# EU AI Act Countdown to August 2, 2026: A Complete Compliance Guide for Turkish Exporters and GPAI Providers

> Source: https://sukruyusufkaya.com/en/blog/eu-ai-act-2-agustos-2026-turk-ihracatci-gpai-uyum-rehberi
> Updated: 2026-05-27T18:16:03.345Z
> Type: blog
> Category: yapay-zeka
**TLDR:** On August 2, 2026 the European Commission's full enforcement powers under the AI Act take effect: fines up to EUR 35M or 7% of global turnover, GPAI provider obligations, CE marking for high-risk systems, and EU representative designation. The Act applies extraterritorially to every Turkish company placing AI on the EU market — this guide is your end-to-end compliance roadmap.

<tldr data-summary="[&quot;August 2, 2026 is when the European Commission&apos;&apos;s full enforcement powers under the EU AI Act take effect: direct enforcement, penalty, and audit authority over GPAI providers begin.&quot;,&quot;Penalties reach EUR 35M or 7% of global annual turnover — the highest tier applies to prohibited AI uses; the 3% tier applies to GPAI non-compliance.&quot;,&quot;The AI Act is extraterritorial: any Turkish company placing AI on the EU market or whose outputs are used in the EU — regardless of location — falls within scope.&quot;,&quot;Risk classification is four-tiered: prohibited, high-risk, limited-risk, minimal-risk. High-risk systems require CE marking, documentation, and post-market monitoring.&quot;,&quot;Priority actions for Turkish exporters: build an AI inventory, perform risk classification, appoint an EU representative, establish a KVKK + AI Act + ISO 42001 triple-compliance matrix.&quot;]" data-one-line="From August 2, 2026, the EU AI Act extraterritorially binds every Turkish company placing AI on the EU market — compliance is not a legal project but an integrated product-engineering-governance system."></tldr>

## 1. Introduction: Why August 2, 2026 Is the Countdown Date

The EU AI Act is the world's first comprehensive, risk-based horizontal AI law. It entered into force on August 1, 2024 with phased application. **February 2, 2025** brought prohibited AI practices (Article 5) into force. **August 2, 2025** activated the core GPAI provider obligations. And **August 2, 2026** is the critical date when the Commission's **full enforcement authority over GPAI providers** begins, the AI Office's supervisory mechanism is operational, and **compliance obligations for a substantial portion of high-risk systems** start to apply.

<definition-box data-term="EU AI Act (Regulation (EU) 2024/1689)" data-definition="The European Union's horizontal regulation governing artificial intelligence systems based on risk level. It classifies systems into four categories — prohibited, high-risk, limited-risk, and minimal-risk — each with distinct obligations. It entered into force on August 1, 2024 and applies in phases: February 2, 2025 (prohibitions), August 2, 2025 (GPAI core obligations), August 2, 2026 (full enforcement), August 2, 2027 (full high-risk transition)." data-also="AI Act, EU AI Regulation, Regulation (EU) 2024/1689" data-wikidata="Q120650836"></definition-box>

**Why is August 2, 2026 important?** Three reasons. **First**, the AI Office (within the European Commission's DG CNECT) begins to exercise direct fining authority over GPAI providers. **Second**, by this date the **notified bodies** in Member States must be operational and the CE marking process for high-risk systems must be live. **Third**, all Member States must have designated their **national competent authorities (NCAs)** and transposed penalty procedures into national law.

<stat-callout data-value="EUR 35M" data-context="The EU AI Act''s highest fine bracket — for prohibited AI practices under Article 5" data-outcome="can rise to 7% of global annual turnover, with the higher of the two figures applying." data-source="{&quot;label&quot;:&quot;EU AI Act, Article 99&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/99/&quot;,&quot;date&quot;:&quot;2024&quot;}"></stat-callout>

## 2. Legal Anatomy: Structure of Regulation (EU) 2024/1689

The AI Act has 113 articles and 13 annexes. Articles most critical for Turkish companies:

- **Article 2 (Scope).** Extraterritorial application — providers and deployers not established in the EU but placing AI outputs on the EU market.
- **Article 5 (Prohibited Practices).** Social scoring, manipulative AI, real-time remote biometric identification (with narrow exceptions), systems exploiting human vulnerabilities.
- **Article 6 and Annex III (High-Risk Systems).** Biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice and democratic processes.
- **Articles 16-29 (Provider Obligations).** Risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy-robustness-cybersecurity, quality management system.
- **Article 49 (CE Marking).** Mandatory conformity mark for high-risk systems.
- **Articles 51-56 (GPAI Models).** Distinct obligations for general-purpose AI models — documentation, copyright, transparency, systemic risk assessment.
- **Article 99 (Penalties).** EUR 35M / 7% turnover (prohibitions); EUR 15M / 3% turnover (high-risk violations); EUR 7.5M / 1.5% turnover (misleading information).
- **Article 113 (Application Timeline).** February 2, 2025 (prohibitions), August 2, 2025 (GPAI), August 2, 2026 (full enforcement), August 2, 2027 (high-risk transition).

### 2.1. Governance Architecture

The AI Act establishes a four-tier governance structure:

1. **AI Office.** Within the European Commission's DG CNECT — the central authority with direct supervisory and enforcement power over GPAI providers.
2. **AI Board.** Coordination board composed of Member State representatives.
3. **Scientific Panel of Independent Experts.** Advisory on systemic risk assessment for GPAI models.
4. **National Competent Authorities (NCAs).** Designated AI authorities in each Member State — local market surveillance and penalty enforcement.

