight that cybersecurity programmes require.

Internal audit function provides independent verification of cybersecurity programme effectiveness. The audit programme should cover: cybersecurity controls implementation and operational effectiveness; compliance with prescribed policies and procedures; incident response effectiveness; vendor risk management implementation; and emerging risks and remediation status. Audit findings flow through the established audit governance with management response, remediation planning, and tracking through resolution.

Policy and procedure framework provides the operational documentation for the cybersecurity programme. Standard policy elements include: cybersecurity policy statement establishing organisational commitment and high-level requirements; access control policy with role-based access framework; data classification and handling policy; incident response policy and procedures with detailed playbooks; vendor risk management policy; security awareness and training policy; physical security policy; remote work and bring-your-own-device policy; and cryptographic standards policy. Each policy element requires periodic review and update reflecting changing risk and regulatory landscape.

Cross-border policy coordination is operationally significant for multinational operators. Group-level cybersecurity policies developed at corporate headquarters may require Turkish-specific adaptations to satisfy 7545 framework, KVKK 6698 requirements, and sectoral regulations. The operational discipline is to maintain group-policy alignment with Turkish-specific overrides clearly documented rather than maintaining inconsistent parallel frameworks.

Enforcement, Sanctions, and Judicial Review

The 7545 framework establishes administrative penalty mechanisms for non-compliance with prescribed obligations. The Directorate has authority to investigate compliance, assess penalties, and issue corrective orders within the framework's authorisation. Sectoral regulators retain parallel authority within their established frameworks. Operators facing 7545 enforcement may simultaneously face sectoral enforcement under the BDDK, BTK, EPDK, SPK, or other sectoral framework, depending on the substantive matter.

Administrative penalty assessment follows the framework's prescribed scales for different violation categories. Penalty amounts typically scale with the operator's revenue, the violation's severity, the operator's compliance history, and the violation's impact on affected parties. The framework's design produces graduated penalty exposure that reflects the violation's seriousness rather than uniform penalty regardless of context.

Investigation procedures involve the Directorate's right to access information, request documentation, and conduct on-site inspections within the framework's authorisation. Operators facing investigation should respond through coordinated counsel, technical, and operational engagement. Statements made during investigation can support both administrative penalty findings and, where the conduct meets the elements of a criminal offence, criminal liability under the TCK Articles 243-245 framework; coordinated handling across administrative and criminal exposure is operationally essential.

Corrective orders accompany penalty assessment in many cases. The Directorate may order specific remediation actions including implementation of additional controls, governance changes, vendor relationship modifications, or operational changes. Corrective orders typically include compliance timelines and verification mechanisms; failure to comply with corrective orders produces additional enforcement exposure.

Administrative review and judicial appeal follow the standard administrative law framework. Operators may challenge penalty assessments and corrective orders through administrative review within the Directorate framework, then through judicial appeal to the administrative courts (idare mahkemesi) within the 60-day filing window of Article 7/1 of İdari Yargılama Usulü Kanunu (Law No. 2577). The appellate review proceeds through Bölge İdare Mahkemesi at first appellate instance and Danıştay (Council of State) at high court instance.

Interim relief through yürütmenin durdurulması (stay of execution) framework under IYUK Article 27 is available where the underlying decision produces immediate harm that final judicial decision cannot adequately remedy. The standard for interim relief includes apparent illegality of the decision and irreparability of harm absent the relief. Cybersecurity penalty cases sometimes support interim relief where the penalty's enforcement would produce immediate operational disruption.

Constitutional Court review (Anayasa Mahkemesi) is available in narrow circumstances where the underlying decision raises constitutional rights questions. The framework's individual application process allows constitutional review of decisions affecting fundamental rights including property rights, occupational rights, and procedural fairness. Constitutional Court review is operationally rare in cybersecurity penalty contexts but available where the substantive case supports it.

Reputational and contractual consequences operate alongside formal regulatory penalties. Significant cybersecurity incidents and enforcement actions produce reputational impact affecting customer relationships, vendor relationships, and capital markets standing. Contract counterparties may invoke termination rights, performance obligations, or indemnification provisions based on cybersecurity events. The integrated impact analysis captures both the formal regulatory consequences and the broader operational implications.

