# EU AI Act Digital Omnibus 2026: GPAI Amendments and the 2 August Reality for Turkish Companies

> Source: https://sukruyusufkaya.com/en/blog/eu-ai-act-digital-omnibus-2026-gpai-turkiye
> Updated: 2026-07-02T22:22:55.342Z
> Type: blog
> Category: yapay-zeka

**TLDR:** How the Digital Omnibus changed the EU AI Act, what the 2 August 2026 GPAI enforcement brings, and what Turkish companies touching the EU market should do in 60 days.

**TL;DR —** On 7 May 2026 the European Union reached the "Digital Omnibus" agreement, its first comprehensive revision of the EU AI Act. The changes cluster around three axes: timeline relief for some obligations, targeted simplification for high-risk systems, and a centralization of supervisory power at the EU level for general-purpose AI (GPAI) models. Yet 2 August 2026 remains a hard deadline: on that day the Commission's enforcement powers against GPAI providers — requests for information, model access, recalls and fines — enter into application. Any company in Türkiye that touches the EU market with a model, product or service needs to read this landscape today. In this piece I explain what changed, what stayed fixed, and what Turkish companies should do in the next 60 days — from the perspective of someone who actually deploys models in the field.

## Why I Am Writing This Now

In the last three weeks, four different companies I advise asked me almost the same question: "Did the EU loosen the law or tighten it? Should we pause the project or accelerate?" The confusion is understandable, because headlines say both "the EU backed down" and "fines start in August." Both are partly true and both are incomplete.

The reality: **the Digital Omnibus is not a retreat, it is a rebalancing.** The EU relaxed some timelines and reduced bureaucratic load to improve enforceability; but in the GPAI regime — the heart of supervision — it did the opposite, centralizing and strengthening authority. So both the company that relaxes ("it got easier") and the one that postpones ("everything is delayed") are mistaken.

I approach this not like a compliance lawyer but as an engineer-consultant who deploys models and builds the bridge between KVKK and the AI Act. My aim is not to make you memorize articles; it is to give you a mental map you can make decisions with.

## What Exactly the Digital Omnibus Changed

On 7 May 2026 the Council, Parliament and Commission negotiators reached a provisional agreement — the first substantive amendment package to the AI Act since its June 2024 adoption. I summarize it under three headings.

**1. Timeline relief.** Compliance dates for some technical obligations of high-risk systems were pushed out. The logic: harmonised standards and support tools are not yet ready. The EU accepted that punishing companies for not meeting a rule while failing to provide the technical reference to meet it would be unfair. This gives companies breathing room but is not a trick — the obligation does not disappear, it merely starts later.

**2. Targeted simplification.** Documentation and registration burdens were lightened, especially for SMEs and low-risk use cases. Some repetitive notification processes were collapsed into a single record. This trims what we call "compliance theater" — bureaucracy that reduces no real risk but consumes hours of labor.

**3. Centralization of GPAI supervision.** This is the truly critical change. The Digital Omnibus clarified and consolidated supervisory authority for AI systems based on GPAI models at the EU level. The AI Office now has exclusive competence where the model and the system are developed by the same provider (or providers within the same undertaking). The uncertainty of "which national regulator is watching me?" shrinks; large model providers are directly on Brussels' radar.

> If I compress it to one sentence: the EU lightened the peripheral bureaucracy while tightening the central supervision. It opened space for the small player and pulled the large model provider directly to its own desk.

## 2 August 2026: The Red Line That Did Not Move

Despite the relief the Digital Omnibus brought, one date stands firm: **2 August 2026.** On this date the Commission's enforcement powers over GPAI providers enter into application.

Let me clarify with a short chronology:

| Date | What Happens |
|---|---|
| 2 Feb 2025 | Prohibited practices (unacceptable risk) in force |
| 2 Aug 2025 | GPAI model rules in force (obligations begin) |
| 2 Aug 2026 | Commission's **enforcement powers** apply (including fines) |
| 2 Aug 2027 | GPAI models placed on the market before 2 Aug 2025 must also fully comply |

The subtlety: GPAI obligations actually began in August 2025, but the Commission granted providers a 12-month "soft" window to work with the AI Office. That window closes on 2 August 2026. Requests for information, model access and, where necessary, recall powers become active from that date.

The penalty ceilings are high enough to act as a deterrent: up to 7% of global turnover for prohibited practices, up to 3% for other breaches, and up to 1% for supplying incorrect or incomplete information. These figures dwarf KVKK's administrative fines and, being turnover-based, can reach millions of euros for large firms.

## What GPAI Is and Why It Concerns Turkish Companies

I hear the question a lot: "We don't build large language models, why should this concern us?" The answer has two layers.

**First layer — value-chain responsibility.** The AI Act assigns a role to every actor in the chain: provider, deployer, importer, authorized representative. If you use a GPAI model to offer a product/service in the EU market, certain transparency and human-oversight obligations fall on you as a "deployer." You may not have trained the model, but if you embed it in a system and sell it into the EU, you are a link in the chain.

**Second layer — the exporter reality.** Türkiye has a production and services economy deeply integrated with the EU. From automotive supply to software outsourcing, from e-commerce to fintech, many companies sell directly or indirectly to EU customers. The AI Act's extraterritorial effect kicks in precisely here: if the system's output is used in the EU, the law can apply even if the provider is in Türkiye.

So the question is not "do I have an EU office" but "does my output affect a person in the EU." If a Turkish insurtech's risk-scoring model prices an EU citizen through a German insurer, that model enters the high-risk category and obligations arise along the chain.

## The Türkiye Context: KVKK, the AI Act, and the Gap

Türkiye does not yet have a comprehensive, in-force AI law equivalent to the EU AI Act. But that does not mean "no rules." Obligations arise from three sources.

First, **KVKK.** Any AI system processing personal data is already within Law No. 6698. Automated decision-making, profiling, explicit consent, data minimization and cross-border transfer provisions apply directly. Many scenarios the AI Act calls "high-risk" (recruitment, credit scoring, biometric identification) are also sensitive under KVKK.

Second, **the EU's extraterritorial effect.** As above, Turkish companies touching the EU market are de facto subject to the AI Act.

Third, **national regulation in preparation.** AI policy documents and legislative work are on Türkiye's agenda. A company that voluntarily builds AI-Act-compliant governance today will largely be ready for the national regulation of tomorrow. I call this "compliance arbitrage": design to the strictest framework and the rest follows automatically.

> The most expensive mistake I see in the field is the "let's build fast, add compliance later" approach. Compliance is not a bolt-on module; it is an architectural decision. Retrofitting means rebuilding the model, the data pipeline and the logging layer — which costs twice as much.

## A Practical Roadmap: The Next 60 Days

Let's leave theory and sit at the table. If you are a Turkish company touching the EU market, here is what I recommend, in order, before 2 August.

**Step 1 — Build an inventory.** List every AI system you use. Which model, from which provider, in which use case? Include shadow AI (unregistered tools employees use on their own). No compliance work is possible without this inventory.

**Step 2 — Classify risk.** Label each system by the AI Act's four tiers: unacceptable risk (banned), high risk, limited risk (transparency), minimal risk. High-risk ones (recruitment, credit, health, critical infrastructure, biometrics) trigger the heaviest obligations.

**Step 3 — Determine your role.** Clarify your capacity for each system: provider, deployer, or both? The role defines the scope of obligation.

**Step 4 — Start documentation.** Technical documentation, data governance records, human-oversight mechanism and logging. Even with the Digital Omnibus relief, these remain mandatory for high-risk systems.

**Step 5 — Align with KVKK.** Merge your DPIA (Data Protection Impact Assessment) processes with the AI Act risk assessment. Don't produce two separate documents; build one integrated governance framework.

**Step 6 — Review supplier contracts.** What compliance guarantees and documentation do you get from your GPAI provider (OpenAI, Anthropic, Google, open source, etc.)? Add AI Act compliance clauses to your contracts.

## Model Choice Is Now a Compliance Decision

In 2026 model choice is not only technical but legal. With the June 2026 wave, the market has GPT-5.6, Claude Sonnet 5, Gemini 3.2 and many Chinese models (Qwen 3.7, DeepSeek V4.1, GLM-6). Each has a different AI Act compliance posture, documentation transparency and data residency.

For example, providers who signed the GPAI Code of Practice (a voluntary compliance tool) make clearer commitments on copyright, transparency and safety. As a Turkish company, when choosing a model for a product that touches the EU market, asking whether the provider follows this code and publishes system and model cards is now standard due diligence.

Chinese models can be cost-attractive, but they may raise extra questions on data residency and transparency under EU supervision. This is not a ban, it is a risk-assessment matter — decide by your sector and data sensitivity.

## Human Oversight in High-Risk Systems

The spirit of the AI Act reduces to one word: **accountability.** In high-risk systems, "the machine decided" is not a defense. Human oversight is mandatory, and that oversight must be real, meaningful and documentable.

In practice: a credit denial, a hiring rejection or a health triage decision cannot be fully automated. A human must be able to review the decision, see its rationale, and override it when needed. That is why explainability infrastructure is no longer a luxury but a legal requirement.

A good template I see in the field: for every high-risk decision, place next to the model's output (1) a confidence score, (2) the top factors driving the decision, and (3) an approve/reject/escalate button for the human operator. This triple solves legal compliance and operational quality at once.
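
The template above as an added example, not code from the author's projects or any vendor: a high-risk decision carries its confidence score and top factors, cannot be released until an operator has chosen approve, reject or escalate, and every step is written to an append-only log. The hash chain, the function and class names, and the sample case are assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass, field

ACTIONS = {"approve", "reject", "escalate"}   # the operator's three buttons
GENESIS = "0" * 64

class OversightError(Exception): pass  # high-risk decision lacked a human verdict

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

@dataclass
class AuditLog:
    """Append-only evidence log; the hash chain is this example's assumption."""
    entries: list = field(default_factory=list)

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

@dataclass
class Decision:
    case_id: str
    model_output: str
    confidence: float        # (1) confidence score
    top_factors: list        # (2) top factors driving the decision
    high_risk: bool = True
    action: str = ""         # (3) approve / reject / escalate, set by a human

def propose(log, case_id, model_output, confidence, top_factors, high_risk=True):
    log.append({"type": "proposed", "case": case_id, "output": model_output,
                "confidence": confidence, "factors": top_factors})
    return Decision(case_id, model_output, confidence, top_factors, high_risk)

def review(log, decision, operator, action, reason):
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    decision.action = action
    log.append({"type": "review", "case": decision.case_id,
                "operator": operator, "action": action, "reason": reason})

def finalize(log, decision):  # releases an outcome only after human review
    if decision.high_risk and not decision.action:
        raise OversightError("no human review recorded")
    if decision.action == "escalate":
        raise OversightError("escalated; awaiting a further review")
    outcome = "overridden" if decision.action == "reject" else decision.model_output
    log.append({"type": "final", "case": decision.case_id, "outcome": outcome})
    return outcome

def demo():  # constructed sample case, not real data
    log = AuditLog()
    d = propose(log, "case-001", "deny_credit", 0.71, ["debt_ratio", "short_history"])
    review(log, d, "operator-7", "reject", "income document was misread")
    return finalize(log, d), log
```

`verify()` returns `False` as soon as any stored event no longer matches its recorded hash, which is what lets the log serve as audit evidence rather than an editable record.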

## Three Common Mistakes

**Mistake 1 — "No EU office, doesn't bind me."** Wrong. If your output is used in the EU, the law can apply. The determinant is the effect of the output, not a geographic office.

**Mistake 2 — "Digital Omnibus arrived, it's all delayed now."** Partly true but dangerously overgeneralized. Some technical obligations were pushed out, but GPAI enforcement and the high-risk framework stand. Delay is not "ignore."

**Mistake 3 — "Legal will handle compliance."** Compliance is joint work of engineering, legal and product teams. Logging, explainability, data pipelines — these are not things a lawyer can solve alone. Compliance is a team sport.

## Reading the AI Act and KVKK Side by Side

For Turkish companies the most practical approach is to see both frameworks in one table. The comparison below shows where each obligation comes from and where they overlap.

| Topic | KVKK (6698) | EU AI Act | Overlap / Difference |
|---|---|---|---|
| Automated decisions | Art. 11 — right to object, explicit consent | High risk — human oversight required | Both require human intervention; AI Act more detailed |
| Transparency | Duty to inform | Limited risk — "you are talking to AI" notice | AI Act adds labeling for chatbots/deepfakes |
| Data minimization | Art. 4 — purpose-limited | Data governance — training data quality | KVKK on processing, AI Act on training data |
| Cross-border transfer | Art. 9 — adequacy/undertaking | Model residency supervised | Cloud LLM use triggers both |
| Enforcement | Administrative fine (fixed tariff) | Up to 7% of global turnover | AI Act penalties far heavier |

This table shows KVKK and the AI Act are not rivals but two overlapping layers. A smart company does not build two separate compliance teams; it manages both frameworks under a single "AI governance committee." Then a single DPIA also forms the core of the AI Act's risk assessment.

## The GPAI Code of Practice: Voluntary but Decisive

In July 2025 the Commission published three key instruments: a guideline clarifying the scope of GPAI obligations, additional obligations for systemic-risk models, and the **GPAI Code of Practice** — a voluntary compliance tool prepared by independent experts, offering practical guidance on transparency, copyright and safety-security.

Don't let "voluntary" mislead you. Signing the code provides a presumption of good faith in dealings with the AI Office. A signatory benefits from the assumption of compliance; a non-signatory must prove everything one by one. That is why large providers join. As a Turkish deployer, knowing whether your model's provider signed this code directly affects your own compliance burden.

My practical advice: add to your model-selection criteria the questions "Is it a GPAI Code of Practice signatory?", "Does it publish model and system cards?", "Does it share a training data summary?" These three questions quickly separate a compliance-safe provider from a risky one.

## Quick Sector Views

**Fintech and banking.** Credit scoring and fraud detection are high-risk. The AI Act's human-oversight and explainability requirements overlap with the model-governance expectations of Türkiye's banking regulator. For Turkish fintechs serving the EU, dual compliance is unavoidable.

**Health technology.** AI qualifying as medical device software (SaMD) falls under both the EU Medical Device Regulation (MDR) and the AI Act. Clinical validation and risk-management documentation are required in both frameworks.

**HR technology.** Recruitment, candidate ranking and performance evaluation AIs are explicitly high-risk. For Turkish companies selling HR SaaS to the EU, the product's core feature becomes subject to supervision.

**E-commerce and marketing.** Recommendation systems are mostly minimal/limited risk. But features like deepfake ad generation or emotion recognition trigger stricter transparency obligations.

## A Small Case: An Anonymous Turkish SaaS Company

A mid-sized Turkish SaaS company I advised offered EU customers a GPAI-based contract-analysis product. At first they thought "we are just an interface, OpenAI provides the model, responsibility is theirs." But under the AI Act they are a "deployer" offering a system that affects the customer's legal decisions.

Our four-week work covered: system inventory, risk classification (it turned out to be limited risk but with a transparency obligation), adding a "this analysis was produced by AI; consult your lawyer for the final legal decision" notice, logging outputs and building a human-review flow. Total cost was far lower than rebuilding the project, because the architecture was fixed early.

The lesson is clear: the company that thinks about compliance early pays cheaply; the one that thinks late pays dearly. And often the fear of "high risk" turns out to be exaggerated — with correct classification, the obligation becomes manageable.

## Frequently Asked Questions

**"Will we be fined on 2 August?"** No automatic fine arrives that day. It is the date the Commission's enforcement tools become active. A fine comes into play if a breach is found and the process is run. But a "we're not ready" posture raises your risk.

**"Are we exempt if we use open-source models?"** Partly. The AI Act grants some exemptions to open-source GPAI models, but systemic-risk models and high-risk uses fall outside that exemption. "Open source" alone is not immunity.

**"If we comply with KVKK, do we comply with the AI Act?"** Partly overlapping but not sufficient. The AI Act's technical documentation, risk-management system and post-market monitoring obligations are absent in KVKK. They must be managed separately but in an integrated way.

## An Actionable Governance Framework

To move from theory to practice, let me share a simple but working governance framework I use in my consulting. It reduces the hundred-page reports of big consultancies into five layers a mid-sized Turkish company can actually implement.

**Layer 1 — Ownership.** AI governance must have an owner. It need not be a "Chief AI Officer"; it can be a CTO, a legal director or a product lead. What matters is a single chokepoint: who decides, who is accountable? Ownerless compliance is nobody's compliance.

**Layer 2 — Inventory and classification.** The inventory and risk classification described above live here. This is not one-off but a living document. Every new model and use case is recorded and classified. Quarterly review is a good rhythm.

**Layer 3 — Controls.** Define a minimum control set for each risk level. High risk: human oversight, explainability, logging, DPIA, post-market monitoring. Limited risk: transparency notice, usage logs. Minimal risk: basic record. Proportioning controls to risk avoids both waste and under-protection.

**Layer 4 — Evidence.** The spirit of the AI Act is "prove what you did." Every control needs a mechanism that produces evidence: logs, approval history, model cards, evaluation reports. What works in an audit is not good intentions but documents. A control that produces no evidence is a control that doesn't exist.

**Layer 5 — Supplier management.** Manage the relationship with GPAI providers as a control point. Add compliance clauses, model-card requests, incident-notification duties and an exit strategy to contracts. Locking to a single provider is both a technical and a compliance risk.

These five layers can be run even with a spreadsheet and a regular meeting rhythm. The goal is not to build perfect bureaucracy; it is to be able to say, when an audit arrives, "we saw this risk, we placed this control, here is the evidence."

## Compliance as Competitive Advantage

Let me offer a final perspective, because most companies see compliance as a cost line, and that is a narrow view. For a Turkish company selling to the EU, AI Act compliance can become a sales argument. The EU buyer wants its supplier to be compliant — because the supplier's non-compliance puts the buyer's own chain at risk. A Turkish company that can say "we offer an AI-Act-compliant system, here is our documentation" gets ahead of a rival that cannot.

To make it concrete: a European enterprise buyer now routinely asks "AI governance" questions during procurement. Do you have a model card? How does human oversight work? Where is data processed? The supplier that answers clearly closes the deal. The one that cannot says "we'll get back to you" and usually doesn't. So compliance becomes an enabler that accelerates the sales cycle.

Therefore I recommend reading the next 60 days not as a threat calendar but as a positioning opportunity. The Digital Omnibus clarified the framework, 2 August gives you a target date. That clarity is a gift for the disciplined company. Build the inventory, classify the risks, set up the controls, accumulate the evidence — and tell your customer about it. When you turn regulation from a burden into a certificate of your credibility, compliance starts working for you.

## A Quick Checklist

To close, I leave you a checklist you can sit down with your team and mark today. It is the most practical tool for turning theory into action.

- **Inventory done?** Are all AI systems, including shadow AI, on a single list?
- **Classification done?** Is each system placed in one of the four risk tiers?
- **Role clear?** Is your provider/deployer capacity defined for each system?
- **KVKK aligned?** Are the DPIA and AI Act risk assessment in one document?
- **Supplier contracts updated?** Are you getting compliance guarantees and model cards from your GPAI provider?
- **Human oversight set?** Is there a human who can override every high-risk decision?
- **Evidence produced?** Are logs, approval history and documentation audit-ready?
- **Owner named?** Is there a single accountable owner for governance?

If you can turn these eight items green, you are ready for 2 August. If not, wherever you stall tells you your priority. Compliance is not a project that ends once; it is a working muscle. But the company that starts exercising it today breathes easy in tomorrow's audit environment. In the plainest terms: today's one-hour inventory meeting is far cheaper than tomorrow's million-euro fine risk. To begin is to be half done.