<callout-box data-variant="info" data-title="Notified Bodies — Practical Importance for Turkish Companies">

For a large portion of high-risk systems, **conformity assessment** is conducted by an independent Notified Body. Turkish companies must work with a notified body accredited within the EU. The NANDO database must list AI-accredited notified bodies by August 2, 2026.

</callout-box>

## 3. Risk Categories: Which System Falls Where?

<comparison-table data-caption="EU AI Act — Four Risk Categories and Obligations" data-headers="[&quot;Category&quot;,&quot;Examples&quot;,&quot;Obligations&quot;,&quot;Applicable From&quot;]" data-rows="[{&quot;feature&quot;:&quot;Prohibited (Article 5)&quot;,&quot;values&quot;:[&quot;Social scoring, manipulative AI, real-time biometric ID, predictive policing&quot;,&quot;Fully prohibited — cannot be placed on or used in the EU market&quot;,&quot;2 Feb 2025&quot;]},{&quot;feature&quot;:&quot;High-Risk (Article 6 + Annex III)&quot;,&quot;values&quot;:[&quot;Employment (CV screening), credit scoring, biometrics, critical infrastructure, exam grading, law enforcement&quot;,&quot;Risk management, data governance, technical documentation, CE marking, post-market monitoring, EU database registration&quot;,&quot;2 Aug 2026 (Annex III), 2 Aug 2027 (product safety linked)&quot;]},{&quot;feature&quot;:&quot;Limited-Risk (Article 50)&quot;,&quot;values&quot;:[&quot;Chatbots, deepfakes, emotion recognition&quot;,&quot;Transparency — user must be notified of AI interaction; deepfakes must be labeled&quot;,&quot;2 Aug 2026&quot;]},{&quot;feature&quot;:&quot;Minimal-Risk&quot;,&quot;values&quot;:[&quot;Spam filters, game AIs, product recommenders&quot;,&quot;No obligations (voluntary codes of conduct encouraged)&quot;,&quot;N/A&quot;]}]"></comparison-table>

### 3.1. The 8 Areas of High-Risk Systems (Annex III)

Annex III defines 8 areas automatically classified as high-risk:

1. **Biometrics.** Remote biometric identification (non-real-time), emotion recognition, biometric categorization.
2. **Critical Infrastructure.** Road traffic, water, gas, heat, electricity supply, digital infrastructure management.
3. **Education and Vocational Training.** Admission, learning outcome assessment, exam proctoring.
4. **Employment, Worker Management, and Self-Employment Access.** Hiring, promotion, termination, task assignment, performance evaluation.
5. **Access to Essential Private and Public Services.** Social benefits, healthcare, credit scoring, life and health insurance pricing, emergency call triage.
6. **Law Enforcement.** Profiling, risk assessment, evidence evaluation.
7. **Migration, Asylum, and Border Control.** Document fraud detection, risk assessment, review of visa / asylum applications.
8. **Justice and Democratic Processes.** Court decision support, systems that may influence elections.

### 3.2. Algorithm to Determine if Your System Is High-Risk

~~~
1. Does your system fall under Article 5 prohibitions?
   → YES: Cannot be placed on the market. Re-architect.
   → NO: Go to 2.

2. Is your system a safety component under EU product legislation (Annex I)?
   (medical device, machinery, toys, automotive, aviation, etc.)
   → YES: High-risk. Article 16+ obligations.
   → NO: Go to 3.

3. Do you fall into any of the 8 areas of Annex III?
   → YES: Go to 4.
   → NO: Limited or minimal-risk. If Article 50 transparency applies, comply.

4. Even if Annex III, can you benefit from Article 6(3) exemption?
   (System performs narrow procedural task, only supports human decision,
    no profiling, anomaly detection only.)
   → YES: Not high-risk, BUT document the exemption in your records.
   → NO: High-risk. All Article 16+ obligations apply.
~~~

## 4. Special Obligations for GPAI (General-Purpose AI) Providers

The AI Act establishes a separate obligation tier for **GPAI models** in Articles 51-56. A GPAI model is **a general-purpose model trained on a wide range of data and capable of competently performing a wide range of distinct downstream tasks** — GPT-5, Claude Opus 4.7, Gemini 3, Llama 4 all fall under this category.

<definition-box data-term="GPAI (General-Purpose AI Model)" data-definition="An AI model trained on broad and diverse data, capable of performing a wide range of generalized tasks, and usable as a foundation for many downstream systems. GPAI models with systemic risk are classified separately, based on training compute (above 10^25 FLOPs) or their market impact." data-also="General-Purpose AI, Foundation Model, GPAI"></definition-box>

### 4.1. Obligations for All GPAI Providers (Article 53)

1. **Technical Documentation (Annex XI).** Model architecture, training data description, training process and evaluation methods.
2. **Information to Downstream Providers (Annex XII).** Model capabilities, limitations, acceptable use policy.
3. **Copyright Policy.** Compliance with EU copyright law (Directive 2019/790), particularly the Article 4(3) opt-out mechanism.
4. **Public Summary of Training Data.** Public summary in the template provided by the AI Office.

