Skip to content
Close
SEARCH
Contact Us
Contact Us

AI Governance and Compliance

AI Governance

AI Maturity Model

AI Management System

AI Governance Tooling and Technologies

Regulatory Compliance

AI Trust for Goverments

AI Embeded in Products and Software

AI Trust Mark

AI Embedded in Products

Digital Trust

Other Services

Trainings and Workshops

AI Trust Hub

ai_academy_1

AI Academy

Learn More

Regulations

EU AI Act (Europe)

NIST RMF 1.0 (USA)

United Kingdom

United Arab Emirates

Medical Devices Regulation (EU)

Ethics Guidelines for Trustworthy AI

All Regulations


 

Standards

ISO/IEC 42001

ISO/IEC 42005

ISO/IEC TR 24027

ISO/IEC TR 24028

ISO/IEC TR 24029-1

ISO/IEC 22989

EU Harmonized Standards

COBIT Framework

All Standards

Webinars

Our Webinars

Upcoming Webinars


Other Resources

AI Trust Hub

eu_ai_act_1

Webinars

Learn More
ai_trust_hub_1

AI Trust Hub

Learn More

Explore Our Insights

Digital Trust

AI Trust

Data Privacy

AI Maturity

AI Safety and Robustness

EU AI Act

ISO/IEC 42001

Cybersecurity

Nemko Digital News

AI - Artificial Intelligence

AI Trust

EU AI Act

GPAI Code of Practice

Korean AI Trust Mark

Webinar Announcements

About us

About
Nemko Digital Learn about us here

careers-2

Careers
Contribute towards responsible AI

AI Regulation in Turkey

Digital Regulation in Turkey: Laws on AI and Personal Data

Turkish AI regulation explained: Navigate AI laws, KVKK compliance, and governance requirements. Expert guidance for AI systems in Turkey.

​Navigating laws on AI, on personal data, and other governance requirements in Turkey. Turkey is developing a risk‑based AI framework aligned with the EU AI Act, combining data protection law with high‑risk registration, prohibited practices, transparency duties, sector guidance, and sandbox testing.

Turkey is actively shaping its regulatory framework for artificial intelligence (AI), moving toward a risk-based, human-centric approach that takes inspiration from the EU Artificial Intelligence Act (EU AI Act) while balancing innovation, competitiveness and citizen protection. The regulatory landscape today combines data-protection obligations, an AI law proposal, sector-specific guidance, and regulatory sandbox experimentation.

 

Overview of Turkey's AI Policy and Regulation

Turkey is positioning itself as a player in responsible AI governance: leveraging regulatory reform to enable domestic innovation (including local AI model development) while aligning with international standards for cross-border compatibility. The regulatory framework in Turkey is built on several interconnected components.

  • The Personal Data Protection Law, Law No. 6698, applies broadly to the processing of personal data and establishes key principles of consent, purpose limitation, and security for all systems, including those powered by artificial intelligence.
  • The National Artificial Intelligence Strategy 2021–2025 outlines the country's roadmap for AI development, emphasizing workforce capacity, infrastructure, and governance.
  • A draft Artificial Intelligence Law submitted to the legislature in June 2024 aims to introduce formal obligations, registration requirements, and sanctions for high-risk AI systems.
  • Various sectoral regulators have issued guidance in areas such as banking, finance, and digital services to interpret how existing laws should apply to AI-driven technologies.

 

Fig 1.0 Four main pillars defining Turkey's AI regulatory framework, combining data protection, national strategy, emerging legislation, and sectoral oversight.

 

The AI Law Proposal: Outline and Key Features

The draft Artificial Intelligence Law, submitted to the Turkish Parliament in June 2024, represents a major milestone in the country's journey toward comprehensive AI governance. Although the proposal is concise, consisting of only eight articles, it lays the foundation for a structured and enforceable regulatory system. It defines key actors involved in the AI ecosystem such as operators, providers, users, importers, and distributors—though some of these definitions remain broad and may require further clarification. The law introduces clear obligations for risk management, internal audits, and documentation of high-risk AI systems to ensure accountability and traceability. It also requires such high-risk systems to be registered with a designated supervisory authority, enabling oversight and compliance monitoring. In cases of non-compliance or prohibited AI practices, the bill provides for sanctions that can be applied either as fixed penalties or as fines proportional to company turnover. Finally, the draft law aligns closely with Turkey's national AI strategy and mirrors the core principles of the European Union's AI framework, reinforcing consistency and interoperability between domestic and international regulatory standards.

 

Key Features of Turkey's Draft Artificial Intelligence Law:

Risk factors and harms:

The proposal makes clear that any AI system must be built and used in line with key principles such as safety, openness, fairness, accountability, and the protection of privacy. Because of this emphasis, the proposal addresses several AI-related risks, including those linked to safety, transparency, discrimination, and data protection. By stressing that personal data must be safeguarded and that AI systems must not inflict harm or lead to unequal treatment, the proposal also aims to mitigate broader harms—such as threats to civil or human rights, safety risks, and discriminatory outcomes.

 

Governance strategies:

According to the proposal, developers and users of AI systems must carry out risk assessments, with additional requirements for systems classified as high-risk. High-risk AI must be registered with the appropriate supervisory bodies and must pass a conformity assessment. These authorities are also tasked with overseeing compliance and identifying breaches. Together, these measures establish governance tools such as impact and conformity assessments, a tiered risk categorization for AI systems, mandatory registration of high-risk systems, and the creation of enforcement mechanisms to support oversight.

 

Incentives for compliance:

The proposal specifies that operators who use prohibited AI practices, fail to meet their legal obligations, or submit false information may face financial penalties.