The Cybercrime Layer: TCK 243-245 and Adjacent Criminal Framework

Criminal cybersecurity exposure operates through Türk Ceza Kanunu (Law No. 5237) Articles 243-245 and adjacent provisions. The criminal framework operates alongside 7545 administrative framework — the same conduct may produce both administrative liability under 7545 and criminal liability under TCK 243-245 depending on the conduct's nature.

TCK Article 243 covers unauthorised access to data processing systems (bilişim sistemine girme). The offence's elements include: unlawfully entering or remaining in a data processing system; recording the system's communications; or observing the information held in the data system. Penalty scales include imprisonment of up to one year or a fine for the basic offence, with enhanced penalties for offences involving systems of certain types or producing specific consequences. The offence covers both external attacks and unauthorised access by individuals with limited legitimate access.

TCK Article 244 covers preventing data system functioning or data manipulation. The offence's elements include: preventing or disrupting the functioning of a data processing system; modifying or destroying data; placing modified data into the system; or obstructing the use of data. Penalty scales include imprisonment from six months to three years for basic offences, with enhanced penalties producing imprisonment up to ten years for offences targeting specific systems or producing specific consequences. The offence framework covers ransomware operations, denial-of-service attacks, data destruction, and similar conduct.

TCK Article 245 covers abuse of bank or credit cards. The offence framework covers unauthorised use of payment instruments, production or supply of fraudulent payment instruments, and related conduct. Penalty scales reach substantial imprisonment with fines proportionate to the conduct's scale and sophistication.

Adjacent criminal provisions include TCK Article 158 fraud framework where cybersecurity violations involve fraudulent intent producing financial gain, TCK Article 142 theft framework where cybersecurity violations involve appropriation of digital assets with economic value, and TCK Article 132 violation of communications privacy where cybersecurity violations involve interception of communications. The full criminal exposure assessment requires substantive analysis across these provisions.

The 5651 framework adds sectoral criminal provisions specific to internet content and infrastructure. Its provisions on illegal content, prohibited activities, and provider obligations produce criminal exposure in specific scenarios involving internet operations.

TCK (Law No. 5237) Article 220 organised crime provisions and the anti-terrorism-financing framework under Law No. 6415 can apply to cybersecurity violations carried out through a coordinated criminal enterprise or in support of terrorist activities. Major cybersecurity incidents involving organised criminal activity can produce enhanced exposure under these frameworks.

Criminal proceedings run through Cumhuriyet Başsavcılığı (Public Prosecutor) with investigation by judicial police. Cases proceed through Asliye Ceza Mahkemesi (Criminal Court of First Instance) at first instance for lower-severity matters and Ağır Ceza Mahkemesi (Heavy Penal Court) for higher-severity matters, with appellate review through Bölge Adliye Mahkemesi and high court review through Yargıtay (Court of Cassation).

Defence considerations in cybersecurity criminal proceedings include the substantive elements of the alleged offence (whether the conduct meets the criminal definition), the evidentiary record (digital evidence handling, chain of custody, forensic methodology), and procedural protections (right to counsel, search and seizure procedures, defendant rights during investigation). Coordinated handling across administrative 7545 enforcement and criminal TCK proceedings is essential where both frameworks may apply.

International Framework Coordination: Budapest Convention and Cross-Border Cooperation

Türkiye's international cybersecurity cooperation operates through several frameworks with substantive operational implications for cross-border cybersecurity matters. The frameworks address mutual legal assistance, extradition, evidence sharing, and harmonised substantive law on cybercrime.

Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime, ETS No. 185 of 23 November 2001) is the primary international framework governing cybercrime cooperation. Türkiye has been party to the Convention since ratification under Law No. 6533 published in Resmi Gazete on 2 May 2014 (No. 28988). The Convention's framework provides: harmonised substantive provisions on cybercrime offences across party states; procedural framework for cybercrime investigation including expedited preservation of stored data, expedited disclosure of preserved traffic data, production orders, search and seizure, real-time collection of traffic data, and interception of content data; and mutual assistance framework for cybercrime investigation including extradition, mutual assistance, and 24/7 contact point network.

Convention Additional Protocols extend the framework's scope. The Additional Protocol on Cybercrime concerning the criminalisation of acts of a racist and xenophobic nature committed through computer systems (CETS 189) and the Second Additional Protocol on enhanced cooperation and disclosure of electronic evidence (CETS 224) provide enhanced cooperation mechanisms. Türkiye's participation in these protocols varies and should be verified for specific cases.

