With the internet becoming an indispensable part of business life and daily life, legal regulations for combating cybercrimes and ensuring information security have also become inevitable. One of the most fundamental legal frameworks in this field in Turkey is Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications, also known as the "Log Law" among the public. This law imposes an obligation on institutions providing internet access to record (log) the digital movements of their users and to guarantee the accuracy of these records.
Many institution managers think that Law No. 5651 only covers internet service providers (ISPs) or large telecom companies. However, the law holds a very wide range of actors under responsibility, from the smallest businesses to the largest public institutions that offer internet access to their employees, guests, or customers. Failure to establish a correct and legally compliant logging infrastructure can lead to businesses facing direct legal liability and heavy sanctions in case of cybercrimes. In this guide, we will examine in detail what the 5651 logging obligation is, for whom it is mandatory, and how it should be technically implemented.
What is Law No. 5651 and Logging?
Logging within the scope of Law No. 5651 is the process of recording, in accordance with legal standards, the digital footprints (IP address, MAC address, connection date and time, accessed destination IPs, etc.) of each user who accesses the internet over a network.
The most critical obligation brought by the law is not only keeping these log records, but also storing them signed with a time stamp.
- What is a Time Stamp? A time stamp is a cryptographic signing method that guarantees under international standards that a specific piece of data existed at the specified date and time, and that no changes have been made to it since then (integrity). Log records that are not signed with a time stamp do not have legal evidence status in courts.
For Whom is 5651 Logging Mandatory?
The law has determined the obligations of actors offering internet access by dividing them into different categories. Most businesses are defined as "Collective Use Providers" in the law.
1. Collective Use Providers (Companies, Hotels, Cafes, etc.)
All real and legal persons who make the internet line allocated for their own use available for collective use by their employees, guests, or customers fall under this scope.
- Offices and Companies: All private companies providing internet to their employees for business purposes.
- Service Sector: Cafes, restaurants, hotels, hostels, and shopping centers offering free Wi-Fi to their customers.
- Educational and Social Areas: Schools, universities, dormitories, hospitals, and associations.
2. Collective Use Providers for Commercial Purposes (Internet Cafes, etc.)
These are places that offer internet access directly as a commercial service (providing internet use for a fee). These businesses are obliged to obtain a permit from local administrative authorities, keep IP distribution logs, and use systems that filter harmful content.
Which Data Must Be Kept Under 5651 Logging?
In accordance with the regulation, collective use providers must record the following data completely and verifiably in their systems:
- Internal IP Distribution Logs (DHCP Logs): Information on which device in the local network (LAN) was allocated which local IP address (e.g., 192.168.1.50) at what date and time, matched with the MAC address.
- External IP and Port Information (NAT Logs): Information on which public IP address and which source port number a device in the local network used while going out to the external world (internet).
- User Authentication Information: Especially in hotel, cafe, or corporate Wi-Fi networks, user authentication records such as SMS verification code, T.C. ID Number, or room number used by users when logging into the system.
All of this data must be stored in a secure environment for at least 2 years retrospectively and signed daily with a time stamp.
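The sketch below is an added example, not part of the original guide or any vendor's log format. It shows why the DHCP and NAT records are both needed: a public IP and port seen at a given time is resolved through the NAT log to an internal IP, then through the DHCP lease active at that moment to a MAC address. The log layouts, MAC addresses and documentation-range IPs are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field layout is an assumption, not a vendor format.
# DHCP: time, event, internal IP, MAC, lease seconds
DHCP_LOG = """\
2024-03-01T08:00:00 ACK 192.168.1.50 aa:bb:cc:00:00:01 3600
2024-03-01T09:30:00 ACK 192.168.1.50 aa:bb:cc:00:00:02 3600
2024-03-01T09:00:00 ACK 192.168.1.51 aa:bb:cc:00:00:03 7200
"""
# NAT: time, internal IP:port, public IP:port, destination IP:port
NAT_LOG = """\
2024-03-01T08:15:10 192.168.1.50:51000 203.0.113.10:40001 198.51.100.7:443
2024-03-01T09:45:30 192.168.1.50:51000 203.0.113.10:40001 198.51.100.7:443
2024-03-01T09:10:00 192.168.1.50:52000 203.0.113.10:40002 198.51.100.9:80
"""

def parse_dhcp(text):
    leases = []
    for line in text.splitlines():
        ts, _, ip, mac, secs = line.split()
        start = datetime.fromisoformat(ts)
        leases.append((ip, start, start + timedelta(seconds=int(secs)), mac))
    return leases

def parse_nat(text):
    rows = []
    for line in text.splitlines():
        ts, inside, outside, dest = line.split()
        rows.append((datetime.fromisoformat(ts), inside.split(":")[0], outside, dest))
    return rows

def lease_holder(leases, ip, when):
    """MAC holding `ip` at `when`; the latest lease wins, None if none is active."""
    active = [l for l in leases if l[0] == ip and l[1] <= when < l[2]]
    return max(active, key=lambda l: l[1])[3] if active else None

def attribute(public_endpoint, when, window=timedelta(seconds=60)):
    """Resolve a public IP:port seen at `when` to (internal IP, MAC)."""
    leases, nat = parse_dhcp(DHCP_LOG), parse_nat(NAT_LOG)
    hits = [r for r in nat if r[2] == public_endpoint and abs(r[0] - when) <= window]
    if not hits:
        return None  # no NAT record: the request cannot be answered at all
    ts, inside_ip, _, _ = min(hits, key=lambda r: abs(r[0] - when))
    return inside_ip, lease_holder(leases, inside_ip, ts)
```

The same public port maps to two different devices an hour apart because the internal IP was re-leased, and a NAT record with no covering lease returns a MAC of `None`, which is the kind of gap an internal audit should flag before an official request does.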
Technical Requirements and SIEM Integration
5651 compliance cannot be fully achieved merely by installing a simple log collection tool. Especially in large-scale networks, professional solutions must be deployed to protect log integrity and analyze incidents:
- Central Log Management: Logs coming from different network devices (firewall, switch, DHCP server, Active Directory, etc.) must be collected and correlated in a single center.
- SIEM Integration: Security Information and Event Management (SIEM) systems do not only record logs, but also analyze cyber attack signals in real-time to generate alerts.
To establish a professional log infrastructure that combines legal compliance with cybersecurity standards in your organization, you can benefit from our SIEM and Security Incident Management Integration solutions.
Additionally, firewall devices in your network must be correctly configured so that 5651 compliant logs can be safely collected. In this regard, you can examine our Network Security, Firewall and IDS/IPS Solutions services.
To professionally plan your business's legal compliance processes, IT investments, and technology roadmap, you can work with our expert team within the scope of our Business and Management Consulting services.
To make your business's internet infrastructure fully compliant with Law No. 5651, establish time-stamped logging systems, and strengthen your cybersecurity infrastructure, you can contact us at any time.
Frequently Asked Questions
What is the penalty for not keeping 5651 logs?
In case collective use providers do not fulfill their legal obligations within the scope of Law No. 5651, heavy administrative fines are applied by local administrative authorities. More importantly, when a cybercrime (fraud, terror propaganda, insult, etc.) is committed over the internet line belonging to your business and the actual perpetrator of the crime cannot be detected (because logs are not kept), the business managers who are the legal owners of the line directly become first-degree suspects and face judicial processes.
Is keeping logs without a time stamp legally valid?
No, it is not valid. A time stamp is the only method proving under cybersecurity and cryptography standards that log records have not been retrospectively modified. Log records kept without being signed with a time stamp, merely as plain text or Excel files, are not accepted as legal evidence in courts because they are open to digital manipulation.
If I share my home internet with my neighbor, do I fall under the scope of 5651?
Legally, sharing your home internet with others is not recommended. Home internet lines are individual subscriptions, and the line owner is directly responsible for all digital activities carried out over that line. In case your neighbor performs an illegal transaction over your line, it will be extremely difficult to defend yourself before judicial authorities since you cannot have a professional logging infrastructure compliant with 5651.
Conclusion
The 5651 logging obligation is not just a bureaucratic necessity to be fulfilled for businesses, but also a vital shield protecting corporate cybersecurity and manager responsibilities. Every institution offering internet access must establish a log infrastructure that is compliant with the law, time-stamped, and has a retrospective 2-year retention capacity. A correctly configured logging and cybersecurity architecture both protects your business from legal sanctions and maximizes your operational credibility in the digital world.
