# How Does the EU AI Act Affect Companies in Türkiye? (2026 Update)

> Source: https://sukruyusufkaya.com/en/blog/eu-ai-act-turkiye-sirketleri-etkisi
> Updated: 2026-07-10T05:31:54.338Z
> Type: blog
> Category: yapay-zeka
**TLDR:** How does the EU AI Act affect companies in Türkiye? Scope, timeline, risk classification, high-risk systems, GPAI, penalties, and a compliance roadmap in this guide.

<tldr data-summary="[&quot;The EU AI Act is the world's first comprehensive AI law and, through its extra-territorial reach, covers companies in Türkiye too; what matters is not the company's country but whether the output is used in the EU.&quot;,&quot;The law sets a risk-based classification: unacceptable (prohibited), high-risk, limited, and minimal; the weight of obligations varies by this risk classification.&quot;,&quot;The heaviest compliance obligations are for high-risk systems: risk management, data governance, technical documentation, human oversight, transparency, and security.&quot;,&quot;GPAI (general-purpose AI) models get their own transparency and documentation rules; systemic-risk GPAI carries additional obligations.&quot;,&quot;The most affected: Turkish companies exporting to the EU, sitting in EU supply chains, and serving EU users.&quot;,&quot;The EU AI Act and KVKK overlap but are not the same: KVKK regulates personal data, the EU AI Act regulates the system and its risk; they must be managed together.&quot;,&quot;Penalties are high; compliance must be planned when the system is designed, not afterwards. This article is informational, not legal advice.&quot;]" data-one-line="The EU AI Act affects companies in Türkiye extra-territorially via AI systems whose output is used in the EU; the key step is to label each system by risk classification."></tldr>

How does the EU AI Act affect companies in Türkiye? The EU AI Act (European Union Artificial Intelligence Act) directly binds any company that places an AI-containing product or service on the European market or whose AI output is used in the EU — even if it is headquartered in Türkiye — through its extra-territorial reach. In other words, what determines whether a Turkish company is affected by this law is not where the company is established, but whether the AI output it produces is used within the EU.

Contrary to what many Turkish executives assume, this takes the EU AI Act out of the "internal European affair" category and puts it on the agenda of every Turkish organization with a commercial, technological, or operational link to the EU. This comprehensive guide addresses what the EU AI Act means in the Türkiye context with the rigor of a management consultant: the law's scope and timeline; the risk-based classification (prohibited, high-risk, limited, minimal); the compliance obligations for high-risk systems; the GPAI rules; which Turkish companies are affected; the mechanics of extra-territorial reach; the relationship with and differences from KVKK; penalties; and a step-by-step preparation roadmap. The goal is to let you answer "are we in scope, and if so what should we do?" with a structured framework rather than a guess. Note: This content is for informational purposes and does not constitute legal advice.

<definition-box data-term="EU AI Act (European Union Artificial Intelligence Act)" data-definition="The European Union's first comprehensive AI law, regulating AI systems with a risk-based approach. It divides systems into unacceptable, high-risk, limited, and minimal risk levels; it imposes compliance obligations for high-risk systems and GPAI (general-purpose AI) models. Due to its extra-territorial reach, it also covers Türkiye-based companies that provide AI systems whose output is used in the EU." data-also="European AI Act, EU AI Regulation, AI Act"></definition-box>

## What Is the EU AI Act and Why Does It Concern Turkish Companies?

The EU AI Act is the European Union's first comprehensive legal framework regulating AI with a horizontal (cross-sector) and risk-based approach. Its aim is to limit the risks to fundamental rights, safety, and democratic values while still reaping AI's benefits. The philosophy is simple: the more potential an AI system has to cause harm, the heavier its obligations should be. So the law does not set a single rule set but a pyramid of obligations tiered by risk. For a broader view of the law's core concepts, the <a href="/en/blog/eu-ai-act-nedir">what is the EU AI Act</a> guide is a good start; if you are new to AI itself, the <a href="/en/blog/yapay-zeka-nedir">what is AI</a> guide provides the foundation.

But why should this European law concern Turkish companies? The answer lies in the law's geographic scope. Like the GDPR, the EU AI Act applies not only to companies established in the EU but to AI systems whose output is used in the EU market. Türkiye has a Customs Union with the EU, sends a significant share of its exports to the EU, and is part of many global supply chains. This economic integration takes the EU AI Act, in the Türkiye context, out of abstract legal debate and turns it into a concrete commercial reality.

A second reason is the phenomenon known as the "Brussels effect": the standards the EU sets often become de facto global standards because of the market's size. We saw how the GDPR shaped data protection laws worldwide; the EU AI Act is expected to become a similar reference for AI governance. This makes the EU AI Act a "best-practice" anchor even for Turkish companies that never export to the EU. To address enterprise AI governance conceptually, the <a href="/en/blog/ai-governance-nedir">what is AI governance</a> and <a href="/en/blog/sorumlu-yapay-zeka-nedir">what is responsible AI</a> guides complete this framework.

A third reason is competitiveness. Access to the EU market is strategically important for many Turkish companies. EU AI Act compliance is increasingly becoming a precondition for that access; a non-compliant AI component can jeopardize an export contract or get you removed from an EU customer's supplier list. In this sense compliance is not just an obligation but also a market-access tool and a competitive advantage. For the Turkish exporter, it is more accurate to see EU AI Act compliance as an investment rather than a cost item.

<callout-box data-type="info" data-title="Key principle: not geography, but output">The question that determines whether the EU AI Act covers Turkish companies is not "where is the company established?" but "where is the AI system's output used?" If the output is used in the EU, the system is most likely in scope. This extra-territorial logic is the law's most overlooked yet most decisive aspect.</callout-box>

## Why Does the EU AI Act Directly Affect Companies in Türkiye?

In the Türkiye context, the most critical concept of the EU AI Act is extra-territoriality — the law's reach beyond national borders. The scope covers different roles such as "provider" (placing the system on the market), "deployer" (using it), "importer," and "distributor," and these roles can exist outside the EU too. For example, if a Turkish software company sells an AI-based credit assessment module to a bank in the EU, that module is deemed placed on the EU market and the Turkish company becomes subject to the law's obligations as a "provider."

