# The EU AI Act and the Digital Omnibus: High-Risk Deferral and GPAI Enforcement (July 2026)

> Source: https://sukruyusufkaya.com/en/blog/eu-ai-act-digital-omnibus-2026-erteleme
> Updated: 2026-07-15T04:45:33.854Z
> Type: blog
> Category: yapay-zeka
**TLDR:** The Digital Omnibus defers high-risk AI obligations to December 2027, but GPAI enforcement starts on 2 August 2026. Here is what changed for Turkish companies.

**TL;DR —** With the regulatory package known as the Digital Omnibus, the most feared part of the EU AI Act — the obligations for high-risk systems — has been deferred from 2 August 2026 to 2 December 2027. But this "relief" is not the general grace period many people assume it to be. Obligations for general-purpose AI models (GPAI) have already been in force since 2 August 2025, and the European Commission's power to actually enforce them and issue fines kicks in on 2 August 2026. Transparency rules start on the same date. For companies in Turkey that sell products or services into the EU, the picture is clear: there is breathing room for high-risk, but none for GPAI and transparency. On top of that, the cross-border data transfer risk on the KVKK side already concerns you regardless of this whole timeline. In this article I explain, from my observations in the field, what was deferred, what was not, and what you concretely need to do in the coming months.

Over the last few weeks, the sentence I have heard most often in the field is this: "Şükrü, since the AI Act has been postponed, let's shelve our project for a year." Every time I hear it, something in me aches a little, because this is a textbook example of how a half-read news headline can misdirect a major corporate decision. What has been deferred is very specific. What has not been deferred covers precisely the systems that many Turkish companies actually use today. So let's set up this distinction from the very beginning, calmly.

## What exactly did the Digital Omnibus change?

Let me clarify one thing first. The EU AI Act is the European Union's first major framework law that regulates artificial intelligence horizontally — that is, in a sector-independent way. It arrives with a phased entry-into-force timeline: prohibited practices come first, then GPAI, then high-risk systems. The target date for the text to become fully applicable was 2 August 2026, with certain exceptions.

In the spring of 2026, EU institutions reached a compromise on a regulatory package referred to as the "Digital Omnibus." The provisional agreement that reached the public was announced on 7 May 2026. The most critical change here is this: **the compliance date for high-risk systems under Annex III has been deferred from 2 August 2026 to 2 December 2027.** In other words, for the category that requires companies to produce the most obligations, the most documents, and the most technical files, the timeline has been pushed roughly sixteen months forward.

But there are two fine details here, and I would not advise you to take seriously any commentary that skips them:

1. **AI embedded in regulated products under Annex I** — that is, AI inside products already subject to their own sectoral legislation, such as medical devices, machinery, and vehicles — has a compliance date of 2 August 2028. This is a separate line and must not be confused with the others.
2. **The provisional agreement is not yet final.** For the package to produce full legal effect, it must be formally adopted and published in the Official Journal of the European Union. So today we have a strong political direction, but not a finalized text. You should plan accordingly, leaving some room for flexibility.

> I recommend you read the deferral not as an "amnesty" but as a "preparation window." Sixteen months is not generous for setting up technical documentation, the risk management system, and human oversight processes; it is just about enough.

## What was NOT deferred? This is the real issue

Now we come to the part that most news coverage ignores. The Digital Omnibus pushed back the high-risk timeline, but the following three items remain on the table, and two of them point directly to the summer of 2026:

**First, GPAI — general-purpose AI models.** The obligations for these have been in force since 2 August 2025. In other words, they have been technically valid for more than a year. What is changing is enforcement: **from 2 August 2026, the European Commission's enforcement powers come into effect.** The Commission will actually enforce GPAI obligations and issue fines where necessary. So the era of "there were rules but no one enforcing them" is ending.

**Second, transparency rules.** The AI Act's provisions on transparency take effect in August 2026. This means a user should know they are interacting with an AI, and synthetic content (deepfakes, AI-generated images/text) should be labeled — items that look simple on the surface but in practice concern many customer service bots, marketing content pieces, and chatbot interfaces.

