"Do I really have to train my staff on artificial intelligence?" The short answer is yes, and it is already a legal obligation. Article 4 of Regulation EU 2024/1689 (the EU AI Act) has required AI literacy since 2 February 2025, and it concerns virtually every company that uses AI tools — not only those who build them. The good news: the obligation is flexible and proportionate. Let's see what it really requires and how to turn it into a concrete programme.

What Article 4 actually requires

The text is concise but precise. Providers and deployers of AI systems must take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training, the context of use, and the persons on whom the systems will be used.

Three points not to miss:

  • It covers almost everyone. The obligation is not just for big tech: it applies both to the provider (who develops or places an AI system on the market) and to the deployer (who uses it under their authority). If your company uses a chatbot, a CV-screening tool or a generative assistant, you are a deployer.
  • It is a duty of means, not of result. "To their best extent" and "sufficient level" signal proportionality: you don't need to turn everyone into a data scientist, but to enable each person to use AI consciously relative to their role.
  • Official definition. Under Art. 3(56), AI literacy is the set of "skills, knowledge and understanding" that allow an informed deployment of AI systems and awareness of the opportunities, risks and possible harm they can cause.

The obligation has applied since 2 February 2025; the supervision and enforcement powers of national market surveillance authorities start from 2 August 2026.

What changes with the Digital Omnibus (2026 update)

In November 2025 the Commission proposed, with the Digital Omnibus package, to lighten several parts of the AI Act. The final text — approved by the European Parliament on 16 June 2026 and the Council on 29 June 2026, awaiting publication in the Official Journal — softens Article 4 but does not delete it.

The original proposal would have shifted the burden onto Member States; the final deal is more moderate: providers and deployers must still take measures to support the development of AI literacy among staff, with the clarification that this does not require guaranteeing a specific level of competence for any individual. The Commission and Member States must support businesses and publish practical compliance examples.

The operational takeaway for an SME is simple: the obligation still exists. Moreover, for those using high-risk systems, the duty — set out in the human-oversight provisions — to train the people tasked with overseeing the system remains fully in place. In practice, the programme described below is needed either way.

How to build a compliant programme in 5 steps

  1. Map roles and systems. Start from the inventory of AI systems in use and, for each, record who uses it, who decides based on its output, and who configures it. Without this map you cannot calibrate the content.

  2. Define minimum content by level. Not everyone needs the same training. A proportionate grid:

    Group Example role Minimum content
    Basic use Users of generative tools What an AI system is, risks (errors, hallucinations, personal data), responsible use, when to involve a human
    Decision use Those using AI for decisions on people (HR, credit) Bias, human oversight, data-subject rights, system limits
    Technical roles Those developing, integrating or configuring AI AI Act obligations by risk category, logging, technical documentation
    Governance Management, DPO, compliance Risk classification, provider/deployer obligations, evidence management
  3. Deliver in the most suitable format. The Commission has clarified there is no single format: e-learning, classroom sessions, internal guidance and onboarding all work. What counts is relevance to context, not form.

  4. Document the evidence. No certificate is required, but keep an internal record: who was trained, on what, when and with which materials. In an inspection, documentary evidence is what separates a met obligation from a statement of intent.

  5. Update on a cadence. AI evolves and so do the risks. Set at least an annual review, plus targeted training whenever you introduce a new system or a significant new use case.

The most common mistakes

  • A "one-size-fits-all" course that ignores roles: it is not proportionate and leaves the highest-risk profiles uncovered.
  • Training without documenting. If there is no trace, the activity is not demonstrable to an authority.
  • Confusing literacy with a privacy notice. They are different: Article 4 is about understanding AI systems, not merely consent to data processing.
  • Stopping at theory. Operational skill is needed: what to do when an output is doubtful, when to escalate to a person, how to spot misuse.

Where to start

An effective AI literacy programme starts from an honest snapshot: which systems we use, who touches them, what risks we run and which skills are missing. That is exactly what emerges from an independent gap assessment, which turns a regulatory obligation into a training plan with priorities, content and owners. If you want to start from the ground up, our training services page describes how we design tailored paths for SMEs.