Mutual Legal Assistance (MLA) framework operates through bilateral and multilateral treaties addressing cooperation in criminal matters. Türkiye has MLA arrangements with most major economies through bilateral treaties or through participation in multilateral frameworks. Cross-border cybersecurity cases involving parties or evidence in multiple jurisdictions typically require MLA coordination for evidence access, witness availability, or enforcement of investigative measures.

Extradition framework allows surrender of suspects or convicted persons between treaty parties. Türkiye has extradition treaties with most major economies; the European Convention on Extradition (ETS 24) of 1957 to which Türkiye is party covers most European jurisdictions. Cybersecurity offences typically meet the extradition threshold of dual criminality where the conduct constitutes serious offence in both requesting and requested states.

Information sharing arrangements between cybersecurity authorities operate alongside formal MLA frameworks for operational threat intelligence and incident coordination. USOM participates in international incident response networks including FIRST (Forum of Incident Response and Security Teams) and similar coordination forums providing operational threat sharing without formal MLA process.

EU operational cooperation through the Türkiye-EU relationship produces specific cooperation mechanisms despite Türkiye's non-membership. Cooperation with ENISA (European Union Agency for Cybersecurity), CERT-EU, and EU member state CERTs operates through both formal arrangements and operational practice. The cooperation framework's depth varies with broader EU-Türkiye political relationship dynamics.

NATO cyber cooperation operates through Türkiye's NATO membership. The NATO Cyber Defence Pledge and the broader NATO cyber framework provide alliance-level cooperation on cybersecurity matters with both political and operational dimensions. Türkiye participates in NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) activities though Türkiye is not a sponsoring nation of the centre.

Bilateral cybersecurity cooperation arrangements with specific countries provide additional cooperation mechanisms. Türkiye has cybersecurity-specific bilateral agreements with various countries addressing threat intelligence sharing, operational cooperation, and capacity building. The bilateral framework supplements multilateral and regional cooperation mechanisms.

Counsel Engagement Across the Compliance Lifecycle

The 7545 framework's complexity and the integrated regulatory landscape produce substantial value from professional counsel engagement at multiple points in the compliance lifecycle. The engagement points concentrate where legal interpretation, procedural framework, and substantive risk decisions intersect.

Pre-implementation analysis at framework rollout determines the operator's substantive obligations. Counsel review of the operator's profile against framework scope criteria, sectoral overlay analysis, and integrated obligation assessment produces the operational baseline for compliance programme development. Operators that approach 7545 compliance without this baseline analysis often discover obligation gaps or scope errors during regulatory engagement when remediation is operationally complex.

Compliance programme structuring translates legal obligations into operational architecture. Counsel coordination with technical and operational stakeholders produces compliance programmes that satisfy regulatory expectations while functioning operationally — programmes that look complete on paper but fail during regulatory examination produce worse outcomes than transparent gaps that can be remediated.

Vendor and contract review addresses the substantial portion of cybersecurity programme that operates through vendor relationships. Counsel review of vendor contracts ensures the contract terms support the operator's regulatory and operational positions. Generic vendor agreements typically do not provide adequate protection; contract review and negotiation produces meaningful operational and legal protection.

Incident response coordination during active incidents addresses the substantive risks at the moment they crystallise. Counsel involvement from incident detection through response coordinates regulatory reporting compliance, evidence preservation for potential litigation or criminal proceedings, communication with affected parties, and coordination with technical incident response. Operators that engage counsel only after initial incident response often face complications with reporting compliance, evidence handling, or communication strategy that earlier counsel involvement would have prevented.

Regulatory engagement during routine compliance interactions and during enforcement proceedings benefits from professional counsel. Routine engagement includes annual reporting, periodic audits, and informal regulatory interactions; enforcement engagement includes investigation response, penalty proceedings, and corrective order coordination. The regulatory relationship over time benefits from consistent counsel involvement that builds institutional understanding of the operator's position.

Post-incident regulatory and litigation handling addresses the consequences of significant incidents. Substantial incidents may produce regulatory enforcement, civil litigation by affected parties, criminal investigation under TCK framework, contractual disputes with affected counterparties, and reputational management requirements. Coordinated handling across these dimensions produces better outcomes than fragmented response.

