Abstract
This article examines how cyber-attack acts are criminalized under the Turkish Penal Code (TCK), identifies the conditions for criminal liability, and addresses the legal and technical difficulties encountered in practice.
I. INTRODUCTION
“From a technical standpoint, the internet is the network system formed by interconnecting all information networks and computers around the world through a protocol known as TCP/IP, thereby creating the world’s largest and most comprehensive union of humans and machines.”1
The rapid proliferation of the Internet and digitalization has rendered information and communication technologies an indispensable component of modern life. As a result, cyber-attacks have emerged as a serious threat for individuals, private legal entities, and institutions. These threats have multi-dimensional consequences, including the unlawful use or disclosure of personal data, economic losses, and the undermining of public security. Therefore, where prevention proves impossible, punishing perpetrators has become a priority issue in modern criminal law.
In response to these needs, cyber-attacks are regulated under Turkish law in Chapter 10, titled ‘Offences in the Field of Informatics,’ of Law No. 5237, the Turkish Penal Code2. Nevertheless, practical challenges persist regarding the management of digital evidence, the level of technical expertise, and international cooperation.
This article first addresses the provisions of the TCK governing cyber-attack offences, then discusses the practical challenges encountered in the enforcement and application of these provisions. It outlines recommendations for preventing cyber-attacks and ensuring effective punishment when prevention is not possible. It further evaluates whether the current legislation is sufficient against contemporary cyber threats and considers whether improvements are needed in both legislation and practice, offering recommendations accordingly.
II. THE CONCEPT AND TYPES OF CYBER-ATTACKS
Along with advances in information technologies (IT), cyber-attacks have increasingly become a threat that poses serious risks to the security of both individuals and institutions. In legal terms, a cyber-attack denotes interference with an information system or with data contained in such systems without the consent and authority of the relevant person or entity; this encompasses unlawful acts such as unauthorized access, disruption of system functionality, alteration or deletion of data, and the transmission of information to third parties3.
Although the TCK does not explicitly define “cyber-attack,” such acts are regulated as informatics offences under various provisions. Articles 243, 244 and 245 of the TCK respectively address: unauthorized access to an information system; obstructing or disrupting the functioning of a system and destroying or altering data; and the misuse of bank or credit cards. Furthermore, where cyber-attacks lead to property violations, the unlawful acquisition of personal data, or breaches of privacy, punishment may be imposed under other provisions of the TCK. Thus, many acts qualifying as cyber-attacks are covered directly or indirectly by various provisions of the TCK.
Cyber-attacks can take various forms, depending on the intent of the perpetrator, the techniques utilized, and the characteristics of the targeted systems. Beyond causing individual harm, such attacks may have serious ramifications for public security, the economic order, and even national security. Consequently, it is of great importance for both national and international legal systems to keep legislation up to date and improve technical capacity in combating cybercrime.
The principal forms of cyber-attacks can be classified as follows:
(i) Unauthorized access to an information system (hacking): In legal terms, this denotes accessing an information system without the explicit consent of the owner or administrator, and interfering with the content, functioning or control mechanisms of that system4. Perpetrators typically begin by gathering as much technical information as possible about the target system. In this context, domain name queries are conducted; the operating system in use, open ports, active services, and similar elements are identified. Based on the collected information, a network map is created, and unauthorized access is performed through one of the points containing vulnerabilities5.
(ii) Destruction, impairment or alteration of data: Unlawfully deleting, corrupting, replacing, or rendering inaccessible data stored in an information system constitutes an informatics offence punishable under Article 244 of the Turkish Criminal Code. This offence may be committed through various methods, the most common of which include viruses, social engineering, and trojan horses. Given these attack vectors, preventing this offence—particularly for individuals—remains quite challenging under current circumstances.
(iii) Obstructing or disrupting the functioning of an information system (e.g., DDoS attacks): This offence—less widely appreciated in Türkiye—involves interrupting a system’s normal operation by external attacks, slowing it down or rendering it completely inoperable. Such acts are commonly carried out as Distributed Denial-of-Service (DDoS) attacks, aiming to overload system resources and cause temporary or permanent service outages6. For instance, during a promotional campaign, an e-commerce platform may be rendered inoperative by thousands of bogus connections initiated by a rival.
