Skip to content
Confir.
Free trial
Blog

AI Literacy Training Requirements Under Article 4 of the EU AI Act

Guide21 May 2026· 14 min read

What the EU AI Act requires for AI literacy: who is covered, the "sufficient level" standard, evidence to keep, and enforcement. In force since 2 February 2025.

Article 4 of Regulation (EU) 2024/1689 (the EU AI Act) obliges providers and deployers to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and any other persons operating and using AI systems on their behalf. The obligation has applied since 2 February 2025, so it is live today — not a future deadline you can defer.

The text is short, but the duty is real and examinable. It is outcome-based: the law mandates competent people, not a specific course, certificate, or number of hours. It applies to every AI system you use, regardless of risk tier, so even a company running only a chatbot or a document-summarisation tool carries it.

This guide explains exactly what Article 4 obliges you to do: who is in scope, what "sufficient" competence means, how to scope a proportionate programme, what evidence regulators expect, and what happens if you fall short. For the foundational picture, start with what the EU AI Act requires; for the clause itself, see the Article 4 AI literacy obligation.

What Article 4 Actually Requires — and Why It Already Binds You

The obligation in one sentence — Article 4

Providers and deployers must take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf. "To their best extent" signals a proportionate effort standard, not a guarantee of perfection — but it is a positive duty to act, not an option.

The obligation applies to all AI systems regardless of risk tier, not only high-risk ones. A company that uses a single AI-assisted drafting tool owes its staff sufficient literacy to know what that tool can and cannot reliably do.

Distinguish Article 4 from Article 13. Article 4 governs the competence of people; Article 13 separately requires providers of high-risk systems to supply deployers with instructions for use covering capabilities, limitations, and human-oversight measures. One is an information-supply duty on the provider; the other is a competence duty on both provider and deployer. Do not conflate them.

Why "in force" matters — 2 February 2025

Article 4 has applied since 2 February 2025, the same date as the Article 5 prohibited-practices regime. That makes it a live obligation, not a future one. A regulator can examine your AI literacy records reaching back to that date, which is why building a documented programme from early 2025 forward demonstrates a sustained — rather than last-minute — posture.

Not affected by the Digital Omnibus delay

The Digital Omnibus reached a provisional political agreement on 6-7 May 2026, with the COREPER text confirmed around 13 May 2026. It agreed to defer stand-alone high-risk Annex III obligations (Article 6(2)) from 2 August 2026 to 2 December 2027, and Annex I product-embedded high-risk systems (Article 6(1)) from 2 August 2027 to 2 August 2028. It does not touch Article 4, which remains live.

Two caveats matter for accuracy. First, as of June 2026 the Omnibus deferral is agreed but not yet law: it still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal, so the statute as enacted still reads 2 August 2026 for high-risk Annex III until that completes. Second, the new dates are fixed calendar dates — the "stop the clock" proposal tying the delay to harmonised-standards availability was rejected. None of this changes the Article 4 date, which was never in scope of the delay.

Who the AI Literacy Requirement Applies To

Article 4 names two actor roles, and reaches beyond direct employees.

Providers — those who develop AI systems and place them on the market or put them into service under their own name or trademark — carry the duty for the people who build and operate those systems.

Deployers — those who use AI systems under their authority in a professional context — carry the duty for their operational staff.

Staff and "other persons operating on your behalf." The clause covers "other persons dealing with the operation and use of AI systems on their behalf," which captures contractors, external operators, and agency workers with hands on the system. The obligation attaches to the function, not the employment contract. If someone outside your payroll operates an AI system for you, your Article 4 duty extends to them — typically via training clauses in the contract and evidence that training was delivered before access.

Companies that are both provider and deployer. A company that builds an internal tool for its own use is simultaneously a provider and a deployer. It must address both literacy tracks: provider-side technical depth for the builders, and deployer-side operational competence for the users.

One point that catches buyers out: the obligation does not transfer to the vendor. Buying a system from a literate provider does not discharge your own Article 4 duty over your staff. For the precise legal meaning of the term, see AI literacy defined.

What a "Sufficient Level" of AI Literacy Means

The outcome the law is after — Article 3(56)

AI literacy is defined as the skills, knowledge, and understanding that allow providers, deployers, and affected persons to make an informed deployment of AI systems, and to be aware of the opportunities and risks and the possible harm it can cause. The target is competence, not credentials. Recital 20 frames literacy as enabling informed decisions by providers, deployers, and affected persons — reinforcing that the goal is genuine understanding, not a tick-box course.

The proportionality factors named in the Regulation — Article 4

Article 4 expressly requires the measures to take account of:

  • the persons' technical knowledge, experience, education, and training;
  • the context in which the systems are to be used; and
  • the persons or groups on whom the systems are to be used.

