Founder
November 23, 2025
As we enter the second quarter of the twenty-first century, the digital ecosystem is undergoing a radical paradigm shift regarding data ownership, identity representation, and asset transfer. The "feudal" structure of the traditional internet (Web 2.0), built upon centralized authorities, is giving way to a "self-sovereign" structure shaped by blockchain technology, cryptography, and artificial intelligence (AI) powered autonomous systems. This transformation is not merely an update of technological infrastructures, but a philosophical rupture that shakes the fundamental assumptions of legal systems. In this new order where centralized databases are replaced by distributed ledgers, wet signatures by cryptographic keys, and human-will-based contracts by autonomous code snippets (smart contracts), the principle of legal certainty faces serious tests. This report presents a comprehensive legal and technical analysis of technological verticals such as Self-Sovereign Identity (SSI), Account Abstraction, Intent-Centric Architectures, AI Agents, and Decentralized Physical Infrastructure Networks (DePIN), within the scope of the European Union's eIDAS 2.0 vision and Türkiye's legal framework (KVKK, TMK, SPK, MASAK).
For many years, the concept of digital identity has been perceived as "account" management that tracks an individual's footprints in the digital world but remains under the control of service providers (Google, Facebook, government institutions, etc.). However, data breaches, surveillance capitalism, and censorship risks have necessitated the Self-Sovereign Identity (SSI) model, where ownership of identity is returned to the user. Unlike structures where data is held in centralized silos, this model offers an architecture stored in the user's wallet and cryptographically verifiable.
SSI is an approach that places the individual at the center of the digital identity ecosystem, ensuring they are not just an "administrator" but the "owner" of their own identity. This approach is built upon ten fundamental principles set forth by Christopher Allen in 2016. Among these, the most critical are the authority to decide with whom to share identity data (Control), data portability (Portability), and sharing no more data than necessary for a transaction (Data Minimization).
The technical backbone of this philosophy is formed by two fundamental standards: Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs).
Standardized by the W3C, DIDs are cryptographically verifiable, persistent, and globally unique identifiers that do not require any central registration authority (such as a civil registry, email provider, or domain registrar). A DID follows the did:method:specific-identifier format and represents the subject's (individual, institution, or object) digital presence and sovereignty on the blockchain.
The most revolutionary feature of DIDs is the "resolution" mechanism. When a party queries the counterparty's DID, they obtain a "DID Document" containing the public keys, authentication methods, and service endpoints belonging to that identity. This document provides the necessary cryptographic material to verify the digital signatures of the identity owner, and no intermediary institution needs to be trusted in this process.
Technological diversity has led to the development of different DID methods for various use cases. These methods diverge in terms of security, cost, and levels of decentralization:
The did:key method represents the simplest form of Decentralized Identity (DID) systems.
Infrastructure and Mechanism: It does not require external infrastructure like a blockchain. The DID is derived directly from the cryptographic public key, and the key itself represents the identity.
Advantages: It is completely free, offline, and instantly creatable. Since it does not need a central ledger or authority, it offers a high level of autonomy.
Disadvantages and Risks: The most significant risk is that key rotation (password change) is not possible. If the key is lost, the identity is permanently lost. Therefore, it is more suitable for one-time or temporary transactions.
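The key-derived method described above can be resolved with no network access at all, which the following added example (not part of the original report) illustrates. It assumes the W3C CCG did:key encoding for Ed25519 keys (multicodec prefix 0xed01, base58btc multibase); the sample key bytes are constructed.

```python
"""Derive and resolve a did:key identifier offline (Ed25519 keys only)."""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_MULTICODEC = b"\xed\x01"  # varint form of multicodec 0xed (ed25519-pub)


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes map to '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def did_key_from_public_key(public_key: bytes) -> str:
    """The identifier is just an encoding of the key: no ledger, no registry."""
    if len(public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return "did:key:z" + b58encode(ED25519_MULTICODEC + public_key)


def resolve_did_key(did: str) -> dict:
    """Expand a did:key into its DID Document, rejecting anything malformed."""
    parts = did.split(":")
    if len(parts) != 3 or parts[0] != "did" or parts[1] != "key":
        raise ValueError("not a did:key identifier")
    multibase = parts[2]
    if not multibase.startswith("z"):  # 'z' marks base58btc
        raise ValueError("unsupported multibase encoding")
    raw = b58decode(multibase[1:])
    if len(raw) != 34 or raw[:2] != ED25519_MULTICODEC:
        raise ValueError("not an Ed25519 public key")
    vm_id = f"{did}#{multibase}"
    return {
        "@context": ["https://www.w3.org/ns/did/v1"],
        "id": did,
        "verificationMethod": [{
            "id": vm_id,
            "type": "Ed25519VerificationKey2020",
            "controller": did,
            "publicKeyMultibase": multibase,
        }],
        # The single key does everything, so it cannot be rotated or revoked:
        # replacing the key produces a different DID.
        "authentication": [vm_id],
        "assertionMethod": [vm_id],
    }


def public_key_from_document(doc: dict) -> bytes:
    """What a verifier extracts before checking a signature."""
    multibase = doc["verificationMethod"][0]["publicKeyMultibase"]
    return b58decode(multibase[1:])[2:]


if __name__ == "__main__":
    sample_key = bytes(range(32))  # constructed sample, not a real key
    did = did_key_from_public_key(sample_key)
    print(did)
    print(resolve_did_key(did)["verificationMethod"][0]["id"])
```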
did:ethr is a DID method built upon the security and ubiquity of the Ethereum blockchain.
Infrastructure and Mechanism: It is managed on the Ethereum blockchain via a smart contract called ethr-did-registry. This contract holds identity records and facilitates updates.
Advantages: It relies on the proven security and widespread adoption of the Ethereum network. Interaction (such as authorization and delegate assignment) and key management are possible via smart contracts.
Disadvantages and Risks: Every update transaction regarding the identity (key change, etc.) requires "gas" (transaction fees) on the Ethereum network. During periods of high network congestion, these costs can increase significantly.
did:ion is a method designed for high-scale and enterprise-level identity systems, utilizing the censorship-resistance feature of the Bitcoin blockchain.
Infrastructure and Mechanism: It operates using Sidetree, a Layer-2 protocol built on the Bitcoin blockchain. It utilizes IPFS for data storage and anchors identity hashes to the Bitcoin blockchain at regular intervals.
Advantages: It is founded on Bitcoin's global nature and censorship resistance. Thanks to the Layer-2 solution, it offers high transaction volume and provides the scalability required for state-level identity systems.
Disadvantages and Risks: Slight delays may occur depending on Bitcoin block confirmation times. Its setup and operation are technically more complex and laborious compared to other methods.
If DIDs are the address book of the digital world, Verifiable Credentials (VCs) are the attributes ascribed to these addresses. VCs are the digital, cryptographically signed, and machine-readable equivalents of physical documents such as driver's licenses, diplomas, passports, or bank passbooks.
The VC ecosystem relies on an architecture known as the "Trust Triangle":
Issuer: The institution that creates the credential and signs it with its private key (e.g., University, Civil Registry Office).
Holder: The user who receives the VC, stores it in their digital wallet, and decides to share it.
Verifier: The party that requests the VC and verifies its cryptographic signature (e.g., Employer, Bank).
The greatest innovation introduced by this model is that the Verifier does not have an obligation to establish real-time communication with the Issuer to confirm the document's validity. The Verifier mathematically verifies the signature using the public key in the Issuer's DID document published on the blockchain. This ensures that the validity of the document can be confirmed even if the "Issuer" servers are down or the institution has gone bankrupt (offline verification). Furthermore, this method protects privacy by preventing the Issuer (e.g., the government) from tracking where the user utilizes their identity (which bar they entered, which job they applied for).
To address the fragmented structure in the digital identity landscape and achieve the Digital Single Market goal, the European Union has revised the eIDAS regulation and implemented the eIDAS 2.0 framework. This regulation mandates that every member state must provide a "European Digital Identity Wallet" (EUDI Wallet) to its citizens, residents, and businesses by 2026.
eIDAS 2.0 is the most ambitious initiative in the world to place SSI principles on a legal footing on a continental scale. The regulation envisions digital wallets being used not only for identity presentation but also for creating legally valid "Qualified Electronic Signatures" (QES) and storing official documents (Attribute Attestations) such as driver's licenses, diplomas, and prescriptions.
The most critical component of this regulation is the recognition of the "Selective Disclosure" principle as a legal right and a technical necessity. In current identity card presentations, an individual is forced to present all information on the ID card, such as name, address, and place of birth, to the other party, even if they only want to prove their age. With eIDAS 2.0 compliant EUDI Wallets, a user will be able to present a cryptographic proof containing only the answer "Yes" to the question "Is the user over 18?" without disclosing their date of birth. This situation represents the most technologically advanced application of the "data minimization" principle under the EU General Data Protection Regulation (GDPR).
However, this architecture brings with it technical and political debates. Cryptography experts and privacy advocates state that current EUDI Wallet designs (especially those based on the ISO 18013-5 standard) do not fully meet the principle of "unlinkability." If unique identifiers are leaked during wallet transactions, governments or wallet providers could track citizens' usage habits and engage in profiling. Therefore, strong technical lobbying is being conducted for the adoption of more privacy-focused formats strengthened by Zero-Knowledge Proofs (ZKP) (such as SD-JWT or BBS+ signatures), as proposed by the W3C.
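As an added illustration (not part of the original report), the sketch below shows the salted-hash disclosure mechanism used by SD-JWT, one of the formats named above, with the age check carried as an `age_over_18` claim. The issuer's signature over the payload is assumed to have been verified separately and is omitted; the claim values and issuer DID are constructed.

```python
"""SD-JWT style selective disclosure: salted digests, holder-chosen reveals."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is the base64url form of the JSON array [salt, name, value].
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))


def make_disclosure(name: str, value) -> str:
    # The random salt stops a verifier from guessing undisclosed values
    # (for example, trying every possible birthdate against a digest).
    return encode_disclosure(b64url(secrets.token_bytes(16)), name, value)


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict):
    """Issuer side: the signed payload carries only digests, never the values."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {
        "iss": "did:example:issuer",  # constructed identifier
        "_sd_alg": "sha-256",
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    return payload, disclosures


def present(disclosures: dict, reveal: list) -> list:
    """Holder side: hand over only the disclosures the transaction needs."""
    return [disclosures[name] for name in reveal]


def verify(payload: dict, presented: list) -> dict:
    """Verifier side: accept a claim only if its digest is in the signed list."""
    signed_digests = set(payload["_sd"])
    claims = {}
    for disclosure in presented:
        if digest(disclosure) not in signed_digests:
            raise ValueError("disclosure does not match any signed digest")
        padded = disclosure + "=" * (-len(disclosure) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        claims[name] = value
    return claims


if __name__ == "__main__":
    payload, disclosures = issue({
        "given_name": "Ada",          # constructed sample claims
        "birthdate": "1990-05-17",
        "age_over_18": True,
    })
    shown = present(disclosures, ["age_over_18"])
    print(verify(payload, shown))  # the birthdate itself never leaves the wallet
    # Note: the digest list and issuer signature are identical in every
    # presentation of this credential, so colluding verifiers can correlate
    # them. That is the unlinkability gap described above.
```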
In Türkiye, digital identity and data management are primarily regulated by the Personal Data Protection Law No. 6698 (KVKK) and the Electronic Signature Law No. 5070. Blockchain-based SSI systems are in structural tension with this legislation, which relies on the concept of a central data controller.
KVKK attempts to assign a central "data controller" to ensure accountability in data processing procedures. However, in the SSI ecosystem, control of the data technically belongs to the user (Holder). The entity producing the data (Issuer) and the entity requesting it (Verifier) are different. Even more complex is the legal status of the thousands of node operators maintaining the blockchain network where this data is transported and verified. Are these operators, who operate the protocol without knowing the content of the data, "data processors" or merely "infrastructure providers" like telecommunication companies?
This technical reality demonstrates that the classical "data controller/data processor" distinction remains insufficient. Reports suggest that this structure must evolve into the "joint-controllership" model, which is also discussed under GDPR. In this model:
Issuer: Responsible for the accuracy of the data and its lawfulness at the moment of initial creation.
Holder (User): Held responsible for the secure storage of data in their wallet and its sharing within their consent (with the exception of personal use).
Verifier: Responsible for processing activities and retention periods after receiving the data.
The most fundamental promise of blockchain technology, "immutability," creates a direct technical conflict with the right to "deletion, destruction, or anonymization of personal data" regulated in Article 7 of the KVKK. When data is written to the blockchain, it theoretically remains there forever.
The solution to this legal impasse is the "Off-Chain Storage and Cryptographic Erasure" model. In this model:
Sensitive personal data (name, surname, biometric data) is never written directly to the public blockchain.
Only meaningless cryptographic summaries (hashes), schemas, or revocation registries belonging to this data are written to the blockchain.
When a user wishes to exercise the "right to be forgotten," the actual data in the off-chain database is deleted, or the private key encrypting the data is destroyed.
When the key is destroyed, the hash value on the blockchain transforms into irreversible "garbage" data that points to nothing. The most critical interpretation that will pave the way for the technology would be for legal authorities to recognize this "cryptographic erasure" method as a valid act of "destruction" within the meaning of KVKK.
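The following added example (not part of the original report) models the off-chain storage and cryptographic erasure steps above and shows why the on-chain value must be keyed or salted: a plain hash of low-entropy personal data can still be matched against guessed values after the off-chain copy is deleted. The vault class, record ID and sample birthdate are constructed, and HMAC-SHA256 with a per-record key is an assumed stand-in for a real registry's commitment scheme.

```python
"""Off-chain storage with erasable commitments versus plain on-chain hashes."""
import hashlib
import hmac
import secrets


def naive_commitment(data: bytes) -> str:
    """Plain hash: anyone who can guess the data can recompute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_commitment(key: bytes, data: bytes) -> str:
    """Commitment bound to a secret per-record key held off-chain."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class OffChainVault:
    """Holds the personal data and the per-record key; never the ledger."""

    def __init__(self):
        self._records = {}

    def store(self, record_id: str, data: bytes) -> str:
        key = secrets.token_bytes(32)
        self._records[record_id] = (key, data)
        return keyed_commitment(key, data)  # only this value goes on-chain

    def reveal(self, record_id: str):
        return self._records[record_id]

    def erase(self, record_id: str) -> None:
        # Right-to-be-forgotten request: drop the data and the key together.
        # A production system would destroy the key inside its KMS or HSM.
        del self._records[record_id]


def verify_disclosure(on_chain: str, key: bytes, data: bytes) -> bool:
    """Verifier check while the record still exists."""
    return hmac.compare_digest(on_chain, keyed_commitment(key, data))


def relinkable(on_chain: str, candidates) -> list:
    """Audit check: which guessed values reproduce the on-chain hash unaided?"""
    return [c for c in candidates if naive_commitment(c) == on_chain]


if __name__ == "__main__":
    birthdate = b"1990-05-17"  # constructed sample value
    guesses = [b"1990-05-%02d" % day for day in range(1, 32)]

    # Weak design: plain hash on-chain stays linkable after off-chain deletion.
    print("plain hash relinked to:", relinkable(naive_commitment(birthdate), guesses))

    # Erasable design: keyed commitment on-chain, key kept off-chain.
    vault = OffChainVault()
    on_chain = vault.store("rec-1", birthdate)
    key, data = vault.reveal("rec-1")
    print("verifies before erasure:", verify_disclosure(on_chain, key, data))
    vault.erase("rec-1")
    print("keyed value relinked to:", relinkable(on_chain, guesses))
```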
The Electronic Signature Law No. 5070 bases the "Secure Electronic Signature" on a Qualified Electronic Certificate (QEC) issued by Electronic Certificate Service Providers (ECSPs) authorized by the Information and Communication Technologies Authority (BTK). This is a hierarchical and centralized trust model based on government-authorized institutions.
In contrast, SSI and VCs rely on a decentralized and mathematical trust model. The source of trust is not an institution's "certificate of authority," but the correctness of the cryptographic process. Due to this fundamental difference in philosophy, under the current wording of the law, a signing process performed with a DID or VC is not considered a "secure electronic signature" within the meaning of Law No. 5070 and does not count as definitive evidence (conclusive proof). However, under Article 202 of the Code of Civil Procedure (HMK), it can be accepted as "prima facie evidence" (delil başlangıcı) or very strong "discretionary evidence." The blockchain-based identity system planned for e-Government in Türkiye could build a bridge between these two models, positioning public institutions as "Trusted Issuers."
For many years, the crypto asset ecosystem has been confined to a primitive account structure called "Externally Owned Accounts" (EOA). EOAs, which form the basis of wallets like MetaMask or Ledger, are managed by a single private key. This structure imposes the rule "whoever loses the key loses the asset" and shows no tolerance for user error. This rigid structure has proven insufficient to meet the complex authorization and security needs required by financial systems. To solve this problem, the Ethereum ecosystem launched the "Account Abstraction" revolution.
The ERC-4337 standard offers an infrastructure that allows smart contracts to behave like wallets (Smart Accounts) without requiring a hard fork in the blockchain protocol. Instead of sending transactions directly to the blockchain, this standard sends them to an intent pool called the "UserOperations" mempool (alt-mempool).
The innovations introduced by ERC-4337 redefine asset management from legal and operational perspectives:
In EOAs, if the password is forgotten, assets are lost. In smart accounts, the user can recover their account through pre-designated "guardians" (family members, lawyers, or hardware wallets). Legally, this is a revolutionary tool for the transmission of digital inheritance. However, the risk of guardians engaging in "collusion" to take over the account requires a clear definition of the legal relationship (agency, escrow, etc.) between the guardians and the user.
This feature, vital for companies, can require approval from multiple executives for a transaction to occur or authorize an employee to spend only within a certain limit.
A Paymaster is a smart contract mechanism that pays the user's transaction fee (gas) via sponsorship or takes stablecoins (USDC) from the user and pays ETH in return. Legally, Paymasters exist in a grey area. If a Paymaster accepts a user's token and pays the transaction fee in exchange for fiat money or another asset, could this activity be considered that of a "money transmitter" or "payment service provider"? Under regulations by FinCEN in the US and the CBRT in Türkiye, a licensing obligation may arise for these actors.
The adoption of ERC-4337 has been slow due to the necessity for existing EOA users to migrate their assets to new smart accounts. To solve this problem, EIP-7702, proposed by Vitalik Buterin and his team, allows existing EOA wallets to temporarily gain smart contract capabilities with a single transaction.
With a new transaction type ("set code transaction" - 0x04), EIP-7702 allows the user to delegate control of their account to a smart contract for a specific period or transaction. For legal professionals, this transaction is in the nature of a "digital power of attorney." The user permits the code to act on their behalf through their declaration of will (signature).
EIP-7702 brings significant security risks. If a user authorizes a malicious or flawed contract ("drainer" contracts), their wallet can be completely emptied. Furthermore, how a user exercises their right of "revocation" (azil) after granting this authority is critical. Technically, a new transaction is required to revoke the authority, but if the user cannot access their account at that moment (e.g., under attack), legal protection mechanisms (stopping the transaction via court order) do not function on the blockchain. This situation reveals that user interfaces (wallet applications) must clearly inform the user about "what they are authorizing" (duty of disclosure).
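One way a wallet could surface "what is being authorized" before the user signs, as an added example that is not part of the original report. It relies on two EIP-7702 details: a delegated account's code is the 3-byte prefix 0xef0100 followed by the delegate address, and an authorization with chain ID 0 is valid on every chain. The audited-contract list and all addresses are constructed placeholders.

```python
"""Pre-signing review of an EIP-7702 authorization (wallet-side check)."""

DELEGATION_PREFIX = bytes.fromhex("ef0100")
ZERO_ADDRESS = "0x" + "00" * 20


def delegate_of(code: bytes):
    """Return the delegate address if `code` is a delegation designator.

    `code` is the account's code as returned by an eth_getCode query.
    """
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def review_request(current_code: bytes, auth: dict, wallet_chain_id: int,
                   audited: set) -> dict:
    """Summarize an authorization for display and collect warnings.

    `auth` holds the chain_id and address fields of the authorization tuple.
    """
    target = auth["address"].lower()
    summary = {
        "current_delegate": delegate_of(current_code),
        "requested_delegate": target,
        "warnings": [],
    }
    if target == ZERO_ADDRESS:
        # Authorizing the zero address clears the account's delegation.
        summary["action"] = "revoke"
        return summary

    summary["action"] = "delegate"
    if target not in audited:
        summary["warnings"].append(
            "delegate contract is not on the wallet's audited list; "
            "its code will control this account")
    if auth["chain_id"] == 0:
        summary["warnings"].append(
            "chain_id is 0: the signed authorization is valid on every chain")
    elif auth["chain_id"] != wallet_chain_id:
        summary["warnings"].append(
            "chain_id does not match the network the wallet is connected to")
    return summary


if __name__ == "__main__":
    audited = {"0x" + "11" * 20}                       # constructed allowlist
    code = bytes.fromhex("ef0100" + "11" * 20)         # constructed account code
    request = {"chain_id": 0, "address": "0x" + "22" * 20}
    result = review_request(code, request, wallet_chain_id=1, audited=audited)
    print(result["action"], "->", result["requested_delegate"])
    for warning in result["warnings"]:
        print("WARNING:", warning)
```

The delegation stays in place until the account signs a new authorization, so the same check applies when displaying an account's existing delegate.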
Another critical actor in the ERC-4337 architecture is the "Bundler." Bundlers collect user operations, package them, and process them onto the blockchain. This role is similar to miners but more active. The legal debate concerns the status of Bundlers regarding OFAC sanctions or AML rules. Can a Bundler be held liable if they package a transaction coming from a sanctioned address? The Tornado Cash rulings in the US set a precedent that even technical infrastructure providers can be held liable. Therefore, in the future, it may become mandatory for Bundlers to use filtering mechanisms similar to "Know Your Customer" (KYC).
The process starting with account abstraction moves blockchain interactions from a "transaction-based" structure to an "intent-based" structure. Instead of saying "Swap token A for token B via this specific route," users now declare their intent by simply stating, "I want the largest possible amount of B for my A."
In intent-based systems (such as UniswapX, CoW Swap, 1inch Fusion), third-party actors who find the best path to execute the user's intent and perform the transaction are called "Solvers" or "Fillers." The user does not execute the transaction themselves; they transfer the right (and risk) to execute the transaction to the Solver.
Legally, the status of Solvers is complex:
Broker/Dealer? Since they find the best price and execute the transaction on behalf of the user, they approach the definition of a "broker" in traditional finance. Under U.S. securities laws, this activity could be an intermediation activity requiring a license.
Agent? Do they have an obligation to act in the user's interest? If a Solver chooses a path that maximizes their own profit (MEV exploitation) rather than giving the user the best price, could this be considered a breach of "fiduciary duty"?
Counterparty? In most models, the Solver fulfills the transaction from their own inventory. In this case, a sales contract is established between the user and the Solver.
The intent architecture also enables the concept of "Chain Abstraction." A user can transact without knowing which blockchain they are operating on (e.g., using an application on Solana with a balance held on Ethereum).
This situation further complicates jurisdiction and applicable law issues in cross-border transactions. If a transaction starts on Ethereum, passes through a bridge to Solana, and is completed there by a Solver, which country's courts are competent in a potential dispute (e.g., if the bridge is hacked)? Legal doctrine predicts that blockchain-based dispute resolution mechanisms (such as Kleros, Aragon Court) will gain importance for such "delocalized" transactions. However, whether the decisions of these mechanisms will be enforced by national courts (e.g., under the New York Convention) remains uncertain.
The combination of artificial intelligence (AI) and blockchain has given rise to "Autonomous AI Agents" capable of performing financial transactions without human intervention. Thanks to ERC-4337 wallets, an AI bot can own its own wallet, accumulate assets, and transact in DeFi protocols.
Who will be responsible if an AI agent manipulates the market, breaches a contract, or goes bankrupt independently of its owner?
Absence of Legal Personality: Turkish law and most legal systems globally have not attributed "personality" to artificial intelligence. AI agents legally hold the status of "goods" or "software." Therefore, they cannot incur rights and obligations in their own name.
Chain of Responsibility: Under the current regime, the person "operating" or "using" the agent is responsible for its actions. However, in cases where the agent is managed by a DAO (Decentralized Autonomous Organization) or its code is immutable, finding a responsible addressee (the "Attribution Problem") may become impossible.
Electronic Personality Debate: The concept of "electronic personality" previously raised by the European Parliament suggests granting limited capacity to such autonomous entities and proposing that these agents possess their own insurance funds or capital to compensate for damages. This implies AI agents becoming legally recognized "economic actors."
The EU AI Act, adopted in 2024, classifies AI systems that perform financial risk assessment or manage critical infrastructure as "High Risk."
This law seeks a "human oversight" requirement in AI systems. However, ensuring human oversight on an agent running on a blockchain, whose code cannot be altered and which acts autonomously (e.g., a Trading Bot), is a technical paradox. While the law also demands "transparency" and "explainability," the "black box" nature of deep learning models makes this compliance difficult.
Furthermore, from a GDPR perspective, can an AI agent that autonomously collects and processes personal data be a "Data Controller"? UK courts have ruled that the controllers of the software, not the software itself, would be responsible. However, as the agent becomes autonomous and control slips from human hands, this legal fiction severs its tie with reality.
The conflict between transparency (for Anti-Money Laundering - AML) and privacy (as a fundamental human right) in financial systems is the sharpest fault line of blockchain law.
Zero-Knowledge Proof (ZKP) is a cryptographic protocol that allows one party (prover) to mathematically prove the truth of a piece of information without disclosing the information itself to the other party (verifier).
This technology offers a strategic key specifically for the Turkish banking sector to escape the pincers of the BRSA (BDDK) and KVKK:
The BRSA prohibits bank data (customer secrets) from leaving the country. With ZKP, while sensitive data remains on the bank's on-premise servers, only meaningless mathematical proofs are sent to the cloud infrastructure. Since the cloud provider does not "see" the data, data sovereignty is not violated, and banks can benefit from the processing power of the cloud.
ZKP provides "Selective Disclosure." When a bank auditor asks, "Is there a suspicious transaction?", instead of opening the entire transaction list, the bank can present a definitive "No" proof generated via ZKP. This represents the extreme point of the data minimization principle of KVKK.
For financial applications, zk-SNARKs (short proof size, fast verification) are ideal but carry a "trusted setup" risk. zk-STARKs, on the other hand, are transparent (require no trusted setup) and are quantum-resistant, but their proof sizes are larger.
The legal limits of privacy technologies were tested with the Tornado Cash case. The US Department of the Treasury (OFAC) placed Tornado Cash, a ZKP-based crypto mixer, on the sanctions list on the grounds that it was used by North Korean hackers for money laundering activities.
The project's developers (Alexey Pertsev and Roman Storm) were arrested for acts of "writing code" and "developing software" and are being tried for complicity in money laundering. The developers argued that smart contracts are "immutable" and that they had no authority to stop the protocol (meaning control was not in their hands). However, courts and prosecutors tend to attribute liability by arguing that the developers managed the interface (UI), profited from the protocol, and consciously failed to add AML measures to the system.
This case is the point where the "Code is Law" philosophy collapses in the face of the state's coercive power. The lesson learned for developers is that simply writing code and walking away does not absolve them of liability; compliance mechanisms (such as "Proof of Innocence" or blacklist filters) must be integrated during the protocol design phase.
Decentralized Physical Infrastructure Networks (DePIN) are models that enable the decentralized establishment and operation of physical infrastructures (telecommunications, energy, data storage) using blockchain technology.
In DePIN projects (e.g., Helium), individuals set up devices (hotspots) in their homes to create network coverage and earn tokens in return. This model carries a risk of conflict with the Electronic Communications Law No. 5809 in Türkiye.
Authorization: Providing electronic communication services requires obtaining an authorization certificate from the BTK (Information and Communication Technologies Authority). Individuals sharing internet or establishing encrypted communication infrastructure without a license may be considered to be engaging in illegal activity.
Node Operator Liability: Is a node operator responsible for the content of the data (e.g., criminal data) passing through their device? Under Law No. 5651, liabilities of a "hosting provider" or "access provider" may arise. However, in encrypted networks, it is impossible for the operator to know the content, which creates a legal ambiguity.
In order to regulate the crypto asset market, Türkiye made significant amendments to the Capital Markets Law (Law No. 7518) in 2024.
Crypto Asset Service Providers (CASPs): A license requirement has been introduced for exchanges and custody institutions. Existing platforms are required to apply for an operating permit by June 2025 and obtain their licenses by June 2026.
Capital and Structure: Platforms are required to be established as joint-stock companies (Anonim Şirket), their shares must be registered (nama yazılı), and they must have a minimum capital of 50 million TL.
Custody: It is essential that customer assets are kept separate from the platform's assets. The law has paved the way for custody services to be performed by authorized banks or custody institutions (such as Takasbank), but platforms are allowed to perform custody in-house during the transition period.
The fate of digital assets (cryptocurrencies, NFTs) after death is one of the grayest areas of Turkish law.
Determination of the Estate: The Court of Cassation and regional courts of appeal (Antalya BAM decision) accept that crypto assets and digital accounts have economic value and must be included in the estate (tereke).
Access Problem: Even if there is a court order, if the password (private key) of the wallet containing the crypto asset is unknown, it is technically impossible to access the asset. Unlike banks, there is no authority to "write a writ to" in decentralized wallets.
Technical Solution: Therefore, smart contracts such as the "Dead Man's Switch," which automatically transfers assets to the heir if the user remains inactive for a certain period, are proposed. However, if this automatic transfer violates the "reserved share" (saklı pay) rules in the Turkish Civil Code, it may be subject to a "tenkis davası" (action for reduction) among the heirs.
The future of digital identity and asset management will be neither a completely anarchic "code is law" order nor a rigid bureaucracy that stifles technology. The solution lies in hybrid structures where legal rules are embedded into smart contracts via the "Law as Code" principle.
SSI and ZKP technologies are creating a new data economy that protects privacy, compliant with KVKK and eIDAS 2.0. Account Abstraction and AI Agents require legal liability to be redistributed based on the principles of "control" and "benefit."
Türkiye has the potential to play a leading role in this transformation by transforming its e-Government infrastructure into a blockchain-based wallet and providing regulatory certainty with the new crypto law.
It is essential for the healthy progression of this comprehensive transformation that legal professionals understand the architecture of the code, and that developers grasp the societal and legal consequences of the code. As Genesis Law Firm, we are committed to providing our clients with the most up-to-date and strategic legal consultancy services in this complex and rapidly evolving field of digital law.
The digital ecosystem is undergoing a radical transformation that fundamentally shakes traditional legal approaches under the influence of Web3, Artificial Intelligence (AI), and blockchain technologies. This change necessitates identifying legal breaking points and solution orientations emerging in five main areas, ranging from identity to asset management, and from liability to infrastructure services.
In traditional identity management (Civil Registry, Google, Facebook), the individual's control over their data is limited, and identity is managed by central authorities. The new paradigm, Self-Sovereign Identity (SSI), aims for the individual to be the "owner" of their own identity using Decentralized Identifiers (DID) and Verifiable Credentials (VC); identity data is stored in the user's wallet instead of centralized silos.
The legal conflict concerns to whom the central "Data Controller" role defined in Law No. 6698 (KVKK) should be attributed in this distributed structure. Since technical control lies with the user (Holder), the data-producing institution (Issuer), and the using party (Verifier), the proposed solution is a transition to the "Joint-Controllership" model, where liability is distributed among these actors.
While traditional approaches require the disclosure of the entire information for verification (e.g., seeing the ID card), Zero-Knowledge Proofs (ZKP) offer the possibility to mathematically prove that information is true without sharing the information itself (e.g., proving one is over 18 without showing the date of birth).
This technology overcomes the inability of traditional methods to achieve the "Data Minimization" principle, which is a fundamental principle in the EU's GDPR and Türkiye's KVKK legislation. In the future, the aim is to protect privacy at the highest level even while fulfilling legal obligations through ZKP-based solutions such as ZK-KYC (Zero-Knowledge Know Your Customer) and "Selective Disclosure."
While traditional financial assets are held in central accounts at banks or intermediary institutions, the new paradigm replaces primitive accounts managed by private keys with programmable Smart Accounts (ERC-4337).
The legal succession crisis has two sources: access to the asset becomes technically impossible if the private key is lost, and the classical rules of Property/Inheritance law are insufficient. To overcome this crisis, smart contract-based inheritance tools need to be legally recognized, such as "Social Recovery" mechanisms, where family members or lawyers can be appointed, and the "Dead Man's Switch," which automatically transfers assets if the user remains inactive.
While legal liability belongs to the human will performing the action in traditional management, structures such as Autonomous Agents and Decentralized Autonomous Organizations (DAO), which can own their own wallets and take autonomous decisions and actions, are coming to the fore in the new ecosystem.
The legal conflict creates an "Attribution Problem" regarding who will bear the liability when they cause damage, as "Legal Personality" cannot be attributed to AI agents in Turkish and most global legal systems. The proposed solution is the recognition of the "Electronic Personality" concept, also discussed by the European Parliament, with a limited capacity, and mandating that these agents possess their own insurance funds/capital to cover potential damages.
Telecommunications and other physical infrastructures (e.g., Türk Telekom) are traditionally operated by large, centralized, and state-licensed institutions. The new paradigm, Decentralized Physical Infrastructure Networks (DePIN) (e.g., Helium, Filecoin), allows individuals to provide infrastructure services with devices installed in their own homes and earn tokens.
This situation creates legal uncertainties, such as the conflict between individuals providing unlicensed electronic communication services and the Authorization obligations under the Electronic Communications Law No. 5809. Furthermore, whether node operators will bear "Hosting Provider" liability is also a subject of legal debate. As a solution, new-generation, lighter Authorization models (e.g., General Permission Regime) suitable for numerous, distributed, and decentralized actors need to be developed.
Legal Disclaimer
This report has been prepared for general informational purposes only and does not constitute legal advice or opinion. Since crypto asset regulations and technological standards are changing rapidly, it is recommended that you receive professional legal support for your specific cases.