Turkey: A TMT Overview

Evolution of Key Frameworks and a Shift to Oversight and Accountability

The year 2025 was a pivotal one for Turkey’s TMT landscape, shaped by an increasingly busy regulatory agenda alongside renewed signs of market momentum. As key frameworks covering data protection, cybersecurity, AI, digital platforms, and online commerce continued to evolve, regulatory focus shifted from rule-making to implementation, oversight and accountability. At the same time, Turkey’s ambition to position itself as a regional technology hub remained visible, supported by renewed M&A activity and notable investment signals, including developments in cloud and data centre infrastructure, global technology companies expanding their local footprint, and major platforms strengthening their operational presence. Against this backdrop, 2025 reflected a dual dynamic: a maturing regulatory environment testing compliance readiness across the TMT sector, and a market that continues to attract strategic interest ahead of the further consolidation and policy crystallisation expected in 2026.

Strengthening of the personal data protection framework

By 2025, the personal data protection framework in Turkey had genuinely matured, with the Turkish Personal Data Protection Authority (“KVKK”) maintaining an active stance. Following the 2024 amendments to the international data transfer regime, Turkish Standard Contracts were executed by numerous multinational companies and major technology players, with the KVKK conducting a limited number of reviews focused primarily on procedural compliance. Throughout the year, procedural aspects remained a key enforcement priority, while administrative fines were not the main focus. In parallel, the Data Controllers Registry (“VERBIS”) continued to feature prominently on the regulator’s agenda, particularly for foreign data controllers subject to local representation and registration obligations. Another notable development was the KVKK’s strict interpretation of the granularity principle in explicit consent practices, including push notifications. Overall, 2025 was an active year both in terms of companies’ compliance efforts and regulatory oversight.

AI regulation in TMT

AI regulation remained one of the central themes of Turkey’s TMT agenda. Government strategy papers increasingly referred both to future binding legislation shaped by the EU AI Act and to soft-law instruments aimed at facilitating AI adoption, particularly in public services. Legislative initiatives by smaller political parties and the KVKK’s work on generative AI further enriched the policy debate. Rather than directly transposing the EU AI Act, Turkey adopted a cautious and exploratory approach, focusing on assessing risks and opportunities rather than introducing immediate hard-law obligations. These discussions are expected to crystallise in 2026, potentially through a clearer regulatory roadmap and a renewed national AI strategy. In the meantime, the KVKK took a concrete step by publishing its Generative AI Guide, which provides a practical, risk-based framework addressing training data, personal data processing, controller–processor roles, cross-border transfers, transparency, data subject rights, and security measures. While primarily aimed at developers and deployers, the guide offers useful direction for all sectors relying on AI-based systems.

Focus on content regulation and platform oversight

Content regulation and platform oversight also moved higher on the agenda. Turkey is expected to introduce a further major amendment to the Internet Law No 5651 in 2026, marking the third significant revision within five years. Child protection has been a central driver of this initiative. While existing rules already require social network providers to offer unbundled services for children, the upcoming amendments are expected to introduce an outright ban on social media use for children under 15, implemented through age verification systems. The reform is also set to expand content moderation obligations, including stricter requirements around content removal and access blocking, and potentially proactive moderation of certain content categories. Following the withdrawal of revised Article 9 proposals twice in 2025, the government is now preparing a new version aligned with the Constitutional Court’s annulment decision. In parallel, additional obligations, such as local representative requirements, are also being considered for game developers and distributors.

Cybersecurity as an integral component of national security

Cybersecurity became a cornerstone of Turkey’s regulatory agenda in 2025 with the enactment of the Cyber Security Law in March. Prepared on the premise that cybersecurity is an integral component of national security, the law represents the first comprehensive framework, which also supports local cybersecurity solutions (from a soft-law perspective). It establishes the Cyber Security Presidency as the central authority responsible for strengthening the resilience of critical infrastructure and information systems and developing cybersecurity standards. Although the Cyber Security President was appointed in October 2025, the institution was not yet fully operational by year-end, and secondary legislation is expected in 2026. From a TMT perspective, the law’s broad scope is particularly notable, as it applies to private sector actors operating in cyberspace, including companies providing digital products and services, operating platforms or networks, or processing data. Core obligations include co-operation with the authority, the implementation of required cybersecurity measures, and prompt notification of cyber-incidents and vulnerabilities, supported by extensive inspection powers and meaningful sanctions. In addition, the President’s mandate was expanded to cover digital government, public-sector IT systems, data governance, and AI policies, developments that are expected to have an indirect but increasing impact on TMT players supplying technology and digital infrastructure to the public sector.

Geographic data permits

The geographic data permit regime introduced in 2024 remained fully operational throughout 2025. While new secondary legislation is still to be adopted, permit applications continue to be processed under the existing regulation, and permits have been granted accordingly. The Ministry proceeded on a sector-by-sector basis, sending notices to certain companies to obtain permits where their activities involved geographic data. For TMT players processing location-based data or operating mapping, mobility connected devices, or data-driven platforms linked to Turkey, this confirmed that the permit requirement continues to apply in practice despite the absence of updated implementing rules.

E-commerce and digital advertising

In the e-commerce and digital advertising space, the regulatory framework largely stabilised in 2025, with enforcement attention shifting to consumer-facing practices. The Ministry of Trade focused on consumer protection, particularly online advertising, discount campaigns, and influencer marketing, while the Advertising Board continued its active scrutiny across sectors. At the same time, content oversight in the digital space intensified. RTÜK increased its monitoring and enforcement activities for on-demand and online content, increasingly applying traditional media standards to digital platforms. Social media platforms and online gaming companies also faced heightened scrutiny, with child protection emerging as a key priority. This trend is expected to continue and intensify in 2026, alongside growing expectations around transparency and platform accountability.

The e-commerce landscape

Finally, Turkey’s already heavily regulated e-commerce landscape saw further tightening, particularly for overseas sales. With the entry into force of the Regulation on Market Surveillance and Inspection of Products Placed on the Market through Remote Communication Tools in April 2025, online sales of certain regulated products became subject to a local economic operator requirement, prompting compliance adjustments by major platforms. Additional obligations were also introduced regarding product information displayed on online listings. The most disruptive development followed in early 2026, when the facilitated tax-free import threshold for personal purchases below EUR30 was abolished. By subjecting each overseas purchase to full customs procedures, the decision rendered cross-border e-commerce into Turkey commercially unviable for many platforms, leading several international players to suspend their services. Despite significant public backlash, it remains to be seen whether these measures will ultimately benefit domestic players or prompt a policy recalibration driven by consumer pressure.