# What Is the EU AI Act? A Guide to Europe's Artificial Intelligence Regulation

> Source: https://sukruyusufkaya.com/en/blog/eu-ai-act-nedir
> Updated: 2026-07-05T16:08:58.657Z
> Type: blog
> Category: yapay-zeka

**TLDR:** What is the EU AI Act? The EU AI Act (European Union Artificial Intelligence Act) is the world's first comprehensive horizontal AI regulation, classifying AI systems by the risk they pose and imposing obligations accordingly. This guide: a clear definition, risk classification, high-risk systems, the compliance timeline, the effect on Türkiye, GPAI rules, penalties, and FAQs.

**In one line:** The short answer to what is the EU AI Act: the world's first comprehensive horizontal AI law that splits AI into four risk tiers and imposes proportionate rules.

- The EU AI Act is the world's first comprehensive horizontal AI regulation, classifying AI systems by the risk they pose and imposing obligations accordingly.
- Risk classification has four tiers: unacceptable (banned), high, limited, and minimal risk.
- High-risk systems are the center of gravity: risk management, data quality, human oversight, and a conformity assessment are mandatory.
- The compliance timeline is staggered: prohibitions Feb 2025, GPAI rules Aug 2025, high-risk obligations 2026-2027.
- The effect on Türkiye is direct: any Turkish company placing a product on the EU market is in scope by effect.

What is the EU AI Act? The EU AI Act (Artificial Intelligence Act, in Turkish "Avrupa Birliği Yapay Zeka Yasası") is the world's first comprehensive horizontal AI regulation, which classifies AI systems by the risk they pose and imposes proportionate obligations on each risk level. Rather than regulating individual sectors, the law sets up a horizontal framework that cuts across all AI systems no matter where they are used.

The law entered into force on 1 August 2024 and aims to do for AI what GDPR did for data protection: set a global standard. This guide answers what the EU AI Act is, how risk classification works, what obligations high-risk systems face, how the compliance timeline unfolds, and why the effect on Türkiye is direct.

> **EU AI Act (European Union Artificial Intelligence Act):** The world's first comprehensive horizontal AI regulation, which entered into force in 2024, splitting AI systems into four tiers by the risk they pose — unacceptable, high, limited, and minimal — and imposing proportionate obligations on each. The law is applied in phases between 2025 and 2027 through a staggered compliance timeline and covers all providers whose systems affect the EU market.
>
> Also known as: European Union Artificial Intelligence Act, EU Artificial Intelligence Act, Artificial Intelligence Act, AI Act, EU AI Act

## Why Was the EU AI Act Created?

In recent years AI has spread into ever more critical areas — from hiring to credit decisions, from health to public services. While this spread creates great benefit, it also introduces new risks: discriminatory decisions, unexplainable automation, biometric surveillance, and unreliable systems. The European Union sought a common legal framework to manage these risks without halting innovation entirely.

The EU AI Act aims to strike exactly this balance: protecting fundamental rights and safety while creating a trustworthy, predictable internal market for AI. The law rejects the "every AI should be regulated by the same rule" approach; instead, recognizing that it is wrong to burden a spam filter and a credit-decision system equally, it builds a risk-based logic. At the heart of this logic is risk classification.

## How Does Risk Classification Work in the EU AI Act?

The law's core mechanism is risk classification: each AI system is placed into a risk tier based on its potential impact on people's rights and safety, and the obligations are set according to that tier. Obligation depends not on what the system does but on how much harm it could cause. This four-tier risk classification is the backbone of the entire law.

**The four risk tiers of the EU AI Act and the obligations they bring**

| Risk tier | Example | Obligation |
|---|---|---|
| Unacceptable risk | Social scoring, manipulative systems | Fully banned |
| High risk | Hiring, credit, health, critical infrastructure | Strict compliance + conformity assessment |
| Limited risk | Chatbots, generative content | Transparency: inform the user |
| Minimal risk | Spam filters, game AI | Free, no extra obligations |

The core idea of this table is this: the law barely regulates most systems (minimal risk) and concentrates its energy on the small number of systems with real potential for harm. The unacceptable-risk category — for example government social scoring or subliminal manipulation — is banned entirely. Across the rest of the pyramid, the burden rises as the risk rises.

## What Obligations Apply to High-Risk Systems?

High-risk systems are the center of gravity of the EU AI Act; this is the law's most detailed and most costly part. A system is deemed high-risk if it decides on, or significantly affects decisions in, areas such as health, hiring, education, credit scoring, critical infrastructure, law enforcement, or migration. These systems are not banned, but they must meet a strict set of conditions before being placed on the market and during use.

