GovCompass
NL
AI governance
ReferenceAccountabilityHuman oversight

Art. 4 EU AI Act: AI literacy obligations for organizations

By GovCompass.ai· Last verified June 2026· Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 4 has required organizations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.

Updated: June 2026

Introduction: literacy as a legal obligation

Article 4 of the EU AI Act introduced something novel in EU technology regulation: a skills obligation. Not a documentation requirement, not a technical standard, but a requirement that organizations ensure the people who work with AI actually understand it. Art. 4 applies to all providers and deployers, regardless of riskriskIn the EU AI Act's terms, the combination of the probability that a harm occurs and the severity of it if it does. The link between a principle (via the harm that would breach it) and a control (the measure that reduces it). Naming the harm and assessing its risk is required by Art. 9 before any mitigation measure is chosen. See harm, control, residual risk.Open full entry → class, and has been in force since 2 February 2025.

The obligation is deceptively simple to state but complex to implement: "Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacyAI literacySufficient understanding of AI's workings, capabilities and risks for one's role — an explicit expectation for provider and deployer staff under the EU AI Act.Open full entry → of their staff and other persons dealing with the operation and use of AI systems on their behalf."

This article analyses what "sufficient AI literacy" means in practice, how to build a proportionate training program, and how to document compliance for supervisory purposes.

Who is covered by Art. 4?

The personal scope of Art. 4 is broad: "staff and other persons dealing with the operation and use of AI systems." This includes:

  • Employees who directly use AI systems in their work
  • Managers who oversee AI-assisted processes
  • IT staff responsible for AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → integration and maintenance
  • Compliance and legal staff assessing AI systems
  • External contractors who operate AI systems on the organization's behalf
  • Board members responsible for governancegovernanceThe system through which an organization steers itself: corporate governance, risk management, compliance, lines of accountability, risk appetite, and the operating model. It exists across everything the organization does, before and beyond AI. AI governance is this same system extended for AI. See AI governance, governance design, execution level.Open full entry → of AI deployment

The obligation does not extend to every employee in the organization, only those involved in AI operation and use. However, for most modern organizations, this is a substantial portion of the workforce.

What does "sufficient AI literacy" mean?

The EU AI Act does not define a minimum curriculum. Instead, it specifies the objective: understanding sufficient to enable responsible and informed use of AI systems. The relevant preamble (Recital 20) identifies three dimensions:

  1. Technical literacy: Understanding how AI systems work, including their limitations, potential for error, and the nature of their outputs
  2. Domain literacy: Understanding the specific risks and implications of AI in the relevant professional context
  3. Regulatory literacy: Understanding the applicable legal obligations and the organization's policies

The level required is proportionate to the role. A manager who approves AI-generated loan decisions needs deeper technical and regulatory literacy than an employee who uses a spell-checker. A supervisory authority assessing compliance will evaluate whether the literacy level matched the risk level of the AI system in use.

Building a proportionate literacy program

Step 1: stakeholder mapping

Map every AI system in use against the staff who interact with it. Create a matrix: role × AI system × required literacy level (basic / intermediate / advanced).

Step 2: baseline assessment

Assess current AI literacy levels. This can be a simple self-assessment survey combined with a structured knowledge test. The gap between baseline and required level determines your training investment.

Step 3: training program design

Design differentiated training by role and AI risk level:

  • All staff: Basic AI awareness (what AI is, what it is not, how to recognize AI-generated content)
  • AI system users: System-specific training including limitations, override procedures, and escalation paths
  • High-risk AI users: Full Art. 26 obligations, human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → procedures, incident reporting
  • AI governance staff: Regulatory framework, classification methodology, documentation requirements

Step 4: documentation and evidence

For supervisory purposes, maintain records of: training completion by staff member, training content and date, assessment scores, and annual refresh cycles. This documentation demonstrates your "best extent" efforts under Art. 4.

Relationship with other Art. 26 obligations

Art. 4 does not exist in isolation. Inadequate AI literacy creates downstream violations:

  • Art. 26.2 (human oversight): Oversight by a person who does not understand the AI output is not meaningful oversight. Courts and supervisors are expected to assess literacy as a precondition for oversight effectiveness.
  • Art. 26.5 (monitoring): Post-market monitoringpost-market monitoringProvider-side duty to systematically collect and act on experience from systems in use — the product-regulation half of continuous monitoring.Open full entry → requires users who can recognize anomalous system behavior.
  • Art. 73 (incident reporting): Identifying a "serious incidentserious incidentAn AI incident causing (or nearly causing) death, serious harm to health, property, fundamental rights or infrastructure — triggering regulatory reporting duties for high-risk systems.Open full entry →" requires staff who understand what constitutes unexpected AI behavior.

Compliance checklist

  1. Have you identified all staff and contractors who interact with AI systems?
  2. Have you assessed the required literacy level for each role based on the AI systems used?
  3. Is there a documented training program with differentiated content by role?
  4. Do you have evidenceevidenceThe concrete proof that a control is designed, implemented, and working: a test report, an audit trail, an impact assessment, a monitoring log. Each link in the governance chain produces an artifact, and together they are what an organization hands to its own board, a regulator, a customer, or an affected person to show, not say, that a system is governed. Its absence is itself the failure: a risk register without test results, or a mitigation claimed without validation, is a governance gap, not a paperwork one. The closing link of the governance chain. See control, governance.Open full entry → of training completion for all covered staff?
  5. Is there an annual refresh process for AI literacy training?
  6. For high-risk AI users: does training specifically cover the Art. 26 obligations relevant to their role?
  7. Does board-level governance include AI literacy elements?
Legal referencesArt. 4
Share Share on LinkedIn

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Human oversight

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.2 EU AI Act: human oversight of high-risk AI

Reference

Art. 26.2 requires deployers to ensure that the people assigned to oversee a high-risk AI system have the competence, training, and authority to do so effectively. Valid oversight is substantive, not formal: the overseer must understand the system, be trained on its limitations, and hold genuine authority to override its outputs.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers, public bodies and private deployers in defined sectors such as credit and insurance, to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Agentic AI: governing actions, not just decisions

Analysis

Data governance asks whether you can trust the data. AI governance asks whether you can trust the decision. Agentic governance asks a third question that neither was built to answer: can you contain what the system does? Agentic AI is the eighth, integrating GovCompass element. It binds the other seven under the conditions that autonomy creates, because an AI system that takes actions on your behalf must satisfy all seven pillars continuously, across multi-step and multi-agent chains, without a human checkpoint between each step.