Short answer: The European Union has set a clear rule in Article 35 of the NIS2 Directive: if an administrative fine has already been imposed under the GDPR for the same act, NIS2 authorities may not impose a second fine for it. Turkish law contains no equivalent provision. Where the KVKK and Law No. 7545 on Cybersecurity overlap, the outcome is determined by the general rules on concurrence: for breaches of security-measure duties, only the heaviest fine applies; for breaches of notification duties, both authorities impose their own fines, and these fines are cumulative. For multinational companies operating in Turkey, this difference directly shapes compliance strategy.
The same problem in both legal systems: one act, two regimes
Cybersecurity legislation and personal data protection legislation inevitably intersect over the same events. An unencrypted database is both a cybersecurity vulnerability and a personal data security breach; a ransomware attack is both a "cyber incident" and a "data breach." The question is: when a single act breaches two regimes at once, how many penalties follow?
The EU answers this question through positive legislation, while Turkey relies on the general rules on concurrence of misdemeanours. And the two answers differ significantly.
The EU's answer: NIS2 Article 35 and the single-penalty principle
Directive (EU) 2022/2555 (NIS2) is the framework legislation imposing comprehensive cybersecurity obligations on entities in critical and important sectors across the EU. Article 35 of the Directive directly resolves the overlap with the GDPR: where a breach of an obligation under NIS2 also constitutes a personal data breach that must be notified under the GDPR, and the data protection authority has already imposed an administrative fine under Article 58(2)(i) GDPR, the NIS2 authorities may not impose the fine provided for in Article 34 of the Directive for the same act.
Two nuances are worth noting. First, the prohibition applies only to fines — NIS2 authorities retain the power to apply other sanctions and measures, such as warnings, binding instructions, or temporary suspension of activities. Second, Article 31(3) of the Directive requires cybersecurity authorities to cooperate closely with data protection authorities in incidents resulting in a personal data breach; the single-penalty principle was designed together with this inter-authority coordination architecture.
This approach reflects the importance the Court of Justice of the European Union has placed on consistency in sanctions regimes. In Deutsche Wohnen, the Court held that the conditions for imposing administrative fines under the GDPR are determined entirely by EU law and cannot be supplemented by Member States — explicitly affirming the goal of a homogeneous sanctions practice across the Union.¹ NIS2 Article 35's single-penalty principle is a product of this same drive for consistency.
Turkey's answer: rules on concurrence and a dual outcome
Turkish law contains no provision equivalent to NIS2 Article 35 addressing this overlap explicitly. Because Law No. 7545 on Cybersecurity contains no special norm governing its relationship with the KVKK, the issue is resolved through the general rules on concurrence in Article 15 of the Misdemeanours Law No. 5326. The framework set out by Akgün and Akıncı in their systematic study of this question can be summarized as follows:²
Ideal concurrence for breaches of security-measure duties. Where a single omission (for example, failing to encrypt a database) constitutes a misdemeanour under both Article 18(1)(b) of the KVKK and Article 16(10) of the Cybersecurity Law, only the heaviest administrative fine is imposed under Article 15(1) of the Misdemeanours Law. Which fine is heavier can only be determined — given the possibility of a proportional fine under Article 17(2) of the Cybersecurity Law — by calculating and comparing the actual fines in the specific case.
Real concurrence for breaches of notification duties. The data breach notification to the Board and affected individuals (KVKK Art. 12(5)) and the cyber incident notification to the Presidency (Cybersecurity Law Art. 7(1)(b)) are two separate duties that differ in content and addressee, so neglecting both constitutes two separate acts. The result: both authorities impose their own fines, and the fines are cumulative. A scenario resolved in the EU by the single-penalty principle results in double sanctions under Turkish law.
One might think this outcome violates the prohibition on double punishment (ne bis in idem); but that prohibition only bars punishing the same act twice. Because the notifications owed to different authorities, with different content, are legally distinct acts, neglecting both is not, in a technical sense, a single breach punished twice. A similar approach has been adopted in German case law: the Frankfurt Court of Appeal held that the failure to send required reports to both the Bundesbank and BaFin involved two separate omissions.³
Comparative table
| Issue | EU (NIS2 + GDPR) | Turkey (Cybersecurity Law + KVKK) |
|---|---|---|
| Express provision governing the overlap | Yes (NIS2 Art. 35) | None |
| Same act breaching both regimes | If a GDPR fine has been imposed, a NIS2 fine is barred | Ideal concurrence: heaviest fine in the specific case |
| Failure to meet separate notification duties | Single fine + NIS2's other measures remain available | Real concurrence: two separate, cumulative fines |
| Inter-authority cooperation | Mandatory (NIS2 Art. 31(3)) | No statutory mechanism yet |
| Notification deadlines | NIS2: 24-hour early warning + 72-hour notification; GDPR: 72 hours | Cybersecurity Law: "without delay"; KVKK: 72 hours |
What this means for companies operating in Turkey
First, multinational companies operating in Turkey that base their practices on EU group policies should understand that NIS2 compliance does not automatically translate into compliance with Turkish legislation. Incident-response playbooks built around the EU's "one notification, one fine" logic must be localized for Turkey, where two separate notifications to two separate authorities are required.
Second, there is an open de lege ferenda debate: scholars strongly advocate for establishing a statutory mechanism that would enable coordination and fine-comparison between the Personal Data Protection Authority and the Cybersecurity Presidency.² NIS2 Articles 35 and 31(3) offer a ready-made model for such a mechanism. As the secondary legislation process continues, it would serve both predictability and proportionality for the Turkish legislature to take this model into account.
Third, until such a regulation is adopted, the current picture is this: the bill for a cyber incident in Turkey can be structurally higher than the bill for the same incident in the EU. Plan your compliance budget and your insurance coverage accordingly.
Sources
- CJEU, C-807/21, Deutsche Wohnen SE v. Staatsanwaltschaft Berlin, 5 December 2023, ECLI:EU:C:2023:949.
- Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
- OLG Frankfurt a.M., decision of 30 April 2020 – 2 Ss-OWi 85/19; cf. KG Berlin, 17 June 2020, 3 Ws (B) 125/20.
- Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2), Art. 23, 31, 34, 35; Regulation (EU) 2016/679 (GDPR), Art. 33, 34, 58, 83.