The mechanics are understood through three typical scenarios. First, direct product/service export: the Turkish company sells AI-containing software or a device to EU customers. Second, output use: the system runs in Türkiye but its output (e.g., a score, a decision, a classification) is used about a person in the EU. Third, the supply chain: the Turkish company supplies the AI component of another firm that sells to the EU. In all three, even though the geographic center is Türkiye, the legal scope is EU law.

Here the parallel with the GDPR is instructive. Because the GDPR covers companies anywhere in the world that process the data of people in the EU, many Turkish companies already experienced GDPR compliance. The EU AI Act sets up similar geographic logic, but its focus shifts from data to the AI system. To recall the GDPR's logic, see the <a href="/en/blog/gdpr-nedir">what is GDPR</a> guide; together, the two regulations create a layered compliance environment for Turkish companies serving the EU.

For the Türkiye context, the practical conclusion is clear: if you have any AI-related commercial relationship with the EU, the assumption "this law does not bind us" is dangerous. The right approach is to assess whether you are in scope system by system; and if you are, to determine your role (provider, deployer, importer, distributor). Your role directly determines your obligations, because a provider's obligations differ from a deployer's.

<callout-box data-type="warning" data-title="&apos;It doesn't bind us&apos; is the most expensive assumption">The most common mistake Turkish companies make is seeing the EU AI Act as geographically "distant" and leaving it off the agenda. Yet if you touch any one of the trio — EU exports, EU supply chain, or EU users — you are likely in scope. Postponing the scope assessment also shortens the preparation time compliance needs, leading later to a rushed, expensive process.</callout-box>

## What Is the EU AI Act Implementation Timeline?

The EU AI Act enters into force not on a single day but through a staged timeline. This staged approach is deliberate: the highest-risk and most clearly harmful practices are banned first, while obligations requiring more complex compliance apply fully at the end of longer transition periods that give companies time to prepare. Reading this timeline correctly is decisive for Türkiye-context preparation, because you must plan backwards from each provision.

The general logic proceeds as follows. In the first phase, provisions on practices carrying unacceptable risk (prohibited) take effect; these are the earliest because their societal harm is clearest. In a following phase, transparency and documentation rules for GPAI (general-purpose AI) models begin to apply. The longest transition period is granted to the comprehensive obligations for high-risk systems, because these obligations (conformity assessment, technical documentation, quality management system) require serious preparation for both developers and users.

<callout-box data-type="info" data-title="Rely on official sources for exact dates">This article explains the structure and logic of the timeline; but the exact application date of each provision is a matter defined in official EU texts that becomes clearer over time. When making your own compliance plan, rely on current official EU sources and your legal counsel's assessment. The framework here offers a mental map for planning, not an exact calendar.</callout-box>

For Türkiye-context preparation, the practical lesson of the timeline is: waiting for the end of the transition periods is the most expensive strategy. Compliance, especially for high-risk systems, is a process that must be embedded from the design stage; achieving compliance retroactively after a system is in production is both far costlier and technically harder. That is why forward-looking Turkish companies are starting to map their own AI portfolios against the law's categories today, without waiting for official deadlines. Starting early makes the compliance cost manageable by spreading it over time.

## How Does the EU AI Act's Risk Classification Work?

The heart of the EU AI Act is the four-level pyramid called risk classification. The entire logic of the law rests on this classification: which level a system falls into directly determines the weight of the obligations that apply to it. So the first and most critical step of EU AI Act compliance is to place each of your AI systems at the right level. Misclassification leads either to unnecessary cost or to a serious compliance breach. Risk classification is both the law's strongest feature and the one that requires the most care.

### Level 1: Unacceptable Risk (Prohibited Practices)

At the top of the pyramid are entirely prohibited practices. These are AI uses deemed incompatible with the EU's core values and rights: for example, general-purpose social scoring by governments; systems that manipulate people's behavior by exploiting their vulnerabilities (age, disability, economic situation); certain biometric categorization and, under certain conditions, real-time remote biometric identification. Systems in this category are banned on the EU market no matter how well documented. The lesson for Turkish companies is clear: avoid such functions from the outset in product design.

### Level 2: High-Risk Systems

This is the pyramid's most critical layer, carrying the most obligations. High-risk systems are AI systems used in areas that can significantly affect people's safety, rights, or life chances: critical infrastructure management, education and vocational assessment, hiring and worker management, access to essential public and private services (e.g., credit scoring), law enforcement, migration and border management, and justice. These systems are not banned; but they must meet comprehensive compliance obligations before being placed on the market. The next section of this article addresses the obligations required for high-risk systems in detail.

### Level 3: Limited-Risk Systems

At this layer, basic transparency obligations kick in. Limited-risk systems, while not carrying high direct risk for users, require people to know they are interacting with an AI. The classic example is chatbots: a user should know whether they are talking to a human or an AI. Similarly, AI-generated or AI-modified content (e.g., synthetic image, audio, or video — including <a href="/en/blog/deepfake-nedir">deepfakes</a>) must be labeled appropriately. These transparency rules are much lighter than for high-risk systems but still mandatory.

### Level 4: Minimal-Risk Systems

At the base of the pyramid sits the vast majority of AI applications: spam filters, in-game AI, inventory optimization, and other systems that carry no significant risk to fundamental rights or safety. The law imposes no additional mandatory obligations for these systems; organizations may voluntarily adopt codes of conduct. A significant part of most organizations' daily AI use falls into this category, showing that the classification does not overwhelm organizations but directs attention to genuinely risky systems.

<comparison-table data-caption="EU AI Act risk classification: four levels and core obligations" data-headers="[&quot;Risk level&quot;,&quot;Example applications&quot;,&quot;Core obligation&quot;]" data-rows="[{&quot;feature&quot;:&quot;Unacceptable (prohibited)&quot;,&quot;values&quot;:[&quot;Social scoring, manipulative systems&quot;,&quot;Entirely banned&quot;]},{&quot;feature&quot;:&quot;High-risk&quot;,&quot;values&quot;:[&quot;Hiring, credit, health, critical infrastructure&quot;,&quot;Comprehensive compliance obligations&quot;]},{&quot;feature&quot;:&quot;Limited-risk&quot;,&quot;values&quot;:[&quot;Chatbot, synthetic content&quot;,&quot;Transparency (disclosure, labeling)&quot;]},{&quot;feature&quot;:&quot;Minimal-risk&quot;,&quot;values&quot;:[&quot;Spam filter, game AI&quot;,&quot;No extra requirement (voluntary)&quot;]}]"></comparison-table>

In the Türkiye context, the most important practical consequence of this risk classification is: not all of an organization's AI systems are subject to the same obligation. The right strategy is to classify systems one by one and concentrate energy on high-risk systems. Treating a minimal-risk application as high-risk wastes resources; mistaking a high-risk application for minimal is a serious compliance breach. So classification is work that requires expertise of its own and must be done carefully.

