LAW NO. 7545 ON CYBER SECURITY IN COMPARISON WITH EUROPEAN UNION AND US LEGISLATION

I. INTRODUCTION

In today’s rapidly digitalizing world, cybersecurity has become a priority policy area for states in many areas, from national security to economic stability, from the sustainability of public services to the protection of individual rights. Increasing cyber-attacks, data breaches and threats to critical infrastructure create multi-dimensional risks that require direct intervention not only by the private sector but also by public authorities. In this context, the Cybersecurity Law No. 7545, which entered into force in Türkiye on March 19, 2025, introduced obligations, administrative structure and sanction mechanisms covering the public and private sectors by presenting a systematic legal framework for the first time. With the enactment of this law, while Türkiye’s legal infrastructure in the field of cybersecurity is being reshaped, this regulation, when compared with the European Union’s NIS2 Directive and the US CISA legislation, reveals remarkable similarities and differences in terms of obligations, sanctions and institutional structure regarding the digital dimension of national security. This article discusses the law in a comparative law perspective.

II. THE MEANING OF CYBERSECURITY

A. Approach to Cybersecurity

Cybersecurity legislation has become one of the most important defense tools for countries against technological threats today. However, each country adopts different priorities and strategies in line with its historical background, social structure, and institutions. Indeed, both Cybersecurity Law No. 7545 and EU regulations recognize cybersecurity as an important element of public safety. However, there are notable differences between these two approaches in terms of legal understanding, the role of the public, and the penalties in case of a cybersecurity breach.

B. Cybersecurity in Türkiye

To reveal the legal meaning of the concept of cybersecurity in Türkiye, it would be appropriate to refer to the definition in Article 3 of Law No. 7545:

“Cybersecurity: All activities that encompass the protection of information systems constituting the cyberspace from attacks, ensuring the confidentiality, integrity, and accessibility of information/data processed in this environment, detecting attacks and cyber incidents, activating response and alarm mechanisms against these detections, and then restoring the systems to their state before the cyber incident…”1.

The definition in Article 3 of Law No. 7545 essentially positions cybersecurity as a defense practice developed against attacks. Expressions such as protection from attacks, detection, response, and restoration in the definition highlight intervention and recovery mechanisms that come into play after a cyber incident occurs. This linguistic preference indicates that the understanding of cybersecurity is predominantly reactive and focuses on eliminating the threat2.

C. Cybersecurity According to EU Legislation

On the approach of the European Union towards cybersecurity;

Article 7 of the Directive on measures for a high common level of cybersecurity across the Union (“NIS2 Directive”):

“(i) In order to strengthen the cyber resilience and the basic level of cyber hygiene of small and medium-sized enterprises, including those outside the scope of this Directive, the provision of easily accessible guidance and support tailored to their specific needs.

(j) The promotion of effective cyber protection”3.

and Recital (1) in the preamble of the Cyber Resilience Act (“CRA”);

“…Improving the functioning of the internal market by strengthening the Union’s approach to cybersecurity, addressing cyber resilience at Union level and establishing a uniform legal framework for essential cybersecurity requirements for products with digital elements placed on the Union market...”4.

When considered together, it follows that the EU addresses cybersecurity with a system-resilience-oriented approach and places resilience at the core of its cybersecurity policy5.

D. Cybersecurity Strategy in the USA

The United States, with its National Cybersecurity Strategy (“CISA”) published in 20236 clearly positions cybersecurity as a critical national security issue7 8. The strategy builds the US cybersecurity policy on five fundamental factors, adopting a more holistic approach to threats under these headings. Key elements highlighted in the strategy document include cyber defense in critical infrastructures, preventing and eliminating threat actors, shaping the market to enhance security and resilience, investing in a resilient future, and international partnerships to achieve goals9.

E. Comparison of the EU, the US, and Cybersecurity Law No. 7545

Upon review of the relevant legislation, it is evident that Türkiye, the European Union, and the United States exhibit differing regulatory approaches in their cybersecurity policies:

The definition of cybersecurity in Article 3 of Law No. 7545 in Türkiye mainly presents a reactive framework; it focuses on the stages of detection, intervention, and restoration after an attack has occurred10. This approach structures cybersecurity as a defense-based security practice and limits it to the process of eliminating the attack.

