Cybersecurity and Information Technology Crimes

Formulation of cybersecurity policies, incident response, and legal management in investigation and litigation proceedings related to information technology crimes.

Get in touch

Cyber incidents are no longer exceptional—they are an ordinary risk in corporate operations. With the enactment of Law No. 7545 on Cybersecurity in 2025, Turkey has established its first comprehensive regulatory framework in this field. Simultaneously, the data security obligations under the Turkish Data Protection Law (KVKK), log retention and content liability requirements under Law No. 5651, and the provisions of the Turkish Penal Code concerning information technology crimes remain in force. Our firm operates with a focus on managing this multiple regulatory regime in parallel and delivering operationally applicable security compliance to our clients.

We assist our clients in drafting cybersecurity policies, designing incident response plans, managing content provider, location provider, and access provider obligations within the framework of Law No. 5651, auditing log infrastructure, and preparing information security annexes to cloud service agreements. We collaborate with our clients in implementing secondary regulations anticipated under the new Cybersecurity Law, liaising with the Cybersecurity Authority, and—depending on the applicable sector—mapping out additional obligations foreseeable for critical infrastructure operators.

In a cyber incident, time is critical. In the initial response phase, evidence preservation, internal communication protocols, the KVKK's 72-hour notification requirement to the Authority, notification to affected individuals, and—where necessary—filing a criminal complaint with the Office of the Chief Public Prosecutor are steps that must proceed in parallel. Our firm, in coordination with information security teams and digital forensics experts, jointly designs these steps, conducts the legal dimension of root cause analysis, and prepares the groundwork for insurance and supplier recovery proceedings. In offenses regulated under Articles 243 et seq. of the Turkish Penal Code—such as unauthorized access to information systems, data tampering, and use of false digital identity—we stand beside our clients in complaint, intervention, or—where a company employee is the accused—defense proceedings.

Cybersecurity is a field where legal compliance cannot be disconnected from technical reality. Policy documents are aligned with auditable control points from frameworks such as ISO/IEC 27001 and NIST to ensure they remain more than mere paper exercises. Our deliverables include board-approved cybersecurity policies, incident response runbooks, supplier security assessment questionnaires, and regular tabletop exercise scenarios.