AI Literacy Under the EU AI Act
One article. Already in force. And it applies to every AI system you use.
Someone at your company bought an AI tool.
Maybe it was the marketing team — a content assistant, a campaign optimizer, something with “AI-powered” in the tagline that justified a budget nobody would have approved two years ago. Maybe it was HR — a screening tool that promises to save 40 hours per hiring cycle. Maybe your developers just started using Copilot and nobody told compliance.
And then someone — you, probably, because these things always land on the same desk — asked the question that changes the meeting: “Do the people using this actually understand what it does?”
Not the features. Not the sales pitch. Do they understand what the system is doing with its inputs? Do they know when the output might be wrong? Do they know what the company’s legal obligations are now that they’re using it?
Silence.
Since 2 February 2025, that silence has been a legal problem.
The Shortest Obligation with the Longest Reach
The entire AI literacy obligation of the EU AI Act lives in one sentence of Article 4:
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.
One sentence. No subparagraphs. No delegated acts. No annexes. If you printed the entire AI Act’s high-risk AI requirements and then printed Article 4, one of them would be a binder and the other would be a Post-it note.
That one-sentence treatment has made everyone underestimate it.
Three things make Article 4 different from almost every other obligation in the AI Act:
It already applies. Not in August 2026 with the high-risk requirements. Not in 2027 with the extended deadline. February 2025. If you’re reading this in April 2026, you’ve been subject to this obligation for 14 months. Surprise.
It applies regardless of risk level. Article 4 doesn’t care whether your AI system is high-risk, limited-risk, or minimal-risk. Every AI system in the Act’s scope triggers this obligation. Your chatbot. Your translation tool. Your AI coding assistant. The thing the intern installed last Tuesday. All of them. The only systems that escape are those outside the Act’s scope entirely — military use, purely personal use, R&D before market deployment.
And it reaches everyone your AI touches. Not just employees. Contractors. Consultants. Outsourced teams. Anyone “dealing with the operation and use of AI systems on your behalf.”
What the Commission Said — and What It Left to You
In 2025, the European Commission published a Q&A on AI Literacy — the most concrete guidance available on what Article 4 means in practice. It didn’t get the attention of the prohibited practices guidelines or the AI system definition guidelines. It should have.
The Q&A sets a tone. Flexible, not prescriptive. No mandatory certifications. No required training hours. No pass/fail tests. The AI Office says it “does not intent to impose strict requirements” regarding what counts as a “sufficient level” of AI literacy.
If you just exhaled with relief — hold that breath a moment longer.
Because the Q&A also says that the choice not to train staff will be “closely scrutinised, and likely viewed negatively, by regulators, customers and other stakeholders.” You can argue about what kind of training. You can argue about how much. You cannot argue that training is unnecessary.
The minimum floor the Commission outlines:
Ensure a general understanding of AI within the organization.
What is AI? How does it work? What AI systems do we use? What are the risks?
Consider the role of the organization.
Provider or deployer? The obligations differ. A company building AI systems needs a different literacy profile than one using off-the-shelf tools.
Identify and communicate risks specific to the AI systems in use.
Staff need to know what can go wrong — and what to do when it does.
Tailor the program to the people and the context.
A data scientist and a claims handler don’t need the same training. Article 4 says so explicitly — “taking into account their technical knowledge, experience, education and training.”
One more thing the Q&A clarifies.
There is no obligation to measure your employees’ AI knowledge. No mandatory testing. No certification requirements. You don’t have to quiz your head of sales on the definition of a neural network. But documentation of what training was provided matters — because when supervisory authorities start enforcement in August 2026, AI literacy programs (or the absence of them) will be among the first things they examine.
Three Tiers — Not One Box to Check
“Train your staff on AI.” That’s what most compliance summaries tell you. As if you could buy a single e-learning course, push it to the entire organization, and file the receipt.
The regulation is more specific than that — and, for once, more reasonable.
Article 4 builds in a proportionality test through its qualifying language: “taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in.” That’s not a uniform standard. That’s a signal — different people need different things.
Recital 20 makes it explicit. The “notions” required for AI literacy “may vary with regard to the relevant context” and can include understanding technical elements during development, measures during use, how to interpret AI output, and — for people subjected to AI decisions — how those decisions will impact them.
