Two milestones are already in force — the unacceptable-risk ban since 2 February 2025 and GPAI obligations since 2 August 2025 — and the next wave, high-risk Annex III, lands 2 December 2027. The Brussels effect means Turkish RFPs already speak this language. The thesis-driven roadmap for serious operators.
The Dates That Define the Roadmap — Two Already Live
The EU AI Act does not arrive as a single deadline. It arrives in waves, and two of them have already passed. Prohibitions on unacceptable-risk systems became enforceable on 2 February 2025 — that ban is live now. General-purpose AI obligations took effect on 2 August 2025 — also live. Next come the general transparency rules (Article 50) on 2 August 2026, and then high-risk Annex III systems on 2 December 2027 (pushed back from the original 2026 date under the Digital Omnibus). Reading the regulation as a single future date is the most common mistake I see in board conversations — worse, treating it as a 2026 problem when the binding rules have been in force since early 2025. Treating it as a live calendar — and mapping your portfolio against each checkpoint — is what serious operators are already doing. The calendar is not on your wall for later; two of its checkpoints have already passed.
Risk Categories, Plain English
Four tiers. Unacceptable risk — social scoring, manipulative subliminal techniques, real-time biometric identification in public spaces with narrow law-enforcement exceptions. These have been banned outright since 2 February 2025. High risk — AI in critical infrastructure, education access, employment decisions, credit scoring, law enforcement, migration, justice. These face the heaviest documentation, testing, and post-market monitoring obligations. Limited risk — chatbots, deepfakes, emotion recognition — face transparency obligations, mostly disclosure that you're talking to a machine. Minimal risk — everything else, no formal obligation. Most enterprise AI deployments end up in high or limited. Knowing which one your system falls into is a thirty-minute legal exercise that almost nobody has done.
The Brussels Effect Hits Turkish RFPs
Turkey is not in the EU. The AI Act does not formally apply to Turkish organizations operating purely domestically. That sentence is technically correct and operationally useless. Any Turkish company with European customers, European data subjects, or aspirations to either is already negotiating contracts that reference AI Act compliance. By Q4 2025 we observed AI Act language appearing in defense procurement, fintech RFPs, and several mid-market SaaS tenders — none of which were legally required to include it. The procurement teams included it because their auditors asked for it. By the end of 2026, expect AI Act-equivalent language to be RFP standard regardless of cross-border exposure. That is the Brussels effect — regulatory gravity exported through purchase orders.
Sector-Specific Impact Inside Turkey
Defense — dual-use AI is partially exempted from the Act, but companies serving NATO partners or selling into European defense supply chains face de facto application. BÖRÜ Pack-class systems live in this territory. Health — diagnostic AI is high-risk under the Act, period. Turkish healthtech companies aiming at European hospitals must plan for full conformity assessment. Finance — credit scoring, insurance pricing, and AML systems are explicitly named. Turkish fintechs with EU passport ambitions should already be scoping this. Public sector and education are next, with the longest tail because procurement cycles are slower. The pattern across sectors is consistent — the higher the consequence of an AI decision, the deeper the Act reaches in.
What Goes On the Roadmap
Five workstreams. AI inventory and classification — every system mapped to a risk tier with documented reasoning. Technical documentation — model cards, training data summaries, performance metrics, known limitations. The Act calls this Annex IV; we call it the file you wish you had during your last audit. Risk management system — continuous, not one-shot. Human oversight — designed into the workflow, not bolted on as a disclaimer. Post-market monitoring — the operational telemetry that tells you when a deployed model starts misbehaving. The same telemetry, incidentally, that AgentOps requires. Build the workstreams once, satisfy multiple frameworks. Trying to build separate compliance stacks for AI Act, ISO 42001, and KVKK is a budget-burning mistake.
What I Would Tell a Board Today
Three sentences. One — the AI Act is a procurement document long before it is a regulatory document, so the first cost of inaction is lost tenders, not fines. Two — the technical work to comply is roughly the same technical work to operate AI responsibly, so the marginal cost over what you should already be doing is low. Three — start the inventory this quarter, finish high-risk classification next quarter, and have technical documentation ready ahead of the 2 August 2026 general-applicability and transparency milestone — remembering that the prohibitions and GPAI rules have already been in force since 2025. The calendar is fixed. The work is finite. The boards that treat this as a future problem will be answering uncomfortable questions when their first European tender response gets returned with a one-line note about AI Act readiness.