This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
The EU AI Act has required businesses to take steps toward staff AI literacy since 2 February 2025, the same date the Act's prohibited-practices ban took effect. It's one of the earliest-binding parts of the whole Act, and one of the least well known.
In short: Article 4 requires both providers and deployers of AI systems to take reasonable measures ensuring staff, and anyone else using AI systems on the business's behalf, have a sufficient level of AI literacy. It's been in force since February 2025. Formal enforcement supervision starts 2 August 2026. There's no mandated training format, no requirement to appoint an AI officer, and no obligation to formally test staff, just a genuine, documented effort.
What the obligation actually says
Article 4 requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other people dealing with the operation and use of AI systems on their behalf, considering their technical knowledge, experience, education, training, and the context the AI system will be used in. In plain terms: if your business uses AI tools, you need to take some reasonable steps to make sure the people using them understand roughly what they're working with.
Why most businesses have never heard of it
The operations manager of a 40-person EU logistics company had rolled out three different AI tools to staff over the past year, a writing assistant, a scheduling optimiser, and a customer-service chatbot, with no formal training programme behind any of them. Before checking, she assumed AI literacy was a nice internal initiative worth doing eventually, not something with a legal basis already in force. The Act's early headlines focused on the prohibited-practices ban and the (now-delayed) high-risk deadline, both dramatic, clear-cut milestones. Article 4's obligation is quieter: no fanfare, no single hard deadline that made news, just a standing requirement that's been live for over a year.
What compliance actually looks like
The obligation is deliberately unprescriptive. There's no mandated curriculum, no minimum training hours, no requirement to test or certify staff, and no requirement to appoint a dedicated AI officer or stand up a formal governance board. What's expected is a genuine, proportionate effort, scaled to what your staff actually do with AI, not a one-size-fits-all corporate training module.
In practice, this looks like a short, documented process: identify which staff use which AI tools and for what tasks, cover the basics relevant to that use (what the tool can and can't reliably do, when to double-check its output, what data shouldn't go into it), and keep a simple record of when that happened. A 45-minute session covering the specific tools your team actually uses, repeated for new starters and refreshed when a new tool is introduced, is a reasonable, defensible baseline for most SMBs. It doesn't need to be elaborate to satisfy the obligation, it needs to be real and documented.
What happens from August 2026
The obligation itself hasn't changed and wasn't touched by the mid-2026 Digital Omnibus delay that pushed back other AI Act deadlines (see our guide on the Digital Omnibus changes). What changes from 2 August 2026 is enforcement supervision, meaning regulators begin actively checking for compliance rather than the obligation existing largely unpoliced, as it has since February 2025. This is a reasonable point to make sure any AI literacy effort is not just underway but actually documented, since a business that's never written anything down has little to show if asked.
What non-compliance actually risks
Article 4 falls under the Act's general infringement tier, which carries penalties of up to €7.5 million or 1.5% of global annual turnover, whichever is higher, the lower end of the Act's tiered penalty structure. For most SMBs, the realistic exposure isn't a standalone Article 4 enforcement action, it's this obligation coming up as one factor in a broader review if an AI-related complaint or incident brings a regulator's attention to the business for another reason.
Who this actually covers
The obligation applies to both providers of AI systems (businesses building or selling AI tools) and deployers (businesses using them in their own operations), which covers most SMBs on the deployer side. It's not limited to direct employees either, anyone dealing with the operation and use of an AI system on the business's behalf, including contractors and, in some interpretations, service providers acting for the business, falls within scope. A small business using a handful of AI tools with a mixed team of employees and freelance contractors should think about literacy measures across that whole working group, not just its payroll staff.
The scaling factor built into the Article itself is worth using deliberately: the measures expected depend on staff's existing technical knowledge, experience, and the specific context the AI system is used in. A team of developers integrating an AI API into their own product needs a different kind of literacy grounding than an admin team using a writing assistant for correspondence. Tailoring the effort to the actual use case, rather than running one generic session for the whole business, is both more defensible and more genuinely useful.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
When did the EU AI Act's AI literacy obligation come into force?
Article 4 has applied since 2 February 2025, the same date the Act's prohibited-practices ban took effect. It's one of the earliest-binding parts of the Act.
Do we need to appoint an AI officer to comply with Article 4?
No. Article 4 doesn't require a specific governance structure, a dedicated AI officer, or a formal AI governance board. Reasonable, documented measures proportionate to how staff use AI are what the obligation calls for.
Do we have to formally test staff on their AI knowledge?
No. There's no requirement to measure or certify staff AI literacy levels. Documenting what training or awareness measures were taken is more relevant than proving a specific knowledge outcome.
Was the AI literacy obligation affected by the Digital Omnibus delay?
No. The Digital Omnibus package pushed back the high-risk system and transparency deadlines, both originally 2 August 2026. Article 4's AI literacy obligation, in force since February 2025, was untouched by that delay.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Building a broader AI usage policy for your team? Start with our free template.
Get the AI Policy Template