(iv) Use of malicious software (malware, viruses, trojan horses): “Malicious software refers to harmful code used to infiltrate information systems, steal data, impair the system, or seize control of it”7. Viruses, worms, trojans and ransomware fall into this category. For instance, when an employee opens a trojan attached to an email, this may enable the infiltration of the corporate network, the encryption of data, and subsequently a ransom demand.
(v) Data theft and acquisition of personal data: The unauthorized acquisition, reproduction, use, or transfer of personal or corporate data constitutes an offence under both the Turkish Criminal Code and the Law on the Protection of Personal Data. For instance, the exfiltration of patients’ medical information from a hospital system by a healthcare employee would fall within this scope.
(vi) Phishing and social-engineering attacks: Phishing involves deceiving users into sharing passwords, credit-card details or other sensitive data, typically via fake emails, websites or messages8. Social engineering consists of manipulative techniques that exploit human vulnerabilities to obtain information without necessarily requiring technical intrusion.
(vii) Cyber acts committed for forgery and fraud: This covers fraudulent transactions conducted through information systems, creation of forged documents, and online fraud schemes.
Each of these acts is evaluated under a different offence type in the TCK and is subject to criminal sanctions.
III. REGULATION OF CYBER-ATTACKS UNDER THE TCK
The TCK includes cybercrime provisions to safeguard public order and individual rights against offences emerging from rapid technological advancement. In particular, Articles 243–245 define offences against information systems and prescribe penalties.
Article 243 criminalizes “unauthorized access to an information system,” imposing penalties on anyone who unlawfully enters an information system or remains there without authorization.
Article 244 criminalizes acts such as obstructing or disrupting the operation of an information system and destroying or altering data. Aggravated forms of the offense are applicable when the victim is a public institution or the banking system.
Article 245 establishes a legal basis for combating cyber-enabled fraud by criminalizing the unauthorized use of another’s bank or credit card to obtain benefit. These provisions aim to safeguard privacy, property rights and information security, while also enhancing deterrence. However, due to the rapid pace of technological advancement, the existing legal framework may occasionally prove inadequate, resulting in gaps in legal protection and enforcement. Accordingly, effective combat against cybercrime requires not only penal sanctions but also preventive measures, enhanced technical infrastructure and international cooperation.
A. Informatics Offences in the TCK
Acts amounting to cyber-attacks are primarily regulated under Articles 243, 244, and 245 of Law No. 5237. These provisions penalize unlawful access to information systems, obstructing or disrupting their operation, destroying or altering data, and unlawfully inserting data into a system. The unauthorized use of another person’s bank or credit card, or obtaining unjust benefit through such cards, is likewise considered within the scope of informatics offences9. In addition to these core provisions, other special offences may also be committed by means of information technologies and are relevant in the context of cyber-attacks.
1. Offence of Unauthorized Access to an Information System (TCK Art. 243)
Entering an information system unlawfully, or remaining in the system after having gained unauthorized access, is punishable by imprisonment or a judicial fine. Reduced penalties may apply for certain paid-access systems, whereas heavier penalties may be imposed if the unauthorized access results in the destruction, alteration or impairment of data contained in the system.
Article 243 TCK provides:
“(1) Any person who unlawfully enters all or part of an information system, or remains there, shall be sentenced to imprisonment for up to one year or to a judicial fine.
(2) If the acts defined in the preceding paragraph are committed in relation to systems that may be used upon payment, the penalty shall be reduced by up to one-half.
(3) If, due to these acts, the data contained in the system is destroyed or altered, a sentence of imprisonment from six months to two years shall be imposed.”10
In this context, acts such as gaining unauthorized access to a social media account by cracking its password, or establishing a remote connection to another person’s computer without their knowledge, are among the most typical examples of this offence. In the case underlying the decision of the 8th Criminal Chamber of the Court of Cassation dated 12 November 2015 (E. 2015/5648, K. 2015/4511), it was alleged that the defendant had opened an account on a social networking site under the complainant’s name and photograph, and insulted the complainant’s friends through that account, leading to a request for conviction under Article 136/1 of the TCK. The local court, however, convicted the defendant under Article 244/2 of the TCK, reasoning that by obtaining and changing the complainant’s social-media password, the defendant had disrupted the information system or rendered it inaccessible11.
Such conduct may consist merely of gaining access to the system, but more often manifests as remaining within the system for a period without authorization or interfering with the data it contains. For instance, in the case underlying the decision of the 15th Criminal Chamber of the Court of Cassation dated 23 October 2019 (E. 2017/5622, K. 2019/10412), the local court had acquitted the defendant of qualified fraud and of offences involving impairing, destroying, rendering inaccessible or inserting data into an information system. The complainant’s counsel appealed all acquittal decisions; however, in its opinion dated 2 August 2012, the Office of the Chief Public Prosecutor at the Court of Cassation commented only on the qualified-fraud acquittal and omitted any assessment regarding the acquittals for the informatics-related offences. Due to this incomplete opinion, the Court of Cassation decided to remit the file to the Office of the Chief Public Prosecutor to obtain a supplementary opinion concerning the acquittals for those offences12.
2. Obstructing or Disrupting an Information System; Destroying or Altering Data (TCK Art. 244)
Enhanced sanctions apply to people who interfere with the functioning of an information system by deleting, corrupting, rendering inaccessible or altering data13. These acts directly threaten system security and may endanger public security. The offence also covers inserting data into the system or transmitting existing data to third parties. Where committed against a bank, a credit institution, or a public body—or where unjust benefit is obtained—aggravated forms apply14.
Article 244 TCK provides:
“(1) Any person who obstructs or disrupts the functioning of an information system shall be sentenced to imprisonment from one to five years.
(2) Any person who corrupts, destroys, alters, or renders data in an information system inaccessible, who inserts data into the system, or who transmits existing data to another location, shall be sentenced to imprisonment from six months to three years.
(3) If these acts are committed against a system belonging to a bank, a credit institution, or a public body, the penalty shall be increased by one-half.
(4) Where, by committing the acts defined above, a person obtains unjust benefit for himself or another and no other offence is thereby constituted, a sentence of imprisonment from two to six years and a judicial fine of up to five thousand days shall be imposed.”15
In practice, acts such as changing the password of an email account to block the owner’s access or posting inappropriate content have been evaluated under Article 244.
In a notable decision (12th Criminal Chamber, E. 2013/15899, K. 2014/8411), the defendant—taking advantage of his profession—copied photos from a laptop left for repair and obtained the complainant’s email credentials, logged into the messenger account to add himself as a friend, and then changed the email password to block access. Yargıtay held that these acts constituted both the offence of unlawfully obtaining personal data (Art. 136/1) and the offence under Article 244/2, and that separate convictions were required under the rules on real concurrence; the trial court had mischaracterized the conduct as the offence of recording personal data16.
3. Misuse of Bank or Credit Cards (TCK Art. 245)
Article 245 creates a separate offence covering the unauthorized use of another’s bank or credit card, acquiring card data, or counterfeiting cards to obtain benefit—aimed at protecting the integrity of the financial system and individual property rights.
Scholarly debate persists as to whether the offence regulated under Article 245 constitutes a cyber offence or a traditional property offence. Özbek, Doğan and Bacaksız (2024) emphasize the placement of the provision under offences in the field of informatics and the electronic acquisition of card data, yet note that the protected legal interest is property; accordingly, they classify Article 245 as a “special property offence committed by informatics methods”17. By contrast, Centel, Zafer and Çakmut (2022) argue that the mere use of informatics means does not transform an offence into a cyber offence, stressing the provision’s proximity to fraud and its lex specialis nature18.
Yargıtay has likewise clarified—especially in the decision of the 15th Criminal Chamber, E. 2019/1732, K. 2019/2839—that where card data is deceitfully obtained electronically and used for online transactions, Article 245/1 applies rather than simple fraud.
Accordingly, in both practice and doctrine, misuse of bank/credit cards must be analyzed through both cyber-offence and classic property-offence lenses, and debate persists over the correct classification19.
4. Other Relevant Provisions
In connection with cybercrime, the TCK also includes offence types that may be committed via information systems, such as: unlawful acquisition of personal data (Art. 136), violation of privacy (Art. 134), obstruction of communications (Art. 124), violation of the confidentiality of communications (Art. 132), insult (Art. 125), theft (Art. 142/2-e), fraud (Art. 158/1-f), and obscenity (Art. 226). Therefore, acts amounting to cyber-attacks give rise to criminal liability not only under Articles 243–245, but also under other provisions depending on the nature of the act.
Accordingly, offences committed by using or targeting information technologies are not assessed solely within Articles 243, 244 and 245; depending on the specifics, liability may arise under the other provisions listed above. This approach underscores the intersection between traditional offence types and the broad capabilities enabled by information technologies.
