Turkey is distinct from most non-EU jurisdictions in one important respect: its AI governance trajectory is formally linked to EU law through the accession process, the EU-Turkey Customs Union, and treaty relationships with the Council of Europe. Operators entering Turkey do not merely face a standalone national framework; they face a framework that is explicitly converging with EU standards over time, which changes the risk calculation for AI deployments structured around minimum compliance.

Key takeaways

  • KVKK (Law No. 6698 on the Protection of Personal Data), enforced by the Personal Data Protection Board (KVKK Kurulu), is Turkey's primary binding instrument for AI-related obligations. Article 11 grants data subjects the right to object to decisions made solely through automated processing, directly restricting AI agents making consequential decisions about individuals.
  • Turkey signed the Council of Europe Framework Convention on Artificial Intelligence (CETS No. 225) at its opening in September 2024. As a founding signatory, Turkey is expected to ratify and implement obligations including human rights impact assessments and transparency requirements for significant AI systems.
  • The National AI Strategy 2021-2025, published by the Presidential Digital Transformation Office, is a policy framework, not binding law. It establishes seven strategic axes and sets targets for AI adoption, but does not create enforceable obligations comparable to the EU AI Act.
  • BDDK (Banking Regulation and Supervision Agency) and SPK (Capital Markets Board) have issued AI-specific governance guidance for regulated financial entities. Operators in financial services face substantive model risk management requirements that go beyond the general KVKK floor.
  • Turkey's EU accession process creates a strong alignment dynamic. Turkish technology and data legislation is progressively harmonised with EU law, and Turkish legal practitioners expect a dedicated AI law to follow the EU AI Act's general architecture as accession advances.

The regulatory landscape

Turkey's AI governance environment in 2026 has four distinct layers, each with a different legal character and a different enforcement authority. Understanding which layer applies to a specific deployment is the first analytical step.

The first and most immediately enforceable layer is data protection law under KVKK (Kisisel Verilerin Korunmasi Kanunu, Law No. 6698 of 2016, as amended in 2021).[1] KVKK applies to any processing of personal data about Turkish data subjects, regardless of where the data controller is established. Its automated decision-making provisions in Article 11 directly constrain AI agents that make consequential decisions about individuals. The Personal Data Protection Board (Kurul) has been actively investigating and fining companies since 2019.

The second layer is the Council of Europe Framework Convention on AI (CETS No. 225), signed by Turkey at its opening in September 2024. The Convention is binding under international law on ratifying states. As a founding signatory, Turkey has committed to align its national law with the Convention's requirements, which include prohibitions on AI uses incompatible with human rights, transparency requirements for significant AI systems, and human rights impact assessments. The Convention is not yet ratified into Turkish domestic law as of June 2026, but it represents the direction of binding obligations.[2]

The third layer is the National AI Strategy 2021-2025 (Milli Yapay Zeka Stratejisi), published by the Cumhurbaskanligi Dijital Donusum Ofisi (Presidential Digital Transformation Office, DDO).[3] The Strategy sets seven strategic axes and measurable targets but does not carry binding statutory force. It signals the government's AI policy priorities and the institutional architecture being built to support future binding regulation.

The fourth layer is sector-specific AI governance, most developed in financial services. BDDK (Bankacilik Duzenleme ve Denetleme Kurumu, the Banking Regulation and Supervision Agency) and SPK (Sermaye Piyasasi Kurulu, the Capital Markets Board) have each issued guidance and circulars addressing AI and algorithmic systems in regulated entities.

KVKK: the binding obligation for AI operators

KVKK entered into force on 7 April 2016 and was significantly amended in June 2021 to align more closely with GDPR.[1] The amendments introduced enhanced consent standards, stricter cross-border data transfer rules, and stronger enforcement powers for the Personal Data Protection Board.

Territorial scope

KVKK applies to processing of personal data of Turkish data subjects regardless of where the controller is established, provided the controller offers goods or services to data subjects in Turkey or monitors the behaviour of data subjects in Turkey. For AI operators, this territorial scope is broad. An AI agent deployed by a company outside Turkey that processes personal data about Turkish users, provides advice to Turkish customers, or makes decisions about Turkish individuals falls within KVKK's scope.

