EU AI Act Article 4 requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy of their staff dealing with the AI system, taking into account their technical knowledge, experience, education, training, and the context the AI is to be used in.
The obligation has been in force since February 2, 2025, the second of the EU AI Act phases to go live. Audit pressure has been growing through 2026 as national AI authorities (in Germany: BNetzA + BfDI + Bundesnetzagentur in coordination) begin formal supervision and inspectors start asking for evidence of completion.
Most companies are behind on Article 4 for the same reason: they assumed their existing cybersecurity training or compliance training covered it. It does not. Cybersecurity training is about not clicking phishing links; AI literacy training is about understanding how AI makes decisions, when to trust the output, when to require human verification, and what the affected individual's rights are under Articles 22 (DSGVO) and 86 (AI Act). The audience overlaps but the content is different.
The other reason companies are behind: there is no standardized training curriculum. Each organization has to design its own. Bitkom, IAPP, and BSI have published frameworks but none is mandatory. The result is wide variation in what counts as "sufficient level," and auditors are starting to push back on training that is too thin or too generic.
This guide explains what AI literacy specifically means under Article 4, the 4 staff roles that need different training depth (general users, decision-makers, technical teams, DPO/compliance), how to design each tier, how to document completion in a way auditors accept, and the 5 most common compliance gaps to avoid. Written for the HR business partner, learning and development lead, or compliance owner responsible for AI literacy at scale.
For the broader EU AI compliance framework, see our AI governance and compliance EU pillar. For the Annex III high-risk regime that scales up the training stakes for HR-AI, see AI Act Annex III for HR.
What Article 4 Actually Requires
The text of Article 4 is brief: "Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."
Four phrases do the work: "sufficient level" (the standard is contextual, not absolute), "AI literacy" (defined elsewhere as understanding what AI is, how it works, its capabilities and limitations, and its impact), "staff and other persons dealing with operation and use" (employees, contractors, integrators), and "context the AI systems are to be used in" (HR-AI training looks different from customer-service-AI training).
What this means in practice: there is no one-size-fits-all curriculum, and "sufficient" is judged by the auditor based on the staff's actual interaction with the AI and the AI's risk classification. A general office worker who occasionally uses a Copilot-style assistant needs less depth than a recruiter using HR-AI screening tools (Annex III high-risk) or a developer integrating AI into customer-facing systems. The audit question is not "did everyone get the same training?" but "did each role get training proportional to their interaction with the AI?"
The 4 Staff Tiers and Their Training Depth
| Tier | Who | Training depth | Typical duration |
|---|---|---|---|
| 1. General user | Office worker, customer-service rep, anyone using AI occasionally | What AI is, capabilities + limitations, when not to trust output, basic prompt safety | 1-2 hours annual, online module |
| 2. Decision-maker / power user | Manager, HR business partner, recruiter using AI for hiring/performance/coaching decisions | Tier 1 + Annex III high-risk awareness, human-oversight role, Art. 22 + Art. 86 rights of affected individuals | 4 hours initial + 2 hours annual refresher |
| 3. Technical team | Developer, integrator, ML engineer building or operating AI systems | Tier 2 + permission architecture, drift defenses, audit-trail design, prompt injection mitigation, observability | 8 hours initial + 4 hours quarterly |
| 4. DPO / Compliance / AI governance | Data Protection Officer, AI governance owner, internal auditor | Tier 3 + full EU AI Act, DSGVO interplay, NIS2, Annex IV technical doc requirements, EDPB DPIA template, AIBOM | 16+ hours initial + 8 hours quarterly + conference attendance |
5 Most Common Article 4 Compliance Gaps
Compliant Article 4 practice
Tier-based training matched to staff role and AI risk classification
Documented completion records per individual with date + module + version
Annual refresher cycle minimum; faster for technical teams
Curriculum versioned with regulatory updates (EU AI Act phase changes, EDPB guidance)
Training content covers DSGVO Art. 22 + AI Act Art. 86 affected-individual rights
Co-designed with Betriebsrat per BetrVG §87 if applicable
Common audit findings
"We have annual cybersecurity training; that covers AI"
Generic AI literacy module with no role differentiation
Completion "tracked" in a spreadsheet that has not been updated since 2024
Training curriculum dated 2023; never updated for AI Act phase 1-2-3 changes
No mention of Art. 22 / Art. 86 individual rights in any training
Betriebsrat not consulted on training design despite §87 applicability
How to Document Completion for Auditors
Maintain a per-person training register
Each individual: name, role, AI-systems-they-interact-with, tier (1-4), modules completed (with version + date), next refresher date. Auditors expect this as a queryable record, not an Excel file. Most LMS platforms (Moodle, Cornerstone, SAP Litmos) can produce it.
Version the curriculum
Each training module has a version number tied to the curriculum it teaches. When the EU AI Act updates or EDPB publishes new guidance, you bump the version and re-deploy. The completion register links each completion to a specific version. Auditors can verify the version was current at the time of completion.
Test comprehension, not just attendance
Article 4 requires "sufficient level," not "attended training." Include a comprehension check at the end of each module: 10-15 questions covering capabilities, limitations, rights, oversight. Document the passing score. Auditors increasingly distinguish between "completion" and "demonstrated understanding."
Tag training records with the AI system and risk classification
When a person completes training for "HR recruitment AI (Annex III high-risk)," that tag goes on the record. If the AI deployment changes or the risk classification changes, the tag tells you which training records need refreshing. Without this tag, finding affected personnel after a system change is a manual search.
Produce an annual training report
One report per year summarizing: total staff in scope, completion rates per tier, modules covered, curriculum versions deployed, gaps identified, remediation plan. Sign off by AI governance owner. This is the document auditors photograph; have it ready before they ask.
The single highest-leverage improvement: switch from attendance-tracking to comprehension-testing. A 10-15 question post-module quiz, with documented passing scores, is the difference between "we did training" and "we demonstrated sufficient AI literacy." Auditors increasingly accept only the latter as evidence of Article 4 compliance.
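The register described in the steps above, sketched as an added example (not part of the original guide and not any LMS vendor's schema): a queryable per-person register that links each completion to a module version, a comprehension score and an AI-system tag, then reports which records no longer count as evidence. Table and column names, module names, versions, pass marks and sample rows are all constructed; the refresher intervals follow the annual and quarterly cycles in the tier table.

```python
import sqlite3
from datetime import date, timedelta

# Refresher cadence per tier in days (annual for tiers 1-2, quarterly for 3-4).
REFRESH_DAYS = {1: 365, 2: 365, 3: 91, 4: 91}

def build_register():
    """In-memory register filled with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE module(name TEXT PRIMARY KEY, current_version TEXT, pass_mark INT);
        CREATE TABLE completion(
            person TEXT, role TEXT, tier INT, ai_system TEXT, risk_class TEXT,
            module TEXT REFERENCES module(name), version TEXT,
            completed_on TEXT, score INT);
    """)
    db.executemany("INSERT INTO module VALUES (?,?,?)", [
        ("ai-basics", "2.1", 70), ("hr-oversight", "3.0", 80)])
    db.executemany("INSERT INTO completion VALUES (?,?,?,?,?,?,?,?,?)", [
        ("A. Example", "office worker", 1, "office-assistant", "minimal", "ai-basics", "2.1", "2026-01-10", 85),
        ("B. Example", "recruiter", 2, "hr-screening", "annex-iii-high", "hr-oversight", "2.4", "2025-11-03", 90),
        ("C. Example", "ML engineer", 3, "hr-screening", "annex-iii-high", "ai-basics", "2.1", "2025-09-01", 95),
        ("D. Example", "manager", 2, "hr-screening", "annex-iii-high", "hr-oversight", "3.0", "2026-02-01", 60),
    ])
    return db

def refresh_reasons(db, today):
    """Return {person: [reasons]} for completions that need to be redone."""
    out = {}
    rows = db.execute("""SELECT c.person, c.tier, c.version, c.completed_on, c.score,
                                m.current_version, m.pass_mark
                         FROM completion c JOIN module m ON m.name = c.module""")
    for person, tier, ver, done, score, cur, pass_mark in rows:
        reasons = []
        if ver != cur:  # curriculum was bumped after this completion
            reasons.append(f"completed v{ver}, current is v{cur}")
        if score < pass_mark:  # attended, but comprehension not demonstrated
            reasons.append(f"score {score} below pass mark {pass_mark}")
        if date.fromisoformat(done) + timedelta(days=REFRESH_DAYS[tier]) < today:
            reasons.append("refresher overdue")
        if reasons:
            out[person] = reasons
    return out

def staff_for_system(db, ai_system):
    """People whose records carry this AI-system tag, e.g. after a reclassification."""
    q = "SELECT DISTINCT person FROM completion WHERE ai_system = ? ORDER BY person"
    return [r[0] for r in db.execute(q, (ai_system,))]
```
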
Key Takeaways
1. Article 4 has been in force since Feb 2, 2025. Audit pressure growing through 2026. Most companies are behind because they assumed cybersecurity training covered it.
2. Four staff tiers, four training depths. General user (1-2h), decision-maker (4h + 2h refresher), technical team (8h + quarterly), DPO/compliance (16h+ + quarterly). Tier matched to AI interaction and risk classification.
3. Five common gaps to avoid. Assuming cybersecurity training covers it; generic module without role differentiation; outdated curriculum; missing Art. 22 + Art. 86 content; no Betriebsrat involvement.
4. Document with a per-person, versioned training register. Each completion linked to module version, AI system, risk classification, and comprehension test passing score. Annual training report signed off by AI governance owner.
5. Switch from attendance-tracking to comprehension-testing. A 10-15 question post-module quiz is the difference between "we did training" and "we demonstrated sufficient AI literacy."



