The Parliament has passed the Cybersecurity Law, a 21-article bill introduced by the ruling Justice and Development Party (AKP), with certain adjustments following criticism from the opposition and rights groups. The final vote, held just after midnight on Mar 12, resulted in 246 votes in favor and 102 against.
The law includes several key provisions, including the establishment of a Presidency of Cybersecurity and a Committee of Cybersecurtiy, as well as various prison sentences for individuals who carry out cyberattacks against "elements of Turkey's national power in cyberspace" or store such illegally obtained data.
The Presidency of Cybersecurity will be responsible for enhancing the cybersecurity resilience of critical infrastructure and information systems, protecting against cyberattacks, detecting cyber threats, and preventing or mitigating the impact of potential attacks.
The Presidency of Cybersecurity will be authorized to provide on-site or remote incident response support to entities affected by cyber incidents. It will be auhotized to access archives, electronic data processing centers, and communication infrastructure as needed for its investigations.
Any collected data will be used for investigative purposes for a maximum of two years before being destroyed. Entities that receive data requests from the directorate will not be allowed to refuse compliance by citing their own regulations.
Also, the authority will be able to collect, store, and analyze log records from information systems and prepare reports based on these records, which will be shared with relevant institutions and organizations.
The new law also envisages the establishment of a Ceybersecurity Council headed by the president, whose members will include the head of the Presidency of Cybersecurity, the vice-president, the intelligence chief and several ministers.
Amendments following debates
In response to public criticism, AKP deputies removed a clause that would have granted the Presidency of Cybersecurity the power to conduct searches, seize materials and make copies of digital material before a court approval. This provision was approved by the parliament during the Mar 6 session but was later amended.
Additionally, the wording of the controversial Article 16, Section 5, was revised. Originally, it penalized individuals who falsely claimed a "data leak" had occurred. Following amendments, the phrase "data leak" was modified to "cybersecurity-related data leak."
Turkey’s new cybersecurity law allows home searches with post-search approval
Criticism
The Freedom of Expression Association (İFÖD) criticized the law, arguing that it violates the principle of legality, lacks institutional clarity, and endangers privacy and personal data protection.
The association also warned that the law allows authorities to access private information without sufficient safeguards, contradicts Constitutional Court rulings, and threatens press freedom by imposing vague and arbitrary restrictions.
During yesterday's parliamentary debates, opposition lawmakers raised similar concerns, arguing that minor amendments did not resolve fundamental problems in the bill.
Özgür Ceylan, an MP from the main opposition Republican People’s Party (CHP) , criticized the law’s vague definitions and lack of oversight.
"The definition of 'critical infrastructure' is left entirely to a committee led by the Presidency," he noted. "There is no independent oversight mechanism. The law introduces penalties, but no accountability measures—this is a classic AKP approach. You want unchecked power without being monitored."
Ceylan also questioned the removal of warrantless search powers from Article 8 while similar provisions remained in Articles 6 and 7, calling it a legal contradiction. "The Cybersecurity President’s power to conduct searches and seizures was removed from Article 8, and we appreciate that. But the same authority still exists in Articles 6 and 7. This is a clear violation of the Constitution and will be overturned by the Constitutional Court."
He further criticized Article 16, which criminalizes spreading false claims about cybersecurity-related data leaks, warning that it could be used as a censorship tool: "We support stronger cybersecurity, but you are introducing an unnecessary crime category that already exists under the Turkish Penal Code. Instead of protecting cybersecurity, this law restricts press freedom and public discourse. If passed, it will hang over society like a guillotine, suppressing fundamental rights and freedoms."
Alleged citizenship data breaches in Turkey
Concerns over large-scale data breaches involving Turkish citizens’ information have surfaced multiple times in recent years. The leaked data reportedly includes a wide range of information about citizens, including ID numbers, health records, property information, residence addresses, and phone numbers.
In April 2022, journalist İbrahim Haskoloğlu claimed that hacker groups had contacted him, alleging that they had obtained data from the e-government (e-devlet) system. To prove their claims, the hackers reportedly sent him an image of President Recep Tayyip Erdoğan’s identity card, which Haskoloğlu shared online. He was arrested after the revelation.
In February 2023, Cyberthint, a platform monitoring cyberthreats worldwide, reported another major breach including data of millions of citizens.
Main opposition Republican People’s Party (CHP) lawmaker Özgür Karabat last year released a video showing how such interfaces worked. Allowing data retrieval for all citizens, these tools were being sold on platforms like Telegram for as little as 200 Turkish liras (roughly a few dollars).
Also last year, reports emerged that Turkey's Transportation and Infrastructure Ministry sought help from Google after 108 million citizens' information was leaked to Google Drive.
Additionally, a recent documentary titled Panel, released by YouTube channel 140journos, reignited concerns about data privacy. The documentary featured interviews with an anonymous individual who claimed to have created one of the interfaces and admitted to involvement in various cybercrimes.
Turkish authorities have repeatedly denied reports of massive breach of citizenship data. It remains unclear whether MİT’s recent operation is directly linked to these breach allegations.
Penalties introduced
The law imposes penalties for several acts:
- Eight to 12 years in prison for carrying out cyber attacks targeting elements of Turkey's national power in the cyberspace.
- Up to three years in prison and fines for individuals who refuse to provide requested information to authorized officials.
- Two to four years in prison and fines for operating without the required licenses and permits.
- Four to eight years in prison for failing to comply with confidentiality obligations.
- Three to five years in prison for sharing or selling personal or sensitive government data obtained through a cybersecurity breach.
- Two to five years in prison for falsely claiming that a cybersecurity-related data leak has occurred to cause public panic or defame institutions or individuals.
Business regulations
The law also introduces new regulations on cybersecurity-related products and services. Accordingly, companies providing cybersecurity products, systems, software, and services must obtain government approval before exporting them abroad.
Any mergers, acquisitions, or share transfers of companies in the cybersecurity sector must be reported to authorities. Transactions that change ownership or decision-making control will require government approval to be legally valid.
Companies that fail to comply with security measures and reporting obligations may face fines ranging from 1 to 10 million liras (32,000 to 320,000 US dollars).
Businesses that fail to open their systems, software, and hardware for inspections could face additional fines of up to 5% of their annual revenue. (VK)