The standard is therefore risk- and role-proportionate. A data scientist building a model needs different literacy than a claims handler acting on its output, and a system affecting vulnerable groups raises the bar for everyone who touches it.

Outcome-based, not curriculum-based

There is no prescribed curriculum, no mandatory contact hours, and no required certificate anywhere in Regulation (EU) 2024/1689. A third-party badge is, at most, supporting evidence — it is never the substance of compliance. The question a regulator asks is whether the people involved are genuinely competent for their role, and whether you can show how you reached that judgment.

Role-to-Literacy Mapping Table

The fastest way to scope coverage is to map each role to its literacy focus, anchor it to the relevant Article, and name the evidence artefact you will keep. The mapping reuses the AI inventory and risk-classification work you do for Articles 5 and 6 — it is not duplicated effort.

RoleTypical examplesLiteracy focusArticle anchorEvidence artefact
Developers / technical staffData scientists, ML engineersModel behaviour and failure modes, data governance, risk classification, technical documentationArticles 5-6, 10, Annex IVOnboarding training log + design-review checklist
Operational usersHR shortlisters, loan officers, draftersWhat the system can and cannot reliably do, known limitations, when and how to override, escalation routeArticle 14 (via 26)Role briefing + dated sign-off
Decision-makers / governanceRisk officers, approvers, board sponsorsEnough to exercise meaningful oversight, approve deployments, and ask the right questionsArticle 26Annual governance briefing record
Light / incidental usersOccasional tool usersWhat the tool is, confidentiality limits, basic escalation pathArticle 4Short written acknowledgment

Read the bands as competence depth, not job title. Band 1 staff need to understand their part in Annex IV technical documentation; Band 2 staff need the limitations and the override route; Band 3 staff need the competence Article 26 presupposes for human oversight on high-risk systems; Band 4 staff need proportionate awareness only.

How to Implement a Proportionate Programme in Four Steps

  1. Assess roles against your AI inventory. Inventory the AI systems in use, identify which teams operate them and what decisions they act on, then segment staff into competence bands. This same work feeds your Article 5/6 risk classification, so do it once and reuse it.
  2. Tailor training to risk and role. Design role-appropriate content per band. Forcing an operational user through a data-governance module wastes effort; giving a developer only a "what is AI" overview leaves a competence gap. The depth scales with the stakes.
  3. Document who was trained on what and when. Record the session date, attendees, material covered, who delivered it, any competency check, and the next refresh date. The demonstration of compliance lives in these records — not in a vendor badge.
  4. Refresh periodically and on triggers. Set an annual baseline refresh, plus triggered refreshes when a new system is deployed, when an existing system is substantially modified (a modification under Article 3(23) can change the risk class), or when a material incident occurs.

Keep it lean where the stakes are low. For an SME, a short role-differentiated workshop, a scenario check, and a logged completion record is defensible — proportionality cuts both ways. For ready-made starting points, use the AI literacy policy template, design the deeper programme with employee AI training, and scope your coverage by running a readiness assessment.

How to Evidence AI Literacy

The minimum record set

Because Article 4 is assessed against evidence, keep, for each system and role: training records, attendance lists, the materials used, the dates of delivery, and the scheduled refresh date. The records do not need to be elaborate — a structured log tied to HR onboarding is workable. The point is to show that training was systematic and role-appropriate, not ad hoc.

What an auditor will ask for

When a national authority asks you to demonstrate compliance, the answer is the records, the role mapping, and your documented proportionality judgment — not "we use a certified provider." Absence of records is not a proportionality argument; it reads as absence of a programme.

Connecting literacy to oversight duties

Literacy evidence should sit alongside two related obligations, because both depend on competent staff:

  • the Article 26 human-oversight duty, which requires deployers of high-risk systems to ensure that natural persons assigned to oversight have the necessary competence, training, and authority; and
  • for relevant high-risk systems, the Article 27 fundamental rights impact assessment.

Under Article 14, oversight personnel must understand the system's capacities and limitations, interpret its output, and be able to decide not to use it or to override it — competencies that only deliberate training produces.

Enforcement: How Article 4 Is Supervised and Penalised

National competent authorities supervise — Articles 70 and 74

Supervision and enforcement of operator obligations, including Article 4, sit with national competent / market-surveillance authorities. The obligation is live now, even though enforcement capacity across Member States is still maturing.