The NIS2 Directive11 and CRA12 shape cybersecurity with the goal of enhancing corporate and technical resilience, adopting a preventive, sustainable, and systemic approach. In this context, priority is given to structural and long-term resilience strategies that will ensure the uninterrupted operation of digital systems13.

The CISA strategy of the USA14 on the other hand, promotes a “stricter” regulation of cybersecurity and enhanced cooperation between the government and the private sector15.

In conclusion, Türkiye prefers a more intervention-focused and security-oriented perspective in the field of cybersecurity, while the European Union favors a resilience-based institutional structure, and the USA prefers a management cooperation model between the public and private sectors that increases national capacity.

III. MAIN COMPARISON TOPICS OF CYBERSECURITY IN EU, US, AND TURKISH LEGISLATION

A. In Terms of Organizations Providing National and Sectoral Cybersecurity

1. Türkiye (Law No. 7545)

In accordance with the principles of continuity and institutionalization set forth in Article 4 of Law No. 754516 a Cyber Security Directorate has been established to ensure the effective implementation of national cybersecurity policies17. This directorate has been designated as the primary authority for regulating and supervising individuals and organizations operating in the cybersecurity sector, thereby taking over the powers previously held by the Information and Communication Technologies Authority and the Digital Transformation Office in this regard.

The Cyber Security Directorate is tasked with investigating cyber incidents, providing intervention support to affected individuals and organizations, collecting all kinds of information, documents, data, and records from individuals and institutions within the scope of the law; and also appointing and authorizing independent auditors to conduct cybersecurity audits and reviews In this context, the Directorate has the authority to audit all transactions and activities related to cybersecurity on-site through its own experts or authorized independent auditors, and has the authority to examine and collect copies and digital images of related data, documents, electronic infrastructure, devices, systems, software and hardware.

As can be seen, the Cyber Security Presidency established under Law No. 7545 aims to create a central and singular authority in the field of cybersecurity by consolidating broad powers such as regulation, supervision, intervention, and information gathering.

2. EU NIS2 Directive

According to the Directive, each EU member state is required to adopt a national cybersecurity strategy, inventory critical service providers, and regularly update this list. In this way, the aim is to build an integrated structure consisting of minimally harmonized and complementary national frameworks across the EU18. Furthermore, NIS2 emphasizes that cybersecurity is not only a technical matter, but also brings the accountability of senior management to the attention of the board by introducing accountability in case of non-compliance with cybersecurity risk management measures19. As a result, the European Union is following a structure towards establishing a cross-sectoral and holistic cybersecurity ecosystem that is compatible with national strategies. Since Türkiye’s Law No. 7545 similarly establishes a singular framework covering every sector, it carries structural parallels with the EU’s approach.

3. USA Legislation

In the US, apart from restrictions on unfair trade practices, there is no single, generally applicable cybersecurity law. Federal regulatory agencies responsible for each critical sector establish and enforce their own sector-specific cybersecurity requirements and minimum standards20. For example, in the financial services sector, regulators such as the Securities and Exchange Commission (SEC) oversee the cyber risk management of publicly traded companies and banks. Similarly, in the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) mandates that healthcare providers, such as hospitals and insurance companies, take specific cybersecurity measures to protect sensitive health information21.

In March 2023, the National Cybersecurity Strategy signaled a shift from sector-based regulations to a more comprehensive regulatory approach in the ‘existing policy’ section with the following statement:

“…while voluntary approaches to cybersecurity have produced meaningful improvements, the absence of mandatory requirements has led to insufficient and inconsistent outcomes”22.

As seen, although the strategy document takes a critical approach to the existence of multiple regulatory laws, the United States ultimately continues to maintain a cybersecurity ecosystem shaped by sectoral regulatory measures and national standards, rather than a single comprehensive law. Türkiye’s mandatory framework approach, established with Law No. 7545, which is central and covers all sectors, differs from the more distributed and flexible system of the United States.

