Three dates: 2 February 2026, 2 August 2026, 2 February 2027. Brussels effect means Turkish RFPs already speak this language. The thesis-driven roadmap for serious operators.
Three Dates That Define the Next Eighteen Months
The EU AI Act does not arrive as a single deadline. It arrives in three waves — 2 February 2026, when prohibitions on unacceptable-risk systems became enforceable; 2 August 2026, when general-purpose AI obligations and the first round of governance rules go live; and 2 February 2027, when high-risk system requirements complete. Reading the regulation as a single date is the most common mistake I see in board conversations. Treating it as a calendar with three checkpoints — and mapping your portfolio against each — is what serious operators are already doing. The calendar is already on your wall, even if you haven't looked at it.
Risk Categories, Plain English
Four tiers. Unacceptable risk — social scoring, manipulative subliminal techniques, real-time biometric identification in public spaces with narrow law-enforcement exceptions. These are banned outright as of February 2026. High risk — AI in critical infrastructure, education access, employment decisions, credit scoring, law enforcement, migration, justice. These face the heaviest documentation, testing, and post-market monitoring obligations. Limited risk — chatbots, deepfakes, emotion recognition — face transparency obligations, mostly disclosure that you're talking to a machine. Minimal risk — everything else, no formal obligation. Most enterprise AI deployments end up in high or limited. Knowing which one your system falls into is a thirty-minute legal exercise that almost nobody has done.
The Brussels Effect Hits Turkish RFPs
Turkey is not in the EU. The AI Act does not formally apply to Turkish organizations operating purely domestically. That sentence is technically correct and operationally useless. Any Turkish company with European customers, European data subjects, or aspirations to either is already negotiating contracts that reference AI Act compliance. By Q4 2025 we observed AI Act language appearing in defense procurement, fintech RFPs, and several mid-market SaaS tenders — none of which were legally required to include it. The procurement teams included it because their auditors asked for it. By the end of 2026, expect AI Act-equivalent language to be RFP standard regardless of cross-border exposure. That is the Brussels effect — regulatory gravity exported through purchase orders.
Sector-Specific Impact Inside Turkey
Defense — dual-use AI is partially exempted from the Act, but companies serving NATO partners or selling into European defense supply chains face de-facto application. BÖRÜ Pack-class systems live in this territory. Health — diagnostic AI is high-risk under the Act, period. Turkish healthtech companies aiming at European hospitals must plan for full conformity assessment. Finance — credit scoring, insurance pricing, and AML systems are explicitly named. Turkish fintechs with EU passport ambitions should already be scoping this. Public sector and education are next, with the longest tail because procurement cycles are slower. The pattern across sectors is consistent — the higher the consequence of an AI decision, the deeper the Act reaches in.
What Goes On the Roadmap
Five workstreams. AI inventory and classification — every system mapped to a risk tier with documented reasoning. Technical documentation — model cards, training data summaries, performance metrics, known limitations. The Act calls this Annex IV; we call it the file you wish you had during your last audit. Risk management system — continuous, not one-shot. Human oversight — designed into the workflow, not bolted on as a disclaimer. Post-market monitoring — the operational telemetry that tells you when a deployed model starts misbehaving. The same telemetry, incidentally, that AgentOps requires. Build the workstreams once, satisfy multiple frameworks. Trying to build separate compliance stacks for AI Act, ISO 42001, and KVKK is a budget-burning mistake.
What I Would Tell a Board Today
Three sentences. One — the AI Act is a procurement document long before it is a regulatory document, so the first cost of inaction is lost tenders, not fines. Two — the technical work to comply is roughly the same technical work to operate AI responsibly, so the marginal cost over what you should already be doing is low. Three — start the inventory this quarter, finish high-risk classification next quarter, and have technical documentation ready before the August 2026 GPAI deadline. The calendar is fixed. The work is finite. The boards that treat this as a 2027 problem will be answering uncomfortable questions in Q3 2026 when their first European tender response gets returned with a one-line note about AI Act readiness.