Turkey has passed a far-reaching cybersecurity law introducing both criminal and administrative sanctions, with some violations carrying prison terms of up to 15 years. The legislation, enacted in March 2025, creates a centralized Cybersecurity Presidency and a national Cybersecurity Council to oversee enforcement, critical infrastructure protection, and incident response coordination.

The law applies to public institutions, professional bodies, private companies, and other entities operating in cyberspace. It mandates continuous cybersecurity measures across the lifecycle of products and services, prioritizing domestic solutions, and holding all stakeholders accountable for implementing policies.

Offenses targeting national infrastructure could lead to 8 to 12 years in prison, increasing to 10 to 15 years for data distribution. Enhanced penalties apply for crimes committed by public officials, multiple perpetrators, or organized groups.

Administrative fines range from 100,000 to 100 million Turkish lira, with commercial entities facing penalties of up to 5% of gross revenue for failing to meet inspection requirements. The law also criminalizes spreading false information about cybersecurity-related data leaks, carrying sentences of 2 to 5 years.

Critics say this provision risks equating investigative reporting with cybercrime. The Media and Rights Studies Association warned it could “punish journalists working on data security with the same penalties as the perpetrators behind the leaks.”

The Cybersecurity Presidency has the authority to conduct audits, order vulnerability testing, and access data from organizations. Those refusing to comply could face up to 3 years in prison. The head of the directorate, appointed by the president, can request information from any institution and coordinate with domestic and international teams to counter threats.

Opposition lawmakers and rights groups have raised concerns over potential abuse. Özgür Ceylan of the main opposition CHP said, “Posts claiming data leaks or breaches of cybersecurity that closely concern the public could be targeted. Individuals’ ability to express themselves freely may be restricted.”

The law follows several large-scale breaches in recent years, including incidents affecting tens of millions of citizens’ personal data, and marks a significant escalation in Turkey’s regulatory approach to cybersecurity and online information control.