In the context of evolving global dynamics, the digital realm has become an increasingly critical arena of power competition, prompting states to adopt a range of strategies to address its growing implications. As we look ahead to 2025, it is heartening to see the notable institutional and legislative steps taken by Türkiye in the digital sphere, which signify a significant turning point for its cybersecurity architecture.
On Jan.8, 2025, the Cybersecurity Directorate was established under the authority of the Presidency of the Republic of Türkiye. This was followed by the enactment of the Cybersecurity Law on March 19, 2025. In recent weeks, the Digital Transformation Office of the Presidency of the Republic of Türkiye (CBDDO) was dissolved, with a significant portion of its responsibilities transferred to the newly formed Cybersecurity Directorate. These developments may signal a new phase in Türkiye’s cybersecurity policies. In this context, a historical overview may be a helpful way to understand how Türkiye’s cybersecurity policies have evolved to date and where they might be headed in the future.
1990s: Genesis of policies
Türkiye’s journey in cybersecurity policy began in earnest in the 1990s, spurred by the civilian adoption of network technologies. Initially focused on military applications, the field rapidly gained strategic importance as internet usage expanded and cyber threats became more prevalent. A critical step came in 1991, when cybercrimes were incorporated into the Turkish Penal Code (TCK) – an early legislative attempt to address emerging digital risks. In 1996, the Security Working Group drafted a preliminary framework, although it could not be materialized into a formal legislative proposal.
In 1999, the Ministry of Transport released Türkiye’s National Information Infrastructure Master Plan (TUENA), the first official document aimed at strengthening IT infrastructure. Institutionally, organizations such as the Scientific and Technological Research Council of Türkiye (TÜBITAK), particularly its Informatics and Information Security Research Center (BILGEM), played formative roles in early cybersecurity research. Throughout the 1990s, cybersecurity was viewed as a secondary issue within the broader context of technological advancement. However, the rapid digital transformations of the 2000s led to a growing recognition of the need for more robust policy responses.
2000s: Emergence of cybersecurity
The 2000s marked the beginning of a more structured legal and institutional approach to cybersecurity in Türkiye. Although a draft law on the Nnational Information Security Organization and its duties was introduced in 2000, followed by another draft on national information security in 2002, neither was enacted. It is nevertheless encouraging to see that cybersecurity is beginning to feature in national planning documents. The 2002 e-Türkiye Initiative Action Plan included information security as a subcomponent. In a similar vein, the 2003 e-Transformation Türkiye Project and the 2003-2004 Short-Term Action Plan addressed the subject of information security, while Prime Ministry Circular No. 2003/10 outlined guiding principles for information systems security.
During this period, legal milestones such as the Electronic Signature Law (Law No. 5070) and the revised TCK (Law No. 5237), both enacted in 2004, which addressed legal dimensions of cyberspace. The National Information Systems Security Program was launched in 2006 and cybersecurity measures were also integrated into the 2006-2010 Information Society Strategy and Action Plan.
Further legal groundwork was established with Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Using Such Publications (“The Internet Law”) (2007), followed by the Electronic Communications Law No. 5809 (2008). Meanwhile, the Information and Communication Technologies Authority (BTK) began to assume a regulatory role in cybersecurity, and Türkiye conducted its first national cybersecurity exercise. As the decade drew to a close, a Draft Law on e-government and the Information Society was prepared. In parallel with NATO’s prioritization of cybersecurity, Türkiye formulated its own National Cybersecurity Policy Document in this term.
2010-2018: National strategies
The period from 2010 to 2018 marked a significant turning point in Türkiye’s cybersecurity policies. For the first time, the Constitution was amended to include provisions on the protection of personal data, and cyber threats were explicitly acknowledged in the National Security Council Declaration. In addition, Türkiye signed the Council of Europe Convention on Cybercrime.
In 2012, the BTK was given the mandate to coordinate national cybersecurity efforts. TÜBITAK BILGEM’s Cybersecurity Institute emerged as a key actor in developing technologies and providing specialized training. During this period, crucial institutions were established, including the Cybersecurity Board, the Computer Emergency Response Team of the Republic of Türkiye (TR-CERT), the National Cybercrime Department of the Turkish National Police and the Turkish Armed Forces Cyber Defense Command.
The 2013-2014 National Cybersecurity Strategy and Action Plan was followed by the AFAD’s 2014-2023 Road Map for the Protection of Critical Infrastructures. The 2015-2018 Information Society Strategy and Action Plan featured information security as a core theme. The National Cybersecurity Strategy and Action Plan was updated in 2016. That same year, the Personal Data Protection Law (Law No. 6698) was passed. In 2017, the Personal Data Protection Authority was established. The 2010s saw a growing recognition of cybersecurity as a key element of national security, accompanied by a rapid institutionalization.
2018-2025: Integration in cybersecurity
With Türkiye’s transition to a presidential system in 2018, the establishment of the CBDDO marked a significant organizational shift. National cybersecurity coordination was entrusted to the CBDDO’s newly formed Cybersecurity Department, while the Cybersecurity Board was dissolved. During this phase, key documents were published, including the Decree on Information and Communication Security Measures, the Information and Communication Security Guide, the 2020-2023 National Cybersecurity Strategy and Action Plan and the National Cybersecurity Governance Analysis Report.
This period also saw significant educational advances: Türkiye’s first cybersecurity high school, vocational college and cybersecurity engineering program were launched, and the National Cybersecurity Workshop was held. The National Cybersecurity Strategy and Action Plan was updated again in 2024 for the 2024-2028 term. During this period, policy priorities centered on mitigating cyber threats, strengthening national capabilities, safeguarding critical infrastructure and promoting international cooperation. Additionally, efforts have been made to nurture the cybersecurity ecosystem through education, awareness-building, and technological development.
Post-2025: A new era
In recent years, Türkiye has experienced notable developments in its digitalization and cybersecurity landscape. The enactment of the Cybersecurity Law in early 2025, along with the establishment of the Cybersecurity Directorate and Cybersecurity Council, appears to signal a move toward a more centralized and comprehensive approach to countering cyber threats. The new law introduces harsh penalties for data breaches and cyberattacks and strengthens oversight of critical infrastructure.
The Cybersecurity Directorate is poised to take a central role in implementing the law. Its duties include fostering inter-agency coordination, maintaining data inventories, conducting risk assessments, and enforcing security protocols. On March 28, 2025, the CBDDO was officially dissolved, and its responsibilities were transferred to the new Cybersecurity Directorate. This body is not only tasked with defending against cyber threats, but also plays a broader role in guiding public sector digital transformation, enhancing e-government services and promoting the adoption of artificial intelligence.
This development underscores a paradigm shift: Cybersecurity is no longer viewed merely as a defense mechanism, but as a core pillar of the digital ecosystem. It could be seen as marking a new phase in Türkiye’s cybersecurity trajectory – one that may require a proactive, inclusive and adaptable approach to address evolving threats. It is thought that a framework of this kind could potentially contribute to national security and enhance Türkiye’s international competitiveness. As a presidential centralized entity, the Cybersecurity Directorate is strategically positioned to assume a critical role in coordinating cohesive and impactful cybersecurity policies. This new role reflects the dynamic evolution of the digital sphere, which is progressively more recognized not merely as a domain of security but also as an arena for fostering innovation, enhancing governance, and advancing public service delivery.