On January 15, 2025, the Committee on National Security within Turkey’s unicameral legislature, the Grand National Assembly of Turkey, approved a proposed cybersecurity law. According to the bill’s explanatory memorandum, the proposed law aims to create a framework to systematize various cybersecurity roles and responsibilities currently fragmented across different governmental agencies.
If the general assembly passes the bill, it would establish a governmental agency called the Presidency of Cybersecurity. The agency would be granted regulatory and investigatory powers, including powers to set standards for cybersecurity products and services; certify and audit cybersecurity service providers; investigate cybersecurity incidents; conduct on-site inspections; and conduct searches and seizures in non-public premises subject to a court order. (Arts. 6 and 8.)
The law would also create a Cybersecurity Council to establish policy, strategy, and action plans regarding cybersecurity. (Art. 9.) The council would be chaired by the president of the Republic of Turkey. It would include several cabinet-level officers and high-level bureaucrats, namely the vice president; the ministers of justice, interior affairs, national security, industry and technology, and transportation and infrastructure; the general secretary of the National Security Council; and the heads of the National Intelligence Organization, the Presidency of Defense Industries, and the Presidency of Cybersecurity.
The bill sets forth criminal and administrative penalties for non-compliance with the information requests from the Presidency of Cybersecurity. It also contains criminal sanctions for providing access to, sharing, or selling personal data or institutional data that are related to critical public services; creating or disseminating content that—for the purpose of harming persons or institutions or to create fear, anxiety, or panic in the public—falsely claims that a data breach has occurred; and commissioning cyberattacks against “elements constituting the national forces of the Republic of Turkey in cyberspace.” (Art. 16.)
During the committee process, lawmakers adopted several amendments addressing some of the major criticisms made by opposition parties. For instance, lawmakers amended the provision on the search and seizure powers of the Presidency of Cybersecurity, stipulating that emergency orders may only be issued in cases involving national security, public order, or the prevention of crimes or cyberattacks. (Art. 8/5.) The amended version now requires that emergency orders—issued by the head of the Presidency of Cybersecurity or a prosecutor subject to ex-post review by a judge within 24 hours of the order—must include sufficient information to demonstrate a reasonable basis for their issuance. The provision criminalizing the act of creating or disseminating false claims of a data breach was also amended to clarify that the offending conduct must be intended to harm a person or institution, or to spread fear, anxiety, or panic in the public. (Art. 16/5.) Previously, this provision sought to criminalize “conduct aiming at harming institutions or individuals by creating the perception that a data breach has occurred where it has not.”
As the general assembly continues its deliberations on the bill, it remains possible for additional amendments to be introduced and adopted.
Prepared by Zeynep Timocin Cantekin, Legal Research Fellow, under the supervision of Hanibal Goitom, Chief, Foreign, Comparative, and International Law, Division I
Law Library of Congress, March 11, 2025