AI literacy has applied since February 2025

AI literacy has applied since 2 February 2025 under Article 4 of the EU AI Act. Providers and deployers of AI systems must take measures to ensure a sufficient level of AI literacy among staff and other persons (such as contractors) who operate or use those systems on their behalf. This obligation accounts for people’s existing knowledge, experience, the specific context of use, and the individuals affected by the AI.[1][2]

Many teams still treat Article 4 as a future 2026 or 2027 issue because it lacks the prescriptive technical documentation, conformity assessments, or certification required for high-risk systems. National market surveillance authorities can already inquire about measures taken. The requirement is live, flexible in format, and designed to support transparency, human oversight, and responsible deployment. Organizations that act now build defensible evidence while strengthening internal practices ahead of broader enforcement.[3]

Updated: 20 April 2026 What changed: One year after the 2 February 2025 application date, the AI Office’s living repository now holds more than 40 real-world practices, yet market surveys and compliance discussions show many teams have taken no structured action. This update adds an operational quick-start table, role-specific examples, and a realistic action checklist. No change to the core legal text of Article 4. What to do now: Run a one-hour AI user mapping workshop this month, log the measures you have already taken, and create a lightweight review cadence. The free AI Literacy Planner below turns these steps into ready-to-use artifacts.

Law status (May 2026)

• Current law: Article 4 has applied since 2 February 2025 to all providers and deployers of AI systems. It is a general provision alongside the prohibitions. National market surveillance authorities are responsible for supervision; penalties become available from August 2026.[1]
• Digital Omnibus proposal (November 2025): Would replace the direct duty on providers and deployers with an obligation on the Commission and Member States to encourage literacy initiatives. As of April 2026 this remains under negotiation and has not been adopted. Continue to meet the existing Article 4 obligation.[4][5]

Article 4 is one of the first parts of the EU AI Act to enter into force. Since 2 February 2025, every organization that develops or uses AI systems in the EU must take measures to ensure sufficient AI literacy. “Sufficient” is deliberately contextual: it depends on the technical knowledge, experience, education, and training of the people involved, the specific ways the AI system will be used, and the potential impact on individuals or groups affected by its outputs.[3]

“Other persons dealing with the operation and use of AI systems on their behalf” extends beyond employees. It can include contractors, service providers, and, in some risk-sensitive cases, clients or partners. The goal is to reinforce related obligations such as human oversight and transparency while protecting fundamental rights.[1]

There is no obligation to formally test or certify knowledge levels. There is no requirement to appoint a dedicated AI literacy officer. The European Commission explicitly states that the approach should be proportionate and tailored. The AI Office has published a Q&A document and a living repository of more than 40 company and public-sector practices to support implementation. Replicating any of those practices does not create a presumption of compliance; they are shared for learning and exchange only.[6]

Enforcement sits with national market surveillance authorities. While major penalty activity is expected to intensify from August 2026, the legal duty has been live for over a year. Authorities can already ask what measures you have taken.

The obligation feels “softer” than high-risk requirements. There is no technical documentation template, no CE marking, no fundamental rights impact assessment, and no mandatory registration. Many compliance roadmaps still begin with the August 2026 high-risk date, so Article 4 is deprioritized.

The flexible wording (“take measures… to their best extent”) is sometimes misread as optional. Teams assume a single annual e-learning module for all staff meets the bar, or that literacy only matters for high-risk use cases. In practice, generic training misses the contextual tailoring the law explicitly requires.

Because no certificate or badge is issued, it is easy to treat the topic as cultural rather than regulatory. Many organizations have not created any record of what they have done, leaving them with nothing to show if a market surveillance authority asks. Meanwhile, the AI Office’s repository and webinar activity demonstrate that leading organizations are already treating this as business as usual.

Ignoring Article 4 now creates two risks: regulatory questions that can arise earlier than expected, and a weak foundation for later obligations around transparency, human oversight, and high-risk systems. Literacy is not a checkbox — it is the human layer that makes the rest of the Act workable.