## What Are the Compliance Obligations for High-Risk Systems?

High-risk systems are the EU AI Act category carrying the heaviest compliance obligations; and this is exactly where the real challenge lies for many Turkish companies offering AI solutions to the EU. For these systems the law defines a body of obligations that must be met before market placement and sustained throughout the system's entire lifecycle. Below we address these compliance obligations item by item. Note: This list is a conceptual map; verify the exact requirements for your own system with your legal counsel and the official text.

### Risk Management System

A continuously operating risk management system must be established throughout the high-risk system's lifecycle. This system identifies, assesses, and mitigates foreseeable risks. Risk management is not a one-off document but a living process that is renewed as the system is updated and new risks emerge. To understand AI-specific risks, the <a href="/en/blog/yapay-zekada-onyargi-nedir">what is AI bias</a> and <a href="/en/blog/yapay-zeka-halusinasyonu-nedir">what is AI hallucination</a> guides give concrete grounding on which risks to monitor.

### Data and Data Governance

The datasets on which high-risk systems are trained must meet certain quality criteria: relevant, representative, and as error-free and complete as possible. The aim is to prevent bias in the data from being reflected in the system's decisions and producing discrimination. This means data governance (data sources, preparation, labeling, bias auditing) becomes a legal obligation. Where personal data is involved, this obligation also intersects with KVKK and the GDPR; for the role of anonymization see <a href="/en/blog/veri-anonimlestirme-nedir">what is data anonymization</a> and for the definition of personal data see <a href="/en/blog/kisisel-veri-nedir">what is personal data</a>.

### Technical Documentation and Record-Keeping

Before market placement, the system must have detailed technical documentation to prove compliance: the system's purpose, design, capabilities, limits, data used, and risk management. The system must also have a structure that automatically logs events during operation; this is needed for traceability and later audit. Documentation is the paper proof of compliance; a poorly documented system is not deemed compliant even if it is technically sound.

### Transparency and User Information

A high-risk system must be provided with sufficient transparency and instructions so that the people using it (deployers) can understand and use it correctly. The user must know what the system does, its limits, and how to interpret its output. This transparency is closely related to explainable AI approaches; to go deeper, see the <a href="/en/blog/aciklanabilir-yapay-zeka-nedir">what is explainable AI</a> guide.

### Human Oversight

High-risk systems must be designed so that effective human oversight is possible. This means a human can monitor the system's output, intervene when needed, or stop the system. The aim is to prevent automated decisions from producing irreversible harm without human oversight. Human oversight is not just an "approval button" but a design principle that keeps humans meaningfully in the loop.

### Accuracy, Robustness, and Cybersecurity

The system must operate at an accuracy level appropriate to its purpose and be robust against errors, inconsistencies, and malicious attacks. This covers both technical performance (model accuracy) and security (e.g., resistance to data poisoning or input manipulation). To understand AI-specific security risks, the <a href="/en/blog/llm-nedir">what is an LLM</a> guide on how large language models work and the <a href="/en/blog/uretken-yapay-zeka-nedir">what is generative AI</a> guide on the nature of generative systems provide the foundation.

### Conformity Assessment and Marking

After all these obligations are met, the high-risk system must undergo a conformity assessment, a declaration of conformity must be issued, and (where applicable) it must be placed on the market with a CE-like marking. This process lets you formally declare that the system complies with legal requirements. Conformity assessment is the crowning step of compliance; but it cannot be passed if all the preceding preparation was not done correctly.

<comparison-table data-caption="Core compliance obligations for high-risk systems" data-headers="[&quot;Obligation&quot;,&quot;What it requires&quot;,&quot;Risk if skipped&quot;]" data-rows="[{&quot;feature&quot;:&quot;Risk management&quot;,&quot;values&quot;:[&quot;Continuous lifecycle process&quot;,&quot;Unforeseen harm, breach&quot;]},{&quot;feature&quot;:&quot;Data governance&quot;,&quot;values&quot;:[&quot;Quality, representative data&quot;,&quot;Bias and discrimination&quot;]},{&quot;feature&quot;:&quot;Technical documentation&quot;,&quot;values&quot;:[&quot;Detailed records and logging&quot;,&quot;Compliance cannot be proven&quot;]},{&quot;feature&quot;:&quot;Human oversight&quot;,&quot;values&quot;:[&quot;Meaningful intervention capability&quot;,&quot;Irreversible automated decision&quot;]},{&quot;feature&quot;:&quot;Accuracy & security&quot;,&quot;values&quot;:[&quot;Robustness and cybersecurity&quot;,&quot;Attack and error risk&quot;]},{&quot;feature&quot;:&quot;Conformity assessment&quot;,&quot;values&quot;:[&quot;Declaration and marking&quot;,&quot;Cannot be placed on market&quot;]}]"></comparison-table>

In the Türkiye context, this list of obligations may look daunting; but read correctly, it is actually a checklist of good engineering and good governance. Organizations already running a mature AI development process may already apply most of these obligations under different names. Compliance is not a burden from scratch but making existing processes documented, auditable, and systematic. So for high-risk systems, compliance is less a technical obstacle than an opportunity to mature.

## What Are the GPAI (General-Purpose AI) Rules?

One of the newest and most debated parts of the EU AI Act is the rules for GPAI (general-purpose AI) models. GPAI refers to models that can serve a broad range of tasks rather than a single narrow job; large language models (LLMs) are the most typical example. To understand how these models work, the <a href="/en/blog/llm-nedir">what is an LLM</a> and <a href="/en/blog/gpt-nedir">what is GPT</a> guides provide the foundation. The GPAI rules add a second axis alongside the risk-based pyramid.

The core obligations for GPAI cluster around transparency and documentation. A GPAI provider must prepare technical documentation about the model's capabilities and limits, provide sufficient information to downstream providers who integrate the model into their own products, follow a training policy that respects copyright, and publish a sufficiently detailed summary of the content used in the model's training. These rules aim to increase transparency in the GPAI ecosystem and enable organizations using the model to make informed decisions.