B. From the Perspective of Criminal and Administrative Sanctions

1. Türkiye (Law No. 7545)

The law imposes cybersecurity obligations on all individuals and organizations engaged in cyber activities in the public and private sectors, and it foresees criminal sanctions in case of violation of these obligations.

a. Examples Regarding Imprisonment and Fines

m. 16/2 states that operating without permission: Those who carry out an activity within the scope of the law without the necessary approval or authorization: “Those who operate without obtaining the necessary approvals, authorizations, or permissions shall be punished with imprisonment from two to four years and a judicial fine from one thousand to two thousand days”23.

m. 16/3 states the violation of confidentiality: “Those who fail to fulfill the obligation to maintain confidentiality shall be sentenced to imprisonment from four to eight years”24.

m. 16/4 states that those who share personal or critical data without authorization: “…those who make corporate data available, share it, or put it on sale, whether for a fee or free of charge, without the permission of individuals or institutions, shall be sentenced to imprisonment from three to five years”25.

b. Administrative Fines

The law states that administrative fines will be applied directly in some violations. In particular, it is stated that “those who do not fulfill the critical notification and supply obligations in Article 7 “those who violate the obligations in Article 18 shall be fined from one million Turkish Liras to ten million Turkish Liras”; those who violate the obligations in Article 18 “shall be fined from ten million Turkish Liras to one hundred million Turkish Liras26.

Additionally, Article 8, paragraph 4, stipulates penalties starting from 100,000 TL and potentially reaching up to 5% of the gross sales revenue of the companies concerned, for violations of obligations such as investigation, regulation, procurement, and taking precautions27.

c. Sanctioning Authority over Entities

Article 5 of the Law grants broad regulatory and supervisory powers to the Cyber Security Presidency28. Among these powers, the presidency can authorize audit officials and, when necessary, revoke these authorizations temporarily or permanently.

2. AB Legislation

a. Fines

The NIS2 Directive establishes common minimum levels for administrative sanctions in case of non-compliance. According to Article 34, Member States shall impose, “effective, proportionate and dissuasive administrative fines for infringements of this Directive”29. The established minimum penalty limits are as follows:

For essential entities: an administrative fine with a maximum of at least “EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher” shall be applied30.

For important entities: an administrative fine with a maximum of at least “EUR 7,000,000 or 1.4% of the total worldwide annual turnover, whichever is higher” shall be applied31.

In addition, according to Article 34/2 of the NIS2 Directive “Administrative fines shall be applied in addition to the measures referred to in Article 32(4)(a) to (h), Article 32(5) and Article 33(4)(a) to (g)”32 making it mandatory for member states to implement the following administrative measures.

b. Administrative Measures

According to Article 32, paragraph 4, point a of the NIS2 Directive: “To issue warnings regarding infringements of this Directive by the relevant entities” 33.

According to Article 32, paragraph 4, point h of the NIS2 Directive: “To order the relevant entities to publicly disclose aspects of infringements of this Directive in the manner specified”34.

According to Article 33(4)(a) of the NIS2 Directive: “Issue warnings regarding infringements of this Directive by the entities concerned”35.

According to Article 33(4)(a) of the NIS2 Directive: “‘Issue warnings regarding infringements of this Directive by the entities concerned”36.

c. Sanctioning Authority over Entities

“In cases of serious infringements, and especially in critical infrastructure services, the authorities are also granted the following powers37:

According to Article 32(5)(a) of the NIS2 Directive: “to temporarily suspend a certificate or authorization relating to part or all of the activities in accordance with national law.”

According to Article 33(4)(b) of the NIS2 Directive: “Request the relevant bodies, courts or tribunals to temporarily prohibit any natural person who is responsible for fulfilling management responsibilities from performing management duties in the entity concerned.”

3. USA Legislation

When examining the sanctions that the USA has to implement regarding cyber security; the Critical Infrastructure Incident Reporting Act (“CIRCIA”) of 2022, the Computer Fraud and Abuse Act (“CFAA”) of 1986, and the Cyber Security Executive Order of 2021 (Executive Order 14028) are among the fundamental regulations.

a. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)

CIRCIA mandates private organizations in critical infrastructure sectors to report certain cyber incidents to CISA (Cybersecurity and Infrastructure Security Agency) within 72 hours. The aforementioned law requires this:

CIRCIA Sect. 2242/a/1/A “A covered entity that experiences a covered cyber incident shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the incident has occurred”38.

If the company does not comply with the subpoena, the law may explicitly consider this as contempt of court, and failure to comply with the CIRCIA subpoena may be penalized as contempt of court39.

If a company fails to report a mandatory cyber incident, CISA may first request information and then issue a subpoena. If the company does not comply with the subpoena, the law explicitly states that it may be penalized as contempt of court.

