March 20, 2025
A New Era for Companies Providing Cybersecurity Services
The Cybersecurity Law (“Law”), adopted by the Grand National Assembly of Turkey on March 12, 2025, was published in the Official Gazette dated March 19, 2025, numbered 32846, and came into force as of its publication date.
In the initial draft submitted to the Assembly, regulations regarding cybersecurity products and the companies producing and selling these products were defined under the term ‘Companies established, developed, or supported with public assistance’; however, this term was removed in the final Law.
Public institutions and organizations, professional organizations with public institution status, natural and legal persons, and organizations without legal personality that exist, operate, or provide services in cyberspace (collectively referred to as “Cybersecurity Companies”) are now within the scope of the Law, while activities conducted under the National Intelligence Organization Law and the Turkish Armed Forces Internal Service Law are excluded from this scope.
Cybersecurity Companies are required to:
- Comply with the procedures and principles set forth by the Department of Cybersecurity (“Department”) regarding the sale of cybersecurity products, systems, software, hardware, and services abroad; approval from the Department will be required for the sale of products, which are subject to permission, outside of Turkey.
- Fulfil the obligation to provide information and documents.
Mergers, divisions, share transfers, or sales transactions of companies producing cybersecurity products, systems, software, hardware, and services will be subject to Department approval. Transactions conducted without obtaining Department approval will be deemed invalid.
The regulations regarding the implementation of the Law will enter into force within one year, and the provisions of existing regulations that are not contrary to the Law will continue to be applied.
Cybersecurity Companies that do not complete certification, authorization, and documentation processes within one year from the entry into force of the regulations regarding the implementation of the Law will not be able to continue their activities in the field of cybersecurity. In such a case, the references to cybersecurity will be required to be removed from their articles of association, and liquidation processes for their deletion from the commercial registry will need to be initiated.
You can find detailed information about the content of the Law in our article: Cyber Security Presidency approval requirement for cyber security companies