### 4.2. Additional Obligations for GPAI Providers with Systemic Risk (Article 55)

Systemic risk threshold: **training compute above 10^25 FLOPs** (GPT-4 class and above). Additional obligations for providers of these models:

1. **Model evaluation** (including red-teaming).
2. **Systemic risk assessment** and mitigation.
3. **Reporting serious incidents to the AI Office.**
4. **Cybersecurity protection.**

### 4.3. GPAI Code of Practice (July 2025)

In July 2025 the European Commission published a **voluntary Code of Practice** for GPAI providers. The code provides concrete interpretation of AI Act obligations — signatory providers (OpenAI, Anthropic, Google, Meta, Mistral, etc.) are presumed compliant with Article 53 obligations.

<callout-box data-variant="info" data-title="Strategy for Turkish GPAI Providers">

Even Turkish national LLM projects with training compute below 10^25 FLOPs (Trendyol Turkcell-Llama, Presidential AI initiative, etc.) are subject to **Article 53 obligations** if they reach the EU market. Being below the systemic risk threshold exempts you from Article 55 — not from Article 53.

</callout-box>

## 5. Penalties and Enforcement: Risk Starting at EUR 35M

<comparison-table data-caption="EU AI Act — Penalty Structure (Article 99)" data-headers="[&quot;Violation Type&quot;,&quot;Maximum Fine&quot;,&quot;Percent of Global Turnover&quot;,&quot;Applied&quot;]" data-rows="[{&quot;feature&quot;:&quot;Article 5 prohibited practices&quot;,&quot;values&quot;:[&quot;EUR 35M&quot;,&quot;7%&quot;,&quot;Whichever is higher&quot;]},{&quot;feature&quot;:&quot;High-risk or GPAI obligation violation&quot;,&quot;values&quot;:[&quot;EUR 15M&quot;,&quot;3%&quot;,&quot;Whichever is higher&quot;]},{&quot;feature&quot;:&quot;Misleading / incomplete information&quot;,&quot;values&quot;:[&quot;EUR 7.5M&quot;,&quot;1.5%&quot;,&quot;Whichever is higher&quot;]},{&quot;feature&quot;:&quot;SMEs — all violations&quot;,&quot;values&quot;:[&quot;Reduced fine&quot;,&quot;Reduced percent&quot;,&quot;Whichever is lower&quot;]}]"></comparison-table>

### 5.1. Factors in Penalty Calculation

Article 99(7) mandates these factors when setting penalties:

1. **Nature, gravity, duration** of the infringement.
2. Penalties imposed by **other market surveillance authorities**.
3. **Size, annual turnover, market share** of provider or deployer.
4. **Mitigation measures** (withdrawal, notification to customers).
5. **Negligence or intent**.
6. **History of repeat infringement**.
7. Level of **cooperation with competent authority**.

### 5.2. Practical Risk Scenario for a Turkish Company

A Turkish automotive supplier with EUR 500M global annual turnover supplies a high-risk AI component (driver-monitoring system) to the EU market. **If technical documentation under Article 16 is incomplete**: maximum fine = min(EUR 15M, 3% x EUR 500M) = min(15M, 15M) = **EUR 15M**. Additionally, the Member State's market surveillance authority can order recall, contracts can be canceled, customer notification becomes mandatory.

<stat-callout data-value="7%" data-context="The EU AI Act''s highest fine tier for prohibited AI practices" data-outcome="is applied against global annual turnover — higher than the 4% ceiling under GDPR." data-source="{&quot;label&quot;:&quot;EU AI Act, Article 99(3)&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/99/&quot;,&quot;date&quot;:&quot;2024&quot;}"></stat-callout>

## 6. Special Position of Turkish Exporters: Extraterritorial Application

Article 2(1)(c) of the AI Act states clearly that the regulation applies to providers and deployers **not established in the EU** if they place AI systems or their **outputs** on the EU market. **In practice, this means nearly every exporting Turkish company is in scope.**

### 6.1. Which Turkish Companies Are in Scope?

- **Manufacturers exporting to the EU** (automotive, white goods, machinery) — if products contain AI or are produced with AI.
- **Tech companies selling SaaS to the EU market.**
- **Companies providing AI-enabled services (consulting, analytics, marketing) to EU customers.**
- **All Turkish companies with an EU subsidiary or sales office.**
- **Companies providing HR / employment services to EU customers** (CV screening, exams, interview AIs).