How failures feed the Article 99 penalty regime

Article 4 has no bespoke fine. But a literacy failure feeds the Article 99 penalty regime: it compounds your exposure when a related breach is investigated and signals weak governance overall. The tiers are precise:

BreachMaximum fineReference
Article 5 prohibited practicesEUR 35,000,000 or 7% of total worldwide annual turnover, whichever is higherArticle 99(3)
Most operator obligationsEUR 15,000,000 or 3% of total worldwide annual turnover, whichever is higherArticle 99(4)
Incorrect, incomplete or misleading information to authoritiesEUR 7,500,000 or 1% of total worldwide annual turnover, whichever is higherArticle 99(5)

For SMEs and start-ups, each fine is capped at the lower of the applicable percentage or the fixed amount under Article 99(6) — proportionality is built into the penalty design.

The realistic risk picture

Employee complaints are a second channel. Article 85 lets workers and their representatives raise concerns about AI systems with authorities, and an untrained employee harmed by an output they were never taught to question gives an authority a factual basis to look. Treat Article 4 documentation as a baseline that regulators read as a proxy for how seriously you take AI governance — which is exactly why a record stretching back to February 2025 is worth maintaining.

How Confir Helps

Confir tracks AI literacy and its evidence as part of the governance module. Each system in your AI inventory carries the roles in scope, the training provided, the completion dates, and the refresh cycle, producing a structured, timestamped audit trail that maps people to systems.

The synthesis logic is deterministic and rule-based: the same system profile and role mapping produce the same register structure and the same refresh triggers every time — the same logic every time, no model inference, no hallucination. That reproducibility is what makes the output audit-defensible. The register tracks literacy and its evidence; it does not auto-generate training content or certify staff. What it gives you is the organisational record that Article 4 implies, kept current as your AI inventory and roles change.

Frequently Asked Questions

Is AI literacy training mandatory under the EU AI Act?

Yes. Article 4 of the EU AI Act requires providers and deployers to ensure a sufficient level of AI literacy among staff and others operating AI on their behalf. It has applied since 2 February 2025 and covers all AI systems, not just high-risk ones. The law mandates the outcome — competent people — but not a specific course, certificate, or number of hours.

When did the AI literacy requirement come into force?

Article 4 has applied since 2 February 2025, the same day as the Article 5 prohibitions. It is a live obligation, not a future one, and it was not affected by the Digital Omnibus delay that would push high-risk Annex III duties to 2 December 2027. Regulators can examine your AI literacy records reaching back to February 2025.

Who does the AI literacy obligation apply to?

It applies to both providers and deployers of AI systems, covering their staff and any other persons operating or using the systems on their behalf — including contractors and external operators. A company that builds a tool for its own use is both provider and deployer. Buying from a literate vendor does not discharge your own duty over your staff.

What is a sufficient level of AI literacy?

Sufficient means the skills, knowledge, and understanding needed to make informed decisions about deploying and using AI and to recognise its risks. Article 4 ties the level to each person's technical knowledge, experience, and education, the context of use, and who the system affects. It is proportionate and role-based — a developer needs more depth than a light operational user.

Does the EU AI Act require an AI literacy certificate?

No. Article 4 prescribes no certificate, qualification, or fixed curriculum. The obligation is outcome-based: you must achieve genuine, role-appropriate competence and be able to evidence it through training records, attendance, materials, and dates. A third-party certification can be supporting evidence, but it does not by itself constitute compliance and is not required by the Regulation.

How do I prove AI literacy compliance to a regulator?

Keep evidence: training records, attendance lists, the materials used, delivery dates, who delivered it, any competency check, and the next refresh date — mapped to roles and systems. When an authority asks, the answer is these records and your documented proportionality judgment, not a vendor badge. A structured log tied to HR onboarding is sufficient for most SMEs.

What is the penalty for failing AI literacy obligations?

Article 4 has no standalone fine, but failures feed the Article 99 regime supervised by national authorities. Most operator-obligation breaches reach up to EUR 15 million or 3% of worldwide annual turnover (Article 99(4)); Article 5 breaches reach EUR 35 million or 7%. A literacy gap compounds exposure when a related breach is investigated and signals weak governance.

Related guides

Manage your EU AI Act compliance in one place

Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.

Start free trial →

Related guides

Guide

AI Bill of Materials (AI-BOM): What It Is and How It Supports EU AI Act Compliance

AI-BOM is an emerging practice, not a statutory term. Structures base models, datasets and GPAI dependencies to feed Article 11 / Annex IV docs.

Guide

EU AI Act Compliance Budget Planning: Cost Drivers for High-Risk AI

Budget for EU AI Act compliance: Article 9, Annex IV technical documentation, Article 43 conformity assessment, Article 72 monitoring. Dec 2027.

Guide

Who Owns EU AI Act Compliance in Your Organisation

EU AI Act creates obligations, not a job title. Who owns Art 9, 11, 14, 72, 73 duties — RACI structure, DPO/CISO split, and the small-company reality.