Türkiye Identifies Critical Infrastructure Sectors Under Cybersecurity Law No. 7545

The Board’s first decision clarifies which sectors will be treated as critical infrastructure under Cybersecurity Law No. 7545 in Türkiye.

1. Introduction

Türkiye’s Cyber Security Board (“Board”) convened on 5 May 2026 and adopted Decision No. 1 concerning the identification of critical infrastructure sectors under Türkiye’s Cybersecurity Law No. 7545 (“Law No. 7545”). The decision marks one of the first concrete steps in the practical implementation of Law No. 7545 across sectors regarded as critical to national resilience.

Under Law No. 7545, critical infrastructure broadly refers to infrastructures whose confidentiality, integrity or availability, if compromised, may result in large-scale economic damage, security vulnerabilities or disruption of public order.

In our earlier Mondaq analysis, Türkiye’s Cybersecurity Law No. 7545: What Critical Infrastructure Operators Need to Know, we examined the implications of Law No. 7545 for critical infrastructure operators, particularly its broader approach to cybersecurity governance, operational resilience, and national security beyond purely sector-specific compliance obligations.

The designation is significant because it determines which sectors are likely to fall within the operational and regulatory structure introduced under Law No. 7545.

2. Critical Infrastructure Sectors Formally Identified

A key outcome was the Board’s formal identification of critical infrastructure sectors. The sectors identified by the Board include:

• Digital Infrastructure
• Digital Services
• Electronic Communications
• Energy
• Finance
• Food and Agriculture
• Manufacturing
• Public Services
• Media and Crisis Communication
• Postal and Cargo Services
• Healthcare
• Defence Industry
• Water Management
• Transportation
• Space

The inclusion of digital services, media and crisis communication, postal and cargo services, manufacturing, and space is notable in light of recent geopolitical tensions and cyber incidents increasingly affecting logistics, industrial operations, public information systems and satellite-dependent services alongside traditional technical infrastructure, particularly in contexts shaped by hybrid threats and operational dependency.

Incidents such as the Viasat satellite disruption, the Colonial Pipeline incident and the widespread logistics disruption caused by NotPetya illustrate how cyber incidents affecting communications, transportation and supply-chain infrastructure may rapidly evolve into broader national resilience and continuity challenges.

Similar concerns are increasingly visible in international practice. Recent guidance and initiatives from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), including the “CI Fortify” initiative, have focused not only on cyber intrusion risks but also on operational isolation, continuity of essential services, vendor dependency, third-party operational reliance and crisis readiness across critical infrastructure environments.

The sector list also suggests that critical infrastructure is increasingly assessed through the operational consequences of disruption rather than technical exposure alone. Manufacturing, logistics, communications and satellite-dependent services each occupy central roles within interconnected operational environments where disruption may rapidly extend beyond a single system or organisation.

The Board’s emphasis on data sovereignty, domestic technological capability, institutional coordination, rapid response capability and resilience against cyber threats also reflects a broader cybersecurity approach centred on operational continuity and national resilience. The same priorities are reflected across Law No. 7545, particularly in relation to resilience, institutional coordination and operational preparedness.

3. What This Means for Critical Infrastructure Operators

For organisations operating within sectors now formally recognised as critical infrastructure, the implications are not limited to conventional cybersecurity compliance. As discussed in our earlier Mondaq analysis, Türkiye’s Cybersecurity Law No. 7545: What Critical Infrastructure Operators Need to Know, Law No. 7545 reflects a broader cybersecurity model built around operational continuity, institutional coordination and resilience across nationally significant infrastructures.

Under Law No. 7545, critical infrastructure operators are already subject to obligations relating to asset inventory management, risk analysis, incident and vulnerability reporting, technical and organisational security measures and supplier-related restrictions. Law No. 7545 also enables closer regulatory oversight of technologies, service providers and operational environments considered relevant to cybersecurity protection.

This is particularly significant for sectors operating interconnected operational environments or supply-chain-dependent infrastructures, where disruption may arise not only from direct technical compromise but also from third-party access, operational dependency, and coordination failures that affect continuity at scale.

Law No. 7545 also grants the Cyber Security Presidency broad supervisory and inspection powers extending to systems, software, hardware, and other digital assets relevant to cybersecurity and critical infrastructure protection.

4. What Comes Next

At this stage, many implementation details will depend on secondary legislation and future administrative measures issued by the Cyber Security Presidency.

While the Cyber Security Board identified critical infrastructure sectors at a categorical level, Law No. 7545 grants the Cyber Security Presidency broad authority over the practical implementation of the framework. This includes identifying relevant entities, setting technical and procedural requirements, establishing reporting mechanisms and defining cybersecurity obligations applicable to systems, products and services operating within these sectors.

In practice, the significance of the designation may emerge less from sector classification itself and more from the supervisory, technical and operational requirements that are likely to follow for organisations operating within sectors now regarded as critical infrastructure.

SOURCES:

Republic of Türkiye, Cyber Security Presidency, “Siber Güvenlik Kurulu Toplandı” https://siberguvenlik.gov.tr/haberler/detay/siber_guvenlik_kurulu_toplandi

Republic of Türkiye, Cybersecurity Law No. 7545, Official Gazette No. 32846, March 19, 2025

European Union, Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive) https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

European Union, Directive (EU) 2022/2557 on the resilience of critical entities (CER Directive) https://eur-lex.europa.eu/eli/dir/2022/2557/oj

United States, Cybersecurity and Infrastructure Security Agency (CISA), Critical Infrastructure Sectors https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

United States, Cybersecurity and Infrastructure Security Agency (CISA), CI Fortify: Strengthening Resilience Across Critical Infrastructure,  https://www.cisa.gov/topics/industrial-control-systems/ci-fortify

Türkiye's Cybersecurity Law No. 7545: What Critical Infrastructure Operators Need To Know, https://www.mondaq.com/turkey/cybersecurity/1756112/t%c3%bcrkiyes-cybersecurity-law-no-7545-what-critical-infrastructure-operators-need-to-know 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.