When did the EU AI Act's AI literacy obligation take effect?

Article 4 became applicable on 2 February 2025. It is one of the earliest operational provisions of the EU AI Act to enter into force, alongside the Article 5 prohibitions. The rest of the Act's main obligations apply from August 2026 onwards, but the AI literacy duty has been in effect for over a year.

Does this apply to small businesses?

Yes. Article 4 applies to providers and deployers of AI systems regardless of size. A 'deployer' is any natural or legal person using an AI system in a professional capacity. There is no SME carve-out. The obligation is proportionate (the standard is 'best extent', considering staff knowledge and context) but there is no exemption from it.

Is generic AI awareness training enough?

No. Article 4 requires the literacy level to reflect the technical knowledge, experience, and education of the staff, the context the AI systems are used in, and the persons on whom the AI is used. A single generic awareness video for all staff will not meet that standard. The training must be appropriately tailored to roles and to the AI systems actually in use.

How does this relate to ISO 42001?

ISO 42001 contains explicit competence requirements (Clause 7.2) and awareness requirements (Clause 7.3) for AI management systems. An ISO 42001-compliant competence and awareness programme will substantially satisfy Article 4 when documented and delivered. For organisations not pursuing ISO 42001, the same competence and awareness elements provide a workable template.

What are the penalties for non-compliance with Article 4?

Article 4 is not tied to the highest penalty tier of the EU AI Act (which apply to prohibited AI practices and certain high-risk obligations, with fines up to 7% of global turnover or 35 million euro). Article 4 sits under the general obligations regime, where penalties of up to 3% of global turnover or 15 million euro apply. National competent authorities will set proportionate fines in practice. The greater risk is reputational and downstream regulatory scrutiny rather than a single fine for the literacy provision in isolation.

Mandatory AI literacy under the EU AI Act: what Article 4 requires

Article 4 of the EU AI Act has been in force since 2 February 2025. It requires every organisation that uses AI systems, not just those that build them, to ensure their staff have sufficient AI literacy. Most organisations are unaware they are subject to this obligation. Many of those that are aware have not yet acted on it.

The provision sits in a quieter part of the EU AI Act, well behind the headline-grabbing prohibitions on social scoring and the high-risk AI system rules. It is also one of the earliest operational requirements to apply, and it catches a wider audience than most organisations realise.

This piece sets out what Article 4 actually says, who it applies to, what AI literacy means in practice, and what a credible compliance programme looks like.

Key takeaways

Article 4 of the EU AI Act has applied since 2 February 2025. Most organisations are already in scope and have not yet acted.
The obligation falls on both providers and deployers of AI systems. The deployer category is broad and captures almost any organisation now using AI tools at work.
AI literacy is not a one-size-fits-all training programme. The obligation is to ensure staff have the knowledge appropriate to their role and the AI systems they interact with.
A documented, role-appropriate, refreshed programme is the floor of what supervisory authorities will expect.
The work pairs naturally with ISO 42001 competence requirements and existing GDPR transparency obligations. Done once, it satisfies several requirements at once.

What Article 4 actually says

The article is short. It requires providers and deployers of AI systems to:

take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf

The wording matters. Three elements drive the practical interpretation:

“Best extent.” This is an effort obligation, not a strict standard. The expected level scales with the size, resources, and complexity of the organisation. A 30-person consultancy is not expected to run the same training programme as a 30,000-person bank. But both are expected to do something credible.

“Taking into account their technical knowledge, experience, education and training.” The literacy level must reflect the audience. Training designed for developers is not training designed for HR. Training designed for executives is not training designed for customer service staff.

“And the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.” The training must connect to the actual AI use case. Generic content disconnected from the AI tools the organisation actually uses will not satisfy the standard.

Who is in scope

The EU AI Act defines two main categories of obligation-bearer:

Providers. Organisations that develop AI systems or general-purpose AI models, or that have them developed, with a view to placing them on the EU market or putting them into service under their own name.

Deployers. Natural or legal persons using an AI system under their own authority in a professional capacity. The deployer category is the broad one.

Examples of deployer activity that triggers Article 4:

Using generative AI tools (ChatGPT, Claude, Copilot, Gemini) for work outputs.
Using AI features built into productivity software (AI summarisation in Microsoft 365, AI replies in Outlook, AI search in your knowledge base).
Using AI-powered HR tools (CV screening, interview analysis, performance prediction).
Using AI-augmented customer service tools (chatbots, sentiment analysis, ticket routing).
Using AI in marketing (content generation, audience analysis, advertising optimisation).
Using AI development tools (code generation, code review assistance, automated testing).

If your organisation uses any of these in a professional capacity, you are a deployer. Article 4 applies. There is no carve-out for small businesses.

What “AI literacy” means

The EU AI Act defines AI literacy in Article 3(56):

skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause

In practice, what this means varies by role.

Executives and the board. Strategic risks of AI use, regulatory landscape (EU AI Act, GDPR intersections, sector-specific rules), governance arrangements, accountability, escalation routes for material AI-related issues.

Procurement and legal. How to evaluate AI vendors and tools, contractual considerations for AI procurement, the EU AI Act risk classification, vendor obligations under the Act, data protection considerations for AI processing.

Developers and IT. Responsible AI development principles, the EU AI Act risk categories, technical documentation expectations, bias testing, explainability requirements, human oversight implementation.

HR. AI in recruitment and performance management, the high-risk classification of AI in employment under the Act, transparency obligations to employees, GDPR Article 22 considerations.

