Skip to content
Confir.
Free trial
Blog

AI Literacy Policy Template: A Copy-Paste Skeleton for EU AI Act Article 4 Compliance

Template20 May 2026· 16 min read

A copy-paste AI literacy policy template for EU AI Act Article 4 — purpose, definitions, role-based training, records, review. In force since 2 February 2025.

Article 4 of Regulation (EU) 2024/1689 (the EU AI Act) requires providers and deployers to take measures to ensure a sufficient level of AI literacy among their staff and any other persons operating or using AI systems on their behalf. It has applied since 2 February 2025 — it is a live obligation, not a future deadline, and it bites regardless of whether your systems are high-risk.

The Regulation gives you no curriculum, no certification, and no minimum training hours. That openness is exactly why a written policy matters: it is the practical vehicle that turns an open-textured duty into something you can show an auditor or a market surveillance authority. This page gives you a copy-paste eight-section skeleton plus a role-to-training mapping table you can adapt today. A competent legal reviewer should localise it to your jurisdiction and AI portfolio before it goes live.

This template mirrors the structure of the AI policy template, but is the focused Article 4 artefact — the literacy document — rather than a whole-of-Act governance policy.

Why You Need an AI Literacy Policy (and Why a Template Helps)

Article 4 is in force now, not a future deadline

Article 4 has applied since 2 February 2025, the same date the Article 5 prohibitions took effect. It is not tied to the high-risk timeline. The duty attaches to providers and deployers of any AI system, regardless of risk tier — so a ten-person firm using one third-party invoice tool is in scope just as much as a provider of an Annex III system. Regulators can ask for literacy records going back to February 2025, which is why documenting from the start, rather than retrofitting later, demonstrates a sustained obligation.

A policy is how an open-textured duty becomes demonstrable

Article 4 is outcome-based: it mandates no specific course, badge, or hour count. It ties sufficiency to three things — the technical knowledge and training of the people involved, the context the systems are used in, and the persons on whom the systems are used. A written policy is the organisational form that duty takes. Without one, "we ensure AI literacy" is an assertion with nothing behind it; with one, you have role mapping, training logs, and a documented judgment about what proportionate literacy looked like for your systems and people.

Who should adopt this template

This skeleton suits any company that is a deployer (using third-party AI tools), a provider (building or rebadging AI systems), or both. It is deliberately a starting point — bracketed placeholders, optional bands, a mapping table — not a finished legal instrument. SMEs can adopt it in an afternoon and refine it over time; larger organisations should align it to existing HR onboarding and incident-management processes rather than build parallel ones. See AI literacy defined for the underlying concept.

What Article 4 Actually Requires Before You Write the Policy

The proportionality factors — Article 4

Article 4 names three factors that determine what "sufficient" means for your organisation:

  1. The technical knowledge, experience, education and training of the persons who will operate or use the systems.
  2. The context in which the AI systems are used.
  3. The persons or groups of persons on whom the systems are used.

The practical effect is that there is no single right answer. A data scientist building a model needs deeper literacy than a colleague who occasionally drafts emails with a generic assistant. The policy below encodes that proportionality through competence bands rather than a one-size-fits-all module.

Scope: staff and persons acting on your behalf

Article 4 reaches beyond direct employees. The phrase "other persons dealing with the operation and use of AI systems on their behalf" captures contractors, consultants, and third-party operators. The obligation attaches to the function, not the employment contract — if someone touches your AI systems' inputs or outputs on your behalf, they are in scope.

No mandated curriculum or certification

There is no EU AI Act AI-literacy certification. A third-party badge or a generic e-learning module is supporting evidence at best, never the substance of compliance. "Sufficient" means people understand what each system does, what it cannot do reliably, when to question its outputs, and how to escalate — not that they hold a credential.

For high-risk systems, Article 4 is sharpened by two further provisions. Article 26(2) requires deployers to assign human oversight to persons with the necessary competence, training and authority; Article 14 sets the substantive oversight standard the system must be designed to support. Full detail in the AI literacy requirements explained and Article 4.

