ARTICLE
12 June 2026

Türkiye's Cybersecurity Board Determines Critical Infrastructure Sectors: A Major Step In The Implementation Of The New Cybersecurity Regime

BS
Balcioglu Selçuk Eymirlioglu Ardiyok Keki Attorney Partnership

Contributor

Balcioglu Selçuk Eymirlioglu Ardiyok Keki Attorney Partnership logo
Balcioglu Selcuk Eymirlioglu Ardiyok Keki Attorney Partnership is an Istanbul based full service law firm with exceptional practices in corporate, M&A, banking and finance, real estate, energy, competition and litigation. BASEAK has gained an outstanding reputation and valued clientele by tailoring effective legal solutions to a broad spectrum of clients.
Explore Firm Details
On 5 May 2026, the Cybersecurity Board convened under the chairmanship of President Recep Tayyip Erdoğan and addressed key matters relating to Türkiye's cybersecurity framework. During the meeting, the Board assessed current and emerging cyber risks, international developments, the protection of critical infrastructures, the security of digital systems, data sovereignty and the strengthening of domestic technological capabilities.
Turkey Technology
Ömer Faruk Çelik and Busra Nazli Yaldir
Your Author LinkedIn Connections
Balcioglu Selçuk Eymirlioglu Ardiyok Keki Attorney Partnership are most popular:
  • within Intellectual Property, International Law and Corporate/Commercial Law topic(s)
  • with readers working within the Banking & Credit industries

Türkiye's Cybersecurity Board Determines Critical Infrastructure Sectors: A Major Step in the Implementation of the New Cybersecurity Regime

On 5 May 2026, the Cybersecurity Board convened under the chairmanship of President Recep Tayyip Erdoğan and addressed key matters relating to Türkiye's cybersecurity framework. During the meeting, the Board assessed current and emerging cyber risks, international developments, the protection of critical infrastructures, the security of digital systems, data sovereignty and the strengthening of domestic technological capabilities. The most significant outcome of the meeting was the determination of the sectors to be classified as "critical infrastructure sectors" under Türkiye's new cybersecurity regime.

1796950a.jpg

This development constitutes a major milestone in the implementation of Act No. 7545 on Cybersecurity ("Cybersecurity Act"), which entered into force upon its publication in the Official Gazette dated 19 March 2025. Under the Cybersecurity Act, the Cybersecurity Board is expressly authorized to determine critical infrastructure sectors, while the Cybersecurity Presidency is granted extensive powers in relation to such sectors. These powers include identifying critical infrastructures and the institutions and locations to which they belong, conducting risk analyses, requiring the implementation of cybersecurity measures, carrying out resilience and vulnerability assessments, and managing authorization and certification processes for cybersecurity products and services.

Critical Infrastructure Sectors Have Been Officially Determined

During the meeting, the Board designated the following sectors as critical infrastructure sectors:

  • Digital Infrastructures
  • Digital Services
  • Electronic Communications
  • Energy
  • Finance
  • Food and Agriculture
  • Manufacturing Industry
  • Public Services
  • Media and Crisis Communication
  • Postal and Cargo
  • Healthcare
  • Defence Industry
  • Water Management
  • Transportation
  • Space

The list reflects a notably broad approach to critical infrastructure regulation. In particular, the separate classification of digital infrastructures, digital services, electronic communications and space demonstrates that the new cybersecurity framework extends well beyond traditional sectors such as energy or transportation, and will directly affect technology-intensive industries, including telecommunications operators, cloud service providers, data centres, digital platform providers, satellite operators and space technology companies. This broad sectoral scope is particularly significant in light of the increasing dependence of both public and private sector entities on interconnected digital systems and cross-border technological infrastructures.

Cybersecurity Has Been Positioned as a Matter of National Security

1796950b.jpg

One of the key themes emphasized during the meeting was that cybersecurity constitutes an integral component of national security. This approach is fully aligned with the core principles of the Cybersecurity Act, which expressly recognizes cybersecurity as inseparable from national security and identifies the protection of critical infrastructures and information systems as one of the principal objectives of the legislation.

