Recent Developments
Regulatory developments in the field of cybersecurity in Türkiye continue at full pace.
The Nuclear Regulatory Authority established the procedures and principles for ensuring cybersecurity in activities subject to regulatory control at nuclear facilities through the Regulation on Cybersecurity in Nuclear Facilities (“Regulation”), published in the Official Gazette No. 33244 and dated 5 May 2026.
Presidential Decrees No. 11220 and 11221, which were published in the Official Gazette dated No.33234 and dated 25 April 2026, established the special public tender procedures to be applied to Cybersecurity Presidency’s (“Presidency“) procurement of goods and services in the fields of defense, security, intelligence, and digital transformation and technological development.
These developments, when considered together with the identification of critical infrastructure sectors by the Cybersecurity Board and the launch of the Presidency’s website, indicate that developments in the field of cybersecurity have gained momentum recently.
The Regulation issued by the Nuclear Regulatory Authority is available here (in Turkish).
Presidential Decree No. 11220 is available here (in Turkish), and Presidential Decree No. 11221 is available here (in Turkish).
For further details on the critical infrastructure sectors, you can access our legal alert here.
Regulation on Cybersecurity in Nuclear Facilities
The Regulation, issued by the Nuclear Regulatory Authority, establishes the procedures and principles for ensuring cybersecurity within the scope of activities subject to regulatory control at nuclear facilities. The Regulation established a comprehensive framework covering processes related to the planning, implementation, and management of cybersecurity in nuclear facilities, management of digital assets, identification and mitigation of cyber risks, supply chain security, response to cyber incidents, personnel management, and annual reporting and information disclosure obligations.
In brief, the Regulation includes the following provisions:
- Planning of cybersecurity and preparation, review, and update of relevant plans;
- Identification of digital assets, their classification based on criticality levels, and obligations regardingtheir protection;
- Conducting risk assessments, implementing necessary technical, administrative, and physical measures, and carrying out vulnerability management activities as part of cybersecurity risk management;
- Determining and verifying cybersecurity requirements to be applied to suppliers within the scope of supply chain management;
- Establishing processes for preparation, response, and post-incident recovery in the event of cyber incidents;
- Conducting testing, annual staff training, audits, and reporting activities.
The Regulation stipulates that cyber incidents that affect or could affect safety, security, or nuclear safeguards must be reported immediately to the Nuclear Regulatory Authority and the Presidency. In addition, a report detailing the causes and effects of the incident, as well as the response activities and preventive measures taken, must be submitted to the Nuclear Regulatory Authority within five business days of the incident’s detection.
As part of the transition process, organizations that were authorized prior to the Regulation or that have applied to the Nuclear Regulatory Authority for authorization must submit an action plan to comply with the Regulation to the Nuclear Regulatory Authority within six months. This period may be extended up to one year if the organization provides a justified reason and such justification is deemed appropriate by the Nuclear Regulatory Authority.
The Regulation indicates that, in addition to the regulations to be issued by the Presidency, sector‑specific regulatory authorities also started to adopt their own cybersecurity regulations.
Special Public Tender Procedures Established for the Cybersecurity Presidency
Presidential Decrees No. 11220 and 11221 (“Decrees”) established special procedures and principles regarding procurements by the Presidency exempted under Article 3 of the Public Procurement Law No. 4734.
Decree No. 11220 established the special public tender procedures to be applied to the procurement of goods, services, and works to be carried out by the Presidency within the scope of matters related to defense, security, or intelligence, requiring confidentiality, or concerning the fundamental security interests of the state.
Decree No. 11221, on the other hand, established the procedures to be applied to the procurement of goods and services to be carried out by the Presidency for the purpose of facilitating digital transformation and supporting technological development.
The Decrees, which adopt a similar framework regarding procurement procedures, allow for the use of negotiation and competitive negotiation methods, as well as direct procurement in certain cases.
Conclusion
Recent developments in the field of cybersecurity have brought many different issues to the forefront, and it has become evident that the regulatory framework for cybersecurity in Türkiye has begun to be effectively implemented through both central authorities and sector-specific regulatory bodies. While the Regulation established sector-specific obligations regarding nuclear facilities, the procurement regulations concerning the Presidency indicated that the operational capacity of the Presidency has been strengthened.
Regulatory developments and implementation practices in the cybersecurity sector are expected to become even more concrete in the coming period. Therefore, it is crucial for all actors operating in cyberspace to closely monitor these developments and review their compliance processes accordingly.