Germany’s Bundesnetzagentur — the designated national market surveillance authority — published guidance in June 2025 recommending a three-stage approach. The Commission’s Q&A acknowledges that “having different levels of training or learning approaches can be appropriate.”
Put these together and the shape is clear. Three tiers.
Tier 1 — General AI awareness. Everyone.
This is the floor. Every person in the organization — from the CEO to the receptionist to the warehouse worker — needs a baseline:
What AI is and, at a conceptual level, how it works. Which AI systems the organization uses. That the organization has legal obligations around AI. What to do if they encounter something unexpected — who to escalate to. The basic opportunities and risks.
This isn’t a 40-hour course. It could be an annual e-learning module. An internal policy document everyone reads and signs off on. A town hall where at least some people are paying attention. The format matters less than the fact that it exists and that you can prove it happened.
Tier 2 — Role-specific competence. People who work with AI systems.
Anyone who operates, manages, or makes decisions based on AI output needs more.
Understanding how the specific AI systems they work with function — not at code level, but practically. What the system does. What data it uses. What its limitations are. When it might be wrong. The risks specific to those systems. The ability to interpret AI outputs correctly — including knowing when to distrust the output. And what to do when something doesn’t look right.
The HR coordinator using an AI screening tool needs to know what the system evaluates, what it misses, and when human judgment should override it. The loan officer reviewing an AI credit recommendation needs to understand the model’s inputs and limitations — not because they’re a data scientist, but because they’re making decisions that affect people’s mortgages.
Tier 3 — Specialised competence. Human oversight.
Article 14(5) of the AI Act requires that natural persons assigned to human oversight of high-risk AI systems have the “competence, training and authority” to effectively perform that role. Not “awareness.” Not “familiarity.” Competence. They must be able to properly understand the system’s capabilities and limitations. Monitor its operation and detect anomalies. Be aware of automation bias — the tendency to over-rely on AI output. Correctly interpret the system’s output. And have the authority to override or disregard it when necessary.
Article 4 is the foundation. Article 14 is the superstructure. You cannot comply with human oversight requirements if your oversight personnel lack AI literacy.
This matters because the real enforcement risk for AI literacy isn’t a standalone Article 4 fine. It’s what happens when a high-risk AI system causes harm and the investigation reveals that the person assigned to human oversight didn’t understand the system well enough to oversee it. At that point, Article 4 non-compliance becomes evidence of Article 14 non-compliance — and the penalty exposure jumps from a training gap to a systemic governance failure.
Who falls into Tier 3: the senior underwriter serving as human-in-the-loop for AI-assisted insurance decisions. The radiologist overseeing AI diagnostic imaging. The safety engineer monitoring AI in critical infrastructure. The compliance officer responsible for an AI system that makes decisions affecting people’s rights.
These people need deep, system-specific knowledge. Known failure modes. Confidence levels. Conditions under which the system should be stopped. Documentation and incident reporting requirements. This isn’t an e-learning module. This is dedicated, ongoing, system-specific training — and the ability to prove it.
What This Looks Like in Practice
First Scenario - The insurer
An insurance company uses AI for claims processing — a fraud detection model that flags suspicious claims and a machine learning system that assists underwriters with risk assessment.
Tier 1 is straightforward. Everyone in the company — from reception to the CEO — gets an annual briefing on the company’s AI use, its obligations, and basic AI literacy. An e-learning module. Internal communications about the AI policy.
Tier 2 is the one that will take work. The claims team needs to understand that “flagged” means a probability score — not a verdict. They need to know the system’s false positive rate. They need to know what to do when they disagree with the system’s output. The underwriters using AI-assisted risk assessment need to understand the model’s inputs, its limitations, and the circumstances under which they should override the recommendation. This isn’t optional training. This is the minimum for people making decisions based on AI output every day.
Tier 3 applies to the senior underwriter serving as human-in-the-loop. They need Article 14-level competence: understanding automation bias, knowing the system’s failure modes, having the authority and knowledge to override it, and understanding what triggers an incident report.
