
Last updated: 2026-06-20
Disclaimer: This article is for general information only and is not legal advice. Companies should consult legal counsel for final interpretation of KVKK, sector-specific regulations, and contractual obligations.
The first half of 2026 was not just another “compliance update” period in Türkiye.
For cybersecurity and GRC teams, the bigger pattern is clear: expectations are becoming more operational.
Regulators are not only asking whether a company has policies. They are increasingly looking at how systems are used, how users are verified, how employees are monitored, how AI tools process personal data, how incidents are detected, and whether organizations can prove what happened when something goes wrong.
For foreign SaaS companies with Turkish users, Turkish SMEs, retailers, healthcare providers, public-sector suppliers, and organizations preparing for ISO 27001, these updates are worth turning into a practical action plan.
One of the biggest cybersecurity governance developments in H1 2026 was the Cybersecurity Board meeting in May.
The Board identified 15 critical infrastructure sectors, including:
This gives organizations a clearer signal about where cybersecurity governance, resilience expectations, and public-private coordination may become stricter.
Even if your company is not directly in one of these sectors, you may still be affected if you supply software, infrastructure, cloud services, support, data processing, or managed services to companies in these sectors.
Map whether your company is:
That mapping should become part of your vendor risk, incident response, and compliance planning.
H1 2026 also showed the practical build-out of Türkiye’s Cybersecurity Presidency.
The public portal and incident-related channels became more visible, including cyber incident notifications, CVE-related applications, malicious link records, security notifications, and public contact channels.
Special procurement procedures were also introduced for certain Cybersecurity Presidency purchases connected to defense, security, intelligence, digital transformation, and technology development.
This is a sign that Türkiye’s cybersecurity framework is moving from “institutional setup” into operational capability.
For companies, the key issue is not only whether the law exists. The practical questions are:
Update your incident response playbook with a Türkiye-specific notification matrix.
At minimum, define:
In May 2026, Türkiye published a cybersecurity regulation for nuclear facilities.
The regulation covers areas such as cybersecurity planning, digital asset management, risk management, supply chain security, incident response, training, audit, and reporting.
This directly affects a specific high-risk sector, but the broader message is useful for other regulated or critical sectors: cybersecurity expectations are becoming more formal, documented, and auditable.
The structure also mirrors what mature organizations should already be building through ISO 27001, NIST-style controls, or sector-specific risk programs.
Even outside the nuclear sector, organizations should review whether they can answer these basic questions:
KVKK issued a public announcement in January 2026 about the use of foreign-origin communication applications in public institutions and organizations.
The concern was not simply “which app is used.” The issue was whether official, confidential, critical, or personal data was being shared through channels that may not be appropriate for public-sector communication.
This is directly aimed at public institutions, but the lesson is broader.
Many private companies also run operational workflows through informal messaging groups. HR documents, customer data, screenshots, invoices, incident details, and identity documents often move through WhatsApp-style channels without access control, retention rules, auditability, or data processing review.
Create a communication channel policy.
Separate:
This is a simple but often overlooked GRC control.
In June 2026, KVKK published a principle decision on biometric attendance tracking.
The decision is important because biometric data is sensitive personal data. KVKK emphasized issues such as proportionality, necessity, data minimization, employee-employer imbalance, and whether less intrusive alternatives are available.
Biometric systems are often adopted for convenience: fingerprint access, facial recognition, iris systems, or other attendance tools.
But convenience is not the same as necessity.
For employee monitoring, the power imbalance between employer and employee makes explicit consent especially sensitive. A company should be careful before relying on consent as the main justification for biometric attendance.
If you use biometric attendance or access systems, review:
Where possible, consider alternatives such as encrypted access cards, PIN-based systems, RFID/NFC cards, or supervised manual attendance methods.
KVKK also published public announcements in June 2026 about camera systems in workplaces and in apartments/sites.
The core message: camera footage is personal data processing.
That means CCTV must be linked to a lawful purpose, legal basis, proportionality, transparency, data security, and retention discipline.
Many organizations treat cameras as a physical security issue only.
But from a KVKK perspective, CCTV also affects:
For every CCTV system, document:
Avoid cameras in areas where monitoring would be disproportionate or highly intrusive.
In March 2026, KVKK published a principle decision on privacy notices and explicit consent.
The decision addressed a very common compliance mistake: mixing the clarification text with explicit consent language, or making people “approve” a privacy notice as if the notice itself required consent.
A privacy notice and explicit consent do different jobs.
A privacy notice informs the person about processing. Explicit consent is only one possible legal basis for certain processing activities.
When companies merge them into one unclear text, they create legal and operational risk.
Review all customer, employee, vendor, and website forms.
Check whether:
This is especially important for SaaS onboarding forms, marketing forms, cookie banners, HR forms, and e-commerce checkout flows.
KVKK published a principle decision in February 2026 about loyalty cards, phone numbers, and verification mechanisms.
The issue was common in retail: using a customer’s phone number or loyalty card number without proper verification, which could allow third parties to access or use another person’s benefits or data.
This is a good example of KVKK moving into day-to-day product and customer experience design.
The compliance issue is not only the text of the privacy notice. It is also the transaction flow.
Retailers, e-commerce companies, marketplaces, and loyalty program operators should review:
For many companies, this belongs jointly to legal, product, CRM, security, and store operations.
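The transaction-flow point can be made concrete in code. The following is an added example, not text from the KVKK decision or code from any retailer: it contrasts a benefits lookup keyed only on a phone number with a flow that first proves possession of that number, then releases only the data the transaction needs. The phone numbers, account balances, OTP length, time-to-live and attempt limit are constructed for the illustration; `LoyaltyCounter` and `lookup_insecure` are hypothetical names.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample data: two loyalty accounts keyed by phone number.
ACCOUNTS = {
    "+905550000001": {"name": "A. Yilmaz", "points": 1200},
    "+905550000002": {"name": "B. Kaya", "points": 40},
}

OTP_TTL_SECONDS = 120   # assumed value for the example
MAX_ATTEMPTS = 3        # assumed value for the example


def lookup_insecure(phone: str) -> Optional[dict]:
    """The pattern the decision criticises: whoever knows (or guesses)
    a phone number can read and spend another person's benefits."""
    return ACCOUNTS.get(phone)


@dataclass
class PendingVerification:
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class LoyaltyCounter:
    """Hardened flow: a one-time code sent to the registered number must be
    presented before any benefit data is released or points are spent.
    Codes expire, are single use and lock after repeated wrong guesses."""
    clock: Callable[[], float] = time.time
    sms_outbox: list = field(default_factory=list)   # stand-in for the SMS gateway
    pending: dict = field(default_factory=dict)

    def start_verification(self, phone: str) -> bool:
        # Same answer whether or not the number exists, so the counter does
        # not reveal which phone numbers hold an account.
        if phone in ACCOUNTS:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[phone] = PendingVerification(code, self.clock() + OTP_TTL_SECONDS)
            self.sms_outbox.append((phone, code))   # only the registered number receives it
        return True

    def redeem(self, phone: str, code: str, points: int) -> dict:
        pv = self.pending.get(phone)
        if pv is None:
            return {"ok": False, "reason": "no_pending_verification"}
        if self.clock() > pv.expires_at:
            del self.pending[phone]
            return {"ok": False, "reason": "expired"}
        if not hmac.compare_digest(pv.code, code):   # constant-time comparison
            pv.attempts += 1
            if pv.attempts >= MAX_ATTEMPTS:
                del self.pending[phone]
                return {"ok": False, "reason": "too_many_attempts"}
            return {"ok": False, "reason": "wrong_code"}
        del self.pending[phone]   # single use: a replayed code is rejected
        acct = ACCOUNTS[phone]
        if acct["points"] < points:
            return {"ok": False, "reason": "insufficient_points"}
        acct["points"] -= points
        # Data minimisation: return what the transaction needs, not the profile.
        return {"ok": True, "remaining_points": acct["points"]}


if __name__ == "__main__":
    counter = LoyaltyCounter()
    counter.start_verification("+905550000001")
    _, otp = counter.sms_outbox[-1]
    print(counter.redeem("+905550000001", otp, 100))
```

The design choice worth noting is that the verification step, not the privacy notice, is what stops a third party from using someone else's number at the till; the notice still has to describe the processing, but it cannot substitute for the possession check.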
In March 2026, KVKK published a document on agentic AI.
Agentic AI systems can perform multi-step tasks with a higher degree of autonomy. That creates new privacy and governance questions because these systems may collect, infer, combine, store, or transfer personal data in less predictable ways.
Many companies are already experimenting with AI assistants, support bots, sales automation, HR tools, coding agents, and workflow automation.
The risk is not only the AI model. The risk is the full workflow:
Create an AI governance register.
For each AI tool or agent, document:
AI governance should be connected to KVKK, GDPR, vendor risk, security architecture, and internal acceptable-use policies.
H1 2026 breach notifications in Türkiye showed several recurring patterns:
Examples included incidents involving healthcare systems, online education, retail, hospitality, and cloud/service-provider environments.
The pattern is more important than any single breach.
Many organizations still rely too heavily on basic awareness training or one-time security reviews. But the incidents show the need for stronger operational controls.
Prioritize the controls that reduce real breach impact:
For ISO 27001 readiness, these are not only technical controls. They also affect risk treatment, supplier management, incident management, asset management, access control, and business continuity.
The first half of 2026 points to three practical trends.
The Cybersecurity Board, Cybersecurity Presidency, critical infrastructure sectors, and sector-specific rules show that cyber governance in Türkiye is becoming more formal.
Organizations should expect more emphasis on resilience, reporting, local coordination, and auditability.
KVKK developments in H1 2026 were not limited to legal documents.
They touched:
This means privacy compliance must involve legal, IT, security, product, HR, marketing, procurement, and operations.
Policies are useful, but they are not enough.
Companies need evidence:
In practice, this is where many compliance programs fail.
Several H1 2026 developments show that regulators are looking at how systems actually work, not only whether a document exists.
GDPR templates can be useful, but Turkish KVKK requirements, VERBIS expectations, terminology, and local authority practice need separate review.
For employee monitoring, convenience alone is weak justification. Necessity, proportionality, and alternatives matter.
Messaging apps, screenshots, shared drives, cloud backups, and vendor portals often contain personal data outside formal processes.
After a breach, the organization needs facts quickly: what happened, when, whose data, which systems, which vendors, which safeguards, and what was done.
Kooch Cybersecurity & Compliance helps companies turn regulatory updates into practical controls.
Relevant services include:
The goal is not to create documents that sit in a folder. The goal is to build a compliance system that can survive real operations, audits, client questions, and incidents.
Applicability depends on the company’s activities, sector, role, and future secondary legislation. However, even companies outside critical sectors should monitor the framework if they provide technology, cloud, cybersecurity, managed services, or data processing support to regulated sectors.
They may need to assess KVKK exposure if they process personal data connected to individuals in Türkiye, offer services to Turkish users, run Turkish-language operations, use Turkish marketing, or work with Turkish business customers. The exact assessment should be reviewed with legal counsel.
Not as a simple blanket statement. But KVKK’s 2026 principle decision makes clear that biometric attendance systems carry significant risk, especially in employee contexts. Companies should assess necessity, proportionality, alternatives, legal basis, and safeguards before using them.
CCTV can be used in some workplace contexts, but it must be lawful, proportionate, transparent, purpose-limited, secure, and retained only as needed. Camera locations, field of view, access rights, signage, and privacy notices should be reviewed.
Start with an AI inventory. Identify which tools process personal data, what data is entered, where it is hosted, who can access logs, whether vendors use data for training, and whether human review is required before actions are taken.
This article should be refreshed after 30 June 2026 and again when new secondary regulations, Cybersecurity Presidency guidance, KVKK decisions, or major breach notifications are published.
Not sure which of these updates affects your company? Kooch can help you turn the H1 2026 regulatory and cybersecurity changes into a practical control checklist for your team.
Book a KVKK/GDPR Gap Analysis or ISO 27001 Readiness review with Kooch to identify your highest-risk gaps, prioritize remediation, and prepare evidence before a client question, audit, or incident.