**Third, compliance for GPAI models already on the market.** For providers of GPAI models placed on the market before 2 August 2025, the final compliance date is 2 August 2027. So there is a closing date even for "old" models; there is no open-ended exemption.

Read these three together and the picture that emerges is this: if your business is mostly about building an application on top of ready-made large language models — which is exactly what the overwhelming majority of companies in Turkey do — the date that concerns you is not 2 December 2027 but 2 August 2026.

## The corrected timeline: at a glance

I recommend keeping the table below as a reference to clear up the confusion in your head. Don't try to memorize the dates; identify which category you fall into and focus on the relevant row.

| Date | What happens? | Who does it concern? |
| --- | --- | --- |
| 2 August 2025 | GPAI (general-purpose model) obligations entered into force | Model providers; indirectly, those who use models |
| 2 August 2026 | Commission's enforcement powers begin; GPAI fines become applicable; transparency rules in force | GPAI providers, chatbot/assistant developers, synthetic content producers |
| 2 August 2027 | GPAI models placed on the market before 2 August 2025 must comply | "Legacy" model providers |
| 2 December 2027 | Annex III high-risk system obligations (deferred date) | Companies developing/using high-risk AI |
| 2 August 2028 | AI embedded in Annex I regulated products must comply | Medical device, machinery, vehicle manufacturers |

Looking at this table, the thing that escapes most executives' notice is this: it is not the case that "nothing happens" between 2026 and 2027. On the contrary, 2 August 2026 is the real milestone for many practical applications.

## What do "high-risk" and "GPAI" mean in practice?

These are the two most misunderstood concepts in the field. Let me try to explain them not in the language of the legal text, but in the language of your business.

### High-risk systems

The AI Act treats certain use areas as high-risk by their very nature. The Annex III list enumerates them. In practice, the examples I encounter most are:

- **Recruitment and HR:** systems that screen CVs, rank candidates, and evaluate performance. An automated candidate-screening tool used by the HR team of a growing company in Turkey may fall within scope if it works for a subsidiary or client in the EU.
- **Credit and financial scoring:** systems that determine individuals' creditworthiness.
- **Education:** tools that grade exams and decide student admission.
- **Critical infrastructure, biometric identification, law enforcement, migration** and similar predominantly public-sector areas.

If you are deemed high-risk, what is asked of you is serious: a risk management system, data governance, technical documentation, record-keeping (logging), human oversight, accuracy and cybersecurity, conformity assessment. This heavy package is exactly what has been deferred to 2 December 2027.

### GPAI: general-purpose AI models

GPAI refers to large models that can be adapted not to a specific task but to a wide variety of tasks — the large language models we all know today are the typical example. There are two different roles here, and not confusing them is vital:

- If you are a **model provider** (you train your own foundation model and place it on the market), GPAI obligations fall directly on you: technical documentation, copyright policy, publishing a summary of training data, and so on.
- If you are a **model user / application developer** (you take the API of a ready-made model and build your own product on top of it), the GPAI provider obligations do not fall directly on you, but you depend on the documentation the provider gives you, and your own application may fall within the scope of transparency or high-risk.

> The typical scenario in Turkey is this: a company uses the API of a US-based model and builds a customer service assistant or document summarizer on top of it. This company is not a "model provider," but it may face the transparency obligation (the user must know they are talking to an AI) and, if the use area falls under Annex III, high-risk obligations.

## Why does it concern companies in Turkey? The extraterritorial effect

I want to be very clear here, because the thought "we are a Turkish company, EU law does not bind us" is one of the most expensive misconceptions I see in the field. Like the GDPR, the AI Act has an **extraterritorial** effect — one that reaches beyond national borders. Simply put: what determines your position is not where you are established, but whether your output is used in the EU.

