Summary: Businesses' logging obligations, legal responsibility and technical requirements under Türkiye's Law No. 5651 (internet law).

In Türkiye, every business that provides internet access is subject to certain logging obligations under Law No. 5651. Places offering guest Wi-Fi such as cafes, hotels and restaurants know this better; but every company that provides internet access to its employees is also within scope.

In this article we summarize what the law requires, which logs must be kept and what needs to be done technically.

Legal note

This article is general information, not legal advice. Make an assessment together with your legal counsel based on your business's specific situation.

What Law 5651 requires — a summary

Within the framework of the definitions of "hosting provider" and "access provider," the law requires certain internet-traffic logs to be retained and presented to authorized authorities when needed. In practice, for businesses this means:

  • It must be recorded who connected, when and to where for users accessing the internet
  • These logs must be retained timestamped and with their integrity preserved
  • The retention period is at least 2 years (it may vary by content type; verify with your advisor)
  • They must be presentable to authorized authorities on request

Which logs must be kept?

It varies with your business profile, but typically:

  • NAT/firewall logs: who connected, when, from which internal IP, to which external IP
  • DHCP logs: which IP was assigned to which MAC address on a given date
  • Web filtering logs: accessed URLs (category-based may be sufficient)
  • Authentication logs: 802.1X, captive portal, RADIUS login records

Our Law 5651-compliant logging service is designed to cover all of these items.

Why is the timestamp critical?

Just collecting logs isn't enough; it must be provable that the logs were not altered afterward. This is done with timestamps obtained from an independent timestamp service (such as TÜBİTAK Kamu SM or an authorized body). Unstamped logs can be challenged in court.

Extra requirements for guest Wi-Fi

If you offer public access (hotel, cafe, store):

  • Authentication is required (at least an SMS- or national-ID-based captive portal)
  • The terms of use the user accepted must be recorded
  • The mapping between the outbound IP and the internal user cannot be left open

Recommended technical architecture

A typical Law 5651-compliant infrastructure includes these components:

  1. Firewall (NAT/log generation) — such as FortiGate
  2. Logging server — Linux + syslog + log analysis
  3. Captive portal — guest authentication (PacketFence/UniFi/Aruba ClearPass)
  4. Timestamp integration — from an authorized TS provider
  5. Backup — keeping a second copy of the logs

We build this architecture turnkey and manage it from hardware/software selection to annual maintenance.

"Our internet provider keeps my logs directly"

This is often an inadequate defense. The service provider sees the outbound IPs but can't know which user on the internal network used that IP. So the answer to the real "who?" question must be with you.

Your business's situation

A firewall may be generating logs; but without a system where that log is regularly collected, retained with timestamps and searchable, you aren't considered Law 5651-compliant. If there's a gap, it needs to be closed.

We can assess your current infrastructure for free from a Law 5651 perspective; we report your gaps and present a cost-effective completion plan.

Let's build your Law 5651-compliant logging infrastructure

Get an assessment for compliant, timestamped and retained logging.

Request a Free Assessment