**Core compliance steps for a high-risk AI system.** The core obligations a high-risk system must meet before being placed on the EU market.

1. **Establish a risk management system:** A process is built to continuously identify and mitigate the system's risks throughout its lifecycle.
2. **Ensure data governance:** The quality, representativeness, and bias review of training, validation, and test data are documented.
3. **Keep technical documentation and records:** The system's design, limits, and events are recorded in a traceable way (logging).
4. **Design human oversight:** It is ensured that a human can meaningfully supervise the system and stop it when needed.
5. **Perform a conformity assessment:** The system undergoes a conformity assessment before market release and is declared with a CE mark.

These obligations are not a one-off formality but an ongoing governance responsibility. After the system is placed on the market it must still be monitored, serious incidents reported, and documentation kept current. In practice this means adding a compliance and documentation layer to a high-risk AI project from the outset — adding it later is far more costly.

## Who Does the EU AI Act Cover?

The law addresses not only those who "build" AI; it defines each link in the chain separately. The heaviest burden is on the provider: the party that develops the system or places it on the market under its own brand. But the law also covers the party that uses the system in a task (the deployer/user), the importer, and the distributor; each role has its own proportionate obligations. For example, a company using a high-risk system in hiring is obliged to ensure human oversight and to use the system as intended, even if it is not the provider.

This role distinction matters for Türkiye, because most Turkish companies fall into scope through two different doors. A software firm is a provider for the product it sells to the EU, while another company that embeds a ready-made EU model into its own product is in the deployer position. Correctly identifying which role you are in clarifies which obligations you are subject to — and therefore your compliance cost — from the start. For this reason, compliance work should begin with a role and scope analysis before any technical development.

## Rules for General-Purpose Models (GPAI)

The EU AI Act contains a separate section covering not only narrow-purpose systems but also general-purpose AI (GPAI) models like ChatGPT. Because these models are not tied to a single task, their risks spread across countless downstream applications. The law therefore imposes specific transparency obligations on GPAI providers — such as OpenAI, Google, Meta, or developers publishing open models in the Hugging Face ecosystem.

The core obligations are: preparing technical documentation, providing information for developers who will integrate the model, complying with EU copyright law, and publishing a summary of the training data content. For very large models that pose "systemic risk," additional requirements kick in: model evaluation, adversarial testing, and reporting of serious incidents. This distinction requires understanding what foundational language models are; for detail, see the <a href="/en/blog/llm-nedir">what is an LLM</a> and <a href="/en/blog/uretken-yapay-zeka-nedir">what is generative AI</a> guides.

## How Does the EU AI Act Compliance Timeline Work?

Although the law entered into force in 2024, not all rules began applying at once. The compliance timeline is staggered, giving companies a phased period to prepare. Knowing this timeline is critical for an organization to plan which obligation it must meet and when.

**EU AI Act compliance timeline: key milestones**

| Date | What takes effect | Who it concerns |
|---|---|---|
| August 2024 | Law entered into force | General framework began |
| February 2025 | Banned practices apply | Anyone with unacceptable-risk use |
| August 2025 | GPAI (general-purpose model) rules | Model providers |
| August 2026 | Most high-risk obligations | High-risk system providers |
| August 2027 | Certain product-embedded high-risk rules | AI embedded in regulated products |

This staggered compliance timeline is not a breather but a preparation window. An organization building a high-risk system needs to start setting up its documentation, data governance, and human oversight processes today to meet the 2026 obligations; these processes can take months. Putting the work off with a "we'll look at it later" attitude is the most common compliance mistake.

## What Is the EU AI Act's Effect on Türkiye?

The EU AI Act is an EU law, but its effect does not stop at the EU border. The law applies on an effect basis (extraterritorial): it looks not at where a company is established but at whether its system is placed on the EU market or its output is used in the EU. That is why the effect on Türkiye is not abstract but direct and operational.

Concretely: a Turkish company selling AI-powered software to an EU customer, an e-commerce firm running a recommendation engine for EU users, or a team building a model whose output is evaluated in the EU all fall within scope. The "Brussels effect" seen with GDPR applies here too: Turkish companies serving the EU with products or services are in practice forced to adopt this standard. For this reason the effect on Türkiye is on the agenda of every technology company that exports.