Let's make it concrete. If you are in any of the following situations, the AI Act concerns you:

- You offer an AI-enabled product/service to customers or users in the EU.
- Your system's output is used within the EU (for example, a subsidiary, dealer, or customer of yours in the EU incorporates your AI output into their work).
- You supply an AI component in the supply chain of an EU company — which is the most common situation for exporting Turkish companies.

Considering how intertwined the Turkish economy is with the EU, it becomes clear how broad this scope is. Automotive components, textiles, machinery, software service exports, call centers, and BPO services... Almost all of these sectors already have an AI component today, or one is on the way. If you are a Turkish company that sells products or services to the EU, the AI Act is not "a distant European matter" for you but a compliance requirement that will soon enter your contracts.

## The KVKK dimension: the deferral does not save you here

Now I come to a point that is often skipped but that I insist on underlining in my consultancy work. Whatever the AI Act timeline is, if you operate in Turkey, the KVKK (the Turkish Personal Data Protection Law) already binds you today, and your use of AI falls directly within KVKK's scope.

In November 2025, KVKK published a document titled **"Generative Artificial Intelligence and the Protection of Personal Data Guide (15 Questions)."** This guide addresses the most common practical questions of organizations using generative AI and draws a clear direction for the field. One of the most critical messages here is this: **using an AI system hosted outside Turkey may be considered a transfer of data abroad under KVKK.**

Let me unpack what this means. Suppose one of your employees pastes a text containing customer names, contract details, or personal data into an AI tool whose servers are located abroad, and asks for a summary. This seemingly innocent operation may be evaluated under KVKK's cross-border data transfer regime, and if there is no appropriate legal basis (explicit consent, appropriate safeguards, exception conditions), it may give rise to a violation.

KVKK's administrative fine range for 2026 is also not to be underestimated: **roughly between 85,437 TL and 17,092,242 TL.** In other words, long before the AI Act even reaches the enforcement stage, there is a risk on the KVKK side to which you are actually exposed today.

> The most common mistake I see in practice is this: when companies heard about the AI Act deferral, they froze all their AI compliance work. But the KVKK risk was never deferred. Even if the EU gives you 2027, KVKK does not even give you 2026 — it is in force now.

For this reason, I recommend separating the two fronts from each other. One front is AI Act compliance (EU-focused, phased timeline), the other is KVKK compliance (Turkey-focused, in force today). Putting both into a single "AI legislation" bag and deferring them makes the KVKK risk invisible.

## What should a Turkish exporter do today? Concrete steps

That's enough theory. Now let me share the practical roadmap I apply in the field and give to my clients. I have ordered these by priority.

### 1. Build an inventory: where, which AI, with what data?

The first step of compliance is always visibility. Build an inventory of all the AI systems used in your company. For each row, note the following:

- Which department uses it?
- Whose model is it, where is it hosted (inside Turkey or outside)?
- What data is processed, does it contain personal data?
- Is the output used in the EU?
- Does the use area fall under Annex III (high-risk)?

Any compliance conversation held without producing this inventory remains up in the air. Most companies realize for the first time at this step that there are many shadow AI tools that are not officially "approved" but that teams use daily.

### 2. Determine your role: provider or user?

For each system, clarify your role under the AI Act. Are you training your own model (provider) or using a ready-made model (user/deployer)? This distinction directly determines the weight of the obligations that fall on you.

### 3. Prepare for August 2026 for transparency

This is the nearest concrete date. Make sure your users clearly know they are interacting with an AI. Add clear notices to your chatbot interfaces. Label the images/videos/text you produce with AI. This is technically one of the easiest but most overlooked steps.

### 4. Perform a KVKK cross-border transfer check

Map the data flows going to AI tools hosted abroad. Document the legal basis for flows containing personal data. If necessary, write a clear "AI usage policy" for employees: which types of data can be entered into which tools, and which are prohibited. Make KVKK's 15-question guide the backbone of this policy.

### 5. If you are in the high-risk category, don't spend 2027 waiting

The deferral gave you a preparation window, not an excuse to sit idle. Setting up a risk management system, technical documentation, and human oversight processes takes months. If you are targeting the end of 2027, you must start working in 2026.