 

Notable Key Gaps and Ongoing Policy Discussions

​While Turkey's draft Artificial Intelligence Law marks significant progress toward structured AI governance, several important gaps remain. The proposal does not yet provide clear definitions for different levels of risk, leaving uncertainty around how specific AI systems will be categorized or monitored. And some observers argue the proposal is short and lacks detail compared with the EU AI Act for example, in definitions, actor-scope, or prohibited uses. Likewise, the roles and responsibilities of various actors such as developers, providers, and users are not fully detailed, which could complicate accountability and enforcement once the law takes effect. The absence of a single, dedicated AI regulator also creates a fragmented oversight landscape, with authority divided among multiple existing bodies. In addition, although the bill references prohibited AI practices, it lacks a comprehensive list of specific restrictions comparable to those found in the European Union's AI Act, leaving room for interpretation and inconsistency in application.

As AI technology evolves, several emerging trends are expected to shape Turkey's future regulatory landscape. Generative AI and large language models have introduced new risks, such as deepfakes, synthetic content, and large-scale automated decision-making, requiring updated rules and safeguards. The rise of cross-border AI services and data flows will also demand mechanisms for international cooperation and consistent application of standards beyond national borders. Finally, Turkey's strategy places growing emphasis on interoperability, auditing frameworks, and certification mechanisms such as a proposed "Trustworthy AI Seal" to build confidence and align domestic practices with global standards, though detailed guidance on implementation is still under development.

 

Sectoral and Compliance Considerations

Turkey's AI regulatory landscape is closely tied to existing data protection, intellectual property, and sector-specific rules, ensuring that innovation is balanced with accountability and legal certainty.

 

Data protection and privacy:

Any artificial intelligence system that processes personal data in Turkey must comply with the Personal Data Protection Law, Law No. 6698. This includes registering with the national data controller registry where required, maintaining detailed records of data processing, and implementing strong confidentiality and security safeguards. For large-scale or sensitive data processing, organizations are expected to follow additional best-practice recommendations issued by the regulator. These include transparency obligations, fairness in automated decision-making, and clear communication with data subjects about how their information is used.

 

Intellectual property and AI outputs:

Turkey has not yet adopted specific intellectual property rules for works or inventions created by artificial intelligence systems. Current copyright and industrial property laws continue to recognize only human authors and inventors, leaving uncertainty about ownership, originality, and protection of AI-generated content. This legal gap highlights a growing need for reform as generative AI tools become more prevalent across industries.

 

Sectoral impact:

Certain sectors will face greater regulatory scrutiny under the new AI framework. Industries such as healthcare, finance, education, and transportation are expected to be classified as high-risk areas due to their impact on public welfare and individual rights. For example, diagnostic tools in healthcare, credit scoring in banking, and recruitment algorithms in employment are likely to be subject to stricter compliance requirements. Regulators in banking, capital markets, telecommunications, and public infrastructure are already developing targeted guidelines to ensure that AI applications in these fields operate safely, transparently, and in accordance with national law.

 

Governance Structure and National Strategy

Turkey's model is hybrid, combining both sector-specific regulation and overarching coordination:

  • Central oversight mechanism: The draft law envisions supervisory authorities taking responsibility for monitoring and enforcing compliance of artificial intelligence systems across the country. However, a dedicated national AI regulator has not yet been formally established, leaving oversight distributed among existing institutions.
  • Decentralised implementation: Sector-specific regulators such as those overseeing banking, capital markets, and telecommunications are expected to issue their own detailed guidance to address the unique risks and applications of AI within their respective domains.
  • Focus of the National Strategy: Turkey's National Artificial Intelligence Strategy highlights key national priorities, including developing a skilled AI workforce, creating shared digital infrastructure through a Public Data Space, supporting innovation via testbeds and sandboxes, and promoting the localization of AI models to strengthen domestic capabilities.

This approach reflects Turkey's broader goals of supporting SMEs, enhancing domestic AI capacity, and aligning regulatory frameworks with economic competitiveness and social inclusion.

 

Practical Compliance Checklist for Organisations

For businesses deploying AI in Turkey (or partnering with Turkish entities) seeking AI governance support, the following checklist may be helpful:

  • Organizations should begin by creating a complete inventory of all AI models, datasets, and processing activities, focusing on those that may present higher risks
  • They should verify compliance with data protection requirements whenever personal data is processed, ensuring proper registration, documentation, and security measures.
  • Each AI system should be assessed and classified by its level of risk, with extra caution applied to large-scale or high-impact applications.
  • Comprehensive documentation must be maintained, including model records, audit logs, bias assessments, and human oversight procedures.
  • Strong governance structures should be established, assigning senior leadership responsibility and ensuring continuous monitoring and incident management.
  • For public-sector projects, organizations should prepare for certification and take advantage of potential incentives for compliant AI systems.
  • It is essential to stay informed about legal developments as the draft AI law may still change before formal implementation.
  • Finally, companies operating internationally should align their frameworks with European AI standards such as ISO/IEC 42001 to ensure interoperability and easier access to the EU market.

 

Conclusion

Turkey is at a critical juncture in its AI regulatory journey. With the AI Bill under parliamentary review and a well-defined national strategy in place, 2025 is a transitional phase: organisations must act now. While the full regulatory framework is not yet finalised, the momentum is clear Turkey aims to balance innovation, competitiveness and citizen protection. For businesses and operators, proactive governance, robust documentation, data-protection alignment and readiness for risk-tier obligations will be key to success and regulatory resilience.

Start your AI readiness journey with Nemko Digital— talk to our experts and get a risk assessment today.

Dive further in the AI regulatory landscape

Nemko Digital helps you navigate the regulatory landscape with ease. Contact us to learn how.

Contact Us

Get Started on your AI Governance Journey

Contact Us