AI Literacy Under the EU AI Act: Definition, Obligation, and What It Requires
AI literacy is defined in Article 3(56) of the EU AI Act. Article 4 has been mandatory since 2 February 2025 — for all AI systems, not just high-risk.
AI literacy is one of the first EU AI Act obligations to have taken effect. Since 2 February 2025, providers and deployers of AI systems have been required to take measures ensuring a sufficient level of AI literacy among their staff and anyone else operating or using AI systems on their behalf. Understanding what that means in practice starts with the statutory definition.
The EU AI Act definition
Article 3, point 56 of Regulation (EU) 2024/1689 defines AI literacy as:
"skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations under this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and the possible harm it can cause."
Three elements are worth noting. First, AI literacy is not a property of the organisation — it belongs to the individuals operating or affected by AI systems. Second, the definition is rights-and-obligations aware: what someone needs to know is shaped by their role under the Regulation. A developer of a high-risk recruitment system has a different knowledge requirement than a customer-service representative using a chatbot. Third, the definition covers both sides of the ledger: the opportunities AI enables and the risks and harms it can generate.
"Affected persons" is a deliberately broad category. It is not confined to employees. Individuals who interact with, or whose interests are shaped by, an AI system can be in scope.
The Article 4 obligation
Article 4 of Regulation (EU) 2024/1689 translates the definition into a concrete duty:
Providers and deployers of AI systems shall take measures to ensure, to the best of their extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are used in.
Who it applies to. Both providers (Article 16 — companies that develop and place AI systems on the market under their own name) and deployers (Article 26 — companies that use AI systems in a professional capacity) carry this obligation. It is not limited to companies selling AI products. Any business deploying off-the-shelf AI tools in its workflows is a deployer under the Regulation and owes the Article 4 duty to its staff.
When it applies. Article 4 has been in force since 2 February 2025. It is one of the earliest obligations the Act activated — alongside the Article 5 prohibitions — and it applies right now, not at a future deadline.
Scope: all AI systems, not just high-risk. This is the clause most companies miss. Article 4 is not gated on risk classification. A company using a scheduling assistant, a document-summarisation tool, or a code-generation product is a deployer of those systems and owes the literacy obligation to its relevant staff, even if none of those uses are high-risk under Article 6 and Annex III.
No prescribed curriculum. The Regulation does not specify a course, a certification, or a minimum number of training hours. What it requires is that the measure be proportionate: calibrated to each person's "technical knowledge, experience, education and training and the context the AI systems are used in." A data scientist building a model needs a different baseline than a finance analyst whose team has recently started using an AI-assisted forecasting add-on.
What "sufficient" AI literacy looks like in practice
Because the Regulation gives no template, companies must design their own approach. The obligation is best understood as a proportionality test: is this person equipped to deal responsibly with the AI systems they are operating or using on the organisation's behalf?
For staff with no technical role — office workers, customer-service agents, HR professionals who use AI tools — sufficient literacy typically means awareness of: what the AI system does and does not do; the types of error it can make; when a human should override or escalate; and how to report a problem. It does not mean understanding how the model works internally.
For staff in operational or supervisory roles — compliance officers, IT leads, managers overseeing AI deployments — sufficient literacy typically adds: the organisation's obligations under the AI Act relevant to the systems in use; the distinction between provider and deployer obligations; and the process for monitoring performance and flagging concerns.
For staff developing or configuring AI systems — engineers, product managers, ML practitioners — sufficient literacy extends to: the risk-classification logic under Articles 5 and 6; the high-risk requirements under Articles 9–15; data-governance obligations under Article 10; and the technical documentation requirements under Article 11 and Annex IV.
In all cases, the threshold is "sufficient" — a deliberately non-absolute standard. The Act recognises that capability varies and that requiring uniform depth across an entire workforce would be disproportionate.
Documentation matters. While Article 4 does not mandate a formal training record, demonstrating compliance in the event of an inquiry requires evidence. A company that has run a 20-minute onboarding module for AI-tool users and can produce a log of who completed it is in a materially better position than one that has done nothing and cannot show its reasoning. Treat the literacy measure as something you can defend: what you did, for whom, why it was proportionate.
Ongoing, not one-off. AI deployments change. Staff turn over. New tools are introduced. A literacy measure appropriate at one point can become inadequate when the context shifts. A practical reading of the obligation is that it continues as long as the AI system is in use — not a box ticked at onboarding and forgotten.
Frequently Asked Questions
Q: Does the AI literacy obligation apply only to high-risk AI systems?
No. Article 4 applies to providers and deployers of AI systems generally — the Regulation does not restrict it to the high-risk tier. If your organisation is providing or deploying any AI system in a professional capacity, you owe the literacy obligation to the staff and other persons dealing with its operation and use. This is one of the clearest ways Article 4 differs from the bulk of the Act's obligations, which are concentrated on high-risk use cases under Article 6 and Annex III.
Q: When did Article 4 come into force?
Article 4 has applied since 2 February 2025, the same date as the Article 5 prohibitions on unacceptable-risk practices. It is already live. Companies that have not yet acted are not waiting for a future deadline — they are currently out of step with an obligation that has been in force for over a year.
Q: Does the obligation require formal training courses or certifications?
No certification or specific format is prescribed. Article 4 requires "measures" that are proportionate to each person's knowledge, experience, education, training and the context in which they use AI. That can be a targeted internal briefing, an online module, a checklist review, or a structured training programme — depending on the role and the complexity of the AI system involved. What matters is that the measure is substantive enough to produce "sufficient" understanding, and that you can demonstrate it was designed and delivered with the relevant role in mind.
Q: Are contractors and third-party service providers covered?
Article 4 applies to "staff and other persons dealing with the operation and use of AI systems on their behalf." That "on their behalf" framing can extend beyond direct employees to contractors, agency workers, and outsourced functions that operate the organisation's AI systems in practice. Whether a particular external relationship falls within scope depends on the degree to which those persons are acting under the organisation's authority in relation to the AI system.
Q: Does a very small company still owe this obligation?
Yes. Article 4 contains no size threshold or SME carve-out. A company deploying AI tools — regardless of headcount — owes the literacy obligation to its relevant staff. The proportionality standard does mean that a five-person team's literacy programme will look quite different from a 2,000-person organisation's, but the obligation itself applies to both.
Q: What is the relationship between Article 4 and Article 10?
They cover different things. Article 10 governs data and data governance for high-risk AI systems — requirements around training, validation and testing data, and data-quality measures. It is not about staff knowledge. Article 4 is entirely about people: ensuring that the humans operating AI systems have adequate understanding to do so responsibly. Old guidance sometimes conflated the two; they are separate obligations with different scopes.
Related terms
- EU AI Act Article 4: the full AI literacy obligation
- Employee training for EU AI Act compliance
- What is the EU AI Act?
- Deployer: definition and obligations under the EU AI Act
- Provider: definition and obligations under the EU AI Act
- EU AI Act summary and key obligations
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →