What is AI regulation in Turkey?
AI regulation: countries and regions
AI regulation in Turkey is a developing, layered framework rather than a single enacted AI Act. As at 6 June 2026, Turkey regulates AI mainly through existing personal data, internet, criminal, cybersecurity, consumer, sector and civil liability rules, supported by the National Artificial Intelligence Strategy 2021-2025, KVKK guidance and draft AI-related bills before Parliament. Organisations should treat Turkey as an active, fast-moving jurisdiction, especially where AI uses personal data, deepfakes, automated decisions or cross-border cloud services.
What this means
Turkey does not yet have one comprehensive, enacted statute that governs all AI systems. Its current approach is a mix of binding laws that already apply to AI, official strategy documents, data protection guidance, standards activity and draft legislation.
The binding centre of gravity is data protection. The Personal Data Protection Law No. 6698, usually known as KVKK, applies where AI systems process personal data wholly or partly by automated means. That makes lawful basis, transparency, data minimisation, security, data subject rights, special category data and cross-border transfer controls central to AI governance in Turkey.
At policy level, Turkey has positioned AI as a national digital transformation priority. The National Artificial Intelligence Strategy 2021-2025 and the 2024-2025 action plan point towards trustworthy AI, data governance, legal and ethical coordination, sandboxes, public AI infrastructure and a planned Trustworthy AI Seal. Parliament has also seen several AI-related bills, but these are not the same as enacted law.
Why it matters
Turkey matters for AI regulation because it sits between several regulatory worlds. It is commercially connected to the EU, is a Council of Europe member, has its own national AI strategy, and applies a domestic data protection regime that has been moving closer to GDPR-style mechanisms in areas such as cross-border transfers.
For organisations, the practical risk is assuming that "no AI Act" means "no AI regulation". In Turkey, AI projects can already trigger obligations under KVKK, internet content rules, criminal law, cybersecurity law, employment law, intellectual property law, consumer protection and sector supervision.
This is especially important for AI systems that use Turkish personal data, affect Turkish users, support public or financial services, create synthetic voice or image content, automate employment or customer decisions, or depend on cloud infrastructure outside Turkey. The current position is not static. Bills before the Grand National Assembly of Turkey, KVKK guidance, TSE certification work and Council of Europe developments could change the compliance picture quickly.
How it works
The current model: layered regulation, not one AI code
As at 6 June 2026, Turkey's AI framework is best understood in four layers:
Existing binding laws that apply to AI depending on the use case. Official policy instruments, especially the National Artificial Intelligence Strategy 2021-2025 and its updated action planning. Regulator guidance and soft law, led by KVKK on personal data and AI. Draft legislation and standards activity that may become more important as Turkey moves from strategy to implementation.
This means the legal answer depends on what the AI system does. A recruitment scoring tool, a customer chatbot, a biometric identity system, a medical triage tool, a credit risk model and a generative AI content tool may all sit under different combinations of rules.
Turkey has not yet adopted the EU AI Act. It has not yet enacted a full domestic equivalent. However, the proposed bills show that Turkish legislators are considering risk assessment, high-risk systems, conformity assessment, registration, deepfake content controls, platform responsibility, dataset governance and penalties.
The National Artificial Intelligence Strategy 2021-2025
Turkey's National Artificial Intelligence Strategy 2021-2025 was prepared by the Presidency Digital Transformation Office and the Ministry of Industry and Technology. It is a policy framework, not a directly enforceable AI statute.
The strategy sets six broad priorities:
Training AI experts and increasing employment in the field. Supporting research, entrepreneurship and innovation. Expanding access to quality data and technical infrastructure. Making regulatory arrangements for social and economic adaptation. Strengthening international cooperation. Accelerating structural and labour transformation.
For governance, the strategy describes a two-layer structure. One layer is for high-level steering and strategic alignment. The other is for administrative, technical and legal coordination, including AI values and principles. It also refers to working groups on trustworthy and responsible AI, AI law and ethics, regulatory sandbox frameworks, guides, data spaces, a public AI ecosystem and an AI portal.
For businesses, the strategy is not a checklist of binding duties. It is still important because it shows the direction of travel: data governance, accountable AI, trustworthy AI, legal coordination and public sector capability are central themes.
KVKK and personal data protection
KVKK is the main binding law for many AI systems in Turkey. It applies to natural persons whose personal data is processed and to natural or legal persons processing that data by automated means, or by non-automated means where the processing forms part of a filing system.
For AI, the most important KVKK duties are likely to include:
identifying a lawful basis for processing personal data meeting transparency obligations when collecting personal data limiting data to specified, explicit and legitimate purposes keeping data relevant, limited and proportionate applying security measures respecting data subject rights controlling special category data managing processor and controller roles handling retention, erasure, destruction or anonymisation assessing cross-border transfer routes for cloud, model hosting and vendor access
KVKK has also published AI-specific recommendations. These are not the same as a binding AI statute, but they are highly relevant to regulator expectations. KVKK's AI recommendations emphasise fundamental rights, lawfulness, fairness, proportionality, accountability, transparency, accuracy, limited use, security, privacy by design and privacy impact assessment where personal data processing creates high risk.
More recently, KVKK has published material on workplace use of publicly accessible generative AI tools and agentic AI. The workplace guidance highlights the risk that employees may use public AI tools without a clear organisational policy, making monitoring and control difficult. The agentic AI material reflects the growing concern that AI systems which plan, adapt and take actions can create more complex data protection issues across their lifecycle.
Cross-border data transfers and cloud AI
Cross-border transfers are a practical pressure point for AI in Turkey. Many AI systems rely on cloud hosting, model APIs, overseas analytics, remote support, global product teams or multi-country data lakes.
In 2024, Article 9 of KVKK on international transfers was amended by Law No. 7499. KVKK then published English translations of the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and standard contract texts. This matters because AI vendors and deployers may need to map when Turkish personal data is sent outside Turkey or made accessible from abroad, and then select a lawful transfer route.
For leaders, the key point is that AI vendor review in Turkey is not only a model risk question. It is also a data flow, hosting, access control, contractual and transfer mechanism question.
Draft AI and AI-related legislation
Turkey has several AI-related proposals before Parliament. Their status matters because they indicate policy direction, but they should not be treated as enacted law unless and until passed.
The 2024 Artificial Intelligence Law Bill, registered as TBMM bill 2/2234, is a broad draft AI law. It covers AI system providers, distributors, users, importers, distributors and affected persons. The proposal includes principles such as security, transparency, fairness, accountability and privacy. It also refers to risk assessment, special measures for high-risk systems, conformity assessment, registration, monitoring, supervision and sanctions.
A later proposal, TBMM bill 2/3358, is a set of amendments to several laws rather than a single AI code. The draft would add an AI system definition to the internet law, address AI-related criminal responsibility, set content blocking and removal requirements for certain deepfake or unlawful AI-generated content, add dataset requirements into KVKK, give powers to BTK in urgent AI content cases and add cybersecurity-related duties for AI service providers. As at the research date, the TBMM record showed this bill as in commission.
Another narrower 2026 proposal, TBMM bill 2/3465, would amend KVKK Article 18 to impose fines on social media tools or digital platforms that allow the sharing of AI-generated audio, text or image messages without the person's permission. This too should be treated as proposed law, not enacted law, unless its parliamentary status changes.
The Trustworthy AI Seal and standards activity
Turkey is also developing a standards and certification layer. The Turkish Standards Institution has published information on the "Guvenilir Yapay Zeka Damgasi", or Trustworthy AI Seal, under the National Artificial Intelligence Strategy.
TSE describes the seal as a planned certification approach for assessing whether AI systems are developed and used ethically, securely, transparently and accountably, with reference to national and international standards. The stated assessment topics include technical infrastructure, data management, algorithmic transparency, human rights effects, bias and discrimination controls, security measures and accountability mechanisms.
The exact operational status needs checking at the point of use. TSE's public page describes the model and application route, while also stating that practical certification activity had not yet started at the stage described and would follow completion of infrastructure and process preparation. Leaders should not present the seal as a mature mandatory approval system unless confirmed by TSE's live process.
Turkey, the EU and the Council of Europe
Turkey is EU-adjacent in trade, data, supply chain and digital policy terms, but it is not an EU Member State and the EU AI Act does not automatically apply as Turkish domestic law.
However, the EU AI Act may affect Turkish organisations indirectly. This can happen where a Turkish provider places AI systems on the EU market, where an AI system's output is used in the EU, where a Turkish business supplies an EU-regulated customer, or where contracts require EU AI Act alignment.
Turkey is also a Council of Europe member and participated in the broader Council of Europe AI policy environment. The Council of Europe Framework Convention on Artificial Intelligence, Human Rights, Democracy and the Rule of Law is relevant because it sets a human rights, democracy and rule of law model for AI governance. As at the research date, official sources confirmed the Convention and its principles, but public treaty listings and related public materials did not establish Turkey as having signed or ratified CETS No. 225. This point should be checked against the live Council of Europe Treaty Office record before publication updates.
Examples
A Turkish customer service chatbot using personal data
A company deploys a chatbot for Turkish customers. The bot uses names, contact details, order history and complaint information. Even if there is no standalone AI Act, KVKK applies because personal data is being processed. The company needs to identify the controller and processor roles, explain the processing to users, limit the data used, secure the system, manage retention and check whether any model provider or cloud host outside Turkey receives or can access Turkish personal data.
A public workplace generative AI tool
Employees begin using a public generative AI service to summarise internal documents and draft responses. KVKK's workplace generative AI material is relevant because the organisation may not have a clear policy, approval route or monitoring process. The practical response is to decide what data may be entered into public tools, which tools are approved, how employees are trained, how incidents are reported and whether personal or confidential data is being exposed.
A synthetic media platform facing proposed deepfake duties
A platform allows users to create or share AI-generated audio, image or text content. Existing law may already apply through privacy, personality rights, content, criminal and data protection rules. Draft bills add another layer of uncertainty because they propose specific duties and penalties for unauthorised AI-generated content, deepfake material and platform responsibility. The platform should track parliamentary status, but it should not wait for a new AI statute before building complaint handling, consent, labelling, removal and escalation controls.
Common misunderstandings
"Turkey has no AI regulation because it has no AI Act."
Incorrect. Turkey has no single comprehensive enacted AI Act, but AI is already regulated through data protection, content, criminal, cybersecurity, civil, consumer and sector rules where those rules apply to the use case.
"The National Artificial Intelligence Strategy is binding law."
Incorrect. The strategy is a government policy and governance framework. It matters for regulatory direction and institutional design, but it is not the same as a statute imposing direct duties on every AI deployer.
"The EU AI Act automatically applies in Turkey."
Incorrect. The EU AI Act is not Turkish domestic law. It may still affect Turkish providers, customers and suppliers through EU market access, contracts, group policy and extraterritorial scope.
"Only personal data teams need to care about AI regulation in Turkey."
Incorrect. KVKK is central, but AI governance in Turkey can also involve legal, security, product, HR, procurement, compliance, content moderation, public affairs and sector specialists.
"Draft bills can be ignored until enacted."
Incorrect. Draft bills are not binding law, but they show likely pressure points. In Turkey, current proposals focus on high-risk AI, transparency, deepfakes, dataset governance, platform duties, cybersecurity and penalties. These are useful signals for risk planning.
Risks and boundaries
The main boundary is legal status. Turkey's current AI regulation is not a settled single code. Some instruments are binding, such as KVKK and existing internet, criminal and cybersecurity laws. Some are policy instruments, such as the national strategy. Some are regulator guidance. Some are proposals before Parliament.
This creates four practical risks.