Cross-border coordination matters for operators with multinational operations or international incident dimensions. Counsel coordination across jurisdictions addresses MLA framework, parallel regulatory proceedings in multiple jurisdictions, and cross-border data flow implications during incidents. An Istanbul Law Firm experienced in cybersecurity work coordinates with foreign counsel to produce integrated cross-border response rather than fragmented jurisdiction-by-jurisdiction handling.

The Turkish Law Firm value-add concentrates in substantive engagement with the technical content of cybersecurity regulation rather than administrative coordination of compliance activity. Operators that engage counsel as substantive technical and legal partner rather than administrative coordinator produce better outcomes across the engagement spectrum.

Frequently Asked Questions

  1. What is the new Turkish Cybersecurity Law? Siber Güvenlik Kanunu (Law No. 7545), enacted by the Türkiye Büyük Millet Meclisi on 12 March 2025 and published in Resmi Gazete on 19 March 2025 (No. 32846). The law establishes the Siber Güvenlik Başkanlığı (Cybersecurity Directorate), expands compliance obligations for critical infrastructure operators and digital service providers, and operates alongside KVKK Law No. 6698, Internet Law No. 5651, Electronic Communications Law No. 5809, and TCK Articles 243-245 cybercrime framework.
  2. What is Siber Güvenlik Başkanlığı? The Cybersecurity Directorate established under Law No. 7545 as a public institution under Cumhurbaşkanlığı framework with authority over national cybersecurity policy, sectoral coordination, incident response oversight, regulatory rule-making within the law's authorisation, and enforcement actions. The Directorate operates alongside USOM (Ulusal Siber Olaylara Müdahale Merkezi) for incident response and SOME (Siber Olaylara Müdahale Ekipleri) at sectoral and operator level.
  3. Which sectors are covered? Critical infrastructure operators across financial services (banks, insurance, payment institutions, capital markets) under BDDK and SPK supervision, telecommunications under BTK framework, energy sector under EPDK framework, transportation operators (aviation, maritime, rail, road), water and sanitation, healthcare under Sağlık Bakanlığı, food production at scale, digital infrastructure (cloud, data centres, internet exchanges), and digital service providers including e-commerce, online marketplaces, search engines, and social networks at specified thresholds.
  4. How does 7545 interact with KVKK? KVKK Law No. 6698 governs personal data protection with Article 12 addressing data security obligations specific to personal data and Personal Data Protection Authority Kararı No. 2019/10 establishing 72-hour breach notification framework for personal data breaches. 7545 governs cybersecurity infrastructure obligations across critical infrastructure and digital services. Personal data breaches affecting operators in 7545 scope typically trigger both frameworks with parallel reporting obligations.
  5. What are core compliance obligations? Technical controls including network segmentation, identity and access management with multi-factor authentication, vulnerability management, security monitoring, encryption of data in transit and at rest, secure development practices, and incident detection and response capability. Administrative controls including board-level cybersecurity oversight, designated Cybersecurity Officer (Siber Güvenlik Yetkilisi), written policies and procedures, periodic risk assessment, security awareness training, and supplier risk management. Documentation requirements covering policies, procedures, risk assessment, incident response, training, audit, and review records.
  6. What about ISO 27001? The 7545 framework does not formally mandate ISO 27001 certification but the certification structure aligns substantially with framework documentation expectations. Operators pursuing ISO 27001 certification benefit from structured implementation that produces documentation outputs satisfying both certification requirements and regulatory framework expectations.
