
How to Report Cyber Incidents to the Cybersecurity Presidency

Cybersecurity Alerts | June 10, 2026 | 7 min read | Av. Emin Çelik

Short answer: Under Law No. 7545 on Cybersecurity, anyone who provides services, collects, or processes data through information systems must report, without delay, any vulnerability or cyber incident detected within their area of service to the Cybersecurity Presidency. Breach of this duty is subject to an administrative fine of TRY 1,000,000 to TRY 10,000,000. The secondary legislation detailing the procedure and form of notification is still being finalized; this guide will be updated as the relevant regulations are published.

A new duty, a new authority

For a long time, cyber incident reporting in Turkey was handled through sector-specific regulations (banking, electronic communications, energy) and the SOME (Cyber Incident Response Team) structure coordinated by USOM (the National Cyber Incident Response Center). Law No. 7545 on Cybersecurity, adopted on 12 March 2025, consolidated this fragmented landscape into a single general duty and a single central authority: the Cybersecurity Presidency, affiliated with the Presidency of the Republic.

Article 7(1)(b) of the Law imposes a duty on everyone within its scope to report two things: vulnerabilities and cyber incidents detected within their area of service. This distinction matters — the duty covers not only attacks that have already occurred, but also security gaps that have not yet been exploited. A critical vulnerability discovered by your security team is no longer purely an internal technical matter; it is now a legal notification issue.

Who is obligated?

The scope of the Law is broad: it covers natural and legal persons who provide services, collect, process data, or carry out similar activities through information systems. In practice, it is difficult to think of a commercial business that would fall outside this definition. E-commerce sites, SaaS providers, logistics companies, healthcare providers, educational institutions — in short, anyone operating through digital infrastructure is a potential obligor.

For public institutions and operators of critical infrastructure, the Law also provides for stricter obligations (using authorized suppliers, being open to audits). The notification duty itself, however, is not limited to this narrower group — it is of general application.

What does "without delay" mean?

While the KVKK Board has set a concrete 72-hour deadline, the Cybersecurity Law uses the phrase "without delay," which points to a stricter standard than 72 hours. Any unreasonable delay after the incident has been confirmed may be treated as a breach of the duty. For comparison: the EU's NIS2 Directive establishes a tiered system for significant incidents — an early warning within 24 hours and an incident notification within 72 hours. It would not be surprising if Turkey's secondary legislation adopts a similarly tiered approach; we will update this section once the relevant regulation is published.

Through which channel is the report made?

At the time of writing, the secondary legislation governing the form, content, and channel of notification has not yet been published. In the meantime, the practical approach is as follows:

  1. USOM channels: The reporting mechanisms of the National Cyber Incident Response Center (the notification channels on usom.gov.tr) remain, in practice, the channel used to convey cyber incidents to the national authority.
  2. Sectoral SOMEs: Entities subject to sectoral regulation (banks, electronic communications operators, energy companies) must continue to fulfil their existing notification duties to their own sectoral SOMEs and regulators in parallel.
  3. Written notification: When in doubt, reporting the incident to the Presidency in writing through a verifiable channel (registered electronic mail, KEP) is a safe approach to documenting that the "report without delay" duty has been fulfilled.

The minimum content of the notification will also need to await the implementing regulation; however, in line with international practice, a notification should be expected to include the date the incident was detected, its nature, the systems affected, the estimated impact, and the initial response measures taken. An early notification with incomplete information is always safer than a late notification with complete information.

Penalties: a fixed range plus the risk of a proportional fine

The sanction for breaching the notification duty is set out in Article 16(10) of the Law: an administrative fine of TRY 1,000,000 to TRY 10,000,000. But that is not where the analysis should stop — Article 17(2) of the Law allows the fine to be set at three to five times this amount where the breach has caused damage or generated a benefit. In a scenario where an unreported cyber incident causes major damage, the fine can far exceed the fixed ceiling.

There is also a KVKK dimension. If the cyber incident also resulted in personal data being obtained by unauthorized parties, notification to the Personal Data Protection Board and to the affected individuals is a separate duty. As current scholarship demonstrates, because the two notification duties differ in content and addressee, neglecting both triggers "real concurrence" and each authority issues its own fine independently.¹ Having notified the Presidency does not discharge your duty toward the Board, and vice versa.

A checklist for your company

  • Add notification to the Cybersecurity Presidency to your incident response plan as a separate step — do not merge it with the KVKK notification.
  • Review your vulnerability management process: define an internal threshold and approval mechanism for which vulnerabilities count as "reportable."
  • Clarify who has the authority to file the notification. In an incident detected at midnight, the "who signs off on this" debate is the most common cause of breaching the "without delay" standard.
  • If you have sectoral notification duties (to the BRSA, ICTA, EMRA), remember these will run in parallel with the new general duty, not instead of it.
  • Follow the secondary legislation. This guide will be updated once the implementing regulations are published — subscribe to our newsletter to stay informed.

Sources

  1. Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
  2. Law No. 7545 on Cybersecurity, Art. 3, 7, 16, 17.
  3. Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2), Art. 23.

Note: The procedural explanations in this article are based on current practice and international examples, as the secondary legislation implementing the Cybersecurity Law has not yet been published. This article will be updated once the relevant regulations are issued.