Focus on four practical outcomes: visibility into who uses AI, role-relevant content, evidence of delivery, and a living review process. You do not need an enterprise learning management system or external consultants to start.

Use this Article 4 quick-start table to structure your work:

Allocate one owner (often in compliance, people, or legal) and aim to complete the first three steps within 30 days. The record and review cadence can be lightweight — a shared Notion page or spreadsheet is enough for most organizations.

Small startup example A 12-person SaaS company uses generative AI for code assistance, marketing copy, and customer support scripting. They mapped three user tiers: prompt-heavy developers, reviewers, and casual users. They created a 15-minute role-specific deck plus a one-page “red flag” checklist (bias, hallucinations, disclosure rules). Delivery happened in an all-hands meeting and via onboarding checklist. They log completions in their HR tool and review every six months. Total effort: under 10 hours.

Agency example A mid-sized creative agency deploys AI image, video, and copy tools for client campaigns. Account managers need Article 50 transparency knowledge when handing over assets; creatives need deepfake and disclosure awareness. The agency built a client-facing one-pager explaining their AI use and literacy measures. Internal training is role-split and recorded in their project management tool. They reference the AI Office repository for fresh examples but adapt everything to client deliverables.

HR team with sensitive tools example An HR department uses AI resume screening and employee sentiment analysis. They mapped bias-awareness, human-oversight, and data-protection intersections for recruiters and analysts. Training includes real examples of discriminatory outcomes and mandatory human review steps. Records are kept in their existing compliance folder, with a quarterly refresh tied to performance review cycles. This directly supports future high-risk obligations.

These examples show that “sufficient” looks different by size, sector, and use case. The common thread is deliberate mapping, tailored content, and basic evidence.

Are we already late on Article 4? No, but the clock has been running since 2 February 2025. If you have taken no structured measures, start immediately. Authorities are unlikely to penalize good-faith early efforts; they will look for whether you have begun the process of understanding your AI usage and addressing literacy gaps. The existence of the AI Office repository and Q&A shows the Commission expects organizations to be actively learning.

What is the minimum we can do now? Map your AI users and uses (even roughly), define one or two role-specific guidance items, deliver them to the most exposed people, log what you did, and set a review date three to six months out. This creates a defensible minimal record while you build more comprehensive materials. Avoid the trap of “we sent a company-wide email once.”

• Delivering one generic annual training video and calling it done.
• Limiting scope to permanent employees while ignoring contractors, agencies, or key clients who operate the systems.
• Creating beautiful training materials that never reach the people who actually use the AI.
• Keeping no records or evidence of measures taken.
• Treating literacy as a pure compliance checkbox instead of linking it to real risks (bias in HR tools, disclosure failures in marketing, over-reliance in decision support).
• Waiting for “official templates” or high-risk rules before starting.
• Assuming the Digital Omnibus proposal has already removed the obligation — it has not.

• [ ] Complete AI user and use-case mapping this month
• [ ] Draft role-aware guidance for the three highest-exposure roles
• [ ] Deliver initial training or briefing and log participation
• [ ] Create a central literacy register with dates, content, and owners
• [ ] Schedule the first review date and assign responsibility
• [ ] Review one or two practices from the official AI Office repository and adapt them
• [ ] Share the register with your compliance or legal lead

Ready to move from awareness to evidence?

Use the AI Literacy Planner to generate your user map, role matrix, and record template automatically.

See what a completed output looks like in the marketing agency AI literacy plan sample report.

Subscribe for notifications when new repository practices or enforcement guidance appear. For deeper reading see our Article 4 AI literacy guide.

Sources (official and primary where available): European Commission AI Literacy Q&A, AI talent/skills/literacy page, AI Act Service Desk timeline and Article 113 page, living repository of AI literacy practices, and the consolidated AI Act text. All legal statements are anchored to these materials. This page is not legal advice and does not create any presumption of compliance.