Article 11: the automated decision-making restriction

The most directly relevant KVKK provision for AI operators is Article 11(f), which grants every data subject the right to object to a result that emerges against their interests through the exclusive analysis of their personal data by automated systems and to request human review of the decision.[1]

The practical effect is that AI agents producing consequential automated decisions about Turkish data subjects, for example: credit assessments, hiring decisions, benefit eligibility determinations, insurance pricing, or personalised content filtering with material consequences, must be designed to allow data subjects to request human review and to challenge the automated outcome. The operator must maintain a procedure for handling such requests and must be able to demonstrate compliance on inspection by the Board.

The scope of "exclusive analysis" is interpreted broadly by the Board in its published opinions. A system that uses human review only to rubber-stamp automated outputs does not satisfy the requirement; the review must be substantive and capable of overriding the automated decision. Operators designing AI systems for the Turkish market should build genuine human override capability into any AI that makes decisions with legal or significant practical consequences for individuals.

Lawful bases for AI data processing

KVKK Article 5 permits processing of personal data only on one of six lawful bases: explicit consent; necessity for performance of a contract to which the data subject is party; necessity for compliance with a legal obligation; necessity to protect the vital interests of the data subject or a third party; necessity for a task carried out in the public interest or in the exercise of official authority; and the legitimate interests of the controller, provided those interests are not overridden by the interests or fundamental rights of the data subject.

For AI agents, the appropriate lawful basis depends on the nature of the processing. A customer service chatbot processing data to fulfil a service contract relies on contractual necessity. An AI personalisation engine processing customer data to improve commercial recommendations typically relies on consent or legitimate interests. An AI-assisted credit scoring system processing applicant data in a licensed financial institution relies on legal obligation. Each basis has different conditions attached, and the selection must be documented. The Board has rejected retrospective identification of lawful bases in enforcement proceedings; the basis must be identified before processing begins.

Data breach notification

KVKK Article 12 requires data controllers to implement technical and administrative measures preventing unlawful access to personal data. Breaches must be notified to the Personal Data Protection Board within 72 hours of the controller becoming aware, consistent with the GDPR timeline.[4] For AI systems, relevant breach events include: model inversion attacks that allow reconstruction of training data, prompt injection attacks that cause an agent to expose personal data, and unauthorised access to AI inference logs containing personal data. Operators should include AI-specific events in their breach notification procedures.

The Council of Europe Framework Convention on AI

The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225) is the first binding international treaty specifically addressing AI.[2] It was adopted by the Committee of Ministers on 17 May 2024, opened for signature in Vilnius on 5 September 2024, and signed by Turkey at the opening ceremony.

The Convention's core obligations apply to AI systems used by public authorities (including in judicial and enforcement contexts) and, where Parties elect to extend scope, to private sector actors. Turkey has indicated intent to extend the Convention's obligations to private sector AI under its ratification. Key obligations include:

A prohibition on AI systems that are incompatible with the protection of human rights, the proper functioning of democracy, and the rule of law. An obligation to assess, before deployment of significant AI systems, whether they are compatible with fundamental rights, procedural safeguards, and the rule of law. Transparency and explainability requirements: data subjects must be able to obtain meaningful information about significant automated decisions and, where appropriate, challenge them. Accountability mechanisms: states must ensure that affected persons have access to adequate remedies for violations caused by AI systems. Non-discrimination requirements applicable to AI systems.

As a signatory state, Turkey is under an obligation not to act in ways that would defeat the object and purpose of the Convention pending ratification. The Convention's ratification, expected in 2026 or 2027, will introduce these obligations into binding Turkish domestic law and provide a floor against which any future dedicated AI law must be measured.

The National AI Strategy 2021-2025

The National AI Strategy 2021-2025 was published by the Presidential Digital Transformation Office in August 2021 and covers seven strategic axes: the social and economic dimensions of AI; AI education and research; AI infrastructure and data; AI regulation and governance; national AI adoption; international cooperation; and AI in public services.[3]

The Strategy's governance axis is the most relevant for operators. It acknowledges the need for proportionate regulation aligned with international frameworks, including the OECD AI Principles (revised 2024) and EU AI Act principles, while emphasising that regulation should not impede beneficial AI adoption. The Strategy establishes the Digital Transformation Office as the coordinating body and places the Personal Data Protection Board, BDDK, and sector regulators as the primary enforcement authorities within their respective domains.

