Turkey is facing a groundbreaking development in the field of cyber security: The Cyber Security Law (Law) has been published.
Until now, we did not have comprehensive framework legislation specifically regulating the field of cybersecurity, comparable to “The Personal Data Protection Law” or “The Law on the Regulation of Electronic Commerce”. This new Law, published today in the Official Gazette, aims to fill that significant gap as an overarching regulation in cybersecurity.
This Law, which affects all individuals and entities providing services in the digital sphere, adds a new compliance item to many topics ranging from personal data to electronic commerce, consumer rights to competition: cyber compliance.
While the Law is based on fundamental concepts such as “institutionalization”, “continuity” and “sustainability”, it prioritizes the principle of accountability. Therefore, everyone subject to the Law must now be able to “prove” and “document” their compliance. This, in fact, requires an internal compliance study and its integration.
Cyberspace: How Broad Is the Scope?
The Law applies to all public institutions and organizations, professional chambers, and natural and legal persons operating in cyberspace. Cyberspace is defined as the “environment consisting of IT systems connected to the internet or electronic networks and the networks connecting these systems.” This definition makes it clear that everyone operating in the digital world will fall under the Law’s scope.
Highlights of the Law
The new regulation addresses critical topics relevant to everyone involved with technology, including:
- Provisions to protect organizations against cyberattacks,
- Establishment of the Cybersecurity Board and its duties and powers,
- Enhancing the cyber resilience and maturity levels of public institutions and critical infrastructure organizations,
- Centralized monitoring, detection, and mitigation of cybersecurity incidents,
- Implementation of auditing processes and deterrent sanctions,
- Regulation of standardization, certification, and authorization processes,
- Severe penalties for cybercrimes and incidents.
What will be the responsibilities of companies?
Those who are covered by the Law and who use IT systems to provide services, collect and process data, or carry out similar activities have the following main cybersecurity responsibilities and duties:
- Provide all data, information, documents, hardware, software and other contributions requested by the Presidency within the scope of its duties and activities, as a priority and in a timely manner. This is critical because violations may result in imprisonment and administrative fines.
- Take the cybersecurity measures stipulated by the legislation for the purposes of national security, public order or the proper execution of public service, and notify the Presidency without delay of any vulnerability or cyber incident detected in the area where they provide services.
- Procure cybersecurity products, systems, and services to be used in public institutions and organizations and critical infrastructures from cybersecurity experts, producers, and companies authorized and certified by the Presidency.
- For cybersecurity companies subject to certification, authorization and accreditation, obtain the Presidency’s approval within the framework of the existing regulations before starting operations.
Click here to learn more about our Istanbul, Turkey member firm Gökçe Attorney Partnership.