Who is required to register with IYS?

Any business that sends commercial electronic messages to recipients in Türkiye (Turkey) must comply with IYS requirements. This includes companies that send promotional SMS, marketing emails, or outbound sales calls. If your business communicates promotional content even occasionally you should evaluate your IYS obligations and complete the registration process accordingly.

What counts as a commercial electronic message?

A commercial electronic message is any communication sent for marketing or promotional purposes. This may include: Discount announcements Campaign messages Product launches Brand awareness notifications Transactional or service-based messages (such as delivery confirmations or password resets) are generally treated differently. However, if a message includes promotional intent, it falls under IYS rules.

Is prior consent mandatory before sending marketing messages?

Yes. As a general rule, prior explicit consent (opt-in) must be obtained before sending commercial messages via SMS, email, or calls. Consent must be clear, affirmative, and verifiable. Simply having a customer’s contact details does not automatically grant permission to send promotional content.

Can consent be obtained through any method?

Consent can be collected through written forms, online checkboxes, mobile applications, call center confirmations, or similar structured processes. However, it must be documented properly. You should be able to demonstrate: When consent was given Through which channel For which communication type (SMS, email, calls) Without proper documentation, meeting your IYS obligations becomes difficult in case of inspection or dispute.

What is the deadline for reporting consents to IYS?

If consent is collected outside of IYS, it must be transferred to the IYS system within the legally defined timeframe (commonly structured as within 3 business days under the regulation). Failing to register the consent within this period may invalidate your right to send commercial messages to that recipient. Timely synchronization is therefore a critical operational responsibility not just an administrative task.

How must opt-out (rejection) requests be handled?

Recipients have the right to withdraw consent at any time. Businesses must provide an easy and free opt-out mechanism in every commercial message. Once an opt-out request is received, the company must stop sending commercial messages within the legally defined timeframe (commonly within 3 business days). Opt-outs must also be reflected in IYS and synchronized across all internal systems.

What happens if a company does not comply with IYS obligations?

Non-compliance may lead to administrative penalties under Law No. 6563 and related regulations. Beyond financial penalties, companies also face: Brand reputation damage Increased complaint rates Deliverability issues Legal exposure Compliance is not just about avoiding fines it protects operational continuity and customer trust.

Is ETBIS the same as IYS?

No. ETBIS and IYS serve different purposes. ETBIS is an information and declaration system related to e-commerce activities. IYS is a centralized permission management system for commercial electronic messages. Registering with one does not replace the obligation to comply with the other.

Can a company manage IYS without technical integration?

Yes, it is technically possible to manage permissions manually through the IYS panel and file uploads. However, for businesses with growing databases or frequent campaigns, API integration is strongly recommended. Integration ensures: Automatic consent reporting Real-time opt-out updates Reduced human error Easier audit tracking Manual processes may increase compliance risk as volume grows.

Do foreign companies targeting recipients in Türkiye need to comply?

If a company sends commercial electronic messages to recipients located in Türkiye, it should expect Turkish commercial messaging regulations including IYS requirements to apply. Cross-border scenarios may involve additional considerations, so seeking legal advice for international operations is recommended.

IYS Obligations Under Law No. 6563: Compliance Guide

Commercial messaging is still one of the highest-performing channels for e-commerce brands, SMEs, and agencies. But “we have a list” is not a compliance strategy. The rules focus on permission, clear record-keeping, and the recipient’s right to withdraw consent.

Regulators introduced IYS (Message Management System) to address this need. It centralizes permissions, makes opt-out requests visible, and helps businesses prove compliance when needed.

In this guide, you’ll learn what IYS is and how the registration process works. We also compare technical integration with manual uploads and explain what daily IYS obligations look like in real operations. You’ll also see how Makdos supports implementation through a structured onboarding process. It offers API and webhook options, along with a practical management panel.

What Is IYS (Message Management System)?

