Technology and digitalization have reshaped the activities and business practices of companies, restructuring internal functions such as production, marketing, advertising, sales, transportation, and communication. Although this has brought significant gains, it has also introduced new risks, including digital risks.
In recent years, the number and sophistication of cyberattacks have increased significantly in Türkiye and worldwide. Ransomware, phishing, payment-instruction fraud carried out through compromised business email accounts (business email compromise), and AI-assisted identity impersonation (deepfakes) have reached levels that directly threaten companies' financial and operational security. Beyond direct economic loss, these attacks lead to the theft of personal data and to commercial and reputational damage.
In this context, the need for comprehensive cybersecurity regulation also emerged in Türkiye, and accordingly the Cybersecurity Law No. 7545 entered into force upon its publication in the Official Gazette on 19.03.2025. The Law aims to establish the institutional structures and obligations needed to detect, prevent, and mitigate the effects of existing and potential cyberattacks, and to protect public institutions and organizations, professional bodies with public-institution status, and natural and legal persons against cyber threats.
A. Cybersecurity Vulnerabilities and Risk Types:
Cybersecurity vulnerabilities may arise from inadequate security policies, human error, or deficiencies on the side of service providers. When malicious actors exploit these vulnerabilities, companies may suffer economic losses and face legal liability.
Outdated software, weak passwords, insufficient authentication, inadequate network security, failure to keep or analyze log records, employee mistakes and uninformed actions, and insufficient oversight of outsourced services are the most common risks encountered in companies' information systems.
In addition, the advance of digitalization has diversified cyberattack techniques. Harvesting employee credentials through fraudulent emails and websites (phishing), compromising business email accounts in order to issue fake payment instructions (business email compromise), and locking systems and encrypting data in exchange for ransom (ransomware) are among the most common next-generation fraud methods.
B. Legal Obligations of Companies Against Next-Generation Fraud:
With the rapid pace of technological development and the resulting diversification of cyberattacks, companies must adopt not only technical measures but also legal ones. In this context, Cybersecurity Law No. 7545, Personal Data Protection Law No. 6698 ("KVKK"), and the relevant secondary regulations impose multidimensional cybersecurity obligations on companies. Non-compliance with these obligations may give rise to both administrative and criminal liability.
Companies must first conduct regular risk analyses to identify existing and potential future threats to their IT infrastructure and systems. Based on the results of these analyses, they must establish security policies against internal and external threats. Preparing security policies and procedures in writing, and clearly defining rules on access management, authorization, encryption, log retention, and network security, are fundamental obligations under the KVKK and the Cybersecurity Law. Communicating these policies and procedures to employees, so that they are actually implemented, is likewise important for administrative compliance.
Companies must also put in place an organizational structure for a cyber incident response team, conduct penetration tests at regular intervals, promptly remediate any vulnerabilities detected, and retain incident-related records for the specified periods. If a cyberattack targeting systems where personal data is processed results in a data breach, the Personal Data Protection Board must be notified as soon as possible and at the latest within 72 hours of the company becoming aware of the breach. Failure to notify, or late notification, may result in significant administrative fines.
C. Conclusion:
The rapid advancement of technology increases cybersecurity threats day by day, and as a result every operational process and piece of digital infrastructure in a company becomes a potential target. Companies must therefore treat cybersecurity policies not merely as a technical matter but as a core component of corporate risk management and legal compliance.
Cybersecurity Law No. 7545, the KVKK, and the related secondary regulations impose comprehensive technical and administrative obligations on companies. Companies are required to conduct risk analyses of cyberattacks and related risks, establish their security policies and procedures, retain log records, submit notifications in the event of a breach, carry out employee awareness activities, and prepare action plans for situations in which those risks materialize.
Betül Önal Payze, Senior Associate