### 6.2. Turkish Exporting Sectors and AI Act Risk

<comparison-table data-caption="AI Act Risk Profile for Turkish Exporting Sectors" data-headers="[&quot;Sector&quot;,&quot;Typical AI Use&quot;,&quot;Risk Class&quot;,&quot;Practical Action&quot;]" data-rows="[{&quot;feature&quot;:&quot;Automotive (Tofas, Ford Otosan, TOGG)&quot;,&quot;values&quot;:[&quot;Driver monitoring, ADAS, quality control vision&quot;,&quot;High-risk (Annex I product safety)&quot;,&quot;CE marking + technical file + post-market monitoring&quot;]},{&quot;feature&quot;:&quot;White Goods (Arcelik, Vestel, BSH TR)&quot;,&quot;values&quot;:[&quot;Predictive maintenance, IoT AI, production line vision&quot;,&quot;Minimal-to-High (Annex I if applicable)&quot;,&quot;CE marking if linked to Annex I, otherwise limited&quot;]},{&quot;feature&quot;:&quot;Textiles&quot;,&quot;values&quot;:[&quot;Quality control, production planning, customer segmentation&quot;,&quot;Minimal-risk&quot;,&quot;Generally no obligations, Article 50 if applicable&quot;]},{&quot;feature&quot;:&quot;Defense (ASELSAN, ROKETSAN, TUSAS)&quot;,&quot;values&quot;:[&quot;Target recognition, surveillance, autonomous decision&quot;,&quot;Out of AI Act scope (Article 2(3) military exemption)&quot;,&quot;Subject to EU export controls, not AI Act&quot;]},{&quot;feature&quot;:&quot;Finance / Fintech&quot;,&quot;values&quot;:[&quot;Credit scoring, KYC, fraud detection&quot;,&quot;High-risk (Annex III)&quot;,&quot;CE marking + bias monitoring + DPIA&quot;]},{&quot;feature&quot;:&quot;Health Tech&quot;,&quot;values&quot;:[&quot;Medical device AI, imaging analysis&quot;,&quot;High-risk (Annex I MDR + Annex III)&quot;,&quot;MDR + AI Act dual compliance&quot;]}]"></comparison-table>

### 6.3. Mandatory EU Authorized Representative

Article 22 of the AI Act requires **providers of high-risk systems** not established in the EU to designate an EU authorized representative. The representative:

- Maintains technical documentation on behalf of the provider.
- Liaises with market surveillance authorities.
- Shares the declaration of conformity and other documents with authorities.
- Reports serious incidents to authorities.

**Practical note for Turkish companies:** This representation is typically provided by an EU law firm (Brussels, Munich, Amsterdam) or a compliance service company (TUV, DEKRA, Bureau Veritas EU subsidiaries). Annual cost ranges EUR 15,000-50,000.

## 7. KVKK + EU AI Act + ISO 42001 Triple Compliance Matrix

A practical reality for Turkish companies: AI Act alone is not enough. A compliance architecture combining KVKK (if personal data is involved) and ISO/IEC 42001 (the international AI management system standard) is required.

<comparison-table data-caption="KVKK + EU AI Act + ISO 42001 — Obligation Overlaps" data-headers="[&quot;Obligation&quot;,&quot;KVKK&quot;,&quot;EU AI Act&quot;,&quot;ISO 42001&quot;]" data-rows="[{&quot;feature&quot;:&quot;Risk Assessment&quot;,&quot;values&quot;:[&quot;DPIA (Article 5)&quot;,&quot;FRIA + Risk Management System (Articles 9, 27)&quot;,&quot;Risk management process (clause 6.1)&quot;]},{&quot;feature&quot;:&quot;Data Governance&quot;,&quot;values&quot;:[&quot;Data inventory, purpose limitation&quot;,&quot;Article 10 — training/testing/validation data quality&quot;,&quot;Clause 7.5 data management&quot;]},{&quot;feature&quot;:&quot;Documentation&quot;,&quot;values&quot;:[&quot;VERBIS registration&quot;,&quot;Technical documentation (Annex IV)&quot;,&quot;Documented information (clause 7.5)&quot;]},{&quot;feature&quot;:&quot;Human Oversight&quot;,&quot;values&quot;:[&quot;Article 11 — objection to automated decisions&quot;,&quot;Article 14 — human oversight&quot;,&quot;Clause 8.1 — operational control&quot;]},{&quot;feature&quot;:&quot;Incident Management&quot;,&quot;values&quot;:[&quot;Breach notification to VERBIS&quot;,&quot;Article 73 — serious incident reporting&quot;,&quot;Clause 10 — corrective action&quot;]},{&quot;feature&quot;:&quot;Transparency&quot;,&quot;values&quot;:[&quot;Privacy notice&quot;,&quot;Articles 13, 50 — user notification&quot;,&quot;Clause 7.4 — communication&quot;]}]"></comparison-table>

**Practical advice.** First build a data governance foundation grounded in KVKK; on top of it, install the AI Act risk management system; provide a **certified AI management system (AIMS)** via ISO 42001. Together, these three serve as **compliance evidence** for executive management and EU market surveillance.

## 8. Step-by-Step Compliance Roadmap for Turkish Exporters

### Step 1: AI System Inventory (Weeks 1-3)

Inventory **all AI systems** your company uses (in-house, purchased, SaaS). Required columns:

- System name and owner
- Use purpose
- Use geography (EU included?)
- Provider or deployer role
- Training data sources
- Personal data presence (KVKK & GDPR)
- Annex III area applicability

### Step 2: Risk Classification (Weeks 3-5)

For each system, run a scan against Article 5, 6, Annex I, and Annex III. Output: **assigned risk level per system** (prohibited / high-risk / limited-risk / minimal-risk).

### Step 3: Documentation for High-Risk Systems (Weeks 5-12)

For each high-risk system, build the technical file per Annex IV:

1. **Risk management system** (Article 9).
2. **Data and data governance documentation** (Article 10).
3. **Technical documentation** (Article 11 + Annex IV).
4. **Record-keeping / Logging** (Article 12).
5. **Transparency and user information** (Article 13).
6. **Human oversight mechanisms** (Article 14).
7. **Accuracy, robustness, cybersecurity** (Article 15).
8. **Quality management system** (Article 17).