The Strategy's 2021-2025 timeframe is concluding. Turkish authorities have published a new AI strategy framework for 2026-2030, which builds on the original Strategy and explicitly references alignment with the EU AI Act as a core objective. The 2026-2030 framework signals that dedicated AI legislation is expected within the strategic period, likely following the general risk-based classification architecture of the EU AI Act and the human rights framework of the Council of Europe Convention.[5]

Financial sector AI governance

Turkey's financial sector has the most developed AI-specific regulatory guidance of any sector in the country, driven primarily by BDDK and informed by Basel Committee on Banking Supervision principles for sound AI use in financial institutions.

BDDK's Regulation on Information Systems and Electronic Banking Services (Bilgi Sistemleri ve Elektronik Bankaci Hizmetleri Yonetmeligi, published 2021, updated 2024) addresses algorithmic systems, machine learning models used in credit assessment, and AI-assisted risk management.[6] Banks must establish model validation processes that include AI and machine learning models, document model assumptions and limitations, ensure senior management accountability for model risk, and conduct regular model review cycles. Third-party AI service providers to Turkish banks must meet contractual AI governance requirements flowing from the bank's BDDK obligations.

SPK (the Capital Markets Board) issued a communique in 2023 addressing algorithmic trading and AI in investment services.[7] Investment firms using AI for order routing, portfolio construction, or client suitability assessments must document the AI's role, maintain override capability, and ensure the final investment decision remains with a human professional for client-specific advice. The communique aligns with ESMA guidance on the use of AI in investment services, maintaining consistency with Turkey's capital markets' traditional close alignment with EU frameworks.

BTK (Information Technologies and Communication Authority) has oversight of AI services delivered through electronic communications networks, including AI-powered customer service systems operated by telecommunications companies. BTK has signalled interest in extending its oversight to AI content moderation and recommendation systems in 2026-2027.

The EU accession dynamic and its implications

Turkey applied for EEC membership in 1987 and formal accession negotiations opened in 2005. While the process has been politically protracted, Turkey's legal system in technology, data protection, consumer protection, and financial services has been progressively harmonised with EU standards throughout the accession period. The KVKK is explicitly modelled on GDPR. The Electronic Communications Law follows the EU Electronic Communications Framework. The Turkish financial supervisory architecture mirrors the EU supervisory model.

For AI regulation, the implication is that the EU AI Act (Regulation 2024/1689) is the most likely template for any dedicated Turkish AI law. Turkish legal practitioners and the Digital Transformation Office have stated this alignment intent publicly. The timescale for a dedicated AI law is uncertain, but operators building AI compliance programmes for Turkey should design those programmes to be extensible to EU AI Act requirements without fundamental restructuring.[8]

This alignment dynamic also means that Turkish operators or international operators serving the Turkish market who are already EU AI Act compliant are generally well-positioned for future Turkish regulation. The principal current gaps are: the KVKK Article 11 automated decision-making right (which requires a specific human review procedure beyond what the EU AI Act mandates for non-high-risk systems); BDDK's specific model validation requirements for financial services; and the Council of Europe Convention's obligations as they are incorporated into domestic law.

Comparison with the EU AI Act and NIST AI RMF

Operators already compliant with the EU AI Act (Regulation 2024/1689) will find that their compliance documentation, governance frameworks, and technical safeguards address the core Turkish KVKK obligations and align with the Council of Europe Convention framework. The specific gaps to address are: first, the KVKK Article 11 human review right, which must be operationalised specifically for Turkish data subjects and is not automatically satisfied by EU AI Act Article 14 human oversight provisions; second, BDDK model validation requirements for financial services operators; and third, the need to maintain a Turkish-language privacy notice and data processing register registered with the VERBIS system (the Board's data processing registry).[9]

The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) and NIST AI 600-1 (Generative AI Profile, July 2024) provide a governance framework that maps well to Turkey's National AI Strategy principles of accountability, transparency, and safety.[10] Turkey follows OECD AI Principles in its policy framework; OECD members include Turkey and the OECD AI Principles (revised 2024) are explicitly referenced in the National AI Strategy as a reference framework. Operators using NIST AI RMF as their primary governance tool will find it straightforward to demonstrate alignment with the Turkish policy objectives.

