Article 4 EU AI Act: AI Literacy Obligation Explained

Article 4 EU AI Act (AI literacy) requires providers and deployers of AI systems to ensure a sufficient level of AI literacy among their staff. The obligation has applied since 2 February 2025, covers all risk tiers and is met through documented, role-based training. Breaches risk up to EUR 7.5 million or 1.5% of worldwide annual turnover.

The AI literacy obligation is the most frequently underestimated provision in the entire AI Regulation. It is not a special high-risk rule but a baseline obligation that affects every company deploying AI in its operations - from the marketing copilot to the agentic research tool.

• Who? Providers AND deployers - for almost every DACH company, the deployer role applies.
• Since when? 2 February 2025, fully applicable. Not postponed by the Digital Omnibus (as of 2026, subject to formal adoption).
• How to comply? A documented, role-based training concept - no certificate required, but evidence is expected.

What Article 4 specifically requires

Providers and deployers must take measures to ensure, to the best of their ability, a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf. Three factors must be taken into account:

• the technical knowledge, experience, education and training of the persons concerned;
• the context in which the AI systems are to be used;
• the persons or groups of persons on whom the AI systems are to be used.

Importantly, the provision mandates no certificate and no external certification. However, documentation of the literacy programme is expected - and it is precisely this documentation that forms the basis on which a competent authority assesses compliance. Anyone unable to present a demonstrable measure will have a problem in the event of an audit, even if the staff is in fact trained.

Since when the obligation has applied - and why the Digital Omnibus does not change this

Article 4 has been in force since 2 February 2025, alongside the list of prohibitions in Article 5. AI literacy is therefore among the very first applicable obligations of the AI Regulation.

The European Parliament and Council reached political agreement on 7 May 2026 on the Digital Omnibus, which postpones the bulk of the high-risk obligations. This postponement concerns the substantive high-risk obligations - Annex III now from 2 December 2027, Annex I from 2 August 2028 (as of 2026, subject to formal adoption before 2 August 2026). Article 4 (AI literacy), Article 5 (prohibitions), the GPAI rules and the fines framework are expressly excluded from this. The postponement should not be understood as an invitation to pause governance work - until formal adoption, the original dates remain the legal default in any case.

For AI literacy, this means unequivocally: the obligation is live today. There is no longer any transition period.

Who the obligation affects - providers and deployers

Unlike most obligations of the AI Regulation, Article 4 does not differentiate by risk tier. It applies across all four tiers - including minimal-risk applications such as internal RAG agents over non-sensitive documents or code-generation copilots for internal use.

The key classification for the DACH mid-market: almost every company is a deployer, not a provider. Anyone using Microsoft 365 Copilot, Google Gemini for Workspace, OpenAI Enterprise, Anthropic Claude for Work or specialised vendor tools is a deployer and therefore subject to Article 4. A widespread fallacy is: "We only use Microsoft 365 Copilot, so we are out of scope." Wrong - the mid-market deployer is the responsible operator, and the AI literacy obligation applies to it regardless of the tool.

How to comply in practice: the training concept

The EU Commission's Q&A (published May 2025) emphasises a role-based and risk-proportionate approach. A practical programme covers at least the following content:

• Awareness of what AI is and how it differs from conventional software (in line with the definition guidelines of 6 February 2025).
• The four risk tiers and the basic obligations applicable to the company's specific applications.
• How to recognise a prohibited practice under Article 5.
• Recognising transparency triggers under Article 50 (chatbots, synthetic content, deepfakes).
• For staff with operational responsibility for high-risk systems: human oversight expectations (Art. 14, Art. 26(2)), incident reporting obligations (Art. 26(5), Art. 73), consultation obligations towards the works council/employee representation (Art. 26(7)).
• For developers and procurement: vendor due diligence, awareness of the Art. 25 substantial modification trap.
• For executives: fine risk (Art. 99) and governance responsibility.

Mapping roles to competence levels

Practical implementation begins with a role matrix. A mapping to the levels of leadership, management, operational, technical and end user is recommended. A 200-person mid-sized company typically manages with 3 to 5 distinct competence modules; a DAX/ATX/SMI corporation with 5,000+ employees is more likely to need 10+ modules.

Documentation, localisation and dovetailing

Four practical guardrails apply for robust compliance:

• Document training - attendance records, content versioning, periodic refreshers.
• Localise content - German for DE/AT, German/French/Italian for CH, taking into account the respective applicable anti-discrimination and data protection frameworks.
• Dovetail with works council consultation - AI literacy is often itself a topic in which works councils have a consultation interest.
• Refer to authoritative sources - the BNetzA AI Service Desk (Bonn), the RTR AI Service Point (Vienna) and FINMA's risk monitor materials (for staff in the financial sector).

The fine risk

Breaches of Article 4 fall into the general breach tier under Article 99(4): up to EUR 7.5 million or 1.5% of worldwide annual turnover, whichever is higher. This is admittedly the lowest of the three fine tiers - prohibition breaches under Article 5 carry up to EUR 35 million or 7%, deployer and transparency breaches up to EUR 15 million or 3%. It is, however, the most easily detectable breach in a routine audit: if the documented programme is missing, the finding is obvious.

For SMEs and start-ups, Article 99(6) applies the lower of the two figures (absolute amount or percentage), not the higher. The political agreement on the Digital Omnibus of 7 May 2026 extends this protection to small mid-cap companies (SMCs).

Worked example with figures

A DACH industrial mid-sized company with 180 employees and EUR 40 million annual turnover deploys an agentic research and quotation copilot (minimal risk). The management considers AI literacy "not relevant, because it is not a high-risk system".

Legally, this is a fallacy: Article 4 applies across all risk tiers. As the company clearly qualifies as an SME with fewer than 250 employees and below the turnover threshold, Article 99(6) applies the lower figure - here 1.5% of EUR 40 million = EUR 600,000 rather than the absolute EUR 7.5 million. Set against this is a compliant training concept: 4 modules for around 180 people, annual refreshers, documented attendance in the LMS - an effort in the low four- to five-figure euro range. The ratio of implementation effort to risk exposure makes the prioritisation unambiguous.

For agencies and B2B decision-makers

Marketing agencies are doubly affected: as deployers of their own AI tools (copywriting agents, image and video generators) and as advisers to their clients, who must themselves demonstrate AI literacy. Anyone who sets up a documented, role-based competence programme not only covers their own Article 4 obligation but also creates a sellable advisory module - including dovetailing with transparency obligations (Art. 50) and works council consultation (Art. 26(7)). For B2B decision-makers, AI literacy is the pragmatic entry point into the entire AI Act compliance: it is mandatory, due immediately and robustly achievable with manageable effort.

We support DACH companies and agencies in building an audit-proof AI literacy programme - from the role matrix through localised modules to the documentation structure.

Note: This article serves general information purposes and does not constitute legal advice. For a binding assessment of your specific individual case, please seek qualified legal counsel.