The emphasis placed on national security signals that cybersecurity is no longer viewed solely as a technical IT or information security matter. Rather, the regulatory approach in Türkiye increasingly treats cybersecurity as a strategic issue connected to economic continuity, public order, service resilience, data sovereignty and national defence capacity. This perspective is expected to shape both future secondary legislation and regulatory enforcement practices.

Data Sovereignty Has Emerged as a Key Regulatory Focus

Another notable aspect of the meeting was the distinct emphasis placed on data sovereignty. The official announcement underscored the strategic value of data and reaffirmed Türkiye's commitment to strengthening its digital sovereignty policies. This development is particularly relevant for companies operating digital infrastructures, processing or hosting large volumes of data, or providing services integrated with global technology ecosystems.

In practice, this focus on data sovereignty may give rise to more detailed obligations regarding:

  • data inventories,
  • asset inventories,
  • log retention and management,
  • cybersecurity incident notification,
  • localization of critical systems,
  • secure infrastructure requirements, and
  • information-sharing obligations with public authorities.

Companies operating in designated critical infrastructure sectors may therefore face enhanced scrutiny regarding the location, management and security of their digital assets and data processing activities.

Domestic and Certified Cybersecurity Capacity Has Been Prioritized

The meeting also emphasized the importance of developing domestic and sustainable technological capacity in cybersecurity-related areas. This policy objective is consistent with the Cybersecurity Act, which provides that domestic and national products shall be primarily preferred in cybersecurity-related activities.

This emphasis is particularly significant for technology companies providing cybersecurity products, systems or services to public institutions or critical infrastructure sectors. Article 7 of the Cybersecurity Act warrants particular attention in this regard. Pursuant to this provision, cybersecurity products, systems and services to be used by public institutions and organizations or within critical infrastructures must be procured from cybersecurity experts, manufacturers or companies authorized and certified by the Cybersecurity Presidency. Authorization and certification requirements are accordingly expected to become increasingly significant for companies operating in the cybersecurity ecosystem.

This regulatory framework is further reinforced by Article 16 of the Cybersecurity Act, which stipulates administrative fines ranging from TRY 1 million (approx. EUR 18,698) to TRY 10 million (approx. EUR 186,981) for non-compliance with certain obligations under the legislation.

Companies supplying cybersecurity-related technologies or services to public institutions or critical infrastructure operators should therefore closely monitor forthcoming authorization, certification and technical compliance requirements.

What Does This Mean for Companies?

The determination of critical infrastructure sectors is directly relevant to a broad range of companies operating in areas such as technology, telecommunications, finance, healthcare, transportation, defence, energy, digital services and space technologies. Although the Board's decision does not itself establish all applicable obligations in detail, it clearly delineates the sectors through which the new cybersecurity compliance framework will be operationalized.

In this context, companies should closely monitor the following developments in particular:

  • whether their activities fall within the scope of the designated critical infrastructure sectors,
  • future determinations by the Cybersecurity Presidency identifying specific institutions, infrastructures, assets or locations within those sectors,
  • potential obligations relating to cybersecurity risk assessments, vulnerability testing and cyber incident notification requirements,
  • certification and authorization requirements applicable to cybersecurity products and services,
  • data inventory, asset management and log retention obligations,
  • supply-chain and third-party technology compliance requirements, and
  • future secondary legislation and regulatory guidance to be issued by the Cybersecurity Presidency.

The 5 May 2026 meeting accordingly constitutes a significant milestone in the implementation of Türkiye's cybersecurity framework and signals that a more comprehensive and operationally detailed critical infrastructure cybersecurity regime is expected to take shape in the near term.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Ömer Faruk Çelik
Ömer Faruk Çelik
Photo of Busra Nazli Yaldir
Busra Nazli Yaldir
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More