Short answer: Law No. 7545 on Cybersecurity imposes a fine of TRY 1,000,000 to TRY 10,000,000 on those who fail to implement the cybersecurity measures required by legislation; where damage results, the fine can rise to three to five times that damage. Where the same omission also puts personal data at risk, Article 18(1)(b) of the KVKK is triggered, and whichever of the two penalties is heavier in the specific case applies. For breaches of audit-related duties, the fine for commercial companies can reach up to five percent of gross sales revenue.
The scope of the duty to implement measures
Article 7(1)(b) of the Cybersecurity Law imposes a duty on the natural and legal persons within its scope "to implement the cybersecurity measures required by legislation for the purposes of national security, public order, or the proper functioning of public services." Notably, the Law does not itself provide a list of measures — it refers to "the measures required by legislation." This is a framework-norm technique: the concrete content of the measures will be filled in by secondary regulations issued by the Presidency and by sectoral legislation.
The practical consequence is that you cannot read the boundaries of your duty from a single text. Security regulations already in force in sectors such as electronic communications, banking, energy, and healthcare form part of the "legislation" that fills this framework — and a breach of these is now subject not only to the relevant sectoral sanction, but also to the general penalty under Article 16(10) of the Cybersecurity Law.
The penalty regime: three layers
The Law's sanctions system should be read as having three layers:
First layer — failure to implement measures (Art. 16(10)): Those who fail to implement the cybersecurity measures required by legislation are subject to an administrative fine of TRY 1,000,000 to TRY 10,000,000. The same range applies to failing to report vulnerabilities and cyber incidents, and to procuring products and services from unauthorized suppliers in the context of public institutions and critical infrastructure.
Second layer — proportional fine (Art. 17(2)): Where the breach has caused damage or generated a benefit, the fine can be set at three to five times that amount. In an incident affecting millions of users, this provision opens the door to fines so large that the fixed ceiling becomes essentially meaningless.
Third layer — audit obligations (Art. 16(11)): Those who breach the duty to keep their devices, systems, software, and hardware open to audit, and to keep the necessary infrastructure operational, are, as a general rule, subject to a fine of TRY 100,000 to TRY 1,000,000. However, where the violator is a commercial company, the fine — never less than TRY 100,000 — can rise to five percent of gross sales revenue as shown in its audited annual financial statements. This revenue-based penalty model, reminiscent of the GDPR, represents a level of severity rarely seen in Turkish administrative sanctions outside competition law.
Overlap with the KVKK: which penalty applies?
For a large share of companies, a cybersecurity measure is simultaneously a personal data security measure. Omissions such as failing to encrypt a database, leaving access permissions uncontrolled, or failing to keep logs breach Article 12(1) of the KVKK and cybersecurity legislation at the same time. Where a single omission constitutes two misdemeanours at once, Article 15(1) of the Misdemeanours Law applies: only the heaviest administrative fine is imposed (ideal concurrence).
The problem is that which fine is "heaviest" cannot be determined in the abstract. As of 2025, the range under Article 18(1)(b) of the KVKK is TRY 204,285–13,620,402; the range under Article 16(10) of the Cybersecurity Law is TRY 1,000,000–10,000,000. At the ceiling, the KVKK fine is heavier; at the floor, the Cybersecurity Law fine is heavier. And once the possibility of a proportional fine enters the equation, an abstract comparison becomes altogether impossible. The conclusion reached by Akgün and Akıncı in their in-depth study is, in our view, correct: which fine is heavier should be determined by comparing the fines actually calculated in the specific case.¹ This in turn requires a coordination mechanism between the Personal Data Protection Authority and the Cybersecurity Presidency — one that does not yet exist but is urgently needed.
One further clarification: not every duty under Article 12 of the KVKK falls within this overlap. Obligations directed purely at data protection — such as the prohibition on unlawful disclosure (Art. 12(4)), the internal audit duty (Art. 12(3)), and breach notification (Art. 12(5)) — fall outside the scope of cybersecurity legislation, so the KVKK continues to apply on its own in these areas.
How is compliance verified? A roadmap to compliance
Proving compliance with the duty to implement measures is not simply about having implemented them — it requires being able to document that they were implemented. What a company will be asked for in an audit or investigation is predictable:
- An inventory of measures: An up-to-date inventory showing which technical measures (encryption, network segmentation, EDR, backups, access control) and which administrative measures (policies, training, confidentiality undertakings, supplier contracts) were implemented and when.
- Risk analysis: Documentation showing that the measures were chosen based on a risk assessment, not arbitrarily. The KVKK's Guide to Personal Data Security sets out a minimum framework for this.
- Testing and audit records: Penetration tests, vulnerability scans, and internal audit reports. A company that has never had its systems tested will find the defence "we implemented the necessary measures" far from convincing in practice.
- Incident response capacity: The duty to implement measures is not static — having an incident response plan that would actually be activated, and having tested it, is itself part of the concept of "measures."
- Supply chain controls: For those serving public institutions and critical infrastructure, compliance with the authorized-supplier requirement is especially critical; breach of this requirement is an independent ground for a fine.
In place of a conclusion: a cost comparison
For a mid-sized company, the cost of a comprehensive cybersecurity compliance programme is generally lower than the floor of the fine under Article 16(10). Once you factor in the proportional fine, the revenue-based audit penalty, parallel sanctions on the KVKK side, compensation claims, and reputational damage, compliance with the duty to implement measures should be read not as an expense item, but as balance-sheet protection. In this new regulatory era, the price tag for "it won't happen to us" is now written into the law itself.
Sources
- Akgün, Mustafa / Akıncı, Muhammed Furkan, "The Relationship of Concurrence Between Misdemeanours under the Personal Data Protection Law and Misdemeanours under the Cybersecurity Law," Ankara Hacı Bayram Veli University Faculty of Law Journal, 2026, Vol. 30, No. 3, pp. 1399-1455.
- Law No. 7545 on Cybersecurity, Art. 7, 8, 16, 17, 18; Law No. 6698 (KVKK), Art. 12, 18; Law No. 5326 on Misdemeanours, Art. 15.
- Personal Data Protection Authority, Guide to Personal Data Security (Technical and Administrative Measures).
- Kangal, Zeynel T., Misdemeanours Law, Istanbul (for the general framework on concurrence).