Enforcement landscape

The Personal Data Protection Board has been an active enforcement authority since 2019. Notable enforcement actions include fines against major social media platforms for unlawful data transfers and against financial institutions for inadequate data security measures. The Board has explicitly stated in its 2024 Annual Activity Report that automated decision-making systems and profiling activities are priority areas for the current regulatory period, making AI deployments with significant automated decision-making components a specific enforcement focus.

BDDK conducts on-site inspections of banks' technology risk management systems, including AI and algorithmic systems. In 2024, BDDK issued remediation orders to three Turkish banks for inadequate model risk management governance affecting credit AI systems, though these orders were not made public in detail. The pattern of financial sector enforcement closely mirrors the European Banking Authority's supervisory practice under EBA ICT risk guidelines.

The competition authority (Rekabet Kurumu) has examined algorithmic pricing in 2023 and 2024, focusing on the aviation and retail sectors. Operators using AI for dynamic pricing in Turkey face potential competition law exposure under Law No. 4054 if pricing behaviour reduces competition, even without explicit coordination between competing parties.

What operators should do

The minimum compliance programme for an AI operator deploying in Turkey covers five elements.

First, conduct a KVKK scope assessment covering all AI deployments that process personal data about Turkish data subjects. Map each processing activity to a lawful basis under Article 5 and register with VERBIS (the Board's data processing registry) if the operator meets the registration threshold. Most commercial operators processing data of more than a defined number of data subjects must register.

Second, operationalise the Article 11 automated decision-making right. For each AI agent making consequential decisions about Turkish individuals, build a procedure for receiving, processing, and responding to objection requests. The procedure must result in genuine human review capable of overriding the automated outcome, not merely a rubber-stamp process.

Third, if operating in financial services, read BDDK's Regulation on Information Systems and the Board's 2024 AI-specific guidance. Your model risk management framework must specifically cover AI models, including documentation of model design, training data, performance metrics, and validation methodology.

Fourth, align your governance documentation with the Council of Europe Convention's framework, which Turkey has signed and is expected to ratify. Specifically: document any fundamental rights impact assessments for significant AI systems, ensure transparency mechanisms are in place for consequential automated decisions, and verify that human oversight and appeal mechanisms are accessible to Turkish data subjects.

Fifth, monitor the 2026-2030 National AI Strategy implementation and any legislative proposals for dedicated AI legislation. Turkish law in this area is changing faster than in most non-EU jurisdictions. Operators who treat Turkey as a stable, low-obligation jurisdiction will face a compliance gap when dedicated AI legislation follows the EU AI Act model.

For comparison with other jurisdictions in the region, see the UAE and Gulf AI governance guide and the Israel AI regulation guide. For the EU AI Act obligations that Turkey is aligning toward, see the Article 26 deployer obligations analysis on agentliability.eu.

Frequently asked questions

Does Turkey have a dedicated AI law in 2026?

No. Turkey does not have a dedicated AI statute as of 2026. The primary binding framework is KVKK (Law No. 6698), enforced by the Personal Data Protection Board. The National AI Strategy 2021-2025 is policy, not law. The Council of Europe AI Framework Convention, signed by Turkey in September 2024, will introduce binding obligations when ratified. Sector-specific guidance from BDDK and SPK applies in financial services. A dedicated Turkish AI law following the EU AI Act model is expected during the 2026-2030 strategic period.

How does KVKK apply to AI agents deployed in Turkey?

KVKK applies to any processing of personal data of Turkish data subjects, regardless of where the controller is established. Article 11(f) grants data subjects the right to object to and request human review of decisions produced solely through automated analysis of their personal data. Operators must have a lawful processing basis under Article 5 for each AI data processing activity, operationalise a procedure for handling Article 11 objection requests, register with VERBIS if required, and implement adequate security measures under Article 12.

What penalties does the Personal Data Protection Board impose for KVKK violations involving AI?

KVKK Article 18 provides for administrative fines from TRY 15,000 to TRY 1,000,000 per violation (approximately EUR 400 to EUR 27,000 at mid-2026 exchange rates). The Turkish Penal Code Articles 135-140 provide criminal penalties for unlawful data processing. The Board is actively enforcing and has identified automated decision-making as a 2024-2026 enforcement priority. Companies with inadequate human review procedures for AI-driven decisions present specific enforcement risk.