  7. What is the breach reporting timeline? Significant cybersecurity incidents typically require external reporting through prescribed mechanisms with timelines varying by incident category and operator sector. Banking sector incidents under BDDK framework typically face shorter reporting timelines reflecting financial stability concerns. Telecommunications incidents under BTK framework follow specific timelines linked to service availability impact. Personal data breaches under KVKK Article 12 follow the 72-hour framework under Personal Data Protection Authority Kararı No. 2019/10. Incidents affecting national cybersecurity report through USOM channels.
  8. Who is USOM? Ulusal Siber Olaylara Müdahale Merkezi — National Cyber Incidents Response Centre — is the central incident response and threat intelligence body coordinating response to significant cybersecurity incidents affecting Turkish infrastructure. USOM provides threat intelligence to operators, maintains incident reporting mechanisms, and coordinates with international incident response counterparts including FIRST framework participants.
  9. What is SOME? Siber Olaylara Müdahale Ekipleri — Cyber Incidents Response Teams — operate at sectoral and operator level. Sectoral SOMEs operate within sectoral regulatory authorities (Banking SOME, Energy SOME, Telecommunications SOME, etc.). Corporate SOMEs operate within individual organisations satisfying scale and criticality criteria. The framework provides prescribed reporting relationships up through sectoral SOMEs to USOM.
  10. Can foreign companies be penalised? Yes. The framework's extraterritorial reach extends to foreign operators providing digital services to Turkish users, foreign operators with Turkish branch operations, and foreign operators with substantial Turkish data processing. Compliance may operate through Turkish branch establishments, designated representatives, or direct compliance depending on the specific circumstances.
  11. What about cybercrime under TCK? TCK (Law No. 5237) Articles 243-245 establish criminal cybercrime offences. Article 243 covers unauthorised access to data processing systems. Article 244 covers preventing data system functioning or data manipulation including ransomware and denial-of-service attack scenarios. Article 245 covers abuse of bank or credit cards. The criminal framework operates alongside 7545 administrative framework — the same conduct may produce both administrative and criminal liability.
  12. Does Türkiye participate in international cybercrime cooperation? Yes. Türkiye has been party to the Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime ETS 185) since ratification under Law No. 6533 published in Resmi Gazete 2 May 2014 (No. 28988). The Convention provides harmonised substantive provisions, procedural framework for cybercrime investigation, and mutual assistance framework. Türkiye also participates in NATO cyber cooperation, FIRST incident response network, and bilateral cooperation frameworks with various countries.
  13. What are the enforcement mechanisms? Administrative penalty assessment by the Cybersecurity Directorate within framework authorisation. Sectoral regulators retain parallel enforcement authority within established frameworks (BDDK, BTK, EPDK, SPK). Penalties scale with operator revenue, violation severity, compliance history, and impact. Corrective orders accompany penalty assessment in many cases with prescribed remediation timelines.
  14. Can I appeal a penalty? Yes. Administrative review through the Directorate framework, then judicial appeal to the administrative court (idare mahkemesi) within the 60-day filing window of İdari Yargılama Usulü Kanunu (Law No. 2577) Article 7/1, with notification analysis under Tebligat Kanunu (Law No. 7201). Appellate review proceeds through Bölge İdare Mahkemesi at first appellate instance and Danıştay (Council of State) at high court instance. Interim relief (yürütmenin durdurulması) under IYUK Article 27 is available where appropriate.