Some large GPAI models may be classified as carrying "systemic risk"; these are models that, due to their scale and widespread use, could produce society-level effects. For systemic-risk GPAI, additional obligations apply: conducting model evaluations, analyzing and mitigating systemic risks, reporting serious incidents, and ensuring adequate cybersecurity. This extra layer ensures that the most powerful models are under the highest oversight.

In the Türkiye context, the practical importance of the GPAI rules is: the vast majority of Turkish companies are not developers but users of GPAI models. That is, most Turkish organizations integrate a ready large language model into their own product or process. In that case, the organization is either a downstream provider or a deployer. A smart strategy for such an organization is to check, at the contracting stage, whether the GPAI provider it uses offers EU AI Act-compliant documentation, and to use that documentation in its own compliance file. Part of compliance is solved by choosing the right provider.

<callout-box data-type="info" data-title="If you are a GPAI user: question your provider">Most Turkish companies do not develop GPAI models — they use them. So the most practical GPAI compliance move is to clarify, before contracting, whether the model provider you use supplies EU AI Act-compliant technical documentation, usage instructions, and transparency information. The provider's compliance forms the basis of yours; choosing the wrong provider inherits the compliance gap to you.</callout-box>

## Which Turkish Companies Are Affected by the EU AI Act?

In the Türkiye context, the most concrete question is: "Does this law cover my company?" The answer depends on the form of the company's AI-related relationship with the EU. Below we address the most affected Turkish company profiles. The common thread is that they all, in some way, deliver AI output to the EU market.

### Companies Exporting to the EU

This is the most directly affected group. Turkish companies selling AI-containing software, a device, or a service to the EU become subject to provider obligations depending on that system's risk level. A software firm that exports, a smart device manufacturer, or a technology company offering SaaS to EU customers is in scope. Export is the clearest trigger that directly activates the EU AI Act, because you are the one who actually places the product on the EU market. So for Turkish companies exporting to the EU, EU AI Act compliance is as fundamental an export precondition as customs and product safety compliance.

### Companies in the Supply Chain

The second group is Turkish companies that, even without exporting directly to the EU, sit in the supply chain of a firm that sells to the EU. For example, a Turkish technology firm supplying an AI-based component (an image-processing module, a prediction engine) to a manufacturer that sells to the EU is indirectly in scope. The EU-based principal firm passes its own compliance obligation to its suppliers through contracts; thus compliance pressure spreads to every link back along the export chain. The supply-chain effect is the main reason the EU AI Act affects a much wider segment in Türkiye than assumed.

### Companies Serving EU Users

The third group is companies that run the system in Türkiye but use its output for people in the EU. For example, a hiring platform assessing applicants in the EU, a fintech producing credit scores for EU customers, or a digital service offering AI-supported advice to EU users may fall under the EU AI Act even though it is geographically in Türkiye. What matters is not the server's location but about whom and where the output is used.

### Turkish Arms of Multinational Groups

The fourth group is a Türkiye subsidiary or R&D center of a multinational group headquartered in the EU. Such organizations must follow the AI governance policies applied group-wide; the group spreads EU AI Act compliance to all its subsidiaries. In that case the Türkiye arm becomes part of the compliance process not from a local obligation but because of group policy.

<comparison-table data-caption="Which Turkish companies are affected: profiles and typical role" data-headers="[&quot;Company profile&quot;,&quot;Form of effect&quot;,&quot;Typical role&quot;]" data-rows="[{&quot;feature&quot;:&quot;EU exporter&quot;,&quot;values&quot;:[&quot;Direct scope&quot;,&quot;Provider&quot;]},{&quot;feature&quot;:&quot;Supply-chain member&quot;,&quot;values&quot;:[&quot;Indirect via contract&quot;,&quot;Component provider&quot;]},{&quot;feature&quot;:&quot;Serving EU users&quot;,&quot;values&quot;:[&quot;Output used in EU&quot;,&quot;Provider/Deployer&quot;]},{&quot;feature&quot;:&quot;Multinational subsidiary&quot;,&quot;values&quot;:[&quot;Group policy&quot;,&quot;Deployer&quot;]},{&quot;feature&quot;:&quot;Domestic only&quot;,&quot;values&quot;:[&quot;Indirect (de facto standard)&quot;,&quot;Observer&quot;]}]"></comparison-table>

A point to note is that even companies operating only domestically with no EU contact are not entirely immune. As the EU AI Act becomes a "de facto global standard," even these companies increasingly move to adopt its principles (transparency, human oversight, risk management) — both to prepare for a possible future Türkiye regulation and for customer trust. Although an organization that does not export is not directly obligated today, the framework the EU AI Act sets is forming the global language of responsible AI.

## What Is the Relationship and Difference Between the EU AI Act and KVKK?

The topic Turkish executives most often confuse is the relationship between the EU AI Act and KVKK (the Turkish Personal Data Protection Law). Although both look like "regulation concerning AI," they regulate different things and are not substitutes for each other. Understanding this distinction clearly is critical to seeing how EU AI Act compliance overlaps with both KVKK and the GDPR. For KVKK's basic framework, the <a href="/en/blog/kvkk-nedir">what is KVKK</a> guide, and for KVKK-compliant AI architecture, the <a href="/en/blog/kvkk-uyumlu-yapay-zeka-nedir">what is KVKK-compliant AI</a> guide are good starting points.

The core difference is this: KVKK regulates the processing of personal data; its focus is data. If an AI system processes personal data, KVKK kicks in: legal basis, disclosure obligation, data security, VERBIS registration, and the data subject's rights. The EU AI Act, on the other hand, regulates the AI system itself and its societal risk; its focus is the system. Which risk level the system is in, which safety and transparency requirements it meets, whether there is human oversight — these are the EU AI Act's questions. A system may be high-risk and subject to EU AI Act obligations even if it processes no personal data at all (e.g., a manufacturing quality-control model).

The two regulations intersect but do not overlap. An AI system may be fully KVKK-compliant (processing personal data correctly) but fail to meet the EU AI Act's high-risk system obligations (missing risk management or human oversight). The reverse is also possible. For Turkish companies serving the EU, the practical upshot is a three-layer compliance environment: KVKK (domestic) and the GDPR (EU data) for personal data, and the EU AI Act for the AI system. These three complement each other; none replaces another.

