AI Regulation in Türkiye: Bringing International Laws into the Discussion

Written by: Şeymanur Yönt

Strategic Argument and Areas of Debate

While Türkiye actively expands its domestic cybersecurity architecture to combat sophisticated generative artificial intelligence threats, the nation faces a profound strategic dilemma in balancing outdated, human-centric penal codes against a fragmented international law framework that struggles to assign liability for autonomous algorithmic offences. This systemic contradiction creates a critical governance vacuum, forcing regional state actors to enforce strict cyber due diligence on private technology entities without the backing of globally unified multilateral treaties.

Executive Summary

The discussion paper from the TRT World Research Centre analyses the critical legislative vulnerabilities in Türkiye‘s regulatory response to autonomous cybercrimes driven by generative artificial intelligence. Although the country has ratified the Council of Europe’s Budapest Convention on Cybercrime and aligned with United Nations General Assembly resolutions, current domestic mechanisms such as the Turkish Penal Code remain inadequate for determining non-human liability. To navigate the ideological divides between Russia, the United States, and the European Union regarding cyberspace governance, Türkiye is advancing the January 2025 Cybersecurity Law Proposal and establishing a dedicated Cybersecurity Agency. Ultimately, the structural integration of non-binding doctrines from the Tallinn Manual 2.0 is presented as essential for compelling tech sector compliance and neutralising state-sponsored digital threats.

Analytical Framework and Key Drivers

The Budapest Convention Liability Gap: The Budapest Convention on Cybercrime establishes baseline frameworks for member states but fails to capture the autonomous nature of algorithmic offences, necessitating specific domestic legal liabilities.

State Responsibility and Due Diligence: Guided by the Tallinn Manual 2.0 and United Nations General Assembly resolutions, states are obligated to prevent their digital infrastructure from facilitating transnational attacks through stringent domestic enforcement.

Ideological Fragmentation of Multilateral Treaties: Global consensus remains paralysed by competing geopolitical visions, with Russia demanding binding multilateral cyberspace treaties while the United States and the European Union resist potential authoritarian restrictions.

Institutionalisation of Cyber Governance: The January 2025 Cybersecurity Law Proposal introduces systemic regulatory oversight by establishing the Cybersecurity Agency to coordinate policies alongside the National Cybersecurity Council.

Strategic Assessment & Empirical Findings

  • The 2004 implementation of the Turkish Penal Code criminalises unauthorised system access but lacks specific judicial mechanisms to attribute fault for offences committed autonomously by artificial intelligence without direct human involvement.
  • Seventy-six global signatories have adopted the Budapest Convention on Cybercrime, providing procedural tools for transnational investigations that nevertheless fail to address autonomous deepfakes and self-evolving malware.
  • The establishment of the Cybersecurity Agency in 2025 aims to centralise policy coordination and accelerate the training of specialised human resources to overcome systemic vulnerabilities first identified in the 2013-2014 National Cybersecurity Strategy and Action Plan.
  • The ongoing National Cybersecurity Strategy and Action Plan (2024-2028) mandates the expansion of online and laboratory-based defence training to resolve persistent skilled personnel shortages across the technology sector.
  • The introduction of the January 2025 Cybersecurity Law Proposal marks a structural shift toward preventative infrastructure protection through standardisation and certification, though it requires further codification to manage algorithmic transparency.
  • Irreconcilable ideological divisions between major geopolitical powers regarding the application of the United Nations Charter to digital warfare have continuously prevented the creation of universally enforceable artificial intelligence governance standards.

Geopolitical Trajectories & Policy Risks

  • Türkiye faces a severe institutional vulnerability if it cannot successfully integrate private sector technology developers into its national security apparatus due to ambiguous domestic liability laws. The failure to establish clear legal responsibilities for commercial algorithmic operations could severely constrain the Cybersecurity Agency in mitigating automated transnational attacks.
  • The European Union and the United States risk exacerbating global regulatory fragmentation by rejecting the binding multilateral cyber treaties aggressively proposed by Russia and China. This profound ideological deadlock directly undermines the United Nations General Assembly, forcing secondary powers to navigate conflicting jurisdictional mandates without a unified legal framework.
  • The Department of Combating Cybercrime remains highly dependent on indigenous defensive technologies to accurately detect and counter self-learning malware. Without aggressive, sustained investment in specialised artificial intelligence forensic capacity, Türkiye’s critical infrastructure remains perilously exposed to state-sponsored digital warfare.

Critical Policy Questions & Responses

Question 1 How does the jurisdictional ambiguity of the Budapest Convention on Cybercrime constrain Türkiye’s ability to prosecute autonomous algorithmic offences?