The AI Literacy Policy Template (Copy-Paste Skeleton)

The following is one clean block you can copy, paste, and fill in. Replace every bracketed placeholder such as [Organisation Name] and [Role/Function], and delete any band that does not exist in your organisation.

1. Purpose and Scope

Purpose. This AI Literacy Policy sets out how [Organisation Name] ensures a sufficient level of AI literacy among its staff and other persons operating or using AI systems on its behalf, in fulfilment of the obligation under Article 4 of Regulation (EU) 2024/1689 (the EU AI Act).

Scope. This policy applies to all employees, contractors, consultants, and third parties who develop, procure, operate, or use any AI system on behalf of [Organisation Name], whether the system is provided by a third party or built internally. The obligation attaches to the function performed, not the form of engagement.

2. Definitions

AI literacy means the skills, knowledge and understanding that allow the persons covered by this policy to make an informed deployment and use of AI systems, and to gain awareness about the opportunities and risks of AI and the possible harms it can cause (Article 3(56)).

AI system means a machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness and that, for explicit or implicit objectives, infers from inputs how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (Article 3(1)).

3. Roles and Responsibilities

  • AI Literacy / Governance Owner — accountable for this policy, the literacy programme, and the training records. Maintains the role-to-training mapping and the refresh schedule.
  • Data Protection Officer (DPO) — advises on the GDPR intersection and on training where personal data is processed.
  • Business-unit AI contacts — identify who in their function touches each system and submit them for the appropriate band.
  • All staff — complete the training required for their role and escalate incidents and uncertainties to the AI Literacy Owner.

4. Literacy Requirements by Role and Risk Level

The depth of required literacy is proportionate to (a) the risk tier of the AI system and (b) the band of staff involved. [Organisation Name] uses the role-to-training mapping table in the appendix to assign each person a competence band — technical builders, operational users, or governance/decision-makers — and a corresponding module. Staff working with high-risk (Annex III) systems require Article 26-grade competence; staff using only minimal-risk tools require proportionate baseline awareness.

5. Training Programme and Delivery

  • Baseline awareness for everyone who uses AI in a professional capacity: what AI literacy is, the organisation's approved-use rules, the limits of AI outputs, and how to escalate.
  • Role-specific modules mapped to the bands in Section 4.
  • Delivery format may be workshop, e-learning, or briefing as appropriate to the band.
  • An optional scenario-based competency check (not a formal exam) confirms understanding for higher bands.

6. Onboarding and Refresher Cadence

  • New starters complete the required training before they are granted access to in-scope AI systems.
  • All staff complete an annual baseline refresh at minimum.
  • A triggered refresh is required on deployment of a new system, on a substantial modification of an existing system (Article 3(23)), or following a material AI incident.

7. Record-Keeping and Evidence

For every training activity, [Organisation Name] logs: the session date, the attendees, the content covered, who delivered it, any competency check conducted, and the next scheduled refresh date. These records are retained as the primary evidence of Article 4 compliance and are made available for audit.

8. Review and Governance

This policy is reviewed at least annually, with a triggered review on material regulatory change (for example AI Office guidance or Digital Omnibus amendments). The AI Literacy Owner owns the review; approval rests with [Senior Management / Board].

Role-to-Training Mapping Table

The table below is the heart of the policy: it is where proportionality stops being a principle and becomes a roster. Populate it from your AI system inventory.

Role / BandExample rolesRisk exposureRequired literacyTraining moduleRefresh cadence
Band 1 — Technical buildersDevelopers, data scientists, ML engineersBuild/modify systems incl. high-riskModel behaviour, failure modes, data governance (Article 10), risk management (Article 9), Annex IV technical documentationDeep technical + regulatory moduleAnnual + on substantial modification
Band 2 — Operational usersHR managers acting on shortlists, claims handlers reading risk scoresUse system outputs, incl. high-riskWhat the specific system predicts, its documented limitations, the escalation route, the right to overrideRole-specific operational moduleAnnual + on new system
Band 3 — Governance / decision-makersCompliance, senior management, procurementOversight and sign-offArticle 6 classification triggers, oversight duties, how to question technical colleaguesGovernance briefingAnnual
Baseline — All AI usersAny staff using minimal-risk toolsLowApproved-use rules, limits of AI outputs, escalationBaseline awarenessAnnual

Mapping bands to risk tiers

Map each band against the system's risk tier. Staff touching high-risk Annex III systems need the deeper, Article 26-grade competence in Bands 1 and 2; staff using only minimal-risk tools sit in the baseline. The band determines the floor of required literacy; the risk tier raises it.