<comparison-table data-caption="EU AI Act vs KVKK/GDPR: what they regulate, their focus" data-headers="[&quot;Dimension&quot;,&quot;KVKK / GDPR&quot;,&quot;EU AI Act&quot;]" data-rows="[{&quot;feature&quot;:&quot;Focus&quot;,&quot;values&quot;:[&quot;Personal data&quot;,&quot;AI system and its risk&quot;]},{&quot;feature&quot;:&quot;Core question&quot;,&quot;values&quot;:[&quot;Is data processed lawfully?&quot;,&quot;Is the system safe and fit for its class?&quot;]},{&quot;feature&quot;:&quot;Trigger&quot;,&quot;values&quot;:[&quot;Personal data processing&quot;,&quot;The AI system's risk level&quot;]},{&quot;feature&quot;:&quot;Example obligation&quot;,&quot;values&quot;:[&quot;Disclosure, VERBIS, data security&quot;,&quot;Risk management, human oversight, conformity&quot;]},{&quot;feature&quot;:&quot;System in scope&quot;,&quot;values&quot;:[&quot;Any system processing personal data&quot;,&quot;May apply even without personal data&quot;]}]"></comparison-table>

For EU AI Act compliance in the Türkiye context, the smart approach is to address these two (actually three) regulations not in separate silos but in an integrated governance framework. Managing both the KVKK/GDPR data obligations and the EU AI Act system obligations for the same AI system in a single compliance file is both efficient and prevents gaps. International frameworks play a unifying role here: ISO/IEC 42001 (the AI management system standard) and the NIST AI RMF (the AI risk management framework) help gather different regulations under a single governance structure. This is not legal advice; you are advised to obtain expert opinion for your own situation.

## How Much Are the EU AI Act Penalties and Why Take Them Seriously?

The EU AI Act is backed by a serious enforcement regime so it does not remain on paper. Penalties are tiered by the severity of the breach and at the top tier can reach a significant share of global annual turnover or a high fixed amount. This means, as with the GDPR, that the penalty scales with the company's size; for a large company, the penalty is designed to be high enough to deter. For the Türkiye context, this shows that non-compliance carries not just reputational but direct financial risk.

The penalty tiers generally depend on the type of breach. The heaviest penalties are for breaching unacceptable (prohibited) practices. A lower but still serious tier applies to breaching high-risk system obligations. There is a separate tier for breaching GPAI rules. In addition, providing incorrect, incomplete, or misleading information to competent authorities carries its own penalty. Although proportionality is considered for SMEs and startups, the basic principle is clear: non-compliance is costly.

<comparison-table data-caption="Tiers of the EU AI Act penalty regime (conceptual)" data-headers="[&quot;Breach type&quot;,&quot;Severity&quot;,&quot;Penalty tier (conceptual)&quot;]" data-rows="[{&quot;feature&quot;:&quot;Prohibited practice&quot;,&quot;values&quot;:[&quot;Heaviest&quot;,&quot;High percentage of global turnover / high fixed amount&quot;]},{&quot;feature&quot;:&quot;High-risk obligation breach&quot;,&quot;values&quot;:[&quot;Heavy&quot;,&quot;Mid-high tier&quot;]},{&quot;feature&quot;:&quot;GPAI rule breach&quot;,&quot;values&quot;:[&quot;Serious&quot;,&quot;Separate tier&quot;]},{&quot;feature&quot;:&quot;Incorrect/incomplete information&quot;,&quot;values&quot;:[&quot;Medium&quot;,&quot;Lower tier&quot;]}]"></comparison-table>

<callout-box data-type="warning" data-title="Rely on the official text for exact amounts">The table above conceptually shows the structure of the penalty regime; exact percentages and amounts depend on the type of breach, the company's size, and the current version of the official text. For specific figures in your own risk assessment, rely on current official EU sources and your legal counsel. This article is for informational purposes, not legal advice.</callout-box>

The real message of the penalties is not the amounts themselves but that compliance is an obligation, not "optional goodwill." For the Turkish exporter, the penalty risk usually contains a threat broader than paying a direct fine: a finding of non-compliance can lead to the product being withdrawn from the EU market, contracts being canceled, and reputational loss. So the real cost is the loss of market access as much as the penalty itself. That is why compliance should be assessed as a risk-mitigation investment; and the smartest investment is to design it correctly from the start rather than fixing it later.

## How Do You Build an EU AI Act Compliance Roadmap?

The most practical part of Türkiye-context EU AI Act preparation is turning scattered obligations into a sequenced, manageable roadmap. The steps below show how a Turkish company can build a compliance program from scratch. This roadmap is conceptual; every organization should adapt it to the size of its AI portfolio and the intensity of its EU contact.

<howto-steps data-name="EU AI Act compliance roadmap" data-description="A step-by-step roadmap for a Turkish company to build EU AI Act compliance from scratch." data-steps="[{&quot;name&quot;:&quot;Build an AI inventory&quot;,&quot;text&quot;:&quot;List all AI systems in the organization; mark which ones touch the EU market.&quot;},{&quot;name&quot;:&quot;Do risk classification&quot;,&quot;text&quot;:&quot;Label each system as prohibited, high-risk, limited, or minimal; determine its role (provider/deployer).&quot;},{&quot;name&quot;:&quot;Run a gap analysis&quot;,&quot;text&quot;:&quot;For systems that turn out high-risk, measure the gap between the current state and the obligations.&quot;},{&quot;name&quot;:&quot;Establish a governance framework&quot;,&quot;text&quot;:&quot;Define roles, responsibilities, documentation, and decision processes; use ISO/IEC 42001 and the NIST AI RMF.&quot;},{&quot;name&quot;:&quot;Implement technical obligations&quot;,&quot;text&quot;:&quot;Embed risk management, data governance, human oversight, logging, and transparency into the systems.&quot;},{&quot;name&quot;:&quot;Move to continuous monitoring&quot;,&quot;text&quot;:&quot;Turn compliance from a one-off project into a regularly audited process.&quot;}]"></howto-steps>

The most critical steps of this roadmap are the first two: inventory and classification. If an organization does not know which AI systems it has and which risk level they are at, planning compliance is impossible. Surprisingly, many organizations do not fully know their own AI inventory: different departments may have acquired independent tools, creating "shadow AI." So building an inventory is both the first step of compliance and often the most eye-opening one.

