AI & Law
Implementing the AI Literacy Obligation (Art. 4 AI Act): What Companies Need to Train
Since February 2, 2025, companies that use AI have had to do something concrete — and very few have documented it cleanly. The reason is Article 4 of the AI Act: the AI literacy obligation. It sounds like common sense, but there is more to it than meets the eye, because it applies to every company that uses AI — from the large corporation to the three-person office with a ChatGPT subscription. This article does not aim to show that the obligation exists, but how to implement it in practice: which content, for which roles, in which format, and with what audit-proof evidence. (Professional analysis, not legal advice for an individual case.)
Implementing the AI literacy obligation under Art. 4 of the AI Act means: mapping your own AI inventory, defining roles and competence levels, training in a risk-appropriate way, and documenting everything without gaps. The obligation has applied since February 2, 2025; official enforcement through national market surveillance kicks in on August 2, 2026. The regulation does not prescribe a specific format or certificate — but it does require a demonstrable, role-adapted training approach.
As of May 2026. The legal situation around the AI Act is in flux: on May 7, 2026, Parliament and Council reached a provisional agreement on the “Digital Omnibus,” which postpones the obligations for high-risk AI (Annex III to December 2, 2027). The AI literacy obligation under Art. 4 is not affected — it has applied unchanged since February 2, 2025. This article is updated on an ongoing basis; the version of the regulation in force at any given time remains authoritative.
What Art. 4 is really about
Art. 4 of the AI Act requires providers and deployers of AI systems to take appropriate measures to ensure a “sufficient level of AI literacy” among their staff — as well as among the persons who operate the systems on their behalf. The key point: the obligation is independent of the risk class. It applies not only to high-risk AI, but also to seemingly harmless tools such as ChatGPT, Microsoft Copilot, or Claude in everyday office use.
The regulation deliberately leaves “sufficient” open-ended: the factors to consider are technical knowledge, experience, education, and the specific context in which the persons concerned use the system. This openness is not a loophole but a risk-based mandate — and this is precisely where good implementation separates itself from poor implementation. For the definitional fundamentals (what, who, by when), see our detailed article on the AI literacy obligation under Art. 4; this article focuses on the how.
What exactly do companies need to train?
The regulation does not prescribe a fixed curriculum. In practice — and in line with the European Commission’s FAQ (May 2025) — a robust AI training program breaks down into three content dimensions:
- Technical fundamentals. How do AI and large language models work at their core? What are hallucinations, why do biases arise, and where are the limits of reliability? Employees need to understand why they must not adopt AI outputs blindly.
- Legal framework. The essentials of the AI Act, the interface with the GDPR, transparency obligations, avoiding discrimination, and how to handle business and personal data in prompts. This is where the most underestimated risk lies: AI plus personal data.
- Specific application context. The company-specific use cases, your own tools, your own risks, and your internal AI policy. Generic online courses almost never cover this layer.
Why “law and technology from a single source” is decisive here
It is precisely at the seam between dimensions 1 and 2 that most offerings on the market fall short. Pure law firms deliver the legal framework but do not know the systems in detail. Pure training and LMS providers deliver technical fundamentals, but the legal depth remains thin. An AI training program that explains technically correctly why a model hallucinates, and at the same time situates with legal precision when this creates a GDPR or liability problem, needs both competencies under one responsibility. More on this on the page about AI training for your team.
A robust AI training program only holds up when technology, law, and your own application context are brought together — if one dimension is missing, the Art. 4 evidence remains vulnerable.
Implementing the AI literacy obligation: step by step
The following sequence has proven itself for implementation in mid-sized companies:
- Map your AI inventory. Which AI tools are in use (including “shadow AI” such as privately used ChatGPT)? Who uses them, for which tasks, with what data? Without this inventory, “risk-appropriate” cannot be determined.
- Define roles and competence levels. Not everyone needs the same knowledge. Assign people to competence levels (see Table 1).
- Create a training framework. Specify who learns what and when — risk-based and tiered by role and prior knowledge. This framework will later be your central piece of evidence.
- Deliver the training. Choose suitable formats (see Table 2): in-person, webinar, e-learning, train-the-trainer. Combining them is allowed and often makes sense.
- Anchor an internal AI policy. An AI usage policy translates the training into binding rules for daily work (permitted tools, prohibited data, approval processes).
- Document without gaps. Record who learned what and when (details below).
- Update regularly. New tools, new roles, new legal situation — review the framework at least annually and whenever there is a triggering event.
Table 1: Roles, competence levels, and content
| Role / group | Competence level | Training focus |
|---|---|---|
| Management / leadership | Strategic | Obligations under the AI Act, liability, governance, investment decisions |
| Compliance / data protection | In-depth (legal) | The AI Act in detail, GDPR interface, evidence keeping, supervision |
| Power users / departments using AI | Application-strong | Correct prompting, data protection in prompts, hallucination check, use-case risks |
| AI development / integration | Technically deep | Model behavior, bias mitigation, provider/deployer obligations, documentation |
| Remaining workforce (only marginal AI) | Basic awareness | What I may (not) do, basic understanding, internal AI policy |
| External service providers “on your behalf” | Depends on the task | Contractually secured minimum level analogous to internal roles |
Who has to be trained?
Covered are all persons who use AI on behalf of the company — and this expressly includes external service providers and business partners who operate the systems on your behalf (per the European Commission FAQ of May 2025). Secure this contractually with external parties.
SMEs are not exempt either. Art. 4 sets no size threshold; a small company must fulfill the obligation, but may design the effort in a risk-appropriate — and therefore leaner — way.
Do I have to train employees who don’t use AI at all? Anyone who demonstrably does not use AI does not need in-depth training. A brief basic awareness session is nonetheless advisable: it prevents the uncontrolled use of private AI tools (“shadow AI”) and is part of a credible overall concept.