IV. CONDITIONS FOR CRIMINAL LIABILITY IN CYBER-ATTACKS
As in classic criminal law, determining criminal liability for cyber-attacks requires identifying the perpetrator and the victim, and establishing the objective and subjective elements of the offence in the concrete case. The abstract nature of informatics offences requires special attention and expertise in processes of proof and establishing the facts.
A. Perpetrator and Victim
In cybercrime cases, no specific attributes are required of the perpetrator. Accordingly, any person may be the perpetrator of such offences. It is not necessary for the perpetrator to be a professional cybercriminal; an individual with basic digital skills can also commit these offences. Thus, the technical capability or expertise level of the perpetrator is not determinative for criminal liability. Can a legal person be a perpetrator?
The victim is generally the owner of the information system targeted by the cyber-attack, a person who lawfully uses that system, or a natural or legal person whose data is hosted on the system. In particular, commercial entities, public bodies and individuals may experience harm to varying degrees. Identification of the victim may vary depending on the offence type and the protected legal interest.
B. The Subjective Element (Mens Rea)
The subjective element in criminal law requires that the perpetrator act both voluntarily and with knowledge20. Under the TCK, the presence of a subjective element is generally required in addition to the objective element. Intent is defined as the voluntary and knowing commission of the factual elements specified in the statutory definition of an offence. Negligence, by contrast, arises from a breach of the duty of care and diligence, resulting in the commission of an offence21.
However, the informatics offences regulated under Articles 243 and 244 of the TCK may only be committed with intent. Accordingly, the perpetrator must knowingly and willingly commit acts such as unlawfully accessing an information system, remaining within the system, destroying data, or altering it. Negligent conduct—namely acts arising from a lack of due care—does not fall within the ambit of these offence types.
The existence of intent in cybercrime cases is typically established through digital evidence, technical characteristics of the incident, and the perpetrator’s modus operandi. In certain cases, the perpetrator’s specific purpose—such as obtaining unlawful gain, disrupting public services, or acquiring personal data—may be relevant for legal qualification. However, entering an information system “for fun” does not negate intent, as for these offences, the legislator focuses on the occurrence of the act itself rather than the perpetrator’s underlying motive.
The perpetrator’s motivation, level of technical expertise, the complexity of the attack, and the selection of the target may all be considered when assessing the subjective element. Notably, organized or premeditated attacks tend to demonstrate intent more clearly. Accordingly, determining mens rea in cybercrime requires more technical analysis and expertise than in traditional offences.
C. The Objective Element (Actus Reus)
The objective element refers to the concrete, externally observable aspects of an offence, encompassing the perpetrator’s act, the material object affected, and the means or environment used to carry out the offence22. In the context of cybercrime, the objective element consists of various forms of attacks against information systems. Articles 243 and 244 of the TCK explicitly define such acts, including unauthorized access, remaining within a system without authorization, obstructing or disrupting system functionality, as well as destroying, altering, or transferring data.
Article 243 TCK criminalizes unlawful entry into an information system or remaining therein without authorization. This is classified as a conduct offence, completed upon the act itself, without requiring any actual result, and thus constitutes an abstract endangerment offence. Therefore, for the offence under Article 243 to be formed, unauthorized access alone suffices23. More severe outcomes, such as data alteration, deletion, or system disruption, are subject to additional penalties under Article 244.
Establishing the objective element primarily depends on the evaluation of digital evidence. Critical factors such as the time, manner, and tools used in the attack; the method of access; and the specific changes made to data must be established through technical analysis. In this process, it is essential to collect evidence in accordance with legal procedures, preserve its integrity, and submit it properly to the court to ensure procedural safeguards.
There must be actual interference with the information system. For instance, merely sending an email without harmful content does not constitute an offence under Article 243 TCK. However, if unauthorized access is obtained via that email, or if malicious software is delivered, the offence is established. Thus, the objective element must be assessed thoroughly and technically in each individual case.
V. CHALLENGES ENCOUNTERED IN PRACTICE
The challenges associated with determining criminal liability for cyber-attacks and prosecuting perpetrators are multi-faceted and constantly evolving. These challenges encompass technical, legal, institutional, and international cooperation dimensions. The main practical obstacles are discussed separately under the following headings.