Customer-facing staff. Identifying when AI is generating output, disclosing AI use to customers where required, handling complaints about AI-driven decisions, recognising the limits of AI tools.

All staff. Acceptable use of AI tools, what may and may not be input (personal data, confidential information, regulated data), what to escalate, how to recognise issues, where to get help.

A useful test: if a member of staff is interacting with an AI system in any way that affects their work or affects other people, the question for the literacy programme is what they need to know to do that responsibly.

What a compliance programme looks like

In our experience, supervisory authorities and certification auditors will look for a handful of practical elements when assessing Article 4 compliance.

An AI system inventory. A documented record of which AI systems are in use across the organisation, by whom, for what purpose. Without this, the rest of the programme has no anchor. This is also the foundation of any ISO 42001 implementation.

Role mapping. A documented mapping of which staff roles interact with which AI systems, and the literacy level required for each combination.

A documented training programme. Role-appropriate, tailored to the AI systems in use, with content that goes beyond generic AI awareness. Often a mix of delivery formats: short e-learning for broad audiences, deeper workshops for specialised roles, executive briefings for leadership.

Completion records. Evidence that staff have actually completed the relevant training, mapped to the AI systems they use. This is standard records management, but it is often the gap when supervisory authorities ask for evidence.

A refresh cycle. AI capabilities, vendor tools, and the regulatory landscape are all moving quickly. Annual refresh is the minimum credible cadence. Material changes (new AI tool deployment, change in regulatory guidance, EU AI Act phase transitions) should trigger out-of-cycle updates.

Connection to acceptable use policy. The training should be reinforced by clear policy on what is and is not permitted, particularly around inputs (personal data, confidential information, regulated content) and outputs (verification, transparency, attribution).

Awareness of escalation routes. Staff should know who to contact when they encounter something that does not fit the standard pattern, whether that is an unexpected output, a regulatory question, or a customer complaint about AI use.

Common pitfalls

Across early advisory work on Article 4 compliance, the same gaps recur.

The fifteen-minute video approach. A single generic video shown to all staff at induction does not satisfy the standard. The Act explicitly requires the literacy level to reflect technical knowledge, role, and AI context.

Missing the shadow AI users. Many organisations have staff using personal ChatGPT or Claude accounts for work, often without explicit approval. These users are still using AI on behalf of the organisation. Compliance has to address them, either by formalising or restricting the practice.

One-off training without refresh. Treating AI literacy as a one-time exercise like fire safety induction. The pace of change in AI capability and regulation makes this approach quickly obsolete.

Generic vendor training as the entire programme. A vendor’s product training (how to use a specific tool) is useful input but does not cover the EU AI Act content, the risk awareness, or the broader literacy elements the Act requires.

No documentation of delivery. Programmes that exist informally but produce no records of who completed what, when, will be hard to demonstrate to a supervisory authority on request.

Relationship to other frameworks

Article 4 sits inside a wider compliance landscape. Several existing obligations create overlap that can be exploited.

ISO 42001 competence and awareness (Clauses 7.2 and 7.3). ISO 42001 contains explicit competence requirements for people involved in the AI management system and awareness requirements for staff who can affect AI outcomes. A compliant ISO 42001 programme will substantially satisfy Article 4 when documented and delivered. The standards are designed to be mutually reinforcing.

ISO 27001 Annex A.6.3 awareness training. The existing security awareness programme is a natural home to extend to AI literacy. The delivery infrastructure, records keeping, and refresh cadence are already in place. The content needs to be expanded, not invented from scratch.

GDPR transparency and accountability. Many AI use cases process personal data. The literacy programme can address the GDPR-AI intersection (lawful basis, automated decision-making under Article 22, DPIA considerations) as part of the same training rather than as a separate workstream.

NIS2 cybersecurity awareness. For organisations in NIS2 scope, the existing cybersecurity awareness obligations create another natural integration point. AI-augmented attack vectors and AI-related security risks fit inside the same training pattern.

What supervisory authorities will look for

Enforcement of Article 4 will fall to designated national supervisory authorities under each member state. In Ireland, the Data Protection Commission has been allocated supervisory responsibilities for parts of the Act intersecting with data protection. Other competent authorities are still being designated under the Irish implementing legislation.

When supervisory authorities ask about Article 4 compliance, the practical questions will be:

What AI systems do you use?
Who interacts with them, and in what capacity?
What training have those people received?
When did they receive it? How is it kept current?
How is this documented?
Where does this sit in your governance arrangements?

An organisation that can answer these clearly, with documents to back the answers, will be in good shape. An organisation that cannot will be in a much weaker position regardless of how good its actual practice is in reality.

Practical questions to ask now

If Article 4 has not yet been formally addressed in your organisation:

Do you have a current inventory of AI systems in use? Including shadow AI?
Have you mapped which staff roles interact with which AI systems?
Do you have role-appropriate training that goes beyond generic AI awareness?
Are completion records being maintained?
When was the training last refreshed? When is the next refresh planned?
Does the training reference the EU AI Act explicitly, or just generic responsible-AI principles?
Where does this work sit in your governance arrangements? Who owns it?

If most of these answers are not clear, the work to address Article 4 should be on the next quarter’s compliance plan. The obligation is in force. The supervisory authorities are being designated. The longer the gap between effective date and credible compliance, the harder it becomes to defend.

How we can help

If you would like support designing an AI literacy programme that satisfies Article 4 and integrates with your wider compliance programme, get in touch. Our AI Governance and ISO 42001 services cover the compliance pathway, and our Risk and Governance work covers the broader governance arrangements that Article 4 sits inside.