Does this also apply to ChatGPT, Copilot, and Claude? Yes. The obligation does not depend on the tool but on its use within the company. Anyone who uses one of these tools for business purposes is a deployer within the meaning of the AI Act and is therefore covered by Art. 4.
Documenting training evidence correctly
An official certificate is not required — the European Commission leaves the format open. In practice, however, auditability is mandatory: you must be able to demonstrate to the supervisory authority that you have taken appropriate measures. For this reason, keep records of:
- Participants and date of each measure (who, when)
- Content and version of the training (slide deck, agenda, status)
- Trainer / source of the training (internal or external)
- Role-specific learning objectives per group (linked to the training framework)
- The applicable AI policy including employees’ acknowledgment of receipt
- Updates (when the framework was reviewed, what changed)
Rule of thumb: your training framework plus attendance records plus AI policy together tell the story that counts if it ever comes to that — clean, dated documentation is worth more than any generic certificate.
Deadline, enforcement, and penalties — the correct legal situation
This is where factual accuracy parts ways with fear marketing. Two dates must be kept apart:
- Since February 2, 2025, the AI literacy obligation has been directly applicable (at the same time as the prohibition of certain AI practices under Art. 5).
- From August 2, 2026, official enforcement through national market surveillance takes effect. In Germany, the Federal Network Agency (Bundesnetzagentur), among others, plays a central role.
And the fines? An important clarification: Art. 4 does not carry a standalone fine in the penalty catalog of Art. 99 of the AI Act. The widely cited amounts of “up to €15 million / 3% of annual turnover” relate to other breaches (provider/deployer obligations under Art. 99(4)); “up to €35 million / 7%” applies to prohibited practices under Art. 5. So anyone claiming that a missing AI course costs “up to €35 million” is legally off the mark.
This does not mean that Art. 4 is without consequences. Enforcement takes place through national market surveillance measures, and an indirect liability and damages risk arises: if an AI incident (for example a data protection breach or a wrong decision) can be traced to a demonstrable lack of competence, this has an aggravating effect — under both civil and supervisory law. So the serious driver is not a fantasy fine but real liability and auditability.
Train in-house or commission externally?
An honest assessment — even though we offer training ourselves:
Table 2 / 3: In-house, external, or blended?
| Criterion | Train in-house yourself | External provider | Blended (external + internal) |
|---|---|---|---|
| Legal depth | only with in-house expertise | high (if legally well-founded) | high |
| Currency of the legal situation | hard to maintain | in the provider’s interest | good |
| Company-specific context | very high | low, unless tailor-made | very high |
| Internal effort | high | low | medium |
| Evidence / auditability | to be built yourself | usually included | included + internally anchored |
| Cost | ”hidden” personnel costs | transparent, calculable | medium |
For many mid-sized companies, blended is the best path: an external, legally accountable framework (concept, role-based content, evidence templates) plus internal anchoring in your own AI policy and your own use cases. If you want an implementation that covers law and technology from a single source, contact us for a legally sound, GDPR-compliant AI training program — ideally starting with a no-obligation initial consultation.
Frequently asked questions (FAQ)
Is a one-time online course enough?
For very low-risk use with basic awareness, a good online course can be a starting point. It is only “enough” if it is role-specific and documented. Because tools and the legal situation change, refreshers (at least annually, and whenever triggered by an event) are part of the obligation.
Do I need an official certificate for Art. 4 of the AI Act?
No. Neither the AI Act nor the European Commission prescribes any specific certificate. What is required is an appropriate, documented training approach — auditability is what counts, not a certificate logo.
Do I also need an internal AI policy?
It is not expressly required, but it is practically indispensable. The AI usage policy translates the training content into binding everyday rules and is at the same time strong evidence of your measures.
By when does implementation have to be in place?
The obligation has applied legally since February 2, 2025. Anyone who still has nothing in place should not wait for August 2, 2026 (the start of enforcement) — because by then you will be missing the clean, dated history that is convincing in an audit.
Does the obligation also apply to my small company?
Yes. There is no exemption for SMEs. However, the scope may be risk-appropriate — and therefore leaner — than in a large corporation.
Sources — as of 10.05.2026
- Regulation (EU) 2024/1689 (AI Act), Art. 3(56), Art. 4, Art. 99 — primary source (EUR-Lex)
- Art. 99 AI Act (penalties, full text) — https://ai-act-law.eu/de/artikel/99/
- European Commission FAQ on AI literacy under Art. 4 (May 2025), prepared by the Otto Schmidt IT law blog — https://www.otto-schmidt.de/blog/it-recht-blog/faq-der-eu-kommission-zur-ki-kompetenz-nach-art-4-ki-vo-was-fur-arbeitgeber-gilt-und-ab-wann-ITBLOG0007892.html
- Noerr — Article 4 AI Act: obligations and opportunities for companies — https://www.noerr.com/de/insights/artikel-4-ki-vo-pflichten-und-chancen-fuer-unternehmen-im-umgang-mit-ki-kompetenz
- Bundesnetzagentur (Federal Network Agency) — AI literacy (national supervision in Germany) — https://www.bundesnetzagentur.de/DE/Fachthemen/Digitales/KI/7_Kompetenz/start.html
- Council of the EU — “Artificial Intelligence: Council and Parliament agree to simplify and streamline rules” (Digital Omnibus provisional agreement, May 7, 2026) — https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
This article reflects the situation as of May 2026 and is no substitute for legal advice in an individual case. This is general information, not legal advice. — Leon Lotz, business lawyer (Wirtschaftsjurist)
Leon Lotz
Leon Lotz is a business lawyer and founder of MusketierSoftware. He combines legal depth with real software craft.