> **World #1:** According to We Are Social's "Digital 2026" data, Türkiye ranks first in the world in the share of web traffic referred from generative AI tools; this high adoption makes EU AI Act compliance an increasingly early competitive and market-access matter for Turkish companies serving the EU.
>
> Source: [Euronews TR / Digital 2026](https://tr.euronews.com/next/2026/01/04/turkiye-chatgpt-trafiginde-yuzde-9449luk-oranla-dunya-birincisi), 2026-01

## The EU AI Act's Relationship with GDPR and KVKK

The EU AI Act is often confused with GDPR, but the two regulate different things. GDPR (and its Turkish counterpart KVKK) governs how personal data is processed; the EU AI Act governs the AI system itself — its safety, its risk level, and its trustworthiness. If an AI system processes personal data, it must comply with both regimes at once; one does not replace the other.

This distinction matters in practice. For example, a hiring algorithm must process candidates' data lawfully under GDPR; and under the EU AI Act, as a high-risk system, it must meet bias review, human oversight, and documentation obligations. For organizations operating in Türkiye and serving the EU, these two layers must be designed together; for how KVKK applies in the AI context, see the <a href="/en/blog/kvkk-nedir">what is KVKK</a> guide.

## Penalties and Common Misconceptions in the EU AI Act

The cost of non-compliance is high. For the most serious violations — for example using a banned practice — penalties can reach up to 7% of global annual turnover or EUR 35 million, whichever is higher. For other obligation breaches this drops to 3% of turnover or EUR 15 million; lower thresholds apply for lighter breaches such as giving wrong or incomplete information. Penalties are set proportionately to the severity of the breach and the size of the company.

At this point a few common misconceptions need correcting:

- **The "this only binds EU companies" misconception:** The law is effect-based; Turkish companies placing products on the EU market are also covered.
- **The "all AI is being banned" misconception:** The overwhelming majority of systems are minimal-risk and free; the bans apply only to the unacceptable-risk category.
- **The "compliance is a one-off document" misconception:** For high-risk systems, compliance is a governance responsibility that lasts across the whole system lifecycle.
- **The "there's plenty of time" misconception:** Although the compliance timeline is staggered, preparation for high-risk systems takes months; postponement is the costliest mistake.

Organizations that clear these misconceptions early can turn compliance from an obstacle into a market-access advantage. To design compliance into an enterprise AI roadmap from the start, you can begin with <a href="/en/consulting">AI consulting</a>.

## Frequently Asked Questions

### When did the EU AI Act enter into force?

The EU AI Act entered into force on 1 August 2024, but the obligations did not all start at once. The compliance timeline is staggered: banned practices apply from 2 February 2025, general-purpose model rules from 2 August 2025, and most high-risk system obligations in 2026-2027.

### Do companies in Türkiye have to comply with the EU AI Act?

Turkish companies that place an AI product on the EU market or whose system output is used within the EU fall into scope. The law applies on an effect basis (extraterritorial); the company need not be located in the EU. For software firms exporting services or products to the EU, the effect on Türkiye is direct.

### What are the high-risk systems in the EU AI Act?

AI systems that decide on or affect areas such as health, hiring, credit scoring, education, critical infrastructure, law enforcement, and migration are considered high-risk. For these systems, risk management, data governance, human oversight, and a conformity assessment are mandatory.

### What is the penalty for not complying with the EU AI Act?

For banned practices, penalties can reach up to 7% of global annual turnover or EUR 35 million, whichever is higher. For other violations this drops to 3% of turnover or EUR 15 million. Penalties are set proportionately to the severity of the breach and the size of the company.

### What is the difference between the EU AI Act and GDPR?

GDPR governs the processing of personal data; the EU AI Act governs the AI system itself, its safety, and its risk level. The two complement each other: if an AI system processes personal data, it must comply with both GDPR and the AI Act.

### Are general-purpose models like ChatGPT covered by the AI Act?

Yes. There is a separate category for general-purpose AI (GPAI) models: obligations such as technical documentation, copyright, and training-data transparency apply. For very large models that pose systemic risk, additional evaluation and reporting requirements apply.

## In Short: What Is the EU AI Act?

In short, the answer to what is the EU AI Act is: the world's first comprehensive horizontal AI law that splits AI systems into four tiers by the risk they pose and imposes proportionate obligations. Risk classification is the backbone of the law; high-risk systems require strict compliance; the staggered compliance timeline runs between 2025 and 2027; and the effect on Türkiye is direct for every company serving the EU. For the basics see the <a href="/en/blog/yapay-zeka-nedir">what is AI</a> and <a href="/en/blog/chatgpt-nedir">what is ChatGPT</a> guides, and for enterprise compliance and strategy start with <a href="/en/consulting">AI consulting</a>.