### Step 4: Designate EU Authorized Representative (Weeks 6-8)

Contract with an EU-based authorized representative (Brussels, Munich, Amsterdam typical). Article 22 powers must be explicit in the contract.

### Step 5: CE Marking and Declaration of Conformity (Weeks 10-16)

Conformity assessment for high-risk systems:

- **Internal control** assessment (Annex VI) — most Annex III systems.
- **Notified body** assessment (Annex VII) — biometrics and product-safety-linked systems.

Outcome: CE marking and declaration of conformity. Registration to EUDAMED or AI-Act-specific EU database.

### Step 6: Post-Market Monitoring System (Continuous)

Article 72 — performance, safety, and conformity indicators are continuously monitored after market entry. Article 73 — serious incidents (death, injury, critical infrastructure disruption, fundamental rights violations) must be **reported to the AI Office within 15 days**.

### Step 7: KVKK + AI Act + ISO 42001 Integration (Weeks 12-24)

The triple compliance matrix from the previous section is operationalized.

<callout-box data-variant="tip" data-title="12-Week Accelerated Plan">

For Turkish companies approaching year-end and aiming to meet August 2, 2026, a **12-week parallel-track plan** is feasible: Weeks 1-3 inventory + classification; Weeks 4-9 documentation (3 weeks per high-risk system); Weeks 10-12 EU representative + CE marking submission + post-market monitoring setup.

</callout-box>

## 9. Turkish Company Case Studies (Anonymized)

### Case 1 — Turkish Automotive OEM Supplier: Driver Monitoring System

**Problem.** The company supplies camera-based driver attention monitoring (AI-based fatigue and distraction detection) to EU OEMs. In 2024 it became clear the system falls under AI Act with dual coverage — Annex I (automotive product safety) + Annex III (biometric / emotion recognition boundary).

**Solution.** A 9-month compliance project (November 2024 - July 2025): (1) Risk management system (ISO 14971 + AI Act Article 9 integrated); (2) Annex IV technical documentation — 280 pages; (3) TÜV SÜD (Germany) selected as notified body; (4) Munich law firm appointed as EU representative; (5) Post-market monitoring portal stood up; (6) ISO 42001 AIMS certification pursued in parallel.

**Result.** CE marking obtained in May 2025. Total investment: EUR 1.4M (compliance + consulting + notified body + technical infrastructure). The company became one of the first Turkish automotive suppliers compliant with the EU AI Act — a competitive advantage in new contract negotiations with European OEMs.

### Case 2 — Turkish White Goods Manufacturer: Predictive Maintenance AI

**Problem.** The white goods company offers a "smart fault prediction" feature in products sold to the EU market. Cloud-based, with IoT sensor data from devices feeding cloud AI for fault prediction. In 2025 the question arose whether this is in AI Act scope.

**Solution.** Analysis concluded: (1) The system is **minimal-risk** — not in Annex III; Annex I linkage exists (Low Voltage Directive) but the AI component is not safety-critical (comfort only); (2) Article 50 transparency applied — user informed that the device uses AI for fault prediction; (3) ISO 42001 implemented in parallel as "AI governance maturity" evidence for EU OEM customers.

**Result.** Full CE marking unnecessary (system not high-risk). Total investment: EUR 150,000. Direct positive impact on EU sales — large retailers' question "what is your AI governance policy?" answered with ISO 42001 certificate.

### Case 3 — Turkish SaaS Company: HR AI (CV Screening)

**Problem.** A Turkey-based SaaS company provides CV screening and interview AI to EU customers. This system is automatically high-risk under Annex III(4)(a) — AI for employment.

**Solution.** (1) Company role: Provider; EU customers: Deployers; (2) Authorized representative: an Amsterdam-based subsidiary established for this purpose; (3) Bias monitoring — monthly automated bias tests across gender, age, nationality; (4) Annex IV technical documentation; (5) Mandatory open notification to users (job applicants) per Article 50; (6) Human oversight (Article 14) — final decision always made by a human HR specialist.

**Result.** System obtained CE marking before August 2, 2026. Total investment: EUR 380,000. The company became one of the first Turkish HR-tech SaaS firms able to sell to the EU market.

## 10. Risks and Common Mistakes

<callout-box data-variant="warning" data-title="Common Mistakes of Those Who Miss August 2, 2026">

1. **Assumption: "We're in Turkey, AI Act doesn't apply."** Wrong — extraterritorial. If you place AI outputs on the EU market, you are in scope.
2. **Delayed risk classification.** "Let's code first, look at compliance later" — high-risk systems may need architecture changes, which take months.
3. **Late notified body contact.** Notified body AI accreditation is not complete until August 2, 2026; first applications may face 6-12 month waits.
4. **Treating the EU representative as "a lawyer who signs."** The authorized representative is actually the **first point of contact** for market surveillance — the contract must be serious.
5. **Skipping training data copyright scan.** Article 53(1)(c) requires copyright opt-out compliance. The first EU lawsuits (Stable Diffusion, ChatGPT) will test this article.
6. **Running KVKK compliance as a separate project from AI Act.** Designed together, costs drop 40%; designed separately, conflicting documentation arises.