And there’s a dimension most insurers won’t think about on their own. The affected persons — policyholders whose claims are processed by AI. Article 4 doesn’t create a direct obligation to train your customers. But internal AI literacy needs to be sufficient that staff can explain AI-assisted decisions to policyholders who challenge them. That connects to transparency obligations under Article 50 — and to the practical reality that someone will ask “why was my claim denied?” and the answer can’t be “the algorithm said so.”
Second Scenario - The 30-person e-commerce company
A small company. Shopify’s AI-powered product recommendations. ChatGPT for customer service drafts. An AI accounting tool. They didn’t build any of this. Pure deployers.
What they think: We just use tools. AI literacy isn’t our problem.
What the law says: they’re deployers. Article 4 applies.
What “to their best extent” looks like for a company this size: an internal AI use policy — one document listing which AI tools are in use and the basic rules for using them. A team briefing. Making sure the marketing manager using ChatGPT knows about hallucination risks. Making sure the customer service team understands the limits of AI-generated responses before sending them to customers.
This company doesn’t need a three-tier training program with a dedicated AI literacy officer and a quarterly assessment cycle. But it needs something documented and demonstrable. A written policy. A record that the conversation happened. Evidence that people know what they’re using and what can go wrong.
The bar is lower. It is not zero.
Third Scenario - The startup building an AI product
Five people. All technical. Building an AI-powered legal research tool for law firms.
Their AI literacy gap is the opposite of what you’d expect. They understand transformers and embeddings. They can explain attention mechanisms over coffee. Their technical AI knowledge is deep.
Their regulatory AI literacy might be zero. They can build an AI system. They cannot tell you what Article 6 says about it.
As a provider, they need to understand what obligations attach to their product. That the AI Act requires specific documentation. That the system will need instructions for use. That their customers — law firms deploying the tool — will have their own obligations under the Act, and the startup’s product needs to support those obligations.
“To their best extent” here means documented internal policies on AI Act compliance. Evidence that the team has studied the relevant obligations. Someone assigned to regulatory responsibility — even if it’s the co-founder spending Saturdays reading guidance documents. Training doesn’t need to be a formal program. But the knowledge needs to exist. And it needs to be demonstrable.
The Third Group in the Definition — Affected Persons
The definition of AI literacy in Article 3(56) covers three groups: providers, deployers, and affected persons. The people on the receiving end of AI decisions.
Article 4 itself only imposes the obligation on providers and deployers regarding their staff. But Recital 20 goes further — affected persons need “the knowledge necessary to understand how decisions taken with the assistance of AI will have an impact on them.”
Wait — does that mean I have to train my customers?
No. Not directly. But it creates an expectation. And it connects to transparency obligations elsewhere in the Act — particularly Article 50, which requires deployers to inform people when they’re interacting with certain AI systems.
The practical implication: your internal AI literacy program needs to be good enough that your staff can explain AI-assisted decisions to the people affected by them. The patient who asks how AI influenced their diagnosis. The job applicant who wants to know why they were screened out. The policyholder disputing a claim decision.
If your staff can’t explain it — because they don’t understand it themselves — you have both an AI literacy problem and a transparency problem. They compound.
Penalties and the Aggravating Factor
The penalty tier for Article 4 violations falls under Article 99 — likely up to €15 million or 3% of total worldwide annual turnover, whichever is higher. I say “likely” because the exact tier applicable to Article 4 is not perfectly clear from the penalty structure.
However, nobody is getting fined €15 million because their training program was weak. That’s not how this plays out.
The scenario regulators are actually preparing for is different.
A high-risk AI system causes harm. An investigation follows. The regulator discovers that the deployer’s staff didn’t understand the system’s limitations. Didn’t know how to interpret its outputs. Didn’t recognise the risk signals. The regulator asks: what AI literacy measures did you have in place?
If the answer is “none” or “a generic webinar from 2025 that nobody remembers” — that absence of literacy becomes evidence of broader non-compliance. It amplifies the penalty for the primary violation.
Article 4 doesn’t bite on its own. It bites when something else goes wrong — and it proves the failure was systemic.