A. Collection of Digital Evidence and Evidence Security
“In the pursuit of material truth, one of the most important means and protective measures involving interference with fundamental rights and freedoms is ‘search and seizure.’”24
In criminal investigations, where no alternative means exist to obtain evidence, the search of information systems, computers, computer programs, and the data contained therein—as well as the extraction of data copies, decryption, and the production of written records—may be conducted only by a decision of the competent court.
Another method of evidence collection is the identification of the perpetrator’s IP address. “IP addresses function as a license plate and identity marker for each user accessing internet traffic”25. However, the identification of an IP address alone is insufficient as evidence and must be corroborated, since IP addresses are susceptible to manipulation. IP identification is conducted by issuing an official writ to the relevant environment where the offense was committed26.
In cyber-attack investigations, if the suspect cannot be identified or if the available evidence is insufficient to establish reasonable suspicion, the court may order a standing search or may issue a decision of non-prosecution27. Throughout this process, preserving the integrity of evidence and maintaining an unbroken chain of custody are essential for the admissibility of digital evidence in court. Evidence obtained unlawfully or not adequately preserved may not be considered during trial28.
Given that cyber-attacks are frequently committed via foreign-based infrastructures or anonymous networks, both the identification of perpetrators and the collection of evidence are significantly more difficult. This necessitates the utmost care, both technically and legally, in the processes of evidence collection and preservation. At all stages—from obtaining digital evidence to its submission before the court—strict adherence to Article 134 of the Criminal Procedure Code and subsequent provisions is required to reveal the material truth and to ensure the right to a fair trial. Any break or irregularity in the chain of evidence may lead the court to deem the findings inadmissible and cause the investigation to collapse29. For these reasons, meticulous digital forensic procedures are a fundamental requirement for the effective combat against cybercrime.
B. Technical Experts
In cases involving information technology offences, it is essential that technical experts possess both sufficient and up-to-date knowledge and experience. Given the nature of digital evidence, experts must be able to make sound assessments on technical matters such as IP identification, validation of digital data, examination of log records, and detection of system interventions. Indeed, numerous decisions of the Court of Cassation30 (Yargıtay) have relied upon the technical findings contained in expert reports, with expert examination playing a decisive role in the adjudication process. Therefore, in addition to technical proficiency, experts should have a thorough understanding of the principles of criminal procedure and the methodologies for evaluating evidence.
C. International Cooperation and Jurisdictional Issues
Most cyber-attacks are cross-border; perpetrators may reside abroad, and the attack may be executed via servers located in different countries, thereby raising complex issues of jurisdiction and international cooperation. In practice, mutual legal assistance, evidence collection, and extradition procedures frequently operate slowly, resulting in significant delays. “Given that unauthorized access to information systems and interference with system functioning or data are among the most prevalent cyber-security offences at the national level, it is essential that such acts are comprehensively regulated under domestic law to prevent legal lacunae, and that relevant provisions are harmonized as far as possible to facilitate international cooperation in combating cybercrime.”31
D. Insufficiency of Legislation and the Need for Updates
The TCK provisions relating to cybercrime principally address unauthorized access (Art. 243), the obstruction or disruption of system functioning and the destruction or alteration of data (Art. 244), and the misuse of bank or credit cards (Art. 245). While these provisions establish a fundamental legal framework for safeguarding the integrity and security of information systems, their currency and sufficiency have increasingly come under scrutiny in light of rapid technological advancements. In particular, novel threats such as ransomware, cryptocurrency theft, AI-assisted attacks, and sophisticated online fraud schemes are not expressly defined in current legislation, resulting in significant ambiguities in practice regarding the legal classification of such acts.
As reflected in case law, for instance, conduct such as altering a social media password to prevent the owner’s access may only be penalized through broad interpretation of existing provisions. Such normative gaps complicate the accurate characterization of offences and the fair adjudication of perpetrators, leading to inconsistent rulings and divergent precedents. To effectively combat international cybercrime, the legislation should be revised to explicitly address contemporary technological threats, with clear definitions of new offence types. Accordingly, regular review and updating of the TCK’s cybercrime provisions is necessary to ensure legal certainty and to maintain the effectiveness of the criminal justice system.
E. Obstacles Faced by Victims Seeking Remedies
Victims of cyber-attacks face complex and multifaceted challenges in both criminal and civil proceedings. They may seek criminal prosecution and also pursue compensation for pecuniary and non-pecuniary damages before civil courts. However, due to the anonymous or cross-border nature of cyber-attacks, identifying the perpetrator is often difficult, and criminal investigations frequently yield no results. This likewise constitutes a significant impediment to civil proceedings for compensation. Additionally, protracted proceedings delay redress and impede access to justice.