IYS (Message Management System) is Türkiye’s centralized permission platform for commercial electronic messages. Regulators created it to store and manage marketing consents in a single national system.

It also allows recipients to see which businesses can contact them. They can control these permissions directly. In short, it turns scattered consent spreadsheets into a single source of truth that supports both businesses and recipients.

Recipients can review their permissions and withdraw them through official channels such as e-Devlet and the IYS interface. Once recipients update their permissions, the system immediately reflects the changes. This is why IYS obligations go beyond simply collecting opt-ins. They also require you to keep your records synchronized and up to date.

If you’d like a faster primer before diving into legal requirements, see our related article:

What is IYS (Message Management System)?

IYS Registration Process in Turkey

IYS registration is how a service provider (a business sending commercial messages) becomes officially recorded in the system. In practice, most businesses register through official portals, including e-Devlet access flows. They then complete the service provider setup steps defined in the framework.

During registration, you typically (and this is the moment many teams first realize how detailed iys obligations can be):

Authenticate and identify the company and authorized signatory (often via e‑signature).
Sign the required agreements and confirm your service provider profile.
Add your brand information to the system. Then define the message headers or sender IDs you plan to use, such as SMS sender names and email identities.

Some businesses face additional administrative steps based on their permission volume, brand structure, or day-to-day working model. The key takeaway: treat registration as the start of a workflow not a one-time checkbox. Your ongoing IYS obligations start immediately after approval. From that point on, you must process every new consent and every opt-out on time and record them correctly.

For a step-by-step walkthrough, see:

IYS Registration and Application Process: Step-by-Step Guide

IYS Integration Options (API vs. Panel)

Once registered, you must decide how to keep IYS aligned with your internal systems. This includes your CRM, e-commerce platform, marketing tools, and call center. Here, IYS becomes part of daily work. Your systems must always show the right consent status.

Option 1: Manual management via the IYS panel (and bulk files)

For small databases or low-frequency marketing, some companies prefer manual methods. They use the panel and upload lists in spreadsheet formats such as CSV or XLS. This can work when:

You have limited brands and channels,
Consent updates are not frequent,
A single person controls the process.

The risk is clear: manual work often causes delays and human errors. Compliance frameworks rarely tolerate these issues when you are trying to meet IYS obligations. Manual uploads often fail to handle same-day opt-outs efficiently. They also struggle during high-volume campaigns, which is why many growing businesses switch to integration sooner than planned.

Option 2: API-based integration (recommended for scale)

API integration connects your systems to IYS so that permissions and rejections are transferred automatically. In a mature setup:

When a user grants consent on your website or at a call center, the consent is recorded and transmitted to IYS.
When a recipient withdraws consent (including through IYS channels), your systems receive updates and stop messaging automatically.

Many teams also use webhook-style notifications to receive permission changes and opt-outs near real time. This approach is the most reliable way to prevent IYS obligations from turning into a manual bottleneck. It is especially important if you run frequent campaigns or manage multiple brands.

IYS Obligations Under Law No. 6563 (Core Compliance Rules)

This section is the practical core of IYS obligations. It explains how they work in daily processes. It’s also where teams most often make mistakes: consent captured in the wrong format, opt-outs processed late, or missing proof when requested.

This article is for general information and does not constitute legal advice. For case-specific compliance decisions, consult qualified legal counsel.

1) Consent (opt-in): what counts, and how to capture it

As a general rule, you must collect consent before sending any commercial electronic message. This includes promotional SMS, marketing emails, and outbound sales calls. The consent must show a clear and affirmative intent an explicit “yes.” You must also collect it in a way that you can prove later.

You can collect consent in writing. You can also collect it through electronic channels. However, you should design the process from the start to comply with IYS obligations.

Importantly, consent is typically channel-specific meaning SMS consent does not automatically cover email or calls. Treat each channel as its own permission line item in your database.