</callout-box>

### Compliance Cost Estimate

<comparison-table data-caption="AI Act Compliance Cost for Turkish Companies (Annual)" data-headers="[&quot;Item&quot;,&quot;SME (50-250)&quot;,&quot;Mid (250-1500)&quot;,&quot;Large (1500+)&quot;]" data-rows="[{&quot;feature&quot;:&quot;EU representative&quot;,&quot;values&quot;:[&quot;EUR 15-25K&quot;,&quot;EUR 25-40K&quot;,&quot;EUR 40-80K&quot;]},{&quot;feature&quot;:&quot;Technical documentation&quot;,&quot;values&quot;:[&quot;EUR 20-40K&quot;,&quot;EUR 60-150K&quot;,&quot;EUR 200-500K&quot;]},{&quot;feature&quot;:&quot;Notified body assessment&quot;,&quot;values&quot;:[&quot;EUR 25-50K&quot;,&quot;EUR 50-150K&quot;,&quot;EUR 150-400K&quot;]},{&quot;feature&quot;:&quot;Post-market monitoring infra&quot;,&quot;values&quot;:[&quot;EUR 10-30K&quot;,&quot;EUR 30-80K&quot;,&quot;EUR 100-300K&quot;]},{&quot;feature&quot;:&quot;ISO 42001 certification&quot;,&quot;values&quot;:[&quot;EUR 15-30K&quot;,&quot;EUR 30-60K&quot;,&quot;EUR 60-150K&quot;]},{&quot;feature&quot;:&quot;Internal team + external consultant&quot;,&quot;values&quot;:[&quot;EUR 50-100K&quot;,&quot;EUR 150-400K&quot;,&quot;EUR 500K-2M&quot;]},{&quot;feature&quot;:&quot;TOTAL ANNUAL&quot;,&quot;values&quot;:[&quot;EUR 135-275K&quot;,&quot;EUR 345-880K&quot;,&quot;EUR 1.05M-3.43M&quot;]}]"></comparison-table>

## 11. Frequently Asked Questions

<callout-box data-variant="answer" data-title="As a Turkey-based company subject to AI Act — can I ignore KVKK?">

Absolutely not. KVKK and AI Act are complementary — one protects personal data, the other secures AI systems. A high-risk AI system processing personal data (CV screening, credit scoring, biometrics) is **subject to both regimes simultaneously**. KVKK Board's March 2026 Agentic AI guidance explicitly states alignment with the AI Act.

</callout-box>

<callout-box data-variant="answer" data-title="I only have 10 EU customers — am I still in scope?">

Yes. The AI Act has no minimum customer threshold. Placing AI output on the EU market for even one EU customer triggers Article 16+ or Article 50+ obligations depending on risk category. SMEs get reduced fines (Article 99(8)) but no obligation exemption.

</callout-box>

<callout-box data-variant="answer" data-title="My system is not high-risk — do I need to do nothing?">

Not entirely. Limited-risk systems have **Article 50 transparency obligations**: chatbot users must know they're interacting with AI; deepfakes must be labeled; emotion recognition use must be disclosed. Minimal-risk has no obligations but voluntary codes are encouraged.

</callout-box>

<callout-box data-variant="answer" data-title="What is the systemic risk threshold for GPAI?">

Training compute above 10^25 FLOPs — Article 51(1) and Annex XIII. The Commission can update this via delegated act. As of 2026, GPT-4, GPT-5, Claude Opus 4.7, Gemini 3 Ultra, Llama 4 405B sit above; smaller models (Claude Haiku, GPT-4o-mini, Llama 4 70B) sit below.

</callout-box>

<callout-box data-variant="answer" data-title="Is ISO 42001 certification mandatory?">

No, the AI Act doesn't mandate ISO 42001. But it offers a natural compliance framework for the Article 17 quality management system obligation — particularly to structure Annex IV technical documentation. Notified bodies and EU customers increasingly treat ISO 42001 as **compliance evidence**.

</callout-box>

<callout-box data-variant="answer" data-title="What do I do about training data copyright?">

Article 53(1)(c) — comply with EU copyright law (Directive 2019/790). Practically: respect the Article 4(3) opt-out for text and data mining (TDM). If a rights holder has indicated via robots.txt or other machine-readable means "no TDM", you must not train on that data. You must also publish a **public summary of the training dataset** in the AI Office template.

</callout-box>

<callout-box data-variant="answer" data-title="How do I choose a notified body?">

The NANDO database (European Commission) lists notified bodies accredited for the AI Act. As of 2026 the strongest candidates: TÜV SÜD (Germany), TÜV Rheinland (Germany), Bureau Veritas (France), DEKRA (Germany), DNV (Norway). Selection criteria: sector expertise, language support, price, references.

</callout-box>

<callout-box data-variant="answer" data-title="What happens if I miss August 2, 2026?">

Direct penalty risk is high. When market surveillance authorities identify a non-compliant company placing AI on the EU market they can: (1) Order recall; (2) Impose Article 99 penalties; (3) Notify EU border control authorities for export bans. Worst case for Turkish companies: products stuck at customs, customer contracts canceled.

</callout-box>

## 11.9. Stakeholder Communication: Board, Customers, Investors

AI Act compliance is not just a problem for the compliance team / DPO / CISO — it is a **company-wide strategic concern**.