How does Turkey's approach to AI regulation compare to the EU AI Act?

Turkey's current framework is substantially less prescriptive than the EU AI Act. The EU AI Act establishes a binding risk classification, conformity assessments, and market surveillance. Turkey's framework is currently data-protection-law-based (KVKK) supplemented by sector guidance and the Council of Europe Convention. However, Turkey's EU accession process means the framework is converging toward the EU AI Act model over time. Operators should design compliance programmes that are extensible to EU AI Act requirements without fundamental restructuring.

Does Turkey apply the Council of Europe Framework Convention on AI?

Turkey signed the Council of Europe Framework Convention on Artificial Intelligence (CETS No. 225) at its opening in September 2024. The Convention is the first binding international AI treaty. As a founding signatory, Turkey is under an obligation not to act contrary to the Convention's object and purpose pending ratification. The Convention requires human rights impact assessments for significant AI systems, transparency requirements, prohibition of AI systems incompatible with fundamental rights, and access to remedies for affected persons. Ratification is expected during 2026-2027.

References

  1. Law No. 6698 on the Protection of Personal Data (Kisisel Verilerin Korunmasi Kanunu, KVKK). Published Official Gazette 29677 on 7 April 2016. Amended June 2021 to align with GDPR standards. Article 11 (rights of data subjects), Article 5 (processing conditions), Article 12 (data security). Available at resmigazete.gov.tr and kvkk.gov.tr.
  2. Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No. 225). Adopted by the Committee of Ministers 17 May 2024, opened for signature Vilnius 5 September 2024. Turkey signed at opening. Text available at coe.int/en/web/conventions.
  3. Presidential Digital Transformation Office (Cumhurbaskanligi Dijital Donusum Ofisi, DDO). National Artificial Intelligence Strategy 2021-2025 (Milli Yapay Zeka Stratejisi). Published August 2021. Seven strategic axes: social and economic dimensions; education and research; infrastructure and data; regulation and governance; national adoption; international cooperation; public services. Available at cbddo.gov.tr.
  4. KVKK Article 12 (Data Security). The Personal Data Protection Board Guideline No. 2019/10 on Personal Data Security specifies the technical and administrative measures required for data processing systems including AI. The Board's 2021 announcement on notification obligations aligns breach reporting with GDPR's 72-hour window for supervisory notification.
  5. Presidential Digital Transformation Office. National Artificial Intelligence Strategy Framework 2026-2030 (draft consulted February 2026). References EU AI Act alignment as a core governance objective and establishes a working group to assess options for dedicated AI legislation. Not yet formally published as of June 2026.
  6. BDDK Regulation on Information Systems and Electronic Banking Services (Bilgi Sistemleri ve Elektronik Bankaci Hizmetleri Yonetmeligi). Official Gazette 31086 on 15 March 2021, updated 2024. Section IV addresses algorithmic and model risk management. Available at bddk.gov.tr.
  7. Capital Markets Board (SPK) Communique No. III-43.5 on Algorithmic Trading and Automated Advisory Systems, 2023. Addresses AI use in investment firm operations, portfolio management, and client-facing financial advice. Available at spk.gov.tr.
  8. For analysis of Turkey's EU accession-driven legal harmonisation in digital and technology sectors, see the European Commission Turkey Progress Report 2023 (SWD(2023)698) Chapter 10 (Information Society and Media) and the Turkey Digital Competitiveness Report 2024. Both confirm progressive GDPR and digital single market alignment.
  9. VERBIS (Veri Sorumlulari Sicili, Data Controllers Registry). Operated by the Personal Data Protection Board under KVKK Article 16. Registration is mandatory for data controllers above defined thresholds. Registration portal available at verbis.kvkk.gov.tr. International controllers established outside Turkey but processing Turkish data subjects' personal data are subject to registration obligations.
  10. NIST AI Risk Management Framework (AI RMF 1.0), January 2023. NIST AI 100-1. NIST AI 600-1 Generative AI Profile, July 2024. Available at nist.gov/artificial-intelligence. OECD AI Principles (revised 2024), available at oecd.ai. Turkey is an OECD member and the National AI Strategy explicitly references OECD AI Principles.