Turkey’s new cybersecurity law could criminalize legitimate reporting on cybersecurity incidents because of its overly broad and vague language, the Committee to Protect Journalists said Thursday.

The law, passed on Wednesday, criminalizes reporting about an online data leak or sharing that report unless the authorities have confirmed the incident.

It imposes a prison sentence of two to five years for anyone who knowingly creates or spreads “false” content claiming that there is a cybersecurity data leak “in order to create anxiety, fear, and panic among the public, or to target institutions or individuals.”

“Turkey’s new cybersecurity law could not only stifle reporting on cybersecurity-related data leaks, but empowering the government to decide whether a leak actually occurred or not raises the risk of broader censorship,” said Özgür Öğret, CPJ’s Turkey representative. “Turkish authorities should revise the law to ensure that it does not threaten to undermine press freedom.”

The law also establishes a new cybersecurity authority and cybersecurity commission, which have legal access to any kind of digital information stored in Turkey when approved by a court order. An earlier draft of the bill proposed giving the newly founded bodies this authority without a court order.

The law’s passage follows an admission by Turkey’s online authority BTK in September 2024 that the personal data of 108 million people had been stolen from government servers.

Turkey’s opposition parties are preparing to apply to the Constitutional Court for an annulment of the law.

In 2022, Turkey passed a law that criminalized “spreading disinformation,” which has persistently been used against the media. Turkish authorities briefly arrested reporter İbrahim Haskoloğlu in 2022 due to reporting on an alleged data leak.

CPJ emailed the Presidential Directorate of Communications for comment but received no reply.