### Board Presentation Framework

When presenting AI Act to the Board, cover 7 points:

1. **Exposure analysis.** Where and how big is the company's AI exposure to the EU market.
2. **Risk score matrix.** Top 5 most at-risk AI systems in a table.
3. **Penalty model.** Current 3% and 7% of turnover converted to EUR; comparison.
4. **Compliance investment.** Annual budget estimate (compliance system + consultant + certification).
5. **Market opportunity.** The potential to win new EU contracts by being compliant.
6. **Timeline.** Final state before August 2, 2026.
7. **Board decision.** Risk Committee appointment, resource allocation, executive accountability.

### Customer Communication

Compliance can also be a marketing tool:

- **Compliance Statement** on your website, in contracts, in RFP answers.
- **Certification display.** CE marking, ISO 42001 certificate, EU representative information.
- **Transparency Report.** Publish your AI systems' compliance status annually.
- **DPA updates.** Reflect AI Act clauses in DPAs with customers.

### Investor Communication

Listed Turkish companies that export to the EU are starting to disclose **AI Act exposure** and **compliance status** in their financial reports. From 2026 onward:
- A separate section in the annual activity report
- Cost/penalty estimates in the risk factors section
- AI ethics policy in sustainability reporting

VC-backed companies have begun seeing AI Act compliance asked about in **due diligence for new rounds**. Investors ask for:
- DPIA files
- Penalty exposure calculation
- AI inventory

## 12. Next Steps: 12-Week Compliance Roadmap

To complete EU AI Act compliance or assess the current state:

1. **AI Act Gap Analysis Workshop (2 weeks).** AI system inventory, Annex III scan, risk classification, gap list. Output: prioritized compliance roadmap.
2. **High-Risk System Documentation Sprint (6-8 weeks).** Annex IV technical file per high-risk system. KVKK + AI Act dual-compliant DPIA/FRIA + risk management system.
3. **EU Representative & Notified Body Matching (2-4 weeks).** Sector-appropriate EU representative and notified body contact and contract negotiation.
4. **Post-Market Monitoring System Setup (3 weeks).** Article 72-73 compliant incident reporting, performance monitoring, serious incident notification infrastructure.
5. **ISO 42001 + KVKK + AI Act Integrated Governance (Continuous).** Integration of all three frameworks into a single AI management system (AIMS).

Reach out via the contact form on the site.