Answer: Although the Budapest Convention on Cybercrime provides a robust framework for investigating human-driven intrusions, its technology-neutral design fails to address incidents where artificial intelligence executes attacks without direct external commands. Consequently, Türkiye is forced to adapt the outdated human-centric paradigms of the 2004 Turkish Penal Code, creating a profound liability vacuum that limits the prosecution of non-state actors deploying self-evolving malware.

Question 2 Why does the geopolitical deadlock between the United States and Russia challenge the establishment of global algorithmic security standards?

Answer: Russia actively advocates for a comprehensive, legally binding international treaty to govern digital warfare, while the United States and the European Union reject this approach to prevent authoritarian constraints on digital freedoms. This irreconcilable ideological divide paralyses the United Nations General Assembly, compelling nations to rely on non-binding mechanisms and hindering cross-border enforcement against state-sponsored artificial intelligence threats.

Question 3 What strategic trade-offs does Türkiye face when applying the due diligence doctrines of the Tallinn Manual 2.0 to domestic cyber regulation?

Answer: By incorporating the Tallinn Manual 2.0’s doctrine of due diligence, Türkiye can hold private technology developers strictly accountable for preventing their domestic infrastructure from launching transnational attacks. However, enforcing these rigorous international norms requires the newly established Cybersecurity Agency to impose heavy compliance mandates on the commercial sector, potentially stifling domestic innovation while attempting to secure national sovereignty.

Question 4 How does the January 2025 Cybersecurity Law Proposal attempt to resolve the systemic institutional dependencies hindering national digital defence?

Answer: The January 2025 Cybersecurity Law Proposal accelerates the institutionalisation of digital defence by mandating preventative certification processes and formally establishing the autonomous Cybersecurity Agency. By bridging the critical human resource deficit identified in previous strategies, the legislation seeks to empower the National Cybersecurity Council to proactively neutralise the expanding threat of generative artificial intelligence operations.

Key Actors and Systemic Dynamics

  • United States → Competes with → Russia
  • Cybersecurity Agency → Regulates → Critical infrastructure
  • Generative artificial intelligence → Accelerates → Transnational cybercrimes
  • Türkiye → Depends on → Budapest Convention on Cybercrime
  • Tallinn Manual 2.0 → Shapes → State due diligence obligations
  • United Nations General Assembly → Coordinates with → Member states
  • Turkish Penal Code → Constrains → Algorithmic liability prosecution
  • Department of Combating Cybercrime → Responds to → Self-evolving malware
  • European Union → Challenges → Binding multilateral cyber treaties
  • National Cybersecurity Council → Strengthens → Indigenous defensive technologies

APA

MLA

Chicago

Download the Discussion Paper
👁 Şeymanur Yönt
Şeymanur Yönt
Şeymanur Yönt is a Deputy Researcher at TRT World Research Centre. She holds a Bachelor of Laws degree from Istanbul University and a Master of Laws degree from the London School of Economics and Political Science. She has practiced as a lawyer for two years and worked as a publications and research intern at the American Society of International Law. Her research interests include public international law, international economic law, and development.

Analytical Digest

To counter generative artificial intelligence threats, Türkiye must urgently modernise the 2004 Turkish Penal Code by integrating doctrines from the United Nations General Assembly and the Tallinn Manual 2.0. Consequently, the government advanced the January 2025 Cybersecurity Law Proposal and established the Cybersecurity Agency to enforce state due diligence. This structural transformation is vital for policymakers navigating the deep ideological deadlock between the United States, the European Union, and Russia over multilateral digital governance. While the state remains heavily reliant on the Council of Europe’s Budapest Convention on Cybercrime, the treaty’s technology-neutral constraints completely fail to address self-evolving malware and algorithmic deepfakes. Strategic alignment with global standards is therefore required to impose mandatory risk assessments on the private technology sector. Expanding the operational authority of the National Cybersecurity Council and the Department of Combating Cybercrime remains an essential policy imperative for securing sovereign digital borders against sophisticated transnational hacking operations.

MORE FROM CURRENT CATEGORY

Governing Debt in the Age of Technology

Strategic Argument and Areas of Debate As the structural efficacy of orthodox monetary policy disintegrates under the weight of severe demographic decline and compounding public...

A Deficit of Coherence? Türkiye and the Search for American Strategic Reason

Strategic Argument and Areas of Debate The United States is experiencing a structural rationality crisis where its immense geopolitical power is no longer guided by...

From Promises to Obligations: Reclaiming Climate Justice through the ICJ’s Advisory Opinion

Strategic Argument and Areas of Debate The July 2025 Advisory Opinion of the International Court of Justice exposes a profound structural tension between short-term sovereign...