On May 5, 2026, Turkey's Cybersecurity Board met in Ankara under the chairmanship of President Recep Tayyip Erdoğan and formally designated 15 sectors as critical infrastructure under Cybersecurity Law No. 7545. According to the official statement from the Presidency's Directorate of Communications, the list spans Digital Infrastructures, Digital Services, Electronic Communications, Energy, Finance, Food and Agriculture, and continues through defense, healthcare, transportation and space. The same statement elevated "data sovereignty" (veri egemenliği) to a strategic focus, describing data as "not merely a technical element but a strategic value," and prioritized "developing capacity in domestic and national technologies" (yerli ve millî teknolojilerde kapasite geliştirilmesi).
This is the first concrete implementation step for a law that entered force on March 19, 2025, via Official Gazette No. 32846. It is worth taking seriously on its own terms before raising concerns.
The case for Ankara's move is real
The strongest argument for designating critical sectors and tightening their security obligations is simply that the threat is genuine and rising. Power grids, payment systems and hospitals are now routine targets for ransomware crews and state-aligned actors, and a serious compromise of any of them can cost lives or freeze an economy. Law No. 7545 codifies sensible baselines: asset inventories and periodic risk assessments (Article 5), incident reporting to the Cybersecurity Presidency "without delay," and cooperation with audits (Article 8). Turkey is also a relative latecomer here — this is its first comprehensive cybersecurity statute, arriving years after the EU's NIS framework and the US executive orders on critical infrastructure. Mapping who must protect what is a precondition for any coherent regime, and a risk-based approach that asks more of an electricity operator than a corner shop is precisely the proportionality that good regulation should embody.
Where Ankara's framing becomes harder to defend is the slide from security to sovereignty as procurement policy.
When "national" products become a mandate
Article 7 of Law No. 7545 provides that "domestic and national products shall be primarily preferred" in cybersecurity activities, and requires that products and services for public institutions and critical infrastructure be procured only from vendors "authorized and certified by the Cybersecurity Presidency." The May 5 meeting reinforced this, with officials stressing the goal of "storing and processing Türkiye's strategic data within the country and decreasing dependence on foreign systems," per Daily Sabah's account of the session, alongside national projects such as the KamuNet public-sector network and an "AI Shield" disinformation tool.
The instinct is understandable, and pro-Ankara analysts frame it as consolidating sovereignty in a "techno-polar" world rather than mere defensiveness. But a domestic-preference rule layered on top of a single-gatekeeper certification body is where cybersecurity policy quietly turns into industrial policy — and the trade-offs deserve scrutiny.
First, security and provenance are not the same thing. A firewall is not safer because it was written in Istanbul rather than Tel Aviv or Helsinki; it is safer if it is well-engineered, promptly patched and independently tested. The global security stack — from threat intelligence feeds to vulnerability databases to cloud-native defenses — is deeply interdependent, and the best tools rarely come from any single country. A rule that nudges procurement toward "national" options on principle risks deploying weaker defenses in exactly the 15 sectors the state most wants to protect.
Second, a state-run certification chokepoint creates concentration risk of its own. If every product used in finance, energy or electronic communications must pass through one Presidency-controlled authorization process, that process becomes both a single point of failure and a lever for discretion. The composition of Turkey's cybersecurity bodies has already drawn criticism for excluding the data-protection authority (KVKK), the bar associations and journalists' groups — a governance gap that matters when the same framework carries heavy penalties.
Those penalties are not trivial. Law No. 7545 authorizes administrative fines ranging from roughly ₺125,490 up to ₺125,490,000, penalties of up to 5% of annual gross revenue for commercial entities, and — under Article 16 — imprisonment for certain governance and critical-infrastructure failures. Combine steep liability with data-localization expectations and a domestic-vendor tilt, and the rational response for a multinational operating in Turkey may be to over-localize, fragment its architecture, and route around foreign tooling even where that tooling is best-in-class.
Proportionate sovereignty is still possible
None of this means Turkey should abandon the project. The goal — resilient critical infrastructure and credible control over genuinely strategic data — is legitimate, and the EU pursues comparable aims. The question is how.
- Certify for security, not nationality. Tie procurement preferences to verifiable engineering standards and independent audit results, not to the passport of the vendor.
- Keep the gate open and transparent. Publish certification criteria and timelines so foreign and domestic firms compete on equal, predictable terms; an opaque gatekeeper invites both insecurity and protectionism complaints.
- Localize narrowly. Reserve hard data-residency rules for the genuinely sovereign categories rather than imposing blanket localization that fragments networks and raises costs without raising security.
Turkey has, sensibly and belatedly, drawn the map of what it must defend. The risk now is that the implementing details treat "made in Türkiye" as a security property in itself. The strongest digital sovereignty is not a walled garden of certified national champions — it is a market open enough to deploy the best defenses, governed by rules clear enough that operators trust the gate. Ankara still has room to choose the second path.