What Does the EU AI Act Actually Require When It Comes to AI Literacy?
There is a lot of focus on the high-risk AI system requirements and the rules for general-purpose AI models under the EU AI Act. Both are significant and will require real effort from the organisations they apply to. But there is an obligation that receives far less attention, applies to a much wider range of businesses, and is still being overlooked by many: the AI literacy requirement.
If your business uses AI in any capacity, whether you have built your own system or simply use an AI-powered tool as part of your operations, you are likely already subject to this obligation. This guide explains what it actually requires and what meeting it looks like in practice.
What Does Article 4 of the EU AI Act Say?
Article 4 of the EU AI Act places an obligation on both providers and deployers of AI systems to take measures to ensure that their staff, and other people acting on their behalf when working with AI, have a sufficient level of AI literacy. This requirement has been in force since February 2025.
The Act defines AI literacy as the skills, knowledge, and understanding that allow people to make informed use of AI systems and to be aware of the opportunities and risks associated with them. The Act also specifies that the level of literacy required must be calibrated to the context: the AI systems being used, the role of the individual, and the potential consequences of how AI is being applied.
Who Does This Apply To?
The obligation applies to both providers, organisations that develop or place AI systems on the market, and deployers, organisations that use AI systems within their operations or products. In practice, this captures an enormous range of businesses.
If you use an AI-powered customer service tool, a recruitment screening platform, a content generation assistant, an analytics system, or any other AI-enabled technology as part of your day-to-day work, you are likely acting as a deployer, and the literacy obligation applies to you. It extends to anyone in your organisation who works with AI in any meaningful sense, not just technical teams or developers.
What Does "Sufficient" Actually Mean?
The Act does not prescribe a fixed curriculum or a minimum number of training hours. What it requires is that literacy be proportionate to the role of each person and the nature of the AI systems they interact with.
Someone building and deploying an AI model from scratch needs a substantially different level of understanding from someone who occasionally uses an AI writing assistant. The obligation scales with exposure and responsibility, which means your approach to AI literacy must reflect the actual ways that different people in your organisation use and interact with AI.
At a minimum, training should cover what AI is and how the specific systems in use actually function, what those systems can and cannot be relied upon to do, when and how human oversight should be applied, what your organisation's own AI governance policies require, and what the particular risks associated with the use case are.
What Does This Look Like in Practice?
This is where the obligation becomes more concrete. Here are some practical examples of what meeting the requirement looks like across different types of businesses.
A law firm that uses an AI tool to assist with document review could run a training session with the relevant fee earners explaining how the tool processes information, what kinds of errors it is known to make, and the circumstances in which a lawyer must review the output independently rather than relying on it. The session could be recorded and made part of the induction process for new joiners, giving the firm an ongoing record of compliance.
A retail business using AI for demand forecasting could provide its buying team with a briefing explaining what data the model uses, how confident its predictions typically are, and how the team should factor those predictions into their decisions rather than treating them as definitive. A short written summary of this, kept on file, demonstrates that the obligation has been taken seriously.
An HR function using AI to assist with CV screening would need a more considered approach, given the higher sensitivity of this use case. Training should cover how bias can enter AI systems, what the legal implications of automated or AI-assisted decision-making are under both the EU AI Act and data protection law, and how decisions must be documented to ensure accountability and consistency.
A technology company building AI products for clients would need to ensure that its engineers, product managers, and commercial teams all have a solid working understanding of the risk classification system under the AI Act, the documentation obligations for the systems they develop, and the compliance responsibilities that will pass to the deployers who use their products.
None of these examples requires an expensive or lengthy programme. What they require is intentional effort, appropriate documentation, and some thought about what each group of people actually needs to know.
What Training Formats Are Acceptable?
There is no prescribed format for AI literacy training. The EU Commission and the AI Office have signalled that what matters is the outcome, namely that people genuinely understand what they need to understand for their role, rather than whether a particular delivery method was used.
Training can take the form of internal workshops, e-learning modules, written guidance, team briefings, or external courses. The EU AI Office has acknowledged a list of recognised AI literacy programmes, available here, which can be a useful starting point for organisations looking for external resources to supplement internal efforts.
Whatever approach you take, keep records. A log of who completed what training, and when, is essential if you are ever asked by a regulator to demonstrate that you have met the Article 4 obligation.
How Should You Get Started?
