Turkey's Information and Communication Technologies Authority (BTK) is circulating a draft, under active debate as of late April 2026, that would for the first time treat any service that encrypts and transmits internet traffic for privacy or security as a regulated carrier — a "Virtual Network Service Provider." Under the proposal, such providers would need a BTK license, a locally incorporated Turkish company (joint-stock or limited liability) with an authorized representative, user data stored inside Turkey, technical means for monitoring, compliance with content restrictions, and fast responses to official orders. Press accounts of the draft describe administrative fines of 1 million to 30 million lira, a roughly six-month cure period, and — for providers that stay unlicensed — bandwidth throttling of up to 90 percent and outright blocking.
The case the government is making
The strongest version of Ankara's argument deserves a fair hearing. The draft surfaced after two school attacks in Siverek, Şanlıurfa on April 14–15, 2026 that left nine people dead, including a teacher, according to Nordic Monitor; officials have tied the package to a broader child-safety effort that also includes a "child SIM" and national-ID login. Governments have a legitimate interest in being able to identify the operator of a service that millions of residents route their traffic through, and in not letting wholly offshore intermediaries operate as a law-free zone. Jurisdiction over a service used domestically is not an inherently unreasonable demand, and child protection is a serious aim, not a pretextual one.
But the strength of an aim does not validate the design of the instrument. The draft's defining move is a category error: it regulates a mathematical technique — encryption of transit traffic — as though it were a telecom operator. Almost every secure tool does what the draft describes. A corporate VPN connecting an Istanbul branch to headquarters encrypts and transmits traffic. So does a bank's TLS session, a messaging app's tunnel, and the privacy features increasingly built into mainstream browsers and operating systems. Drafting the trigger around the function rather than the abuse sweeps in the security infrastructure the economy runs on.
Localization and monitoring break the product
The requirements to store user data in Turkey and to enable monitoring are not compliance overhead — they are incompatible with the value proposition of a privacy VPN. A no-logs provider that creates Turkish user logs and a lawful-interception interface is no longer a no-logs provider. This is why credible operators tend to exit rather than comply: the alternative is to ship a weaker product worldwide or to maintain a backdoored Turkish variant that any sophisticated user will distrust. The likely result is not safer VPNs but the departure of the reputable ones and the persistence of opaque, genuinely risky apps.
The mandates have a precedent — and a warning
The localization and local-representative requirements echo Turkey's 2020 social-media amendments to Law No. 5651, which required large platforms to appoint local representatives and keep Turkish users' data in-country. As the Electronic Frontier Foundation warned at the time, a local representative is also a local pressure point — a person exposed to domestic legal action — and escalating fines (then TRY 10 million, rising to TRY 30 million) push intermediaries to over-remove lawful speech to avoid penalties. The VPN draft transplants that architecture onto the layer people use precisely to resist over-removal.
The enforcement record undercuts the safety framing
Turkey's recent history suggests the tools will be aimed at speech, not just at violent content. The BTK ordered ISPs to block 17 VPN services in November 2023 without a court order, and by late 2023 more than 953,000 domains were blocked nationwide, according to Freedom House's Freedom on the Net 2024 report; by August 2024 the count of blocked VPN services had reached 27, per the Stockholm Center for Freedom. The same authority throttled access and blocked Instagram for nine days in August 2024. Freedom House's Freedom on the Net 2025 rates Turkey's internet "Not Free" at 31 out of 100 and flags the March 2025 Cyber Security Law (No. 7545), which criminalizes refusing to hand over requested personal data. A licensing regime layered on top of that record is less a safety measure than a formalization of control.
Demand will route around it
There is also a practical futility problem. Reporting indicates VPN sign-ups in Turkey jumped after the draft became public — Proton VPN told TechRadar its regional sign-ups roughly doubled. Demand for circumvention rises with the threat of restriction, and the people most able to find an unlisted protocol or a self-hosted tunnel are not the ones a child-safety law is meant to reach. The burden falls instead on ordinary users, small businesses, and the open commercial market, while determined actors adapt.
A proportionate path exists
None of this requires Turkey to abandon its stated goals. A proportionate approach would target conduct, not cryptography: pursue specific illegal content and specific bad actors through narrow, court-supervised orders; address minors' access through device-level and parental tools rather than a nationwide carrier mandate; and preserve encryption as the baseline security primitive that protects Turkish banks, hospitals, and dissidents alike. Licensing a function as broad as "encrypts and transmits traffic" — backed by data localization, monitoring hooks, and 90-percent throttling — is the opposite of proportionate. It weakens everyone's security to gesture at a problem it is poorly built to solve.