The harm caused by cyber-attacks is not limited to pecuniary loss; it may also encompass the disclosure of personal data, privacy violations, and reputational damage. The objective assessment and proof of such harms remain problematic. Notably, with respect to personal data breaches, case law and doctrine reflect divergent approaches regarding the identification and quantification of non-pecuniary damage. In Türkiye, the Presidential Decree on Supporting Crime Victims32, published in 2020, established judicial support and victim services directorates to inform victims throughout legal proceedings and to provide psycho-social support. Nevertheless, significant gaps persist in the extent to which these mechanisms address the specific needs of cyber-attack victims and secure effective redress.
In summary, the principal obstacles in victims’ pursuit of remedies include difficulties in identifying perpetrators, lengthy proceedings, challenges in determining the nature and extent of harm, and shortcomings in existing support mechanisms. Overcoming these challenges requires both legislative updates and the development of dedicated support and compensation mechanisms for cybercrime victims.
VI. PERSPECTIVES OF THE JUDICIARY
In its established case law, Yargıtay (the Court of Cassation) has consistently held that acts such as unauthorized access to an information system, destruction or alteration of data, and obstruction of system functioning are punishable under Articles 243 and 244 of the TCK. For instance, a defendant who obtained another person’s email password, accessed the account, and changed the password to prevent the rightful user’s access has been found criminally liable under Article 244(2).
Similarly, the seizure of social media accounts, access to systems using viruses or other malicious software, and the obstruction of communication between public institutions have also been classified as cybercrimes.
“However, there are serious inconsistencies both in first-instance courts and at the Court of Cassation regarding the prosecution and classification of cyber offences and offences committed through information systems. Different courts have rendered divergent decisions on both the merits and procedure for comparable acts, and even different chambers of the Court of Cassation have developed distinct lines of precedent. Moreover, members of the same chamber may hold differing opinions within the same case.”33
VII. INTERNATIONAL LEGISLATION AND COOPERATION
Due to their inherently cross-border nature, cybercrimes cannot be effectively addressed solely through domestic legislation. The possibility that perpetrators may reside in different countries, the execution of attacks via multinational digital infrastructures, and the location of digital evidence in various jurisdictions make international cooperation indispensable in the fight against cybercrime. Therefore, effective international legislation and coordination are vital for the investigation, prosecution, and prevention of cyber offences.
Türkiye is a party to the Council of Europe Convention on Cybercrime (Budapest Convention), which is the first and most comprehensive international instrument in this field. The Convention establishes mechanisms for the sharing of evidence, extradition, expedited information provision, and mutual legal assistance among States Parties, and aims to ensure legal harmonization by defining common offences and procedural rules.
Nevertheless, various challenges persist in practice. Differences in national legislation, inconsistencies in offence definitions, and divergent data protection standards impede evidence sharing and mutual legal assistance, thereby diminishing the effectiveness of investigations. Furthermore, the limited application of mutual recognition and execution, as well as bureaucratic obstacles, are significant factors hindering international cooperation.
In conclusion, combating cybercrime requires a multilateral and technically robust framework of international cooperation, in addition to national measures. Advancing Türkiye’s alignment with international norms, diversifying bilateral and multilateral cooperation protocols, and accelerating mutual legal assistance mechanisms would significantly enhance effectiveness in this area.
VIII. RECOMMENDATIONS AND ASSESSMENT
The initial step in effectively combating cyber-attacks is updating current legislation. Although the relevant provisions of the TCK were considered sufficient at the time of adoption, they no longer match the pace of technological developments.
In particular, the absence of explicit statutory counterparts for emerging threats, such as ransomware and AI-assisted attacks, leads to normative uncertainty and complicates the legal classification of such acts. Therefore, it is crucial to update the TCK and related legislation in line with technological advancements, define offence types in detail, and recalibrate sanctions proportionately.
Enhancement of technical capacity is also essential. The technical expertise of judicial and administrative actors must be improved; specialized units dedicated to cybercrime should be strengthened, and the number of qualified personnel in digital forensics should be increased. Continuous professional training, sustainable collaboration with universities and relevant public institutions, and the adoption of scientifically based solutions in practice should be promoted.