Some cyber incidents are considered under more severe sanctions. For example, if the notification made under CIRCIA contains a deliberately false statement, a severe prison sentence is envisaged:

Federal Register, Proposed Rule under CIRCIA p.94: “Penalty for false statements and representations. Any person who knowingly and willfully makes any materially false or fraudulent statement or representation in connection with or in any CIRCIA Report, in response to a request for information, or in response to an administrative subpoena, shall be subject to the penalties under 18 U.S.C. 1001”40.

18 U.S.C. 1001: “… Any person who “knowingly and willfully falsifies, conceals, or covers up by any trick, scheme, or device a material fact; or makes any materially false, fictitious, or fraudulent statement or representation… shall be fined under this title or imprisoned not more than 5 years, or both …”41.

b. Computer Fraud and Abuse Act (CFAA)

Section 47, titled ‘Offenses’ of the United States Criminal Code, and Section 1030, which regulates the Computer Fraud and Abuse Act (“CFAA”), criminalizes acts such as unauthorized computer access, causing harm to information systems, and fraud committed through computer systems. The penalties imposed by the CFAA include imprisonment and fines, with different sanctions prescribed for different violations. Some examples of these penalties are as follows42:

CFAA (a)(2): In the offense of unauthorized access to financial or personal information,

According to CFAA (c)(2), a fine or imprisonment for up to 1 year, or both

CFAA (a)(1): In the offense of unauthorized access to classified information relating to national security,

According to CFAA (c)(1), a fine or imprisonment for up to 10 years, or both

CFAA (a)(5)(A): The offense of knowingly causing damage by transmitting malicious code,

According to CFAA (c)(3) fine or imprisonment for not more than 5 years, or both

c. Executive Order on Improving the Nation’s Cybersecurity

Executive Order 14028, signed by the US President on May 12, 2021, sets binding rules for federal agencies and contractors, leading to indirect sanctions for non-compliance. The order integrates cybersecurity requirements through federal acquisitions. According to the order, the FAR (Federal Acquisition Regulation) will be amended to require all software suppliers to commit to compliance with the specified standards43. After the final rule is published, ‘non-compliant software products will be removed from all government contracts’ and if software in existing contracts does not meet these requirements after a transition period, the contracts will not be renewed44. The provision in the order text is exactly as follows:

Executive Order 14028 Section (4)(p):“… Following publication of any final rule amending the FAR, agencies shall, as appropriate and consistent with applicable law, remove any software products that do not meet the requirements of the amended FAR from all indefinite-delivery, indefinite-quantity contracts, Federal Supply Schedules, Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts”45.

Therefore, Executive Order 14028 has created a de facto sanction mechanism for companies in the federal supply chain. Companies that do not comply with cybersecurity requirements risk losing their federal business. In this respect, the executive order has established an administrative enforcement regime.

IV. CONCLUSION

Law No. 7545 on Cybersecurity is Türkiye’s first systematic step towards creating an institutional, legal, and sanction-based framework in the field of cybersecurity. In this respect, it contains both similarities and differences with the European Union’s NIS2 Directive and the U.S.’s fragmented but powerfully impactful regulations such as CISA, CIRCIA, and CFAA. While Türkiye adopts a centralized and intervention-focused model, the European Union focuses more on the principle of institutional resilience, and the U.S. displays an approach based on sector-based flexibility and market orientation.

7545 Law establishes the Cyber Security Presidency in Türkiye as a central authority in the field of cybersecurity, creating a broad regulatory-auditing mechanism that covers all sectors. The EU, on the other hand, envisages a multi-layered structure in each member state through national strategies and institutions with the NIS2 Directive, adopting an accountable model by assigning responsibilities at the management level in decision-making processes. In the US, the institutional structure is a fragmented model carried out by sectoral regulatory bodies, and recent strategy documents show that this fragmentation is moving towards a more centralized structure.

In terms of sanctions, Law No. 7545 adopts a strict security approach that includes imprisonment and judicial fines, as well as administrative sanctions, especially for acts such as data sharing, unauthorized activity, and confidentiality, and attaches serious penal consequences. EU regulations, on the other hand, offer sanctions that focus on corporate responsibility, such as high turnover-based fines and public disclosure obligations. The US, on the other hand, uses different legal instruments together by regulating notification obligations with CIRCIA, provisions regarding IT crimes with CFAA, and administrative measures with Executive Order 14028.