### 6. Review your contracts

Your EU customers will soon begin asking you for contractual commitments regarding AI Act compliance. Clauses on AI-related liability, documentation, and disclosure will enter your supplier contracts. Whoever prepares for this proactively gets ahead of the competitor who is late.

## Compliance checklist

You can use the list below as a self-audit tool. Mark each item as "yes / no / partial"; the "no" and "partial" ones are your work list for the coming quarter.

- [ ] There is an up-to-date inventory of all AI systems in the company.
- [ ] Our AI Act role (provider/user) has been determined for each system.
- [ ] It has been established which systems' output is used in the EU.
- [ ] Uses falling under Annex III (high-risk) have been flagged.
- [ ] Chatbots and assistants have a transparency notice (ready for August 2026).
- [ ] Content produced with AI is being labeled.
- [ ] Personal data flows going to AI tools hosted abroad have been mapped.
- [ ] The legal basis for KVKK cross-border transfer has been documented.
- [ ] A written AI usage policy for employees is in force.
- [ ] There is a process to detect shadow AI usage.
- [ ] EU customer contracts have been reviewed for AI compliance clauses.
- [ ] If we are in the high-risk scope, a project plan and budget for 2027 have been allocated.

## Common mistakes

Here are the traps I see again and again in the field and want to warn you about:

**Mistake 1: "It's been deferred, so we can stop."** This is exactly what I have been trying to explain from the start of this article. Only high-risk was deferred. GPAI enforcement and transparency are in 2026. KVKK is already today.

**Mistake 2: Putting the AI Act and KVKK in a single bag.** These are different authorities, different timelines, different sanctions. Deferring one does not defer the other.

**Mistake 3: Thinking "we are a Turkish company, the EU does not bind us."** The extraterritorial effect is real. If your output is used in the EU, you are in scope.

**Mistake 4: Ignoring shadow AI.** Teams may be entering sensitive data into tools abroad without your knowledge. You cannot manage risk without building an inventory.

**Mistake 5: Mistaking the provisional agreement for settled law.** The Digital Omnibus has not yet been published in the Official Journal and finalized. The direction is clear, but details may change; leave a margin of flexibility in your plan.

**Mistake 6: Treating transparency as a technical detail and deferring it.** In fact, the cheapest, fastest win is in transparency. Adding a notice line takes hours; the cost of a violation is much higher.

## Looking ahead: a reading for the next twelve months

Today is 14 July 2026. Looking at the timeline ahead, the picture I draw for my clients is this:

**This summer (August 2026):** Transparency rules and GPAI enforcement powers come into effect. If you do chatbots, assistants, or content generation, have your transparency notices and provider documentation ready by this date. This is the most urgent and nearest job.

**Autumn-winter 2026:** Follow the publication of the final version of the Digital Omnibus in the Official Journal. The dates in the provisional agreement will most likely be preserved, but there may be fine adjustments in the definitions and exceptions in the final text. Reading this text line by line with a legal or compliance advisor will solidify your 2027 plan.

**Throughout 2027:** If you are in the high-risk scope, your work on the risk management system and technical documentation should be in full swing. 2 August 2027 is also a threshold for legacy GPAI models. You need to have completed the high-risk package by 2 December 2027.

On the KVKK front, meanwhile, the timeline is not waiting: cross-border transfer discipline, employee policies, and the data inventory should be on your agenda starting today. I usually say this: the deferral the EU has given you is actually a gift for you to finish your domestic homework in Turkey. Use that window to solidify your KVKK compliance, so that when the AI Act fully enters into force, you are ready on both sides.

One final observation: all of these regulations are in motion. Dates, definitions, and exceptions can change. My advice is to set up compliance not as a one-time project but as a living process reviewed quarterly. Keep your inventory current, include each newly adopted AI tool in the process, and translate every new step in the legislation into your own use scenario. As far as I can see in the field, the winning companies are not the ones that achieve perfect compliance from day one; they are the ones that move at a disciplined, regular, and realistic pace.