The collection, preservation, and presentation of digital evidence require meticulous attention. Aligning digital evidence processes with international standards will minimize the risk of inadmissibility in court. Accordingly, it is necessary to establish legislation and guidelines for digital forensic processes, and to adopt application standards to guide institutions in assessing digital evidence within a legal framework.
Given the frequent cross-border nature of cyber-attacks, effective international cooperation is essential. Within the framework of international instruments to which Türkiye is a party, mechanisms for mutual legal assistance, information sharing, and extradition should be reinforced; active participation in multilateral platforms should be ensured; and bilateral agreements in the fight against cybercrime should be expanded. Diplomatic and legal progress is critical to reconcile divergent national laws and approaches to the protection of personal data34.
Finally, cybersecurity is not solely the responsibility of the State; individuals and the private sector also have significant roles. Public awareness of cyber threats must be raised, and preventive measures at both individual and corporate levels should be encouraged. Cybersecurity education should be promoted in schools, universities, and public institutions, and preventive policies should be supported through the media, NGOs, and the private sector. Special attention should be given to educating vulnerable groups, such as children and the elderly, in order to enhance societal cyber resilience.
IX. CONCLUSION
Alongside the opportunities brought by technological progress, new forms of threats have emerged. Cyber-attacks now represent multidimensional offences that threaten not only personal privacy and economic assets, but also institutional security, public order, and even national security. Although numerous measures have been introduced in the TCK to prevent these threats and ensure the effective prosecution of offenders, the current provisions of the TCK are insufficient to fully address dynamic cyber threats, and important gaps and challenges remain in practice. While Articles 243 and 244 cover core types of cyber offences, they are limited in defining and penalizing the complex and advanced methods encountered in today’s environment. This results in normative gaps, especially in cases involving ransomware, cryptocurrency fraud, and phishing attacks.
In addition, challenges in digital evidence management, deficiencies in technical expertise, inadequate capacity among law enforcement and judicial authorities in the field of cybercrime, and the cross-border activity of perpetrators—which necessitates international cooperation—all pose significant obstacles to establishing criminal liability. Effective combat against cybercrime thus requires more than legislative reform; it demands a multidisciplinary approach. Strengthening technical infrastructures, establishing specialized judicial units for cybercrime, and aligning evidence collection and evaluation with international standards are of paramount importance.
Ultimately, the fight against cyber-attacks must be based on a holistic strategy that prioritizes not only punitive measures, but also prevention, education, and cooperation. Legal adaptation to technological change is essential to ensure social security in the digital age. In this context, the development of the TCK in accordance with evolving conditions, harmonization with international standards, and the equipping of practitioners with the necessary technical knowledge and tools will enable more effective combat against cybercrime in the future35.
FOOTNOTES
Murat Volkan Dülger, Bilişim Suçları ve İnternet İletişim Hukuku, 4th ed., Ankara 2014, p. 76.
Turkish Penal Code (TCK), Law No. 5237, published in the Official Gazette (Resmi Gazete) No. 25611 of 12.10.2004.
İsmail Ergün, Siber Suçların Cezalandırılması ve Türkiye’de Durum, 1st ed., Ankara 2008, p. 15.
Alp Öztekin, Bilişim Sistemine Girme Suçu, 1st ed., Ankara 2023, p. 64.
Ahmet Ünal, Bilişim Suç Türlerinden Biri Olan Dağıtık Servis Dışı Bırakma (DDOS) Saldırılarının Önlenmesindeki Hukuki ve Teknik Zorluklar, Master’s thesis, Bilgi Üniversitesi, 2014, p. 38.
Damla Ermeydan, Türk Ceza Kanunu’nda Bilişim Suçları, unpublished Master’s thesis, June 2018, p. 13.
Ermeydan, Türk Ceza Kanunu’nda Bilişim Suçları, 3rd ed., Ankara 2024, p. 47.
Yargıtay, 8th Criminal Chamber, 12.11.2015, E. 2015/5648, K. 2015/4511.
Yargıtay, 15th Criminal Chamber, 23.10.2019, E. 2017/5622, K. 2019/10412.
Gürkan Özocak, Bilişim Sisteminin İşleyişini Engelleme veya Bozma Suçu ve Uygulamadaki Saldırı Türleri, Yeditepe Üniversitesi Hukuk Fakültesi Dergisi, Vol. 21, No. 1, 2024, p. 1.