The second critical point is the governance framework. EU AI Act compliance is not the job of a single person or department; it requires coordination among legal, technology, data, business units, and senior management. Sound governance clarifies who is responsible for what, how decisions are made, and how compliance is documented. To build AI governance at the enterprise level, the <a href="/en/blog/ai-governance-nedir">what is AI governance</a> guide offers a framework; if you want to draw on external expertise to build it, the <a href="/en/blog/yapay-zeka-danismanligi-nedir">what is AI consulting</a> guide provides direction.

## EU AI Act Compliance Checklist and Preparation Template

The checklist below is a practical tool for an organization to quickly assess its own readiness in Türkiye-context EU AI Act preparation. If you can say "yes" to every item, your compliance maturity is high; each "no" points to your next step.

<howto-steps data-name="EU AI Act compliance checklist" data-description="A step-by-step checklist for an organization to assess its EU AI Act compliance maturity." data-steps="[{&quot;name&quot;:&quot;Scope clarity&quot;,&quot;text&quot;:&quot;Do we know which of our systems touch the EU market and in which role the law covers us?&quot;},{&quot;name&quot;:&quot;Inventory and classification&quot;,&quot;text&quot;:&quot;Do we have an inventory and risk classification of all our AI systems?&quot;},{&quot;name&quot;:&quot;High-risk identification&quot;,&quot;text&quot;:&quot;Have we identified our high-risk systems and done a gap analysis for them?&quot;},{&quot;name&quot;:&quot;Documentation&quot;,&quot;text&quot;:&quot;Are our technical documentation, logging, and compliance-evidence processes ready?&quot;},{&quot;name&quot;:&quot;Human oversight&quot;,&quot;text&quot;:&quot;Have we designed meaningful human oversight for critical decisions?&quot;},{&quot;name&quot;:&quot;GPAI procurement&quot;,&quot;text&quot;:&quot;Have we requested compliance documentation from the GPAI providers we use?&quot;},{&quot;name&quot;:&quot;KVKK/GDPR integration&quot;,&quot;text&quot;:&quot;Are we managing EU AI Act compliance in a framework integrated with KVKK and the GDPR?&quot;},{&quot;name&quot;:&quot;Continuous monitoring&quot;,&quot;text&quot;:&quot;Do we have a governance and monitoring process that regularly audits compliance?&quot;}]"></howto-steps>

This checklist works like a maturity mirror: most Turkish companies, looking for the first time, answer "not yet" to many items; and that is normal. The goal is not to be perfect but to make gaps visible and prioritize them. The smartest strategy is to focus first on the highest-risk systems that touch the EU market the most, rather than trying to make all systems compliant at once. This risk-based prioritization directs limited compliance resources to the highest impact.

<callout-box data-type="success" data-title="Start small, scale systematically">EU AI Act compliance can look daunting; but it should not be treated like running a marathon in a single step. The most successful organizations start with an inventory, make a single high-risk system fully compliant to create a "template," and scale that template to other systems. This approach makes compliance both learnable and manageable; each system leaves behind a competency that makes the next one easier.</callout-box>

## Sectoral EU AI Act Examples: How Is Each Sector Affected?

The EU AI Act's impact varies markedly by sector, because each sector's AI use falls into different risk levels. The examples below show, in the Türkiye context, where each sector should pay attention. The patterns matter, not numbers.

### Finance and Banking

In this sector, credit scoring and credit assessment systems often fall into the high-risk category, because they directly affect individuals' access to essential services. A Turkish fintech offering credit products to EU customers must meet full compliance obligations for these systems. In this sector the EU AI Act also creates a layered compliance environment with existing financial regulations (and, in Türkiye, the BDDK framework).

### Human Resources and Hiring

AI systems used in hiring, promotion, and worker assessment are among the areas the law explicitly deems high-risk, because they affect people's job opportunities. A Turkish company operating in the EU or assessing EU candidates must ensure its hiring algorithms meet bias auditing, transparency, and human oversight obligations. To understand the bias risk, the <a href="/en/blog/yapay-zekada-onyargi-nedir">what is AI bias</a> guide is especially important in this context.

### Health and Medical Devices

AI used in health (diagnostic support, image analysis) is subject to double-layered compliance with both the EU AI Act and medical device regulations. This is one of the areas with the highest compliance burden; for Turkish companies exporting health technology to the EU, compliance must be an integral part of the product development process.

### Manufacturing and Industry

Quality control, predictive maintenance, and robotic systems used in manufacturing mostly fall into lower risk levels, but applications involving critical infrastructure or safety components can be high-risk. Turkish manufacturers exporting machinery or smart products to the EU should assess how their AI components intersect with the product safety framework.

### Retail and Marketing

In this sector, recommendation systems and personalization are mostly minimal or limited risk; but transparency obligations kick in for chatbots and synthetic content. A Turkish e-commerce company serving EU consumers must appropriately label AI-generated content and bots that interact with customers.

<callout-box data-type="info" data-title="Same technology, different risk">What is striking is that the same AI technology can fall into different risk levels in different contexts. An image recognition model can be minimal-risk on a retail shelf but high-risk in candidate assessment in hiring. So risk classification looks not at the technology but at the purpose and context of use. If you use the same model in different places, you must classify each use separately.</callout-box>

## What Are Common Mistakes and Breaches in EU AI Act Compliance?

In Türkiye-context EU AI Act preparation, an experienced eye sees organizations fall into the same mistakes again and again. The common feature of these mistakes is addressing compliance either too late or too superficially. The most common are:

- **The "it doesn't bind us" assumption:** The most common and most expensive mistake is never doing a scope assessment, trusting in geographic distance. Every AI touch with the EU raises a scope question.
- **Starting without an inventory:** Planning compliance without knowing which AI systems you have is impossible. "Shadow AI" — tools acquired without awareness — is a hidden compliance gap in most organizations.
- **Skipping classification:** Putting all systems in the same basket leads either to wasted resources or to missing a high-risk system. Correct classification is the foundation of compliance.
- **Leaving compliance to the last minute:** Trying to achieve obligations retroactively after a system is in production is both very costly and technically hard. Compliance must be embedded in design.
- **Lack of documentation:** A well-working but undocumented system is non-compliant under the EU AI Act, because compliance must be provable. "We did it but didn't write it down" is not a defense.
- **Confusing it with KVKK or thinking one is enough:** Mistaking KVKK compliance for EU AI Act compliance creates a dangerous gap. The two regulate different things and must be addressed separately.
- **Not questioning the GPAI supplier:** An organization using a ready large language model that does not request compliance documentation from its provider takes the compliance gap onto itself.