How to populate the table for your organisation

Start from an AI system inventory, list who touches each system's outputs, then assign the band and module. This mapping doubles as input to your risk-classification work, so it is not duplicated effort — the same roster that proves literacy also tells you who depends on each system. Cross-link this to employee AI training delivery.

How to Adapt the Template to Your Organisation

Right-size to your AI portfolio and headcount

Proportionality cuts both ways. A ten-person firm deploying one invoice tool faces a far lighter analysis than a 500-person insurer running an Annex III credit-scoring model. Adjust the bands, modules, and cadence accordingly — delete bands you do not have, and do not invent obligations the Regulation does not impose.

The three-question self-check

Before designing a module for any system, ask:

  1. Who acts on this system's outputs?
  2. What could go wrong if they misread them?
  3. What would a reasonable senior compliance officer expect them to know first?

The answers tell you the band and the content. If a system's outputs feed a consequential decision about a person, the literacy bar rises.

Get a legal reviewer to localise it

Replace all bracketed placeholders, align the policy to your existing HR onboarding and incident-management processes, and have a competent legal reviewer confirm the role definitions and jurisdiction before it goes live. The template is a starting point, not legal advice.

Where common specifications or harmonised standards on AI literacy are eventually adopted under Article 40, conformity with them creates a presumption of conformity with the corresponding requirement — so track AI Office publications and fold them into the review cycle. Begin the adaptation from a system inventory and classification baseline; confirm where you stand with the readiness assessment.

How the Policy Produces Audit Evidence

What a regulator or auditor will ask for

In an enforcement context, the answer to "show me your Article 4 compliance" is not "we use a certified provider." It is the records: the role mapping, the training logs, and the documented judgment about what proportionate literacy looked like for your systems and people. A certification badge does not survive that question; a dated, attributable log does.

The evidence chain from policy to record

Each section of the template is designed to leave an artefact. The chain runs:

Policy → role mapping → delivered training → completion records → refresh schedule.

Records should show training was systematic and role-appropriate rather than ad hoc. The minimum fields are date, attendees, content, deliverer, competency check, and next-refresh date.

Connecting literacy records to oversight obligations

Article 4 records do not sit in isolation. They feed the Article 26 human-oversight assessment — you cannot credibly assign oversight to a person whose competence you have not evidenced — and they support the Article 27 Fundamental Rights Impact Assessment where one is required. Because Article 4 entered force in February 2025, regulators can ask for records going back to that date, so documenting from the start demonstrates a sustained, not last-minute, obligation.

Penalties: Why the Records Matter

Article 4 itself does not carry a bespoke fine, but it sits inside an enforcement regime where literacy gaps surface as oversight and information failures. The tiers under Article 99 are:

Breach categoryMaximum fineArticle
Prohibited practices (Article 5)€35,000,000 or 7% of total worldwide annual turnover, whichever is higherArticle 99(3)
Most other operator obligations€15,000,000 or 3% of total worldwide annual turnover, whichever is higherArticle 99(4)
Incorrect, incomplete or misleading information to authorities or notified bodies€7,500,000 or 1% of total worldwide annual turnover, whichever is higherArticle 99(5)

For SMEs and start-ups, each fine is capped at the lower of the percentage or the fixed amount (Article 99(6)). The third tier matters here: if you cannot evidence literacy and supply an authority with an inaccurate account of your training measures, that misstatement is itself sanctionable. Honest, dated records are the cheapest insurance against the information-failure tier.

