Recent Developments
The Cybersecurity Board (the “Board”) identified the critical infrastructure sectors at its meeting held on 5 May 2026, as regulated under the Cybersecurity Law No. 7545, which entered into force in 2025 (the “Law”). Information regarding the meeting was publicly announced by the Directorate of Communications.
Following the Board meeting, the official website of the Cybersecurity Presidency (the “Presidency”) was launched on 6 May 2026. In this context, the Cyber Incident Response Team Communication Platform (“SİP”) was transferred from the infrastructure of the National Cyber Incident Response Center (“Computer Emergency Response Team of the Republic of Türkiye” or “TR-CERT”, tr. “USOM”) to the “siberguvenlik.gov.tr” domain.
The announcement made by the Directorate of Communications is available here (in Turkish).
You can access the Presidency’s website here.
Identified Critical Infrastructure Sectors
The Directorate of Communications emphasized in its announcement that cybersecurity is an integral part of national security, that cyber threats are becoming increasingly complex alongside global and regional developments, and that this field is being treated as a strategic priority. The statement also pointed out that protecting critical infrastructure, ensuring the security of digital systems, data sovereignty, and enhancing cyber resilience and deterrence capabilities are among the priority issues. In addition, it was stated that concrete steps will be taken in the upcoming period in line with the identified priorities and that relevant stakeholders will be actively involved in the process, with a particular emphasis on strengthening domestic and sustainable cybersecurity capacity within critical infrastructure sectors.
At its meeting held on 5 May 2026, the Board designated the following sectors as critical infrastructure sectors:
| Digital Infrastructure | Food and Agriculture | Healthcare |
| Digital Services | Manufacturing Industry | Defense Industry |
| Electronic Communications | Public Services | Water Management |
| Energy | Media and Crisis Communication | Transportation |
| Finance | Postal and Courier Services | Space |
Prior to the enactment of the Law, the Board designated the following sectors as critical infrastructure sectors in 2014:
- Transportation
- Energy
- Electronic Communications
- Finance
- Water Management
- Public Services
In this framework, with its decision dated 5 May 2026, the Board expanded the scope of critical infrastructure sectors and added further sectors to the list.
The Law defines critical infrastructures as “infrastructures that host information systems which may lead to loss of life, large-scale economic damage, security vulnerabilities, or disruption of public order if the confidentiality, integrity or availability of the information/data they process is compromised”. Within the scope of the Law, natural and legal persons operating in sectors designated as critical infrastructure are subject, in addition to the general obligations set forth under the Law for ensuring cybersecurity, to the following obligations:
- Implementation of the technical and administrative security measures determined by the Presidency based on the criticality of assets,
- Establishment of an organizational Security Incident Response Team (i.e., “CSIRT”) and notification of cyber incidents to the relevant sectoral CSIRT,
- Procurement of cybersecurity products, systems, and services to be used in critical infrastructures solely from persons authorized and certified by the Presidency.
In addition, Article 16 of the Law provides for a prison sentence of one to three years for individuals who cause a data breach by acting in breach of the requirements of their duties in relation to the protection of critical infrastructure against cyber-attacks.
In the upcoming period, the Presidency will designate the critical infrastructures within critical infrastructure sectors, along with the institutions to which they belong and their locations, and will establish the criteria and procedures for the authorization and certification of companies that will supply cybersecurity products, systems, and services for use in critical infrastructures. Within this framework, the Presidency will carry out identification, protection, the implementation of necessary technical and administrative measures, and audit activities with respect to critical infrastructures and the institutions that own them.
Official Website of the Cybersecurity Presidency Is Launched
The Presidency’s official website (“Website”) was launched on 6 May 2026 at the address https://siberguvenlik.gov.tr/. The Website provides access to cybersecurity activities, informative content, and different application mechanisms. In its current configuration, the Website appears to utilize the TR-CERT infrastructure, and the application, communication, and reporting processes previously conducted through TR-CERT’s official website have been transferred to this domain.
The main application and notification sections available on the Website are as follows:
- Cyber incident reports (including phishing attempts, malware activity, data leaks, access issues, and cyber threat reports)
- CVE (Common Vulnerabilities and Exposures) submission form
- Records of malicious links
- Records of security notifications
The Website also includes the Presidency’s address and contact information.
Conclusion
The Board’s identification of critical infrastructure sectors marks the effective start of the implementation and regulatory phase of the Law in the field of cybersecurity. The launch of the Presidency’s Website and the restructuring of coordination mechanisms regarding processes for cyber incident reporting and CVE submissions demonstrate that the Presidency’s role in the field has become more defined. In this framework, the details regarding the cybersecurity requirements expected to be determined by the Presidency, as regulated under the Law, will be brought to the agenda in the near future, and more specific administrative practices will be adopted following the regulations. Therefore, it is crucial for all actors operating in cyberspace to closely monitor developments regarding the Law and the secondary regulations and take necessary compliance actions.