<callout-box data-type="warning" data-title="The common thread: postponement">Most of these mistakes rest, at root, on the same behavior: seeing the EU AI Act as "not urgent" and postponing it. Yet compliance, especially for high-risk systems, requires months of preparation; and transition periods pass faster than assumed. The cost of postponement turns into a later rushed and expensive compliance process — or into losing market access.</callout-box>

The most effective way to avoid these mistakes is to take compliance out of being a "legal department task" and make it an organizational priority. EU AI Act compliance is the shared responsibility of technology, legal, data, and business units; and it requires senior management ownership. An independent external assessment — an eye not emotionally attached to the project and familiar with the framework — is especially valuable in catching these mistakes early. To develop enterprise AI capacity, the <a href="/en/blog/kurumsal-yapay-zeka-egitimi-nedir">what is enterprise AI training</a> guide helps teams gain this awareness.

## How Is EU AI Act Compliance Maturity Measured and Monitored?

Compliance is not a one-off goal but a state to be continuously monitored. Seeing Türkiye-context EU AI Act preparation as a "project done once and finished" is one of the most common strategic mistakes; because both the systems evolve and the law's interpretation and guidance mature over time. So mature organizations monitor compliance with a maturity model and measurable indicators.

The practical way to monitor compliance maturity is to track a few core indicators regularly: how much of the organization's AI systems have been inventoried and classified; how much of the high-risk systems are fully compliant; how current the documentation is; and how fast identified compliance gaps close. These indicators turn compliance from abstract "goodwill" into a measurable management topic. Each indicator should have a baseline, a target, and a review frequency.

The second dimension of monitoring is being able to respond to changes. When an AI system is updated, its risk level can change; when a new use case is added, a minimal-risk system can become high-risk. So compliance governance must be tied to the system lifecycle: every significant change should trigger a reclassification. This dynamic approach prevents compliance from eroding over time.

<callout-box data-type="info" data-title="Compliance is a process, not a state">Do not see EU AI Act compliance as something "obtained and shelved" like a certificate. As your AI systems change, your use cases expand, and legal guidance matures, your compliance status changes too. The healthiest model is to set up compliance as a continuous process that is regularly reviewed, has an owner, and is monitored with indicators. This both lowers risk and keeps you ready for every audit.</callout-box>

<stat-callout data-value="World #1" data-context="According to We Are Social's &quot;Digital 2026&quot; data, Türkiye ranks first in the world in the share of web traffic referred from generative AI tools; this high adoption," data-outcome="shows that Turkish companies are rapidly starting to use AI and that, therefore, putting compliance frameworks like the EU AI Act on the agenda early carries strategic importance." data-source="{&quot;label&quot;:&quot;Euronews TR / Digital 2026&quot;,&quot;url&quot;:&quot;https://tr.euronews.com/next/2026/01/04/turkiye-chatgpt-trafiginde-yuzde-9449luk-oranla-dunya-birincisi&quot;,&quot;date&quot;:&quot;2026-01&quot;}"></stat-callout>

This high adoption carries a two-way meaning for the Türkiye context. On one hand, Turkish companies and users are adopting AI rapidly; this shows AI's economic value will rise quickly in Türkiye. On the other hand, rapid adoption also enlarges the risk of falling behind compliance frameworks: if systems are put into production quickly while compliance lags, an expensive correction will be needed later. So high adoption is a reason to bring compliance forward, not to postpone it. Organizations that establish early compliance both secure access to the EU market and gain a trust advantage on responsible AI.

## Why Is EU AI Act Compliance a Competitive Advantage?

Most of the Türkiye-context EU AI Act debate frames compliance as a "burden"; but that is only half the picture. Compliance, handled correctly, ceases to be a cost item and becomes a competitive advantage. There are several concrete reasons for this, and this perspective also makes it easier to explain the compliance investment to the board.

First, market access. The EU is one of the world's largest single markets, and EU AI Act compliance is increasingly a precondition for selling AI-related products to that market. The compliant Turkish company can access contracts its non-compliant rivals cannot enter; compliance opens a door. Second, trust: a company that follows the EU AI Act's principles (transparency, human oversight, security) offers its customers and partners a concrete assurance on "responsible AI." This trust turns directly into commercial value, especially in B2B relationships.

Third, internal maturity. The discipline set up for EU AI Act compliance — inventory, risk management, documentation, human oversight — is itself good AI engineering and governance. An organization that establishes this discipline is not only compliant; it also develops more reliable, less risky, and more scalable AI systems. That is, the compliance effort makes the organization a better AI organization. For organizations that want to manage this transformation strategically, the <a href="/en/blog/dijital-donusum-nedir">what is digital transformation</a> guide places compliance within a broader transformation framework.

The final message in the Türkiye context is this: compliance is not a defensive necessity but a strategic positioning. Turkish companies that read the law early and correctly will stand out as trusted AI suppliers in the EU market; those that delay face the risk of losing both market access and the trust advantage. In this light, compliance should be seen not as "a rule we were forced to follow" but as "an advantage we gained by complying early."

## Frequently Asked Questions

### Why does the EU AI Act affect companies in Türkiye?

The EU AI Act is an extra-territorial law: even if a company is headquartered in Türkiye, it falls under the Act if its AI-containing product or service is placed on the EU market or if its system's output is used in the EU. This resembles the geographic logic of the GDPR. Therefore Turkish companies that export to the EU, sit in an EU firm's supply chain, or provide AI-based services to EU users are directly affected; what determines whether you are covered is not the company's country but where the output is used.

### How does the EU AI Act's risk classification work?

The law divides AI systems into four risk levels. Unacceptable risk: practices such as social scoring are entirely prohibited. High-risk systems: systems used in areas like critical infrastructure, hiring, credit, education, and health, subject to heavy compliance obligations. Limited-risk systems: such as chatbots, requiring basic transparency. Minimal-risk systems: such as spam filters, with no additional obligations. The weight of obligations is set by this risk classification; the first step is always to classify your system correctly.