On timing: the Article 5 prohibitions and Article 4 literacy duty have both applied since 2 February 2025. The provisional Digital Omnibus political agreement of 6–7 May 2026 (COREPER text confirmed around 13 May 2026) would defer stand-alone high-risk Annex III systems under Article 6(2) from 2 August 2026 to 2 December 2027. As of June 2026 this is agreed but not yet law — it still needs a European Parliament plenary vote, formal Council adoption, and Official Journal publication — so the statute still reads 2 August 2026, and the Article 4 literacy duty is unaffected and already live.

How Confir Helps

A literacy policy is only as good as the system inventory and classification that underpin it. You need to know which AI systems are in scope and what each one's risk tier is before the role mapping carries any weight.

Confir's rule-based workflow registers every AI system with its risk tier and actor role under Articles 5 and 6 with Annex III logic — which is the natural foundation for mapping which staff need which level of training. For each system, you can then log the staff roles in scope, the training provided, completion dates, and scheduled refresh cycles, producing the documented audit trail Article 4 requires. Those literacy records sit beside the Article 26 oversight assessment and the Article 27 FRIA in the same compliance file, so the dependency between competence and oversight is visible in one place.

The engine is deterministic and rule-based: the same intake yields the same finding, every time, with no model inference and no hallucination, and every output is written to an immutable audit log. Confir structures the policy, the role mapping, and the evidence record — it does not deliver the training itself. The training content and its delivery remain your organisation's responsibility.

Frequently Asked Questions

What is an AI literacy policy? An AI literacy policy is an internal document setting out how an organisation ensures staff and contractors who operate or use AI systems have the competence to do so responsibly. It defines roles, role-based training requirements, refresher cadence, and record-keeping, providing the documented evidence that demonstrates compliance with EU AI Act Article 4.

Is an AI literacy policy required under the EU AI Act? The EU AI Act does not require a document titled "AI literacy policy", but Article 4 — in force since 2 February 2025 — requires providers and deployers to ensure sufficient AI literacy among staff. A written policy is the practical way to make that open-textured duty demonstrable and auditable, so most organisations adopt one.

When did EU AI Act Article 4 come into force? Article 4 has applied since 2 February 2025, the same date as the Article 5 prohibitions. It is not tied to the high-risk deadline. Any organisation that provides or deploys AI systems has been subject to the AI literacy duty since then, and regulators can examine records going back to that date.

Who needs AI literacy training under Article 4? Anyone who operates or uses AI systems on the organisation's behalf — employees, contractors, consultants, and third-party operators. The duty attaches to the function, not the employment contract. The depth of training is proportionate: technical builders need more than occasional operational users of minimal-risk tools.

Does Article 4 require AI literacy certification? No. The EU AI Act prescribes no certification, credential, or minimum training hours for AI literacy. A third-party badge can be supporting evidence but is not the substance of compliance. What matters is documented, proportionate measures: role mapping, training logs, competency checks, and refresh dates appropriate to your systems and people.

How do you write an AI literacy policy? Start from your AI system inventory, map who touches each system, and assign competence bands. Then draft eight sections: purpose and scope, definitions, roles, requirements by role and risk level, training and delivery, onboarding and refresher cadence, record-keeping, and review. Adapt a template, replace placeholders, and have a legal reviewer localise it.

What records prove AI literacy compliance? At minimum: training session dates, attendees, content covered, who delivered it, any competency check conducted, and the next scheduled refresh date. Records need not be elaborate — a structured log tied to HR onboarding works. The aim is to show training was systematic and role-appropriate rather than ad hoc, since these records are your primary Article 4 evidence.

Related guides

Manage your EU AI Act compliance in one place

Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.

Start free trial →

Related guides

Template

AI Use Policy Template for EU AI Act Compliance

EU AI Act AI use policy template: 12 sections covering Art 5 prohibitions, Art 6 risk classification, Art 14 oversight, and Art 73 incident timelines.

Template

EU Declaration of Conformity for High-Risk AI: Article 47 and Annex V Explained

EU Declaration of Conformity for high-risk AI: Article 47 and Annex V template, all 7 required fields, worked example, and 10-year retention rules.

Template

Annex IV Technical Documentation Template for Credit-Scoring AI

Worked Annex IV template for credit-scoring AI under EU AI Act Annex III point 5(b). All 9 content areas with credit-scoring examples. Deadline 2 Dec 2027.