EU AI Act

Article 4 explained

Article 4 of the EU AI Act (Regulation (EU) 2024/1689) is short, and it lands the soonest. This article explains what it requires, who it applies to, what training has to look like, and what evidence auditors will want.

What Article 4 says

Article 4 — “AI literacy” — requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf. It is the only Article 4-specific obligation: there is no separate certification, no central registry, no inspector-stamp.

The obligation applies in proportion to:

• The technical knowledge, experience, education, and training of the people involved.
• The context in which the AI systems are used.
• The persons or groups of persons on whom the AI systems are to be used.

In plain terms: the bar is “sufficient AI literacy for the actual use” — not “every employee passes the same exam.” The proportionality is built in.

When it applies

2 August 2026 is the date on every CTO’s calendar. From that date, Chapter II of the Act — including Article 4 — applies in full. It applies regardless of company size; there is no SME carve-out. Failure to comply can attract administrative fines under Article 99, with the largest tier capped at €35,000,000 or 7% of worldwide annual turnover (whichever is higher) for the most serious infringements.

Most mid-market companies will not face the maximum tier — fines for Article 4 specifically are not at the top of the schedule — but the reputational and procurement consequences (“does your AI usage policy and training programme satisfy Article 4?” is becoming a vendor-questionnaire staple) are larger than the regulatory fine itself.

Who needs to be trained

Anyone at your company who interacts with an AI system in the course of their work. That includes:

• Employees using ChatGPT / Claude / Gemini / Copilot for daily work.
• Engineers calling AI APIs from internal systems.
• Marketers using AI features inside Notion / Linear / Slack / SaaS tools.
• Contractors using AI tools on company data.

It does not include staff who never interact with AI. The list is decided per-company; the audit needs to be able to defend the list.

A practical test: if a person has access to any tool listed as “Approved” in your AI inventory, they probably need Article 4 training.

What “training” actually means

The Act does not prescribe a specific format. What auditors look for is a defensible programme rather than a specific curriculum. Effective training programmes in mid-market companies typically include:

• A definition of what an “AI system” is in the legal sense, mapped to your tool stack.
• The risks specific to AI tool usage: data leakage, hallucination, biased output, prompt injection, IP exposure, failure modes that are not obvious from the UI.
• The company’s AI usage policy — what is and is not allowed, what data may go in, when to escalate.
• Practical guardrails — concrete examples of “don’t do this”, “do do that”.
• Article 4 itself — what it says, why we are tracking the training, what evidence looks like.
• Reporting paths for misuse or unexpected behaviour.

Length: 30 minutes to an hour for the initial session is normal. A short refresher every 12 months keeps it current. Material changes to the policy or tool stack trigger an abbreviated retraining.

What evidence has to look like

When an auditor asks “show me your Article 4 evidence”, they want to see:

• A written training plan — who is in scope, what is covered, how often. (See the training plan template.)
• A list of training events — when each session was held, who attended, what materials were used.
• Per-person completion records — date, attendee, outcome (e.g., quiz pass).
• A link from each AI tool to its training requirement — i.e., “users of Tool X must have completed Y training”. This is the piece most companies miss.
• Records of refresher cadence — proof that training is repeated, not just done once.

Auditors do not want to see the full training video. They want the records. AIRegistra’s Training module captures all of this and renders an Article 4 readiness PDF on demand.

What this means in practice

If you are a deployer (most mid-market companies), the practical next steps are:

1. Adopt a written AI usage policy — see the AI usage policy template.
2. Adopt an Article 4 training plan — see the training plan template.
3. Pick a date and run the first training session — even an informal 30-minute call with a recorded video is a valid v1.
4. Record the attendees and the materials used — this is the evidence.
5. Set a refresher cadence — typically annually.

Doing this before 2 August 2026 is the goal. Doing it imperfectly with evidence beats doing it perfectly with no records.

Where to go next

• Role declaration: Provider / Deployer / Importer / Distributor — figure out which role(s) you are.
• Evidence basics — what counts as evidence, common pitfalls.
• Key deadlines — full timeline of the Act’s phased applicability.

This is general information, not legal advice. Application to your company depends on your specific facts; consult your own counsel.

6 min read · Last updated 7 May 2026