1) What is changing: The definition of "cybersecurity" by the Presidency is expanding

The Cybersecurity Presidency was established by the decree numbered 177 published in the Official Gazette numbered 32776 dated January 08, 2025, with its responsibilities primarily defined in the areas of cybersecurity policy/strategy, capacity building, ecosystem, and crisis management.

The decree numbered 192 expands this set of responsibilities under two critical headings:

(i) Legislation and strategy on "Cybersecurity + digital government"

The decree grants the Presidency a very broad policy-making role in conducting legislative studies in the areas of cybersecurity and digital government, preparing national strategies/action plans, coordinating implementation, and coordinating the alignment of national legislation with international regulations.

(ii) "Digital government institutional architecture" and public IT standards

Perhaps the most operational impact of the text is here: The Presidency is granted the authority to determine the principles, procedures, and standards concerning the administrative-financial-technical characteristics of the information products, services, and systems to be provided/developed by public institutions for the creation of the digital government institutional architecture.

This is not just an authority for a "technical guide". It is a leverage that directly reflects on the public side of standard setting; procurement specifications, acceptance criteria, integration obligations, and consequently contract risk distribution.

2) Artificial intelligence in the public sector

The most striking new additions to decree number 192 are collected under four headings that address artificial intelligence in the public sector from policy to data, application to standard:

• Legislative studies on AI applications in the public sector and contributions to national policy/strategy/action plans, as well as contributions to harmonization with international regulations.

• Data governance: In the context of digital government and the use of AI in the public sector, determining principles/procedures/standards covering processes from data creation to destruction.

• Quality criteria/standards and conformity processes for the data to be used in the common data space infrastructure and AI applications.

• With an approach to "lead" AI applications in the public sector, identifying requirements in collaboration with institutions and structuring the implementation ecosystem.

This framework inevitably raises two discussions in practice:

1. Will AI governance be tied to a "central" standard within the public sector?

2. When the institution managing the "data" for AI also manages the "digital government architecture", how will the requirements of public service be balanced with data protection obligations like KVKK/GDPR?

Here, the reality of data processing in the e-Government ecosystem also provides an important background: It is clearly seen in public information texts that a very large data set, including identity, communication, transaction, entry data, is processed at the e-Government Gateway, and data related to cybersecurity, such as IP/port, is also evaluated within this scope.

3) Organization and "institutionalization": General Directorates and representations

The text does not only add responsibilities; it also increases institutional capacity:

• The Presidency is being restructured as a President + three vice presidents.

• It defines the authority to establish a maximum of 7 representations within the country, as well as abroad.

• It is regulated that the Presidency can establish companies related to its duties within/outside the country by the decision of the President.

• The General Directorate of Public Artificial Intelligence and Digital Government is added to the service units.

The authority to establish companies, especially when read together with the duty of "joint product/service/system development and operation" (e-Government Gateway and joint digital government infrastructures), may also bring about discussions regarding business models in public IT. To what extent will public service production be designed as an administrative activity, and to what extent as a commercial/operational activity? This distinction will be decisive in terms of procurement law, competition law, transparency, data security, and accountability regimes.

4) How should we read this regulation in the "language of the AI Act"?

The EU Artificial Intelligence Regulation (AI Act) has become a reference text worldwide with its risk-based approach and governance architecture (especially in high-risk systems focusing on risk management, data governance, technical documentation, transparency, and human oversight).

The emphasis on "data governance", "quality criteria", "common data space", and "harmonization" in the decree number 192 regarding AI in the public sector suggests that public AI in Turkey can approach this risk-based governance language, at least at a conceptual level. This is not a certainty, but the direction of the text points to the fact that AI is not just "software" but a standard for data and processes.

Similarly, NIST's AI Risk Management Framework (AI RMF 1.0) document brings together the language of risk management, governance, and measurement to operationalize the expectations of "trustworthy AI" for public institutions and suppliers. ISO/IEC 42001 also provides another anchor for those who want to establish an auditable AI governance mechanism on the corporate side.

The critical point here is that decree number 192 does not directly import these frameworks, but describes a ground where AI in the public sector will be managed with standards and data governance.

5) Practical effects from the LANT perspective in the "near term"

This text is seen as particularly likely to produce concrete impacts in three areas:

For public institutions: Digital government architecture, integration standards, and project management principles may narrow the period of "I am doing it this way" in internal IT projects. This will require redesigning many texts from procurement documents to technical acceptance criteria.

For the GovTech/supplier ecosystem: The scope of "compliance" for companies providing AI or digital services to the public expands. Not only KVKK or cybersecurity controls but also data quality, common data space compliance, integration standards, and project management frameworks may become contractual obligations.

For lawyers and compliance teams: This change increases the need to address requirements for data governance, registration/auditability, public-specific transparency, and accountability in the same file, without being limited to discussions about licensing/liability when it comes to "AI contracts". While the existence of large data processing sets is already a known reality in the e-Government ecosystem, the addition of AI to this data area will further complicate the risk profile.