First, organisations may under-comply by assuming there is no AI law. That misses existing binding rules, especially where AI uses personal data or affects protected rights.
Second, organisations may overstate certainty by treating draft bills, strategy documents or planned certification models as if they are already mandatory law.
Third, organisations may import EU AI Act templates without adapting them to Turkish legal duties. EU alignment can be useful, but it should not replace a Turkey-specific data, content, cybersecurity and sector review.
Fourth, organisations may miss fast-dating points. The status of bill 2/2234, bill 2/3358, bill 2/3465, the Trustworthy AI Seal and the Council of Europe Framework Convention position should be checked shortly before relying on this article for operational decisions.
This article is a practical regulatory explainer, not legal advice. Organisations should take Turkish legal advice for regulated sectors, high-risk deployments, personal data transfers, synthetic media, public sector uses or contentious automated decision-making.
What to do next
Map AI systems used in or affecting Turkey, including internal tools, customer systems, embedded vendor AI and public generative AI use by staff. Identify which systems process personal data, special category data, employee data, children's data, biometric data or customer records. Build a Turkey-specific KVKK review into AI procurement and model deployment, including lawful basis, transparency, data minimisation, retention, security, data subject rights and controller or processor roles. Map cross-border data flows, including cloud hosting, API calls, overseas support, analytics access and group-level data sharing. Track parliamentary status for the AI Law Bill 2/2234, the AI-related amendments bill 2/3358 and the 2026 KVKK amendment bill 2/3465. Create rules for public generative AI use at work, including what must not be entered into public tools. For synthetic media and user-generated content, prepare consent, labelling, complaint, takedown and escalation processes before specific AI content laws are finalised. Monitor TSE's Trustworthy AI Seal and Council of Europe developments, but treat both as evolving reference points unless they become directly applicable to the organisation.
FAQs
Does Turkey have a standalone AI Act?
No comprehensive standalone AI Act had been enacted as at 6 June 2026. Turkey has draft AI-related bills, but current AI regulation is mainly built from existing laws, official strategy, KVKK guidance and developing standards activity.
What is the most important law for AI in Turkey today?
For many AI systems, the most important law is the Personal Data Protection Law No. 6698, known as KVKK. It applies when AI systems process personal data and brings duties around lawful basis, transparency, proportionality, security, data subject rights and cross-border transfers.
Is Turkey following the EU AI Act?
Turkey has not adopted the EU AI Act as domestic law. However, EU AI Act concepts are relevant because Turkey is commercially close to the EU, Turkish providers may serve EU markets, and Turkish policy materials show interest in international alignment.
What is the National Artificial Intelligence Strategy?
It is Turkey's main AI policy framework for 2021-2025. It sets priorities for skills, research, data, infrastructure, regulation, international cooperation and labour transformation. It also describes AI governance mechanisms and working groups.
Are AI bills currently before the Turkish Parliament?
Yes. Relevant proposals include the 2024 Artificial Intelligence Law Bill, TBMM 2/2234, and the 2025 AI-related amendments bill, TBMM 2/3358. A 2026 proposal, TBMM 2/3465, would amend KVKK in relation to unauthorised AI-generated audio, image and text content. Their status should be checked before relying on them.
What does KVKK say about AI?
KVKK itself is a personal data law, not an AI-only law. KVKK guidance on AI recommends rights-respecting, lawful, fair, proportionate, accountable, transparent and secure personal data processing, with privacy by design and impact assessment where high risk is expected.
Does Turkey regulate deepfakes?
Existing privacy, personality rights, content, criminal and data protection rules may already apply to harmful synthetic media. Draft bills would add more specific duties and penalties for some AI-generated or deepfake content, but those proposals should not be treated as enacted law unless passed.
What should a non-Turkish AI provider check before serving Turkish users?
It should check whether it processes Turkish personal data, transfers that data abroad, offers services into Turkey, creates user-facing automated decisions, produces synthetic media, serves regulated sectors or contracts with Turkish customers that require local compliance.