  15. Where does ER&GUN&ER Law Firm support cybersecurity compliance engagements? As a Turkish law firm experienced in cybersecurity and data protection work, the firm supports the full compliance lifecycle: pre-implementation scope analysis under Law No. 7545 with a sectoral overlay assessment across BDDK, BTK, EPDK, SPK, Sağlık Bakanlığı and other relevant regulators; integrated obligation analysis covering the 7545 general framework, sectoral regulations, KVKK (Law No. 6698) personal data protection including the Article 12 data security obligations and the Personal Data Protection Board (Kurul) decision No. 2019/10 72-hour breach notification requirement, Internet Law No. 5651, Electronic Communications Law No. 5809, Electronic Signature Law No. 5070, and Türk Ceza Kanunu (Law No. 5237) Articles 243-245 cybercrime offences; compliance programme structuring with a technical control architecture (network segmentation, identity and access management, vulnerability management, security monitoring, encryption, and incident detection and response capability) and an administrative control architecture (board oversight, Cybersecurity Officer (Siber Güvenlik Yetkilisi) designation, written policies and procedures, periodic risk assessment, security awareness training, and supplier risk management); ISO 27001 certification preparation and alignment with the regulatory framework; vendor and third-party risk management with pre-engagement due diligence, contract terms addressing cybersecurity standards, service-level obligations, incident notification, data handling restrictions, audit rights, subcontractor oversight, liability allocation and insurance requirements, and ongoing vendor monitoring; incident response coordination with USOM (Ulusal Siber Olaylara Müdahale Merkezi) and the sectoral SOME (Siber Olaylara Müdahale Ekipleri) structure, regulatory reporting under 7545 and KVKK 6698, evidence preservation for potential litigation or criminal investigation, and communication with affected parties; sectoral coordination across the BDDK Bankaların Bilgi Sistemleri ve Elektronik Bankacılık Hizmetleri regulation, the BTK electronic communications framework, EPDK energy sector cybersecurity requirements, the SPK capital markets framework, and the Sağlık Bakanlığı health-data framework; internal policy and governance architecture including board oversight, executive committee responsibility, Cybersecurity Officer organisational positioning, a risk management committee, an internal audit function, and a policy framework with cross-border policy coordination for multinational operators; enforcement defence including Directorate investigation response, administrative penalty proceedings, corrective order coordination, and judicial review before the idare mahkemesi at first instance within the 60-day period under İdari Yargılama Usulü Kanunu (Law No. 2577) Article 7/1 (running from service under Tebligat Kanunu, Law No. 7201), IYUK Article 27 stay of execution (yürütmenin durdurulması) as interim relief, Bölge İdare Mahkemesi appellate review, Danıştay high court review, and Anayasa Mahkemesi (Constitutional Court) individual application where a fundamental rights question supports it; criminal cybersecurity defence under TCK Articles 243-245 with adjacent provisions including TCK Article 158 fraud, Article 142 theft, Article 132 communications privacy, Article 220 organised crime, and the Law No. 5651 internet content provisions where applicable, with proceedings before the Asliye Ceza Mahkemesi at first instance for lower-severity matters and the Ağır Ceza Mahkemesi for higher-severity matters, appellate review by the Bölge Adliye Mahkemesi, and high court review by the Yargıtay under Ceza Muhakemesi Kanunu (Law No. 5271); international cooperation analysis including the Budapest Cybercrime Convention (to which Türkiye has been party through Law No. 6533 since 2014) and its procedural tools of expedited preservation, production orders, search and seizure, and the 24/7 contact point network, mutual legal assistance through bilateral and multilateral treaties, extradition including the European Convention on Extradition, NATO cyber cooperation, and FIRST- and ENISA-related cooperation; and integrated multi-disciplinary engagement coordinating cybersecurity, data protection, criminal defence, contract, regulatory, and litigation dimensions across the compliance lifecycle, from initial framework analysis through ongoing programme management and incident response.

