Law No. 7545 on Cybersecurity (the “Law”), which entered into force in 2025, introduced a comprehensive framework by systematizing the principles and obligations relating to cybersecurity that had previously been regulated in a fragmented manner under various legislative instruments. In parallel, new competent administrative authorities were established to oversee cybersecurity governance.
A significant part of the procedures and principles governing the implementation of the Law is expected to be clarified through secondary legislation. In this respect, recent amendments concerning the organizational structure of the Cybersecurity Presidency have been introduced by way of a Presidential Decree.
The Law expressly regulates the administrative fines to be imposed in cases of non-compliance with cybersecurity-related obligations. As of 2026, these sanctions have been significantly increased following the application of the revaluation rate. The updated administrative fine amounts applicable under the Law are set out in the table below:
|
Violation Subject to Administrative Fine |
2025 Administrative Fine Amount |
2026 Administrative Fine Amount |
|
Failure to take the cybersecurity measures prescribed under the legislation; failure to promptly notify the Presidency of detected vulnerabilities or cyber incidents |
TRY 1,000,000 – TRY 10,000,000 |
TRY 1,254,900 – TRY 12,549,000 |
|
Procurement of cybersecurity products, systems or services for public institutions or critical infrastructures from suppliers other than those authorized |
TRY 1,000,000 – TRY 10,000,000 |
TRY 1,254,900 – TRY 12,549,000 |
|
Production or export of cybersecurity products, systems, software, hardware or services in violation of the obligations set forth under Article 18 of the Law |
TRY 10,000,000 – TRY 100,000,000 |
TRY 12,549,000 – TRY 125,490,000 |
|
Failure to keep devices, systems, software and hardware open to inspection; failure to provide the required infrastructure or to maintain operability during audits
Failure by commercial companies to comply with audit-related obligations |
100.000 TL – 1.000.000 TL |
125.490 TL – 1.254.900 TL |
|
Provided that it shall not be lower than the statutory minimum administrative fine, and up to 5% of the annual gross sales revenue
|
||
Considering the updated amounts, it is evident that the administrative fines envisaged for violations under the Law have reached levels that may pose serious financial risks for companies. In this context, it is expected that audit and supervisory activities relating to cybersecurity obligations will be conducted in a more systematic, technical and outcome-oriented manner in the upcoming period. Accordingly, companies are strongly advised to ensure that their cybersecurity-related policies, procedures and technical infrastructures are not merely formal or documentation-based, but are designed in a manner that is effectively implementable and auditable in practice.
In conclusion, recent developments in cybersecurity legislation should be addressed not merely as a matter of legal compliance, but as an integral component of corporate risk management and business continuity strategies.
12.1.2026
