Critical infrastructures are vital assets for public safety, economic welfare and/or national security of countries. Today, cyber systems are extensively used to control and monitor critical infrastructures. A considerable amount of the infrastructures are connected to the Internet over corporate networks. Therefore, cyber security is an important item for the national security agendas of several countries. The enforcement of security principles on the critical infrastructure operators through the regulations is a still-debated topic. There are several academic and governmental studies that analyze the possible regulatory approaches for the security of the critical infrastructures. Although most of them favor the market-oriented approaches, some argue the necessity of government interventions. This paper presents a three phased-research to identify the suitable regulatory approach for the critical infrastructures of Turkey. First of all, the data of the critical infrastructures of Turkey are qualitatively analyzed, by using grounded theory method, to extract the vulnerabilities associated with the critical infrastructures. Secondly, a Delphi survey is conducted with six experts to extract the required regulations to mitigate the vulnerabilities. Finally, a focus group interview is conducted with the employees of the critical infrastructures to specify the suitable regulatory approaches for the critical infrastructures of Turkey. The results of the research show that the critical infrastructure operators of Turkey, including privately held operators, are mainly in favor of regulations. (C) 2016 Bilge Karabacak, Sevgi Ozkan Yildirim, Nazife Baykal. Published by Elsevier Ltd. All rights reserved.