Cyber Security Presidency approval requirement for cyber security companies
Domestic and national technologies have been defined within the scope of the Cyber Security Law to ensure the cyber security of critical infrastructures, and the Presidential Decree on the Cyber Security Presidency (“Decree”) which will be executed by the President, has entered into force after being published in the Official Gazette dated January 8, 2025 and numbered 32776. With this new Decree, the Cyber Security Presidency (“Presidency”) is established and the procedures and principles regarding the duties, powers and responsibilities of the Presidency are determined. Subsequently, the proposal of the Cyber Security Law (“Draft Law”), which will be executed by the President of the Republic on January 10, 2025, is also approved by the Parliament and is expected to enter into force on the day it is published in the Official Gazette.
In the Decree, the Duties and Powers of the Presidency are regulated and will comprise of the following issues:
- Determining policies, strategies and objectives, preparing action plans, carrying out legislative studies, ensuring the coordination of relevant activities and monitoring their effective implementation to ensure cyber security.
- Carrying out activities to raise awareness and education on cyber security.
- Carrying out projects that support cyber security and information security.
- Working to increase cooperation between the public, private sector and universities in the field of cyber security.
- Working on the development of domestic and national products and technologies within the cyber security ecosystem and making domestic entrepreneurs competitive in the world market.
- Carrying out research and development (R&D) activities in the areas needed for cyber security and transfer of technology.
- Carrying out studies to encourage participation in exercises, events and fairs held at home or abroad related to cyber security.
- Carrying out studies to identify cyber security vulnerabilities.
- Identifying priority cyber security areas in order to direct capacity in the field of cyber security to critical areas and to prevent duplicate investments.
- Creating cyber security emergency and crisis management plans and establishing joint operation centers within the framework of these plans.
- Expressing opinions on the incentives to be given by public institutions and organizations in the field of cyber security.
- Fulfilling other duties assigned by legislation.
The purpose of the Draft Law, which consists of 21 articles, is to strengthen Turkey’s national security in cyberspace. In this context, it includes provisions on (i) measures to be taken to provide protection against cyber attacks that threaten the country’s critical infrastructures and information systems, (ii) strategies and policies to be established, and (iii) the establishment of the Cyber Security Board. The procedures and principles to be followed by those operating in the field of cyber security will also be determined by the Presidency. Cyber security experts and companies that will provide cyber security products, systems and services to be used in public institutions and organizations and critical infrastructures will be authorized and certified by the Presidency. Presidential approval will also be sought for cyber security companies subject to certification, authorization and certification. In case of operating without obtaining the necessary approvals, authorizations or permissions, the Presidency may impose imprisonment from 2 to 4 years and a judicial fine from 100 days to 2000 days.
With the exception of the National Intelligence Agency, the entire public and private sector will be subject to the Draft Law. The Presidency has the authority to supervise all acts and transactions in terms of cyber security when it deems necessary.
The Draft Law aims at giving priority to domestic and national technologies in the protection of critical infrastructures. In the import of all kinds of materials, tools, equipment, machinery, devices and systems needed by the Presidency during the execution of its duties and in the stages of going abroad, permits and certificates of conformity that must be obtained from public institutions and organizations, real and legal persons will not be sought.
In addition to the article on the unlawfulness of data in the Turkish Penal Code, the Draft Law stipulates imprisonment from 3 to 5 years for those who access, share or sell corporate data, which are previously within the scope of personal or critical public services due to data leakage in cyberspace, without the permission of individuals or institutions, for a fee or free of charge.
Even if the duties of those who work in the Presidency in permanent or contractual status are terminated for any reason, they cannot take any other official or private position in the field of cyber security in the country or abroad for 2 years without the consent of the Presidency, and cannot engage in trade, engage in self-employment activities in this field, and especially this cannot be a shareholder or director in a company operating in the sector. According to the decisions of the Court of Cassation, it will be a matter of curiosity how the implementation of this regulation will be evaluated while the geographical boundaries of this non-competition article are expected to be limited to a certain region or a few provinces. A prison sentence of 3 to 5 years is foreseen for violation of this article.
Sales of cyber security products, systems, software, hardware and services established, developed or supported by public support, and division; and merger, share transfer or sale transactions of companies producing them Iis subject to Presidential approval. The approval of the Presidency is also required for the sale of cyber security products, systems, software, hardware and services to be used within the scope of new procurement contracts for public institutions and organizations and critical infrastructures, as well as for the division, merger, share transfer or sale transactions of the companies that produce them.
Within 6 months from the entry into force of the Draft Law, all kinds of movable, information processing infrastructure and systems, vehicles, tools, equipment and materials, all kinds of records and documents in physical and electronic media and all kinds of other asset inventories belonging to the Information and Communication Technologies Authority (“ICTA”) and used exclusively within the scope of national cyber security activities, and all kinds of debts and receivables arising from the execution of such activities by ICTA, and all rights and obligations will be transferred to the Presidency. From this arrangement, it is understood that the Usom (National Cyber Incident Response Center) and Some (Cyber Incident Response Teams) infrastructures will be transferred to the Presidency.