Another practical rule: you cannot send a commercial message simply to request consent. If you need consent, use a proper opt-in process. Design the flow clearly and document it. Use a web form, app checkbox, call center script, or physical form do not rely on “permission by marketing message.”

If you want stronger proof for iys obligations, use a double opt‑in workflow for email and (when possible) SMS. It reduces disputes, cleans your list, and helps your marketing team work with higher-intent recipients.

2) Proof obligation: what records you must store

With iys obligations, it’s not enough to say “the customer opted in.” You need to document how, when, and where you collected the consent.

At minimum, store:

Timestamp (date/time) of consent,
Source (web form, POS, call center, SMS confirmation, contract),
Channel (SMS, email, call),
Consent text/version shown to the recipient (where applicable),
Technical logs that show the action (IP/device/session where relevant).

If you do not obtain consent directly through IYS, you must prove that the consent is valid. In this case, the service provider carries the burden of proof. That’s why consent hygiene and logging matter as much as campaign performance.

3) Reporting consents to IYS on time

One of the most overlooked iys obligations is the reporting timeline. If you collect consent outside IYS, you must register it in IYS within the legally defined timeframe.

The regulation commonly defines this as within three business days. When you don’t register consent properly, IYS may consider it invalid. In that case, you lose the legal basis to contact that recipient through the covered channels.

A practical way to apply the “3 business days” rule in IYS obligations is to create a daily sync job:

Capture: Write every consent/opt‑out event into an immutable log table (append-only).
Validate: Enforce channel-specific fields (SMS/email/call) and required metadata.
Queue: Push events into a retryable queue (so API outages don’t cause deadline misses).
Sync: Send events to IYS via API (preferred) or prepare a CSV export for bulk upload.
Reconcile: Pull the latest permission state (or process webhook updates) and resolve mismatches.
This approach minimizes manual tasks. It also supports auditing and keeps IYS obligations aligned across your CRM, marketing tools, and call center systems.

4) Opt-out (rejection) rights and processing timelines

Every commercial message must provide an easy and free way for recipients to opt out. Recipients can withdraw consent at any time, without giving a reason.

In practice, once you receive an opt-out request, you must stop sending commercial messages. You must do this within the legally defined timeframe. The regulation commonly defines this as within three business days. This applies whether the opt-out arrives through your unsubscribe link, an SMS keyword (e.g., “STOP”), a call center request, or via IYS channels.

Treat opt-outs as a hard stop across all tools. If one system removes a contact and the other doesn’t, the data doesn’t match. Over time, this mismatch can lead to a violation of IYS obligations. Centralize permission status and push it to every sending system.

5) Required sender information inside messages

Compliance is also about transparency, and it is part of iys obligations in day-to-day messaging operations. Depending on the channel, each message must include clear identifying information.

This means the sender’s commercial identity, at least one contact method, and an easy opt-out option. For SMS and call channels, the regulation sets additional format requirements. These include displaying business identifiers and following specific naming rules.

6) Penalties and business risk

When iys obligations are ignored, the risk is not just theoretical. Administrative penalties can be significant, and enforcement risk increases with volume especially for repeated or large-scale campaigns. Beyond fines, the real business cost appears in spam complaints and email delivery problems. Over time, this also damages brand trust.

If you record a consent incorrectly, it can become invalid. The same applies if you fail to register it in IYS within the required timeframe. In that case, you lose the legal basis to send commercial messages to that recipient. Make IYS processes automatic. Don’t leave them to memory.

Why IYS Compliance Matters (Benefits Beyond “Avoiding Fines”)

It’s tempting to see IYS obligations as simple legal housekeeping. However, the business benefits are real, and strong teams treat IYS obligations as part of their marketing quality system.

Cleaner lists, better performance: Permission-based marketing improves engagement because you’re messaging people who actually want updates.
Brand trust: Transparent opt-in and opt-out flows reduce complaints and strengthen long-term customer relationships.
Operational clarity: A centralized permission model creates a single source of truth. It prevents confusion about opt-ins and avoids duplicate lists.
Structured complaint handling: When recipients manage their permissions through official channels, complaints decrease. This allows your team to focus on real customer issues instead of resolving disputes.