<references-list data-items="[{&quot;title&quot;:&quot;Regulation (EU) 2024/1689 — Artificial Intelligence Act&quot;,&quot;url&quot;:&quot;https://eur-lex.europa.eu/eli/reg/2024/1689/oj&quot;,&quot;author&quot;:&quot;European Parliament &amp; Council&quot;,&quot;publishedAt&quot;:&quot;2024-07-12&quot;,&quot;publisher&quot;:&quot;EUR-Lex&quot;},{&quot;title&quot;:&quot;EU AI Act Official Site (artificialintelligenceact.eu)&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/&quot;,&quot;author&quot;:&quot;Future of Life Institute&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;FLI&quot;},{&quot;title&quot;:&quot;AI Act Article 99 — Penalties&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/99/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Annex III — High-Risk AI Systems&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/annex/3/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Office (European Commission, DG CNECT)&quot;,&quot;url&quot;:&quot;https://digital-strategy.ec.europa.eu/en/policies/ai-office&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;GPAI Code of Practice (July 2025)&quot;,&quot;url&quot;:&quot;https://digital-strategy.ec.europa.eu/en/library/general-purpose-ai-code-practice&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2025-07&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Timeline of Application&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/implementation-timeline/&quot;,&quot;author&quot;:&quot;FLI&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;FLI&quot;},{&quot;title&quot;:&quot;NANDO — Notified Bodies Database&quot;,&quot;url&quot;:&quot;https://ec.europa.eu/growth/tools-databases/nando/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;Kennedys Law — EU AI Act Compliance for Non-EU Providers&quot;,&quot;url&quot;:&quot;https://kennedyslaw.com/en/thought-leadership/article/2024/eu-ai-act-compliance-non-eu-providers/&quot;,&quot;author&quot;:&quot;Kennedys Law&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;Kennedys&quot;},{&quot;title&quot;:&quot;Legiscope — AI Act Compliance Guide&quot;,&quot;url&quot;:&quot;https://legiscope.com/ai-act&quot;,&quot;author&quot;:&quot;Legiscope&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;Legiscope&quot;},{&quot;title&quot;:&quot;ISO/IEC 42001:2023 — AI Management System&quot;,&quot;url&quot;:&quot;https://www.iso.org/standard/81230.html&quot;,&quot;author&quot;:&quot;ISO&quot;,&quot;publishedAt&quot;:&quot;2023-12&quot;,&quot;publisher&quot;:&quot;ISO&quot;},{&quot;title&quot;:&quot;KVKK — Law No. 6698 (Republic of Türkiye)&quot;,&quot;url&quot;:&quot;https://www.kvkk.gov.tr/&quot;,&quot;author&quot;:&quot;Republic of Türkiye - KVKK&quot;,&quot;publishedAt&quot;:&quot;2016-04-07&quot;,&quot;publisher&quot;:&quot;Türkiye&quot;},{&quot;title&quot;:&quot;EDPB Guidelines on Article 22 GDPR&quot;,&quot;url&quot;:&quot;https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en&quot;,&quot;author&quot;:&quot;EDPB&quot;,&quot;publishedAt&quot;:&quot;2020&quot;,&quot;publisher&quot;:&quot;EDPB&quot;},{&quot;title&quot;:&quot;AI Act Article 2 — Scope and Extraterritorial Application&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/2/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Article 22 — Authorised Representatives&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/22/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Article 51 — Classification of GPAI with Systemic Risk&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/51/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Article 53 — Obligations for Providers of GPAI Models&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/53/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Article 55 — Obligations for Providers of GPAI with Systemic Risk&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/55/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Article 73 — Reporting of Serious Incidents&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/article/73/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;AI Act Annex IV — Technical Documentation&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/annex/4/&quot;,&quot;author&quot;:&quot;European Commission&quot;,&quot;publishedAt&quot;:&quot;2024&quot;,&quot;publisher&quot;:&quot;EU&quot;},{&quot;title&quot;:&quot;Directive (EU) 2019/790 — Copyright in the Digital Single Market&quot;,&quot;url&quot;:&quot;https://eur-lex.europa.eu/eli/dir/2019/790/oj&quot;,&quot;author&quot;:&quot;European Parliament &amp; Council&quot;,&quot;publishedAt&quot;:&quot;2019-04-17&quot;,&quot;publisher&quot;:&quot;EUR-Lex&quot;},{&quot;title&quot;:&quot;Turkish Exporters Assembly (TIM) — EU Market Data&quot;,&quot;url&quot;:&quot;https://www.tim.org.tr/&quot;,&quot;author&quot;:&quot;TIM&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;TIM&quot;},{&quot;title&quot;:&quot;TÜV SÜD — AI Certification&quot;,&quot;url&quot;:&quot;https://www.tuvsud.com/en/services/auditing-and-system-certification/iso-iec-42001&quot;,&quot;author&quot;:&quot;TÜV SÜD&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;TÜV SÜD&quot;},{&quot;title&quot;:&quot;DEKRA — AI Compliance Services&quot;,&quot;url&quot;:&quot;https://www.dekra.com/en/artificial-intelligence/&quot;,&quot;author&quot;:&quot;DEKRA&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;DEKRA&quot;},{&quot;title&quot;:&quot;BSI Group — AI Act Readiness&quot;,&quot;url&quot;:&quot;https://www.bsigroup.com/en-GB/insights-and-media/insights/blogs/eu-ai-act-readiness/&quot;,&quot;author&quot;:&quot;BSI&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;BSI&quot;},{&quot;title&quot;:&quot;PwC EU AI Act Compliance Roadmap&quot;,&quot;url&quot;:&quot;https://www.pwc.com/eu/ai-act/&quot;,&quot;author&quot;:&quot;PwC&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;PwC&quot;},{&quot;title&quot;:&quot;Deloitte AI Act Implementation Guide&quot;,&quot;url&quot;:&quot;https://www2.deloitte.com/eu-ai-act&quot;,&quot;author&quot;:&quot;Deloitte&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;Deloitte&quot;},{&quot;title&quot;:&quot;KPMG Turkey — AI &amp; Compliance&quot;,&quot;url&quot;:&quot;https://kpmg.com/tr/tr/home.html&quot;,&quot;author&quot;:&quot;KPMG TR&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;KPMG&quot;},{&quot;title&quot;:&quot;Mondaq Turkey — AI Act Articles&quot;,&quot;url&quot;:&quot;https://www.mondaq.com/turkey/new-technology&quot;,&quot;author&quot;:&quot;Mondaq&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;Mondaq&quot;},{&quot;title&quot;:&quot;Future of Life Institute — AI Act Resources&quot;,&quot;url&quot;:&quot;https://artificialintelligenceact.eu/&quot;,&quot;author&quot;:&quot;FLI&quot;,&quot;publishedAt&quot;:&quot;2025&quot;,&quot;publisher&quot;:&quot;FLI&quot;}]"></references-list>

---

This is a living document; the EU AI Act ecosystem (delegated acts, GPAI Code of Practice updates, notified body accreditation) shifts every quarter, so it is **updated quarterly**.

### Closing: AI Act Compliance as a Strategic Advantage

EU AI Act compliance is not just a cost line; it is a **strategic competitive advantage**. Compliant Turkish companies:

1. Position **ahead of other Turkish competitors** in the EU market.
2. Earn **automatic shortlist** placement in EU institutional RFP processes (banks, governments, universities).
3. Are evaluated as a **maturity indicator** by investors.
4. Gain marketing advantage with "Trustworthy AI" branding.
5. Build an **internal AI governance culture** that prepares for future regulations (including the Turkish AI Law).

August 2, 2026 is not a deferrable date. Turkish companies that **start now** will define their EU market position in 2027-2028.

### Additional Resources and Communities

Communities and resources Turkish companies can use for AI Act compliance support:

- **TÜBİSAD AI Committee.** Within the Turkish IT Association.
- **TOBB AI Working Group.** Sectoral collaboration.
- **TÜRKAK accredited bodies.** ISO 42001 certification.
- **KVKK Academy.** DPO and compliance team training.
- **IAPP Turkey Chapter.** Community on international standards.
- **EU Commission Türkiye Delegation.** Reference for AI Act interpretation queries.

Leading AI Act consulting firms in Türkiye: KPMG Türkiye, PwC Türkiye, Deloitte Türkiye, EY Türkiye, BSI Türkiye, TÜV Türkiye, TÜV SÜD Türkiye.