Enforcement Timeline — the Gap You Should not Misread
2 February 2025 — Article 4 started to apply.
2 August 2026 (if not postponed) — national market surveillance authorities begin supervising and enforcing.
That 18-month gap between obligation and enforcement is not a grace period in the “you can ignore this until August” sense. It’s runway. The Commission gave organizations time to build programs before inspections begin.
Germany has already designated the Bundesnetzagentur as its supervisory authority. It published guidance. It set up an AI Service Desk. Other Member States are at different stages — which means enforcement intensity will vary across the EU, at least initially.
But the question a supervisory authority will ask in August 2026 is not “do you have a program now?” It’s “what have you been doing since February 2025?” Fourteen months of doing nothing is not a defensible answer.
What to Do — Practically
You have at least until August 2026 before enforcement starts. But that’s not a lot of time if you’re starting from nothing. However, Article 4 doesn’t ask for perfection. It asks for measures taken “to your best extent.” Demonstrable, proportionate, real.
Start with an inventory. Which AI systems does your organization use? Who uses them? In what context? You can’t build a literacy program around tools you haven’t mapped. This is also the exercise that feeds risk classification under Article 6 — so it’s not wasted work.
Identify your tiers. Not everyone needs the same training. Sort your people into the three categories — general awareness (everyone), role-specific competence (people working with AI daily), and specialised oversight (human-in-the-loop roles under Article 14). The Commission’s Q&A supports this approach explicitly.
Build the floor first. General AI awareness for the entire organization. What AI is. Which systems you use. What the risks are. What to do if something looks wrong. This can be an e-learning module, an internal policy document, a briefing — whatever fits your size. The format is flexible. The fact that it happened needs to be documented.
Then go deeper for the people who need it. Role-specific training for anyone operating AI systems or making decisions based on AI output. What the system does. What it can’t do. When to distrust it. What to do when something doesn’t look right. For high-risk AI with human oversight requirements, this becomes Article 14-level competence — and that standard is higher than a training session.
Write it down. The AI Act doesn’t prescribe documentation formats for Article 4. But when a supervisory authority asks what you’ve done, “we had some conversations” is not an answer. A written AI literacy policy. Training records — who was trained, when, on what. An internal AI use policy listing your tools and the rules for using them. Evidence that the program evolves as your AI use changes.
Check what your providers give you. If you’re a deployer, your AI literacy depends partly on the information your providers disclose — instructions for use, capabilities, limitations. If the documentation is thin, your ability to train your staff on that system is compromised. That’s a conversation worth having with your vendors before the regulator has it with you.
The Foundation That Makes Everything Else Work
There’s a reason Article 4 applies before almost everything else in the AI Act.
Risk classification requires someone who understands what the AI system does well enough to assess which Annex III category might apply. Conformity assessment requires people who can prepare and review technical documentation. Human oversight — Article 14 — explicitly requires competence and training. Transparency obligations require understanding what the AI actually does before you can tell anyone else about it. Post-market monitoring requires identifying issues. Incident reporting requires recognising when a serious incident has occurred.
Every single one of those obligations assumes that the people doing the work understand what they’re working with. Article 4 is that assumption, written into law.
AI Literacy will never headline a conference panel. It won’t generate breathless LinkedIn posts or €50K consulting proposals. It sits there — one sentence, one article — doing the structural work of making everything else in the regulation possible.
A company that gets AI literacy right will find the rest of the AI Act manageable. A company that skips it will find every other obligation harder, every assessment shallower, every oversight function weaker.
The regulation gives you flexibility on the how. Not on the whether.
Fourteen months are already gone. The people using AI in your organization — right now, today, across every department and every risk level — either understand what they’re working with, or they don’t.
That’s the question. Not whether you need a program. Whether the one you have is enough.
I really enjoyed reading this - thank you for making the AI Act a little less legalese and a little more English ;)
I was reading the other day about AI literacy vs AI enablement and how they’re really not the same thing. Giving people tools to use is not the same as actually knowing what those tools could do. I’m also guilty of automation bias, especially when it’s something a little less cognitive - and “sure, good enough” won’t hold up in an audit!
I didn't consider the impact of the DPO requirement. Thank you!
It definitely set a clear standard of accountability to get compliance started. The tiering system you mention doesn't have the same dedicated role with an expert required.