Pelin Topçuoğlu, Türk Ceza Kanunu Kapsamında Bilişim Sistemine Girme Suçu (Master’s thesis), Bahçeşehir Üniversitesi, p. 28.
Yargıtay, 12th Criminal Chamber, 07.04.2014, E. 2013/15899, K. 2014/8411.
Veli Özer Özbek/ Pınar Bacaksız/ Koray Doğan/ İlker Tepe, Türk Ceza Hukuku Özel Hükümler, 16th ed., Seçkin, 2024, p. 1054.
Nur Centel/ Hamide Zafer/ Özlem Çakmut, Kişilere Karşı İşlenen Suçlar, 6th ed., Beta, 2022.
Özbek, Banka veya Kredi Kartlarının Kötüye Kullanılması Suçu (TCK m.245), Dokuz Eylül Üniversitesi Hukuk Fakültesi Dergisi, Vol. 9, Special Issue, 2007, pp. 1046-1047.
Cengiz Apaydın, Ceza Hukukunda Doğrudan Kast Olası Kast Basit Taksir ve Bilinçli Taksir Kavramları, 1st ed., October 2021, p. 102.
Apaydın, Ceza Hukukunda Doğrudan Kast Olası Kast Basit Taksir ve Bilinçli Taksir Kavramları, p. 221.
Hakan Karakehya, Ceza Hukuku Genel Hükümler, 1st ed., Ankara 2022, p. 49.
Ergün, Siber Suçların Cezalandırılması ve Türkiye’de Durum, p. 89.
Cengiz Tanrıkulu, Ceza Muhakemesi Hukukunda Bilişim Sistemlerinde Arama ve Elkoyma, 1st ed., Ankara 2014, p. 349.
Murat Semiz, Bilişim Suçları ve Delil Elde Etme Yöntemleri, 4th ed., Ankara 2024, p. 23.
Semiz, Bilişim Suçları ve Delil Elde Etme Yöntemleri, p. 62.
Semiz, Bilişim Suçları ve Delil Elde Etme Yöntemleri, p. 76.
Khalil Afandak, Ceza Muhakemesinde Dijital Deliller, Doctoral thesis, Ankara 2021, p. 119.
Yargıtay, 4th Criminal Chamber, E. 2014/29110, K. 2017/18243: “Rendering an acquittal, although the defendant admitted in statements to law enforcement and the prosecutor’s office to having used the messages and the line, without expressly asking whether the defendant was the perpetrator of the messages sent from the intervening party’s account to that party’s friends; without having the IP address determined; without referring the file to an expert versed in cybercrime and obtaining a report; and without evaluating the evidence together in respect of all the offences…” required reversal. Yargıtay, 8th Criminal Chamber, E. 2016/804, K. 2016/2811: “Despite the public prosecutor’s obligation under CMK 160 to conduct an immediate and effective investigation, dismissing the objection to the decision of non-prosecution (KYO) that was issued without further inquiry, without investigating the identity of the user of the IP information reported in the attack on the complainant company’s website, and without ensuring the complete identification of the attacking IPs through expert examination and, if necessary, the obtaining of identity information from the access provider…” required reversal.
Ersin Erdoğan/ Belkıs Vural Çelenk/ Özgün Özyüksel, Bilişim Çağında Hukuk, 1st ed., Ankara 2023, pp. 175-176.
Presidential Decree on Supporting Victims of Crime (Suç Mağdurlarının Desteklenmesine Dair Cumhurbaşkanlığı Kararnamesi), published in the Official Gazette (Resmi Gazete) No. 31151 of 10.06.2020.
Hüseyin Akarslan, Bilişim Suçları, 2nd ed., Ankara 2015, p. 193.
European Union – Council of Europe Joint Project, Siber Suçların Önlenmesi ve Bu Suçlarla Mücadele: Türkiye İçin Temel Bulgular ve Tavsiyeler, (Accessed: 01.08.2025), https://rm.coe.int/02-coe-closing-report-re-cybercrime-final-tr-280224web-003-/1680aeb6a3.
European Union – Council of Europe Joint Project, Siber Suçların Önlenmesi ve Bu Suçlarla Mücadele: Türkiye İçin Temel Bulgular ve Tavsiyeler, (Accessed: 01.08.2025), https://rm.coe.int/02-coe-closing-report-re-cybercrime-final-tr-280224web-003-/1680aeb6a3.