Cybersecurity 2023

Last Updated March 16, 2023


Law and Practice


YAZICIOGLU Legal is an Istanbul-based boutique technology law firm. The firm focuses on legal matters related to technology, media, telecommunications, and data protection/cybersecurity. The firm also has a solid expertise in cross-border transactions, corporate and commercial matters, intellectual property, regulatory compliance, e-commerce, consumer protection and dispute resolution. The firm has a dedicated team of 15 lawyers working on data protection and cybersecurity. The majority of the firm’s workload consists of data protection-related matters. In particular, the firm is known for successfully representing its clients in investigations and data breaches before the Turkish Data Protection Authority. The firm is ranked in several legal directories for its TMT practice and is also a Bronze Corporate Member of International Association of Privacy Professionals (IAPP).

According to the International Telecommunication Union’s Global Cybersecurity Index, published in 2020, Türkiye is ranked 11th in the world on commitment to cybersecurity. Hence, it is fair to say that Türkiye is one of the most cybersecure countries in the world, and it is keen on making further significant improvements in this area.

However, currently, Türkiye does not have a standalone legal framework governing cybersecurity; the legal framework, in fact, is quite fragmented. It is possible to find relevant provisions related to cybersecurity, security and confidentiality of electronic communications (“e-communication”), data breach notifications and incident response under various legislative pieces.

The most relevant legal instruments, as well as policy documents, are as follows.

General Regulations

Constitution of the Turkish Republic (“Constitution”)

The Constitution does not directly set out any provision on cybersecurity. However, as cybersecurity is an umbrella term for data protection, whether it’s personal or non-personal data, it can be considered that cybersecurity is partly and indirectly set out under:

  • Article 20(3), which provides the right to protection of personal data; and
  • Article 22, which provides the freedom of communication as an individual right to any person.

Law on Regulation of Publications via Internet and Combating Crimes Committed by Means of Such Publications No 5651 (“Internet Law”)

The Internet Law aims to regulate the obligations and responsibilities of content providers, hosting providers, internet service providers, social network providers, as well as access providers, in order to combat crimes committed via the internet.

The Internet Law directs the Turkish Information and Communication Technologies Authority (ICTA) to co-ordinate between the relevant public institutions, law enforcement agencies, the above-mentioned providers and other related institutions and organisations in order to ensure the safe use of the internet, raise public awareness and carry out the necessary activities, including taking the necessary measures within the scope of national cybersecurity policies.

Law on Electronic Communication No 5809 (“E-Communication Law”)

As Türkiye does not have a general cybersecurity law yet, it is planned to introduce a network and information security regulation, mostly modelled after the EU’s Network and Information Security (NIS) Directive (“NIS Directive”). In order to establish the normative background for cybersecurity and institutional framework for overseeing cybersecurity, a special rule was incorporated into the E-Communication Law.

Information security is among the basic principles set forth in the E-Communication Law, which provides the main framework for network security, confidentiality of communication, and protection of personal data. Detailed provisions concerning each may be found under the several secondary pieces of legislation enacted based on this law for the same purpose.

Moreover, although this law almost entirely regulates e-communication sectors, its Article 60(11) empowers ICTA to take measures or ensure that all measures are taken to protect public institutions and organisations and natural and legal persons from cyber-attacks and provide deterrence against the same.

Hence, not only is ICTA the authorised regulatory body in the e-communications sector, but it also has comprehensive authority over private and public organisations in relation to cybersecurity.

Council of Ministers Decision on Carrying out, Managing and Coordinating National Cybersecurity Activities, dated 11 June 2012 (“Council of Ministers Decision on Cybersecurity”)

This decision is one of the landmarks of Türkiye’s cybersecurity policy.

It defines national cybersecurity as: “security of all services, transactions and data provided via information and communication technologies as well as systems used for provision of the same”.

This decision empowers the Ministry of Transport and Infrastructure (MTI) to oversee the national cybersecurity in Türkiye and to prepare policy, strategy, and action plans to ensure cybersecurity on a nation-wide scale, among other powers. The MTI carries out these tasks through ICTA and other public institutions.

Communiqué on Procedures and Principles of the Establishment, Duties and Activities of Cyber Incidents Response Centres (CERTs) (“Communiqué on CERTs”)

The purpose and scope of this communiqué is to ensure CERTs carry out their services effectively and efficiently by determining the procedures and principles of their establishment, duties and work.

Guideline for Establishment and Management of Institutional CERTs (“Institutional CERT Guideline”) and Guideline for Establishment and Management of Sectoral CERTs (Sectoral CERT Guideline)

These guidelines, published by the National Cyber Incidents Response Centre (TR-CERT), provide guidance on establishing and managing institutional CERTs and sectoral CERTs in relevant organisations, their relationship with each other and TR-CERT, capacity planning, qualifications of the personnel (education level and experience), mandatory training, and the steps that personnel must take before, during and after a cybersecurity incident.

They also include the principles for communication with internal/external stakeholders and establishment of institutional and sectoral CERTs.

Decree on Information and Communication Security Measures No 2019/12 issued by the Presidency of Türkiye (“Presidency Decree”)

The Presidency Decree has set specific measures that were deemed appropriate in order to diminish and neutralise security risks, in particular, ensuring the security of critical data that may jeopardise national security or deteriorate public order, especially when its confidentiality, integrity or accessibility is compromised.

All public bodies are bound by the Presidency Decree.

Turkish Data Protection Law No 6698 (“DP Law”) and its secondary legislation

The DP Law covers all personal data processing activities in Türkiye. From a cybersecurity perspective, it also regulates the security of personal data and full or partly automated and non-automated data processing systems. According to the DP Law, controllers are obliged to take all necessary technical and organisational measures to provide a sufficient level of security to:

  • prevent unlawful processing of personal data;
  • prevent unlawful access to personal data; and
  • ensure the safekeeping of personal data.

Personal data breach notification duty for controllers is also set forth in the same provision.

Turkish Criminal Code (TCrC)

The TCrC criminalises several actions in connection to cybersecurity and sets out criminal sanctions of imprisonment between six months and eight years for these actions. Some are as follows:

  • unlawful access to a cyber system;
  • blocking or bricking the cyber system or destroying, modifying, or making inaccessible the data within a cyber system;
  • misuse of debit or credit cards;
  • manufacturing, importing, dispatching, transporting, storing, accepting, selling, offering for sale, purchasing, giving to others or keeping forbidden devices and software that are used to break a computer program’s password or a similar code in order to commit one of the crimes described in the bullet points above;
  • committing theft or fraud via cyber systems;
  • unlawful recording of personal data;
  • unlawful transfer, publication or acquisition of personal data; and
  • failure to destroy personal data after the retention period set forth in the applicable laws.

The Policy Framework

National Cybersecurity Strategy and Action Plans

For 2013–14 term

In accordance with this action plan, TR-CERT, whose main task is to oversee cybersecurity incident response activities and reporting, was established.

In addition, sectoral CERTs were established for co-ordinating cybersecurity incident response activities for critical sectors, and institutional CERTs were established for carrying out cybersecurity incident response activities within certain organisations such as governmental bodies and companies working in critical sectors.

For 2016–19 term

This action plan resulted from the need to update the previous one due to the development of information and communication technologies, the increasing need for cybersecurity and the experience gained.

The updated action plan set out:

  • cybersecurity risks, such as unauthorised access and disclosure of citizens’ personal data or public information following an attack targeting the information systems used by public institutions or critical infrastructure; and
  • the strategic objectives and actions for cybersecurity.

In this action plan, actions are grouped under five categories:

  • strengthening cyber defence and protecting critical infrastructures;
  • fighting against cybercrimes;
  • improvement of awareness and human resources;
  • developing the cybersecurity ecosystem; and
  • integration of cybersecurity into national security.

For 2020–23 term

This action plan recognised international co-operation as an important part of national cybersecurity strategy due to the inherently cross-border nature of cybersecurity. Thus, the government pledges to show efforts to increase bilateral and multilateral co-operation, improve information sharing and contribute to the activities that are carried out for establishing international common norms and standards in cyber space.

In this action plan, actions are grouped under eight categories:

  • protecting critical infrastructure and increasing resilience;
  • building national capacity;
  • organic cybersecurity network;
  • security of new generation technologies;
  • fighting against cybercrime;
  • developing and fostering national and domestic technologies;
  • integrating cybersecurity into national security; and
  • improving international co-operation.

For other legislation (eg, sectoral and specific legislation), please see 2.1 Key Laws.

The Ministry of Transport and Infrastructure

According to the Council of Ministers Decision on Cybersecurity, the MTI has been authorised for the implementation, administration and co-ordination of national cybersecurity actions and preparation and co-ordination of policy, strategy, and action plans regarding the governance of national cybersecurity.

The MTI is the responsible government agency for overseeing all other cybersecurity organisations throughout Türkiye. It has been overseeing and conducting cybersecurity activities at the strategic level through the TR-CERT.

The MTI’s responsibilities on cybersecurity include:

  • preparing strategy and action plans to ensure national cybersecurity;
  • preparing the procedures and principles that are necessary for ensuring the security and privacy of the information and data belonging to public institutions and organisations; and
  • in ensuring national cybersecurity, monitoring the establishment of the technical infrastructures in public institutions and organisations, ensuring verification, and testing the applications’ efficiency.

Information and Communication Technologies Authority

While policymaking is the responsibility of the MTI, the regulatory function has been assigned to ICTA.

ICTA is an independent administrative institution and has administrative and financial autonomy.

In addition to its regulatory role in the telecommunication sector, ICTA closely monitors the cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns private companies concerning specific cybersecurity threats and technical vulnerabilities.

For this purpose, ICTA works in co-ordination with public and private organisations.

Presidency of Republic of Türkiye Digital Transformation Office (DTO)

The DTO has played an active role in cybersecurity, big data, artificial intelligence, and digital transformation since its establishment in 2018.

Among its other duties, the DTO focuses on developing projects that support national cybersecurity and information security, monitoring the implementation of policies, strategies and action plans on cybersecurity throughout the country and carrying out studies to identify critical infrastructures.

In July 2020, DTO published an Information and Communication Security Guide. Please see 3.3 Legal Requirements and Specific Required Security Practices for the details and content of this guide.


In 2013, TR-CERT was established under ICTA to identify emerging threats, take measures to reduce and eliminate the effects of possible attacks and incidents on the national cyber space and share them with the relevant actors.

TR-CERT oversees the management of response to cybersecurity incidents from the beginning until the resolution. It co-ordinates with CERTs who are required to report cybersecurity events to TR-CERT.

TR-CERT also carries out awareness-raising and guidance activities to increase the awareness of public institutions and organisations against cyber-attacks.


Sectoral CERTs

Sectoral CERTs are established under:

  • the regulatory and supervisory bodies; or
  • the relevant ministries of critical sectors.

Sectoral CERTs are responsible for the co-ordination, regulation, and supervision of cybersecurity in their respective critical sectors.

Sectoral CERTs act in co-ordination with TR-CERT and institutional CERTs operating in the sectors concerned.

Institutional CERTs

Institutional CERTs are established within public and private organisations.

All organisations operating in the critical infrastructure sectors must establish an institutional CERT thereunder. On the other hand, ICTA has the authority to order a public or private organisation to establish and maintain a CERT, even if such organisation does not operate in the critical infrastructure sectors.

Institutional CERTs also act in co-ordination with TR-CERT and sectoral CERTs operating in the concerning sector (as applicable).

The personnel working in CERTs are under the obligation to maintain the confidentiality of the information they have obtained due to their duties. This obligation continues after the duty ends.

Personal Data Protection Authority (“DP Authority”)

The primary supervisory and regulatory authority for data protection matters in Türkiye is the DP Authority. It is an independent administrative institution that has administrative and financial autonomy.

The DP Authority has the power to regulate data protection activities and take measures for protecting the rights of data subjects. The DP Authority is competent to receive data breach notices according to the DP Law.

National Intelligence Agency

The National Intelligence Agency is entitled to collect, record, and analyse information, documents, news and data by using any technical intelligence and human intelligence method, tool, and system regarding foreign intelligence, national defence, counterterrorism, international crimes and cybersecurity, and to deliver the produced intelligence to the necessary institutions.

Turkish National Police Department of Cybercrime Prevention

Established in 2011, this department provides support in the investigation of crimes committed by using information technology. It gathers forensic data to fight cybercrime effectively and efficiently.

The Ministry of National Defence, the Presidency of Defence Industries, and the Turkish Armed Forces Cyber Defence Command

These entities ensure cybersecurity from a perspective of military and national defence.

Please see 2.4 Data Protection Authorities or Privacy Regulators and 9.2 Public Disclosure for further information.

The Ministry of Interior Disaster and Emergency Management Presidency

The Ministry of Interior Disaster and Emergency Management Presidency is responsible for the co-ordination and the management of the crisis to protect the critical infrastructure in the event of a disaster.


Apart from the above, sector-specific administrative institutions such as the Banking Regulation and Supervision Agency (BRSA), the Capital Markets Board (CMB), the Turkish Republic Central Bank (TRCB), the Energy Market Regulatory Authority (EMRA) and the Turkish Atomic Energy Agency are entitled to regulate cybersecurity-related issues in their respective sectors.

Information and Communication Technologies Authority

ICTA has broad powers to administer and enforce the rules on cybersecurity. ICTA has been given the unique authority to take measures, or to compel public institutions, organisations and natural and legal persons to take all precautions, against cyber-attacks and to establish deterrence against the same.

For this purpose, ICTA is entitled to request any information, documents, data, and records from relevant organisations, as well as requesting access to archives, databases, and the communication infrastructure thereof. Natural persons or private organisations cannot avoid fulfilling the requests of ICTA on grounds of being subject to certain legal instruments.

ICTA has a special regulation dealing with administrative fines – ie, the By-Law on Information Technologies and Communications Administrative Sanctions, which lays down special procedures for issuing administrative fines.

The administrative fines related to breaches of network and information security are as follows:

  • an administrative fine of up to 1% of the operator’s net sales in the previous calendar year may be imposed if the operator does not comply with the legislation on e-communication security, including network security;
  • administrative fines ranging from TRY1,000 to TRY1 million are imposed on natural persons and private legal entities other than operators who fail to fulfil the obligations or to implement the measures that are determined by ICTA within the scope of its duties for the protection against cyber-attacks; and
  • in cases where ICTA detects a violation of law, depending on the nature thereof, it may adopt other concrete measures in addition to these sanctions.

Personal Data Protection Board (“DP Board”)

The DP Board’s investigations may be initiated based on a data subject’s complaint or ex officio if it becomes aware of an alleged violation of the DP Law.

If the DP Board identifies a violation of the DP Law, it can impose administrative fines from TRY29,852 up to TRY5,971,989 depending on the nature of the violation.

Criteria for administrative fines

The criteria which must be sought by ICTA when imposing administrative sanctions are the presence of damage, the existence of unfair economic gain, the presence of recurrence, administrative sanctions imposed on the operator in the last five years regarding the violation of the same article and presence of good will (or lack thereof).

As per the Misdemeanours Law No 5326, when determining the amounts of administrative fines, the DP Board must consider the severity of the breach, the fault of the breaching party and its economic condition.

Appeal to decisions of ICTA and the DP Board

The sanctioned party has a right to appeal against DP Board or ICTA decisions.

All decisions of ICTA, including administrative fines, can be appealed before the administrative courts.

On the other hand, if the DP Board’s decision includes only an administrative fine, the controller may object to this decision before the Magistrate Criminal Court within 15 days from the receipt of the decision. The decisions of the Magistrate Criminal Court can be appealed to another Magistrate Criminal Court in the same district.

Where the decision includes an administrative order, with or without an administrative fine, the controller can object to the decision before the administrative courts, whose decisions may be appealed to the Council of State.

Criminal Sanctions

As stated in 1.1 Laws, the TCrC criminalises a number of actions that involve personal and non-personal data processing.

The investigation may commence without any complaint – ie, ex officio by public prosecutors. Only courts may render the final judgment. Under certain circumstances, the judgment of the first-tier court may be appealed to the second-tier court, the Regional Criminal Court. As a final step, the Regional Criminal Court’s judgment may be appealed before the Court of Appeals if the sentence meets specific criteria.

The Budapest Convention on Cybercrime of the Council of Europe (“CETS 185”)

Türkiye signed the Budapest Convention (with a few reservations) on 10 November 2010. The Convention was ratified on 29 September 2014 and came into force on 1 January 2015.

After accepting and ratifying the Convention, Türkiye amended related legislative instruments in line with the Convention, such as the TCrC. For instance, crimes against the confidentiality, integrity and accessibility of computer data or systems, which are regulated in the first title of the Convention, were reflected in the TCrC.

European Convention on Mutual Assistance in Criminal Matters

Türkiye is a party to the European Convention on Mutual Assistance in Criminal Matters. Furthermore, Türkiye has particular legislation – the Law on International Judicial Cooperation in Criminal Matters No 6706, dated 23 April 2016.

Convention No 108

Türkiye was one of the first countries to become a member of the Council of Europe and to sign Convention No 108. Although Türkiye signed the Convention on 28 January 1981, it did not ratify the Convention until 17 March 2016, shortly before Türkiye’s adoption of the DP Law. However, Türkiye has not yet signed the Modernised Convention (also known as 108+).


Türkiye has signed many co-operation agreements and memorandums with foreign countries – eg, Azerbaijan, Belarus, China, Georgia, and Greece – to provide mutual assistance in the cybersecurity realm.

NIS Directive’s Relevance for Türkiye

Türkiye, as a candidate country for EU membership, is closely monitoring legal developments in the EU acquis. Türkiye plans to adopt the provisions of the NIS Directive into Turkish law, as stated under Section 474.2 of the 11th Development Plan (2019-2023) dated July 2019. However, there is no public information on whether these documents have been amended after the entry into force of the “NIS2 Directive” in the EU in January 2023.

Data Protection

The DP Authority works collaboratively with public and private organisations to share information on privacy issues and encourage privacy compliance.



ICTA closely monitors cybersecurity incidents through publicly available and private forums and mediums. ICTA also audits and warns companies concerning specific cybersecurity threats and technical vulnerabilities.


TR-CERT and CERTs are vital structures for eliminating cyber incidents, prioritising or reducing possible damage, and performing cyber incident management at the national level. The co-ordination and co-operation between TR-CERT and institutional CERTs and/or sectoral CERTs contribute greatly to Türkiye’s national cybersecurity.


As mentioned in 1.1 Laws, Türkiye’s legal framework regarding cybersecurity is quite fragmented.

Sector-specific regulations such as the By-Law on Information Systems Management of the Capital Markets Board of Türkiye, the By-Law on Information Security in Industrial Control Systems Used in Energy Sector, the By-Law on Management System in Nuclear, Radiation, and Radioactive Waste Facilities, and the By-Law on Internet Domain Names mostly follow international information security standards. They require a risk-based approach and mandate notification of cyber incidents. However, the lack of a general law covering all sectors is a shortcoming of Turkish law.

The details of cybersecurity are mainly regulated by administrative and regulatory actions and guidelines issued by administrative bodies. This feature of the system gives Türkiye the advantage of being able to act quickly against cybersecurity threats. It could be argued, however, that giving such broad authority to administrative bodies is disputable from a rule-of-law perspective.

Data Protection

Türkiye follows the EU’s omnibus model for data protection. As the DP Law was enacted only seven years ago, Türkiye’s data protection practice can be considered as a developing practice. However, Türkiye has made significant progress so far. The DP Authority’s decisions imposing a relatively high administrative fine are almost always based on the controllers’ failure to ensure an adequate level of data security while processing personal data.


In 2021, ICTA published a guideline on information security measures to be adopted by e-commerce web operators. ICTA has not made this guideline publicly available; rather, it was sent directly to Turkish e-commerce operators. The guideline covers application security, system security, network security, audit and log control procedures, test procedures and digital forensics procedures.


On 4 January 2023, the Information and Communication Security Compliance and Audit Monitoring System was launched as the centralised monitoring mechanism for compliance with the Information and Communication Security Guideline (“ICS Guideline”). The organisations within the scope of this Guideline must complete their respective audits and upload the results to the system by 31 March 2023.

Personal Data Protection

Publication of the Guideline on Good Practices for Personal Data Protection in the Banking Sector (“Guideline on Banking Sector”)

The Guideline on Banking Sector introduces additional security measures to those existing under the By-Law on the Information Systems of Banks and Electronic Banking Services.

It also provides good practice examples for the following purposes/operations:

  • preventing fraud;
  • customer segmentation practices;
  • personalisation of services;
  • carrying out marketing strategies;
  • ensuring customer satisfaction; and
  • processing of special categories of personal data (including biometric data) in connection with banking operations.

Requirement to take measures to ensure user log-in (eg, website) security

The DP Authority issued a public announcement on 15 February 2022 on the technical and organisational measures that controllers are advised to take regarding user security.

It is stated that the technical and organisational measures that are taken by controllers and processors within the scope of data security would minimise the possible data breaches and the risks they would pose to data subjects.

The public announcement has laid out a number of technical and organisational measures such as:

  • two-factor authentication;
  • safe and up-to-date hashing algorithms;
  • establishing a password policy;
  • reminding data subjects to change their passwords periodically and not to use the same password on different platforms;
  • limiting the number of unsuccessful account access attempts from the same IP address; and
  • conducting periodic security updates and necessary checks on the software or services that are used for accessing controllers’ systems if such software or services are used.

It is also emphasised that controllers must conduct a risk assessment and take the technical and organisational measures that are suitable for them.
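As an added illustration, not part of the original guide or of the DP Authority’s announcement, the following Python sketch implements several of the listed measures in one login path: scrypt password hashing with constant-time verification, a minimum password policy, a TOTP second factor, and lockout of a source IP after repeated failures. The thresholds, the user store and the TOTP secret are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed parameters for this example; in practice they follow the controller's risk assessment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # scrypt cost parameters
MAX_FAILED_PER_IP = 5       # failed attempts allowed per source IP within the window
LOCKOUT_WINDOW = 900        # seconds a failed attempt keeps counting against an IP
MIN_PASSWORD_LENGTH = 12


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash a password with scrypt (memory-hard); returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare it in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, digest)


def password_meets_policy(password: str) -> bool:
    """Minimum length plus a small constructed blocklist of common passwords."""
    blocklist = {"password", "123456789012", "qwertyuiop12"}
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in blocklist


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used as the second factor in attempt_login."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class LoginGuard:
    """Counts failed attempts per source IP and locks the IP once the threshold is reached."""

    def __init__(self, now=time.time):
        self._now = now                     # injectable clock so the behaviour is testable
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures

    def _recent(self, ip: str) -> list:
        cutoff = self._now() - LOCKOUT_WINDOW
        self._failures[ip] = [t for t in self._failures[ip] if t > cutoff]
        return self._failures[ip]

    def is_locked(self, ip: str) -> bool:
        return len(self._recent(ip)) >= MAX_FAILED_PER_IP

    def record_failure(self, ip: str) -> None:
        self._failures[ip].append(self._now())

    def clear(self, ip: str) -> None:
        self._failures.pop(ip, None)


# Dummy credential checked for unknown usernames so response time does not reveal valid accounts.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy-credential-for-timing")


def attempt_login(users: Dict[str, dict], guard: LoginGuard, ip: str,
                  username: str, password: str, otp_code: str, unix_time: int) -> str:
    """users is a constructed store: {username: {"salt", "digest", "totp_secret"}}.

    Returns "locked", "denied" or "ok". Failures are counted before the second factor is
    reached, so a wrong password and a wrong OTP both count against the source IP.
    """
    if guard.is_locked(ip):
        return "locked"
    record = users.get(username)
    salt, digest = (record["salt"], record["digest"]) if record else (_DUMMY_SALT, _DUMMY_DIGEST)
    password_ok = verify_password(password, salt, digest)   # always runs, even for unknown users
    if record is None or not password_ok:
        guard.record_failure(ip)
        return "denied"
    if not hmac.compare_digest(totp(record["totp_secret"], unix_time), otp_code):
        guard.record_failure(ip)
        return "denied"
    guard.clear(ip)
    return "ok"
```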

Please also see 8.1 Regulatory Enforcement or Litigation.


Türkiye, as a candidate country for EU membership, is closely monitoring legal developments in the EU acquis. Türkiye plans to adopt the provisions of the NIS Directive into Turkish law, as stated under Section 474.2 of the 11th Development Plan.

In the medium term, Türkiye is expected to have a standalone network and information security legislation.

Data Protection

According to the Economic Reform Action Plan by the Ministry of Treasury and Finance of the Republic of Türkiye, which was announced on 12 March 2021, the DP Law is under review to have its provision on data transfer abroad (Article 9) amended in line with GDPR.

However, the scope of the revisions may be broader as per the 11th Development and Human Rights Action Plan dated April 2021.

Although the targeted date for the entry into force of this amendment was 31 March 2022, no development has been announced as of March 2023, and preparatory works are still ongoing.

Some important sector-specific pieces of legislation are as follows.

Electronic Communication Sector

By-Law on Network and Information Security in Electronic Communication Sector (“By-Law NIS in E-Communication Sector”)

The purpose of this By-Law is to regulate the procedures and principles to be followed by the operators to ensure network and information security.

E-communication service providers must take measures for network and information security set forth in this By-Law, such as establishing an information security management system and a reporting and feedback mechanism to ensure that information security breach incidents and security vulnerabilities are reported without any delay.

Energy Sector

By-Law on Information Security in Industrial Control Systems Used in Energy Sector

The purpose of this By-Law is to regulate the procedures and principles for monitoring the informatics processes of industrial control systems used in critical energy infrastructures and ensuring system continuity and cybersecurity.

Critical energy infrastructure is defined as the whole of the energy network, assets, systems, and structures where the sustainability of the social order and/or the delivery of public services will be adversely affected when it cannot perform its functions partially or entirely.

By-Law on Management System in Nuclear, Radiation, and Radioactive Waste Facilities

The purpose of this By-Law, which entered into force in April 2022, is to establish a management system that prioritises the security of the organisation and its facilities. The security policy (which includes personnel training, adopting security measures, organisational and systematic structure) is determined and monitored by the top management. The management systems in these organisations are subject to internal and external audits.

Banking and Finance Sector

By-Law on Information Systems of Banks and Electronic Banking Services (“ISBEBS By-Law”)

The purpose of this By-Law is to regulate the minimum procedures and principles to be taken as a basis in the management of the information systems used by banks in the performance of their activities, the provision of electronic banking services and the management of the risks related thereto, and the necessary information systems controls that must be established.

Communiqué on Management and Auditing of Information Systems of Financial Lease, Factoring and Finance Companies

The purpose of this Communiqué is to regulate the procedures and principles regarding the management of information systems used by financial leasing, factoring, and financing companies in the performance of their activities within the scope of the Financial Lease, Factoring and Finance Companies Law and independent auditing thereof.

Communiqué on Data Sharing Services in Payment Services Area of Payment and Electronic Money Institutions’ Information Systems and Payment Service Providers (“Communiqué on Data Sharing in Payment Services”)

The purpose of this Communiqué is to regulate the procedures and principles regarding the management and auditing of the information systems used by payment and electronic money institutions and the data sharing services of the payment service providers. The Communiqué includes detailed provisions on data security measures to be adopted by payment and electronic money institutions and on security vulnerabilities and breaches.

It obliges institutions to ensure the security of information systems and hold the board of directors (BoD) accountable for the management thereof. Additional measures are required for information systems containing sensitive customer data. The Communiqué requires the organisations to notify the customers and the DP Authority when such sensitive customer information is leaked.


By-Law on Procedures and Principles Regarding Carrying out e-State Services

According to this By-Law, while carrying out e-governance services, each public institution and organisation must adopt cybersecurity measures for their own information systems, keep access records and ensure the accuracy, integrity, and confidentiality of this information.

By-Law on Internet Domain Names

The domain registrars providing services for the Turkish top-level domain-name system are subject to this By-Law, which was published by ICTA. Under it, the registrars are required to ensure the cybersecurity of their operations and to notify ICTA of any security breach.

Please see 1.2 Regulators and 2.4 Data Protection Authorities or Privacy Regulators.

Currently, there is no over-arching cybersecurity agency for Türkiye. ICTA, as explained previously, has general cybersecurity powers besides its role as the regulatory body of the telecommunications sector.

The DTO also has a wide range of tasks in relation to the digital transformation, which includes cybersecurity-related matters.

The primary supervisory and regulatory authority in Türkiye is the DP Authority.

The decision-making body of the DP Authority is the DP Board. The main duties and powers of the DP Board are as follows:

  • conducting investigations upon the complaints of the data subjects or ex officio if it becomes aware of the alleged violation, and taking temporary measures, where necessary;
  • concluding the complaints of those who claim that their rights concerning personal data protection have been violated;
  • maintaining the Data Controllers’ Registry (VERBIS);
  • imposing administrative sanctions that are provided in the DP Law;
  • determining and announcing the countries with adequate levels of protection of personal data for the purpose of international data transfers; and
  • approving the written undertaking of controllers in Türkiye and the relevant foreign country that undertakes to provide adequate protection, when adequate protection is not provided, for the purpose of international data transfers.

The BRSA, CMB and TRCB are entitled to regulate the cybersecurity-related issues in their respective sectors.

Please see 1.2 Regulators, 4.3 Critical Infrastructure, Networks, Systems and 5.8 Reporting Triggers for security and reporting requirements under certain financial and other sectoral legislation.

Please see 1.2 Regulators.

ISO/IEC 27001 is an international standard for the management of information security. It has been translated into Turkish by the Turkish Standards Institute (TSI), and the TS EN ISO/IEC 27001 standard has been drafted under the name of “Information Technology – Security Techniques – Information Security Management Systems – Requirements”.

ISO/IEC 27001 is a frequently used international standard in Türkiye which indicates an institution’s qualifications with regard to establishing and maintaining cybersecurity measures.

Obtaining an ISO/IEC 27001 certificate is a de jure standard in several sectors, especially the e-communication sector, the energy sector and e-invoice service providers. Beyond those sectors, many organisations have chosen to comply voluntarily with the ISO 27001 standard as a good practice to improve cybersecurity.

Another standard that draws attention to information security in Türkiye, especially in the banking sector, is Control Objectives for Information and Related Technologies (COBIT). All banks are required to meet COBIT standards under the BRSA’s communiqués and by-laws, which have been published since 2006 and have made COBIT-based auditing mandatory for all banks.

COBIT process management is used not only in banks but also in the finance and production sectors.

In the banking sector, the Payment Card Industry Data Security Standard (PCI DSS) is another set of requirements created to ensure the security of credit card transactions.

The Center for Internet Security Critical Security Controls (CIS CSC) is another global standard focused on reducing cybersecurity risk and protecting organisations against cyberattacks; it is increasingly implemented among public institutions and large-scale private sector companies in Türkiye.

According to the CMB’s Communiqué on Independent Audit of Information Systems, auditors who audit public companies must hold a CISA certificate.

ICTA’s National Occupational Standards for Cybersecurity Personnel, published in the Official Gazette in 2020, defines the scope of the job and minimum requirements for the working conditions thereof.

Also, the DP Authority has published guidelines on personal data security, which provide helpful advice on security compliance with the DP Law.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements and Specific Required Security Practices.

On 27 October 2021, the DTO published the Information and Communication Security Audit Guideline, which sets forth the steps to be taken to comply with the Information and Communication Security Guideline (“ICS Guideline”, published on 27 July 2020), which mainly adopts ISO 27001-like certification criteria.

The ICS Guideline elaborates on cybersecurity measures that must be taken by public organisations, as well as companies that provide critical infrastructure services.

The issues regulated by the Guideline are as follows:

  • security measures for the groups of assets (network and system security, application and data security, portable devices and platform security, security of IoT devices, personnel security, security of physical environments);
  • security measures towards areas of application and technology (personal data security, instant messaging security, cloud computing security, security of crypto applications, security of critical infrastructures, new development and supply); and
  • hardening measures concerning operating systems, databases and servers.

The TSI standards and documents on subjects directly related to cybersecurity are as follows:

  • Data Centre Information Security Standard;
  • Criterion of Public Secure Data Sharing;
  • Electronic Document and Document Management System Protection Profile;
  • Protection Profile of Common Criteria for Web Service Security;
  • Authorisation Program for Personnel and Firms Providing Penetration Testing Services;
  • E-Commerce Application Protection Profile;
  • SIEM – Security Information and Event Management Systems Protection Profile;
  • Web Applications Protection Profile;
  • Health Information System Software Protection Profile;
  • Secure IC Platform;
  • Common Criteria Protection Profile for Smart Meter of Turkish Electricity Advanced Metering Infrastructure;
  • General Requirements for Hospital Information Management Systems; and
  • Geographic Information Systems Protection Profile.

Related drafts are as follows:

  • Cloud Computing Security and Standard;
  • Administrative and Technical Authorisation Program for SSL Certificate Service Providers (SSHS);
  • Penetration Testing Technical Criteria Program;
  • Embedded Operation System Protection Profile; 
  • E-Passport Protection Profile; and
  • Liveness Detection for Biometric Systems with Touch Sensor Protection Profile.

Data Protection

The DP Authority issued the Guideline on Personal Data Protection (Technical and Organisational Measures) (“Measures Guideline”) in 2018.

The technical measures laid out in the Measures Guideline are as follows:

  • authorisation matrix;
  • authorisation control;
  • access logs;
  • user account management;
  • network security;
  • application security;
  • encryption;
  • penetration test;
  • attack detection and prevention systems;
  • log records;
  • data masking;
  • data loss prevention software;
  • back-up;
  • firewalls;
  • up-to-date antivirus systems;
  • deleting, destroying or anonymising; and
  • key management.

Organisational measures laid out in the Measures Guideline are as follows:

  • preparing a personal data processing inventory;
  • establishing institutional policies (access, information security, usage, retention and destruction, etc);
  • data processing and confidentiality agreements (between controllers and between controllers and processors);
  • privacy undertakings by employees;
  • periodic and/or random inspections within the institution;
  • risk analyses;
  • adding legislation-compliant provisions to employment contracts and disciplinary regulations;
  • institutional communication (crisis management, informing the DP Board and data subjects, reputation management, etc);
  • training and awareness raising activities regarding information security and legislation; and
  • registering with VERBIS.

If personal data is kept in the cloud, the following measures are recommended:

  • encryption of data with cryptographic methods;
  • encrypted transfer of data to cloud environments;
  • where possible, using encryption keys specifically for each cloud solution service; and
  • deleting/destroying all copies of encryption keys when the cloud computing service expires or is terminated.

Moreover, the DP Board has introduced stricter requirements for the processing of special categories of data.

Please see 1.4 Multilateral and Subnational Issues.

According to Article 12(1) of the DP Law, controllers are obliged to take all the necessary technical and organisational measures to provide an appropriate level of security for the purposes of:

  • preventing unlawful processing of personal data;
  • preventing unlawful access to personal data; and
  • ensuring the protection of personal data.

Controllers are jointly responsible with processors for implementing these measures.

Controllers must carry out the necessary internal audits to ensure the implementation of the provisions of the DP Law.

Controllers and processors must be bound by a confidentiality agreement of unlimited duration.

For more information about the personal data security measures that the DP Board considers adequate, please see 3.3 Legal Requirements and Specific Required Security Practices; for data breach notification requirements, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

There are no specific security requirements on material business data or material non-public information.

According to the TCrC, those who give or disclose to unauthorised persons information or documents constituting a commercial secret, banking secret or customer secret, obtained by virtue of their title, duty, occupation or profession, are subject, upon complaint, to imprisonment of one to three years and a judicial fine of up to 5,000 days. Judicial fines are calculated and imposed on a daily basis, with the amount varying from TRY20 up to TRY100 per day. The judge decides on the specific amount to be paid for each day depending on the economic and personal circumstances of the defendant.

According to Article 82(7) of the Turkish Commercial Code (TCC), merchants may apply to the court for a document to be issued if the books and documents that the merchant must keep are lost due to a disaster such as fire, flood, earthquake or theft.

According to Article 7(1) of the Electronic Book General Communiqué, if a force majeure event in the context of the Turkish Tax Procedure Law occurs which affects e-books, e-bookkeepers are obliged to apply to the Turkish Revenue Administration within 15 days from the date of the event and request a certificate of loss. A cyber-attack may be considered a force majeure event within the meaning of this Communiqué.

Critical infrastructure sectors include the following sectors:

  • e-communication;
  • energy;
  • water management;
  • critical public services;
  • transportation; and
  • banking and finance.

Some important security requirements for these sectors are as follows.

Electronic Communication Sector

According to Article 37 of the By-Law NIS in E-Communication Sector, the report on NIS must be prepared by the operator every year by the end of March and kept for five years, to be sent to ICTA upon request and/or submitted during inspections made by ICTA. The report includes certain information, such as:

  • risk assessment and processing methods and details of transactions made according to these methods;
  • business continuity plans; and
  • information on information security breach incidents that have occurred.

Energy Sector

According to the By-Law on Information Security in Industrial Control Systems Used in Energy Sector, obligated organisations must fill out certain forms – namely, the Industrial Control System (ICS) Recognition Form and the ICS Inventory Form – and submit them to EMRA.

The ICS Recognition Form covers the processes operated by the obligated organisation regarding the ICS, its work on information security and its resource information. The ICS Inventory Form is not a standard form; it is formulated individually by EMRA for each obligated organisation.

Banking and Finance Sector

Banks and other financial institutions under the authority of BRSA must take the measures set forth in the ISBEBS By-Law.

Moreover, personal data specific to banking relationships is also considered a customer secret under the Banking Law. This information cannot be disclosed or transferred to third parties, whether in Türkiye or abroad, without a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party has been obtained as per the DP Law.

The following entities must keep their primary and secondary information systems in Türkiye:

  • banks;
  • payment institutions and electronic money institutions;
  • insurance and private pension companies (except for services such as email, teleconference or videoconference);
  • certain public companies, as well as certain capital markets institutions; and
  • financial lease, factoring and finance companies.

In addition to these, the Minimum Security Measures Document for Critical Information System Infrastructures, prepared by the Scientific and Technological Research Council of Türkiye, defines and categorises critical infrastructure in Türkiye and determines the minimum security measures required for critical infrastructure systems, including for the institutions and organisations operating them.

DDoS is defined under Article 3(1)(g) of the By-Law NIS in E-Communication Sector.

This By-Law requires operators to establish mechanisms such as signal processing control, user authentication control and access control on their IP addresses, communication ports and application protocols to protect their servers, routers and other network elements against cyber-attacks such as DoS/DDoS attacks.

The sectors with information security rules and the relevant legislation are as explained in 1.1 Laws, 1.2 Regulators and 4.3 Critical Infrastructure, Networks, Systems. Although there are special provisions in the above-mentioned legislation, there is no general security requirement for the internet of things, software development, or other data or systems.

In Türkiye, there are no specific legislative rules on reporting ransomware attacks, making ransom payments or co-operating with law enforcement authorities, so the general data protection and cybersecurity regulations and the TCrC apply.

Please see 1.1 Laws, 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

Cybersecurity Event

A “cybersecurity event” is defined in the Communiqué on CERTs as “breach or attempted breach of confidentiality, integrity or accessibility of industrial control or information systems or data processed by these systems”.

If an organisation is required to establish a CERT, then, as a rule, its CERT must report any cybersecurity event to TR-CERT and, if applicable, to the relevant sectoral CERT.

On the other hand, if an organisation is not required to establish a CERT, then it does not have the requirement to report a cybersecurity event to TR-CERT, although it may do so voluntarily.

Personal Data Breach

Unlike the GDPR, the DP Law does not include a definition of a personal data breach. On the other hand, according to the DP Board’s resolution on data breach, controllers must report to the DP Board within 72 hours and notify the relevant data subjects within the shortest time possible in the event that personal data is unlawfully acquired by third parties.

Also, unlike the GDPR, there are no criteria distinguishing reportable from non-reportable personal data breaches. As a rule, any personal data breach must be reported to the DP Board and communicated to the affected data subjects.

Reporting a cybersecurity event covers any data processed by ICSs and information systems.

Reporting a personal data breach to the DP Board covers only personal data affected by such breach.

Reporting a cybersecurity event covers ICSs and information systems.

Reporting a personal data breach covers any information system that processes personal data affected.

The Turkish Medical Devices Regulation (TMDR) sets out cybersecurity requirements for medical devices.

Pursuant to Appendix 1 of the TMDR, an IT audit, together with operating safety and information security, is indicated as a mandatory security requirement to be met by medical device manufacturers.

The minimum security requirements applying to ICSs (and SCADA systems) are as follows.

  • Protecting the systems from unauthorised access:
    1. management of physical access to the centre where the system is located;
    2. restricting access to the systems by computer networks; and
    3. restricting portable storage platforms.
  • Management of authorised personnel’s access to the systems:
    1. procedure for assigning the system manager and operator;
    2. management of authorised personnel’s user IDs and procedure of safe log-in;
    3. records management and separation of duties; and
    4. operating procedures, roles, and responsibilities.
  • Management of system’s procurement, development, and maintenance:
    1. management of application software’s safety;
    2. management of technical deficits; and
    3. maintenance contract.
  • Work continuity precautions:
    1. back-up system centre, procedures, and tests.
  • Employment of information systems security manager and personnel:
    1. security manager;
    2. personnel continuity; and
    3. personnel training and education.
  • Documentation:
    1. policy document; and
    2. management of records.
  • Response to cybersecurity events.

The DTO’s Information and Communication Security Guide recommends certain security measures for IoT regarding network services and communication, internal data storage, authentication and authorisation, API and connection security, and other measures.

As for the security of the personal data processed in IoT devices, please see 3.3 Legal Requirements and Specific Required Security Practices.

There is no regulation that uniformly governs the secure software lifecycle, patching or responsible disclosure of vulnerabilities, so the general data protection and cybersecurity regulations apply.

However, there are certain international standards and best practices that are followed by organisations in Türkiye.

  • ISO/IEC 27034 – This standard provides guidelines for application security, covering the entire software development lifecycle, from requirements definition to deployment.
  • Open Web Application Security Project (OWASP) – OWASP is a global non-profit organisation that provides resources and guidance for developing secure web applications.
  • Building Security in Maturity Model (BSIMM) – BSIMM is a set of best practices for software security that helps organisations understand how to build and maintain a software security programme.
  • National Institute of Standards and Technology (NIST) – NIST provides a framework for improving cybersecurity and managing cybersecurity risk.

Sector-specific requirements, if any, must also be considered.

Cybersecurity Event

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

Personal Data Breach

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

Electronic Communication

In the telecommunications sector, according to the By-Law NIS in E-Communication Sector, the operator must notify ICTA regarding network and information security breaches that affect more than 5% of its subscribers and the circumstances that interrupt the continuity of the business. The notification must include, as a minimum, the time, nature, impact, and duration of the breach, as well as the measures taken.

Banking and Finance

In the banking sector, pursuant to Article 18 of ISBEBS By-Law, banks must report the cyber events to the BRSA.

Public Companies

If a public company is affected by a cyber-attack, such an attack must be disclosed to the public as per the Communiqué on Material Events Disclosure.

There is no “risk of harm” threshold for reporting cybersecurity events or data breaches.

While there are no provisions that explicitly restrict network and website access monitoring, there are Turkish Constitutional Court decisions and DP Board resolutions that set forth principles for employers to access and/or monitor their employees’ work computers, work mobile phones and other electronic devices. For such access/monitoring to be performed:

  • employers must inform their employees beforehand;
  • employers must have a legitimate purpose for accessing/monitoring the devices; and
  • accessing and/or monitoring must be proportionate to the legitimate purpose.

These principles can be applied as precedent to similar activities, such as network monitoring and other defensive cybersecurity measures.

Moreover, as per the Internet Law, hosting service providers and internet service providers are required to retain traffic data for one year (although there is ambiguity for the retention period for hosting service providers in the relevant by-law, the minimum period for retaining this data is one year, as per the Internet Law).

Access providers must retain the access logs that they are required to keep for two years.

These entities are required to disclose this data to public prosecutors or other competent administrative authorities when requested.

Restrictions on Accessing and Sharing Insurance Data

The Insurance and Private Pension Regulatory and Supervisory Authority (“Insurance Authority”) issued the By-Law on Insurance Data in 2022. The measures it sets out for the insurance data it covers are as follows.

  • Data sharing with institutions, organisations and data centres other than member institutions is carried out through protocols signed by the Insurance Information and Surveillance Centre (“the Centre”) and upon approval of the Insurance Authority.
  • The Centre determines the authorised users with access to the data in the general database, and the content of the data they can access, upon approval of the Insurance Authority.

For data protection-related measures, please see 3.3 Legal Requirements and Specific Required Security Practices.

Cybersecurity and data protection are fundamentally linked and compatible disciplines since both work towards the same goals and implement similar regulations and techniques.

However, there is always the risk of extreme cybersecurity precautions leaning towards excessive monitoring. Further down the line, this might cause damage to the data protection rights of the data subjects whose data is being processed within the scope of cybersecurity activities.

Thus, related actors and institutions should aim to establish and maintain a balance between these two disciplines.

VERBIS is an open-to-public registry that helps demonstrate the data processing activities of controllers that have an obligation to register with this system.

The information that must be disclosed to this system includes the technical and organisational measures that are taken by the controller with respect to data protection.

Please also see 5.8 Reporting Triggers.

The TR-CERT, operated by ICTA, requires the covered bodies, particularly operators under the critical sectors, to notify cyber incidents directly. TR-CERT also publishes a list of known vulnerabilities through its official website.

Controllers and processors are free to share information with other people and organisations, as long as it is necessary for the execution of their legal obligations, or the information is shared in order to carry out their business activities.

However, when sharing information, controllers and processors must bear in mind their obligations arising from relevant data protection and cybersecurity legislation as well as legal contracts, especially non-disclosure agreements (NDAs), if any.

ICTA has an active contact point for accepting notification and denunciation from third parties. The authority welcomes voluntary information sharing.

ICTA does not publish cybersecurity fines through public mediums. It prefers to keep such information confidential.

Likewise, DP Authority decisions are not public unless the DP Authority publishes them or a summary thereof. Below are some recent decisions that the DP Authority published on its website relating to a lack of technical measures.

Decision on a Hospital

The personal data of 789 patients was taken from a hospital archive by some hospital employees. These employees were found to be following the instructions of a doctor who had been working at the same hospital and treating the patients in question. The DP Authority considered the fact that the breach was detected after 17 days as an indication that the hospital was lacking data security policies and procedures and imposed an administrative fine in the amount of TRY450,000.

Decision on an E-commerce Company

A seller operating in an e-marketplace had access to the personal data submitted/processed by another seller via the e-marketplace’s seller panel due to the e-marketplace operator’s failure to take appropriate technical measures.

Although the e-marketplace operator and seller that had access to personal data signed a confidentiality agreement with retrospective effect, the DP Board decided that such confidentiality agreement with retrospective effect would not be enough to cure the data breach, because the seller was not authorised to access such personal data at the time of access. Hence, the DP Board imposed an administrative fine of TRY600,000 on the e-marketplace operator.

Please see 8.1 Regulatory Enforcement or Litigation.

Applicable legal standards are explained through the text where applicable.

There is no major publicly-known private litigation about cybersecurity.

Class actions are not applicable in Turkish Law.

Responsibilities of Board of Directors

The TCC addresses the responsibilities of the BoD, which must act in the best interest of the company and its shareholders under a broad duty of care. These broad responsibilities are deemed to include overseeing and approving cybersecurity policies and strategies to protect the company’s information assets and systems from cyber threats.

The BoD is the competent and responsible body for adopting adequate technical and organisational measures under the DP Law in connection with the company’s personal data processing activities.

In the payment services sector, the Communiqué on Data Sharing in Payment Services obliges organisations to ensure the security of information systems and hold the BoD accountable for the management thereof. The BoD must conduct an annual risk assessment on information systems and submit the report on the results of this assessment to the TRCB by the end of January each year.

Appointment of a Chief Information Security Officer (CISO)

There are no specific provisions requiring the appointment of a CISO. However, in practice, companies occasionally appoint a CISO.

Appointment of a CISO may be regarded as an organisational measure under the DP Law to ensure the security of personal data, as well as falling within the broad responsibilities of the BoD.

Training Requirements and Certifications

There is no overarching legislation providing a cybersecurity training requirement for the BoD or company personnel in the private sector.

However, in the public sector, public institutions (eg, regulatory bodies or sector-specific institutions) have specific regulations on the qualifications of their personnel.

Guidelines for sectoral and institutional CERTs also involve capacity and qualification requirements for their personnel and list the mandatory training for the same.

Risk Assessments

For companies operating in critical infrastructure sectors, there are pieces of sectoral legislation requiring periodic risk analysis to ensure the safety of these infrastructures.

For example, the By-Law on Information Security in Industrial Control Systems Used in Energy Sector sets forth the procedures and principles of the risk analysis to be performed for ensuring the security of the information technology systems therein.

Regular vulnerability assessments and penetration tests are among the technical measures that are recommended by the DP Authority. Please see 3.3 Legal Requirements and Specific Required Security Practices.

Standards for Recovery and Resiliency

There are no required standards for recovery and resilience actions to be taken after a cyber-attack. However, as an international standard, ISO/IEC 27031 has been translated into Turkish by TSI as “Guidelines for information and communication technology readiness for business continuity”.

The By-Law NIS in E-Communication Sector also sets forth an obligation to submit a report to ICTA that includes the operator’s business continuity plan. The DP Authority also recommends regular data back-up.

Please see 3.3 Legal Requirements and Specific Required Security Practices and 4.3 Critical Infrastructure, Networks, Systems.

Carrying out due diligence over a target organisation relies on “legitimate interest” as its legal basis.

On the other hand, when requesting and sharing personal data in the course of a due diligence process, the “proportionality” and “data minimisation” principles must be taken into consideration.

The relevant capital markets regulations impose an obligation on the companies carrying out a public offering to state the risks of the business beforehand. Although there is no specific requirement to state cybersecurity risks, they should be mentioned in the course of a public offering if such risks are known.

VERBIS is an online public registry which shows the personal data processing inventory of controllers who have registered with and submitted information to VERBIS. Thus, the information which is submitted to VERBIS is publicly available, including “technical and organisational measures” adopted.

For more information about notifying the affected persons, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

In Türkiye, cybersecurity insurance has not been made mandatory, but some of the insurance companies based in Türkiye issue cybersecurity insurance policies, and most of them cover the following:

  • administrative fines regarding personal data;
  • data protection damage;
  • cyber-ransom damage;
  • information security and secrecy responsibility;
  • network security responsibility;
  • data breach costs;
  • business interruption insurance; and
  • legal expenses.

NidaKule - Goztepe,
Merdivenköy Mahallesi Bora Sokak No:1
Kat:7 34732 Kadıköy

+90 216 468 88 50

+90 216 468 88 01