IYS also intersects with data protection expectations (including KVKK considerations) because consent records include personal data. A disciplined permission workflow helps you apply access controls, retention logic, and security practices consistently.

Practical Scenarios (SMEs, Marketing Teams, IT & Compliance)

Different teams experience iys obligations differently. Here’s how to translate the rules into day-to-day actions.

SMEs and small e-commerce brands

For smaller businesses, the biggest risk is “one mistake becomes one big bill.” A simple compliance playbook goes a long way:

Audit your lists: identify who has provable consent per channel.
Fix your opt-in UX: add clear checkboxes and store the logs.
Keep IYS up to date: If you can’t integrate, upload regularly and check that records match.
Never reuse “legacy lists” without proof.

If you’re under-resourced, prioritize correctness over complexity. Meeting iys obligations is easier when you standardize your forms and reduce manual exceptions.

Marketing & growth teams

Marketing teams should treat IYS status as a campaign gating control:

Before launch, verify that every segment is permission-valid for the channel.
Use permission type as a segmentation attribute (SMS-only vs. email-only vs. both).
Keep unsubscribe logic consistent across tools so opt-outs propagate everywhere.

A practical way to protect IYS obligations is to define your send audiences from a dedicated permission table. Do not rely on raw CRM exports for campaign lists.

IT teams and technical owners

For IT, iys obligations translate into architecture and this is where clean data models prevent compliance fires:

Decide whether IYS is the master record or a synchronized mirror.
Implement idempotent API calls and retries to avoid missed deadlines.
Log every request/response for audit and troubleshooting.
Build reconciliation: detect mismatches between IYS state and internal systems.

If you lack in-house engineering capacity, a specialized integration partner can reduce both time and risk.

How Makdos Helps You Meet IYS Obligations

Makdos helps businesses turn IYS obligations into a structured daily workflow. This prevents them from becoming a recurring manual task and keeps processes consistent across teams and tools. As an IYS business partner, Makdos offers a clear and structured integration process. It also provides a management layer designed for SMEs, e-commerce brands, corporate marketing teams, and agencies.

Key capabilities include:

Guided onboarding and setup: You receive clear guidance on the registration steps. You also learn how to authorize an integration partner within the official process.
API + webhook integration: Automate consent updates and opt-outs so IYS runs continuously, not in bulk uploads.
Administration panel: Even without full integration, you can handle permissions using a practical panel and file-based imports.
Reporting: Track total consents, new opt-ins, and opt-outs to keep stakeholders aligned and reduce compliance blind spots.
Security-first infrastructure: Protect permission records with secure transport and controlled access. If you want to strengthen your stack further, Makdos also offers firewall/security services for infrastructure hardening.

If email is a core channel for your campaigns, align permission management with reliable mail infrastructure as well. Mail hosting controls keep identity and access management consistent across the organization. They also maintain reliable audit trails an often overlooked factor in meeting IYS obligations at scale.

Conclusion and Next Steps

IYS exists to make permission-based marketing real in daily operations. Treat consents as structured data, including timestamps, sources, and logs. Then enforce opt-outs as a strict stop rule this makes IYS obligations easier to manage. The process turns repeatable and scalable.

Your next steps are straightforward if you want to keep iys obligations under control:

Confirm your IYS registration path and service provider profile.
Standardize consent capture per channel and store proof-ready logs.
Implement a sync method (panel uploads for small volumes; API/webhooks for scale).
Reconcile and audit regularly so your sending tools match IYS state.

If you want to meet IYS obligations without relying on manual uploads and scattered spreadsheets, explore Makdos IYS Integration. A structured integration workflow can lower risk. It can also reduce day-to-day workload.

👉 Makdos IYS

IYS Obligations Under Turkey’s Law No. 6563