Author: Mirkan Topcu is an attorney registered with the Istanbul Bar Association (Istanbul 1st Bar), Bar Registration No: 67874. His practice at this Turkish Law Firm focuses on cross-border and high-stakes matters where evidence discipline, procedural accuracy, and risk control are decisive.

He advises foreign and domestic corporates, financial institutions, technology companies, healthcare operators, telecommunications operators, energy sector participants, and multinational executives on Turkish cybersecurity engagements under Siber Güvenlik Kanunu (Cybersecurity Law, Law No. 7545) of 12 March 2025 (Resmi Gazete 19 March 2025 No. 32846), including the Siber Güvenlik Başkanlığı (Cybersecurity Directorate) institutional architecture, USOM (Ulusal Siber Olaylara Müdahale Merkezi) and SOME (Siber Olaylara Müdahale Ekipleri) coordination, the critical infrastructure designation framework, and digital service provider scope analysis; the adjacent statutory framework including Kişisel Verilerin Korunması Kanunu (KVKK, Law No. 6698) of 24 March 2016 with its Article 12 data security obligations and the Personal Data Protection Board (Kurul) decision No. 2019/10 72-hour breach notification requirement, İnternet Ortamında Yapılan Yayınların Düzenlenmesi Hakkında Kanun (Internet Law, Law No. 5651) of 4 May 2007, Elektronik Haberleşme Kanunu (Electronic Communications Law, Law No. 5809) of 5 November 2008, Elektronik İmza Kanunu (Electronic Signature Law, Law No. 5070) of 15 January 2004, and Türk Ceza Kanunu (Law No. 5237) Articles 243-245 with the adjacent Article 132 communications privacy, Article 142 theft, and Article 158 fraud provisions; sectoral overlay coordination across the BDDK Bankaların Bilgi Sistemleri ve Elektronik Bankacılık Hizmetleri Hakkında Yönetmelik, the BTK electronic communications and lawful interception framework, EPDK energy sector cybersecurity including SCADA and control system requirements, the SPK capital markets cybersecurity framework, the Sağlık Bakanlığı health-data framework and its interaction with KVKK Article 6 special category data, and transport regulators including Sivil Havacılık Genel Müdürlüğü (DGCA) for aviation, Ulaştırma ve Altyapı Bakanlığı for maritime and rail, and Karayolları Genel Müdürlüğü for highway operations; compliance programme structuring with technical controls (network segmentation, identity and access management with multi-factor authentication, vulnerability management with regular scanning and patching, security monitoring with logging and event correlation, encryption of data in transit and at rest, secure software development practices, and incident detection and response capability) and administrative controls (board-level cybersecurity oversight, a designated Cybersecurity Officer (Siber Güvenlik Yetkilisi), written cybersecurity policies and procedures, periodic risk assessment with a risk register, security awareness training, and supplier risk management); ISO 27001 certification preparation and integration with the regulatory documentation framework; vendor and third-party risk management with pre-engagement due diligence, contract terms addressing cybersecurity standards, service-level obligations, incident notification timelines, data handling restrictions including data location and processing scope, audit rights, subcontractor approval, data return and deletion obligations, liability allocation and indemnification, and insurance requirements, ongoing vendor monitoring with periodic compliance attestations and audit, subcontractor and downstream supply chain visibility, joint liability analysis, and cyber insurance coordination; internal policy and governance architecture including board of directors oversight responsibility, executive committee and senior management accountability, Cybersecurity Officer programme leadership, risk management committee cross-functional coordination, independent verification by the internal audit function, a policy and procedure framework with periodic review and update, and cross-border policy coordination for multinational operators; incident response coordination with regulatory reporting under 7545 and KVKK 6698, USOM coordination with electronic submission through dedicated portals, sectoral SOME reporting, evidence preservation for potential litigation or criminal investigation, communication with affected parties, and integrated handling across legal, technical, and operational dimensions; enforcement defence including Directorate investigation response, administrative penalty proceedings under 7545 with parallel sectoral proceedings where applicable, corrective order coordination with compliance timeline management, and reputational and contractual consequence analysis; judicial review before the idare mahkemesi at first instance within the 60-day period under İdari Yargılama Usulü Kanunu (Law No. 2577) Article 7/1 (running from service under Tebligat Kanunu, Law No. 7201), IYUK Article 27 stay of execution (yürütmenin durdurulması) as interim relief, Bölge İdare Mahkemesi appellate review, Danıştay (Council of State) high court review, and Anayasa Mahkemesi (Constitutional Court) individual application where a fundamental rights question supports it; criminal cybersecurity defence under TCK Articles 243-245 (Article 243 unauthorised access to data processing systems, Article 244 preventing system functioning or manipulating data, including ransomware and denial-of-service scenarios, and Article 245 abuse of bank or credit cards), adjacent provisions under Articles 132 communications privacy, 142 theft, 158 fraud, and 220 organised crime, and the criminal provisions of Law No. 5651, with proceedings before the Asliye Ceza Mahkemesi or Ağır Ceza Mahkemesi depending on severity, Bölge Adliye Mahkemesi appellate review, Yargıtay (Court of Cassation) high court review, and HAGB (Hükmün Açıklanmasının Geri Bırakılması, deferral of the announcement of the verdict) where applicable, all under Ceza Muhakemesi Kanunu (Law No. 5271) procedure; the international cooperation framework including the Budapest Cybercrime Convention (Council of Europe Convention on Cybercrime, ETS 185, of 23 November 2001, to which Türkiye is party through Law No. 6533, published in Resmi Gazete 2 May 2014 No. 28988) with its procedural tools of expedited preservation, production orders, search and seizure, real-time collection of traffic data, and the 24/7 contact point network, the Convention's Additional Protocols where applicable, mutual legal assistance under bilateral and multilateral treaties, the European Convention on Extradition (ETS 24) of 1957, NATO cyber cooperation through Türkiye's NATO membership, FIRST (Forum of Incident Response and Security Teams) operational cooperation, ENISA-related cooperation in the EU-Türkiye relationship context, and bilateral cybersecurity cooperation arrangements; and integrated multi-disciplinary engagement across cybersecurity, data protection, criminal defence, contract, regulatory, and litigation dimensions throughout the compliance lifecycle.

Education: Istanbul University Faculty of Law (2018); Galatasaray University, LL.M. (2022).