A sensible first step is to map out which teams and individuals in your organisation interact with AI, in what capacity, and what the nature of those systems is. From there, you can identify what each group needs to understand and design training that is proportionate to their level of exposure.
You do not need to achieve a perfect programme immediately, but you do need to be able to show that you have taken the obligation seriously and made genuine progress. Regulators under the EU AI Act are expected to take a proportionate approach, particularly for smaller organisations, but proportionality still assumes that some real action has been taken.
If you are uncertain whether your current approach meets the standard required, or if you want guidance on structuring an AI literacy programme that aligns with your broader EU AI Act compliance plans, speaking with a specialist legal adviser is a sensible investment. The AI Act's requirements will only become more detailed and more actively enforced as the August 2026 deadline approaches, and building good foundations now makes everything that follows considerably easier.
Building an AI-Literate Culture in a Tech or SaaS Business
For tech and SaaS companies, AI literacy has a different texture than it does for most other businesses. You are not simply using AI tools; in many cases, you are building and distributing them. Your engineers work with models daily, your product team makes decisions about what AI features to ship, and your sales and customer success teams explain those features to paying customers. AI literacy needs to run through all of that, not sit in a training document that gets ticked off at onboarding and never revisited.
One of the most effective approaches is designating AI leads within each department rather than relying on a single company-wide session. Giving an engineer, a product manager, or a customer success lead ownership of keeping their team updated on relevant developments means AI literacy becomes an ongoing conversation rather than a one-off exercise. These people can flag new tools worth exploring, surface concerns early, and be the first point of contact when questions arise in their team.
Running regular internal demos and show-and-tells also works particularly well in tech teams. Engineers and product managers are frequently experimenting with new tools and techniques that the rest of the business never sees. Setting aside a brief slot in an existing team meeting for people to share what they have been testing, what worked, and what they discovered about limitations, spreads practical knowledge without requiring a formal programme to be built around it.
Embedding AI awareness into existing processes, rather than treating it as a separate track, is another approach that tends to stick. Adding an AI risk question to product review templates, including a brief AI check-in during engineering retrospectives, or building a section on AI-generated content into editorial and publishing workflows means that literacy becomes part of the work rather than an addition to it.
Publishing clear internal guidance on approved AI tools is essential for any SaaS team. Many people in these businesses are using AI tools informally and without any shared understanding of what is acceptable, what data can be shared with external AI systems, or when outputs require human review before being acted on. A simple internal AI usage policy gives people a framework to work within and creates the kind of documented governance that regulators expect to see.
Finally, it is worth thinking carefully about onboarding. New joiners in tech companies often pick up AI habits from whoever sits next to them. Building AI literacy into your onboarding process, including a session on the tools your company uses, the risks to be aware of, and the policies that govern AI use internally, means everyone starts from the same foundation and you have a record of having provided it.
How to Stay Up To Date With AI Advancements
One of the genuine challenges of AI literacy is that what counts as sufficient knowledge is a moving target. New models, new regulatory guidance, and new risk considerations emerge with a regularity that can make it difficult to feel genuinely on top of things. The regulation introduced six months ago, for example, may already have been supplemented by further guidance. A tool your team adopted last year may have changed in ways that affect how it should be used and governed. Staying informed is not a one-time effort; it requires building it into your team's routine in a sustainable way.
For anything compliance-related, official and regulatory sources should be your first stop. The EU AI Office publishes updated guidance, codes of practice, and enforcement news as the AI Act is implemented. The ICO covers AI and data protection from a UK perspective and publishes practical guidance for organisations navigating these obligations. The IAPP is widely read by compliance and legal professionals and covers international AI regulation in depth. The EU AI Act resource hub is one of the most efficient places for any tech or SaaS company operating in or selling into the EU to check regularly, as it is updated as new obligations come into force and includes practical analysis alongside the legal text.
For broader technical and industry developments, MIT Technology Review offers well-researched and accessible reporting on AI capabilities, limitations, and risks. The Alan Turing Institute covers AI research with a strong emphasis on safety and responsible use, and is particularly useful for businesses thinking about how AI interacts with public interest questions.
The most sustainable habit is building AI updates into your team's existing rhythm. A monthly internal briefing, a shared reading list, or a dedicated channel in your team communication tool where relevant news is shared and briefly discussed are all practical ways to keep awareness alive without creating excessive overhead.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you, get in contact with us today for more information.