### What compliance obligations apply to high-risk systems?

The compliance obligations for high-risk systems are extensive: establishing a continuous risk management system; data governance (quality and representativeness of training data); detailed technical documentation and record-keeping (logging); providing adequate transparency and instructions to users; designing effective human oversight; ensuring an appropriate level of accuracy, robustness, and cybersecurity; and completing a conformity assessment with a declaration of conformity and marking before placing the system on the market. These obligations last throughout the system's entire lifecycle.

### What are the GPAI (general-purpose AI) rules?

GPAI refers to general-purpose AI models (e.g., large language models) that can serve a broad range of tasks rather than a single job. The EU AI Act introduces a separate rule set for these models: preparing technical documentation, providing information to downstream providers who integrate the model, complying with a copyright policy, and publishing a summary of the training data. For large GPAI models carrying systemic risk, additional obligations (model evaluation, systemic risk analysis, incident reporting, cybersecurity) apply. Since Turkish companies are mostly the party using these models, they should use the documentation supplied by the provider for their own compliance.

### What is the difference between the EU AI Act and KVKK?

The two are different but complementary regulations. KVKK regulates the processing of personal data: legal basis, disclosure, data security, VERBIS registration. The EU AI Act regulates the AI system itself and its societal risk: which risk level the system is in, and which safety and transparency requirements it meets. A system may comply with KVKK but not meet the EU AI Act's high-risk system obligations, or vice versa. For Turkish companies serving the EU, the practical upshot is: KVKK, GDPR, and the EU AI Act must be managed together. This is not legal advice.

### How much are the EU AI Act penalties?

The EU AI Act provides a tiered penalty regime that varies with the severity of the breach. The heaviest penalty is for unacceptable (prohibited) practices and can reach a share of global annual turnover or a high fixed amount. There are lower but still serious tiers for breaching high-risk system obligations and GPAI rules; providing incorrect or incomplete information to authorities also carries a separate penalty. Because exact amounts depend on the type of breach and the size of the company, you should rely on the current official text and your legal counsel for your own situation.

### Is a Turkish company that does not export to the EU also affected by the EU AI Act?

It may not be under direct obligation, but it is very likely to be affected indirectly. Many Turkish companies sit in the supply chains of EU customers or partners; these EU parties pass their own compliance obligations to suppliers through contracts. So even if you do not export directly to the EU, an EU customer may require an EU AI Act-compliant AI component or documentation from you. Moreover, because the EU AI Act is becoming a global de facto standard, being compliant is increasingly turning into a precondition for market access and competitiveness.

### Where should Turkish companies start for EU AI Act compliance?

The first step is to build an AI inventory: which AI systems exist in the organization, and which of them touch the EU market. The second step is to label each system by risk classification. The third step is a gap analysis for systems that turn out to be high-risk. The fourth step is to establish a governance framework (roles, documentation, monitoring); here frameworks such as ISO/IEC 42001 and the NIST AI RMF provide guidance. The fifth step is to turn compliance into a continuously monitored process. Starting small but systematically makes compliance manageable.

### What is the EU AI Act implementation timeline?

The EU AI Act enters into force in stages: provisions on prohibited (unacceptable-risk) practices earliest; provisions on GPAI rules in a following phase; and the full obligations for high-risk systems apply fully at the end of a longer transition period. This staged timeline is designed to give companies time to prepare. The practical implication for Turkish companies is: rather than waiting for the end of the timeline, map which provision takes effect when for their own systems and plan backwards. For current and exact dates, official EU sources should be relied upon.

### Does the EU AI Act only concern big tech companies?

No. The law covers large providers that develop AI as much as it covers organizations of every size that deploy AI. For example, a mid-sized manufacturer using an AI tool in hiring becomes subject to deployer obligations if that system falls into the high-risk class. Although the law provides some proportionality and support mechanisms for SMEs, the basic principle applies to everyone: the risk of AI is determined by its area of use, not the company's size. That is why the EU AI Act is on the agenda of every Turkish company that touches the EU ecosystem, not only giant tech firms.

## In Short: How Does the EU AI Act Affect Companies in Türkiye?

In short, the EU AI Act affects companies in Türkiye extra-territorially through AI systems whose output is used in the EU; what is decisive is not the company's country but where the output is used. The law divides systems by risk classification (prohibited, high-risk, limited, minimal); the heaviest compliance obligations are for high-risk systems; there are separate transparency rules for GPAI (general-purpose AI) models; and the penalties are serious. The most affected are Turkish companies that export to the EU, sit in EU supply chains, and serve EU users.

The most important message is this: EU AI Act compliance is not a burden to postpone but a strategic opportunity to address early. A compliance approach managed together with KVKK and the GDPR, embedded in design, and continuously monitored both lowers the risk of penalties and market loss and creates a trust advantage in the EU market. This article is an informational framework, not legal advice; you are advised to obtain expert opinion for your own situation.

For the basic concepts you can see the <a href="/en/blog/eu-ai-act-nedir">what is the EU AI Act</a>, <a href="/en/blog/kvkk-nedir">what is KVKK</a>, and <a href="/en/blog/ai-governance-nedir">what is AI governance</a> guides; for an EU AI Act and KVKK compliance assessment and roadmap tailored to your organization you can start with <a href="/en/consulting">AI consulting</a>, review <a href="/en/training">corporate training</a> options to build your teams' compliance awareness, and deepen all concepts in the <a href="/en/learn">learning center</a>.

<references-list data-references="[{&quot;label&quot;:&quot;Euronews TR — Türkiye first in the world in generative AI traffic (Digital 2026)&quot;,&quot;url&quot;:&quot;https://tr.euronews.com/next/2026/01/04/turkiye-chatgpt-trafiginde-yuzde-9449luk-oranla-dunya-birincisi&quot;},{&quot;label&quot;:&quot;What is the EU AI Act? (internal guide)&quot;,&quot;url&quot;:&quot;/en/blog/eu-ai-act-nedir&quot;},{&quot;label&quot;:&quot;What is KVKK-compliant AI? (internal guide)&quot;,&quot;url&quot;:&quot;/en/blog/kvkk-uyumlu-yapay-zeka-nedir&quot;}]"></references-list>