Article 4 of the EU AI Act (Regulation (EU) 2024/1689) requires providers and deployers of AI systems to take measures ensuring that their staff possess a sufficient level of AI literacy. No mandatory certificate or examination is required. That said, organisations are not free to document nothing at all. In the event of an audit or enforcement procedure, they must be able to demonstrate that a genuine effort has been made. This article explains what documentation supervisory authorities are expected to accept as evidence, and where the limits of the "to the best of their extent" standard under Article 4 lie.
The standard: a best-effort obligation
Article 4 establishes a best-effort obligation. The Regulation states that providers and deployers shall take measures "to their best extent". The European Commission confirms in its Q&A on AI literacy that no certificate is required and that organisations may maintain an internal record of training and other guiding initiatives. National market surveillance authorities assess, in the context of enforcement, whether an organisation has made a genuine best-effort attempt. Proportionality is central to this assessment: the level of documentation expected is linked to the nature and risk level of the AI systems in use.
What documentation counts as evidence
Although the Regulation does not provide an exhaustive list of evidence, the text of Article 4 and the Commission's guidance together point clearly to the types of documentation that supervisory authorities will consider relevant:
- AI system inventory: an overview of which AI systems the organisation uses, for what purpose, and with what risk classification. This forms the basis for any assessment of the required literacy level.
- Training plan or learning programme: a written plan describing which staff members follow which training, tailored to their role and the type of AI system they work with.
- Certificates of participation or attendance records: evidence, per training session, e-learning module, or workshop, that staff actually completed the training. This may be an automatically generated certificate from a learning platform, or a signed attendance list.
- Internal AI policy or AI guidelines: a document describing how the organisation manages AI use, which tools are permitted, how incidents are reported, and who holds responsibility.
- Role-based mapping: documentation showing that the literacy level has been calibrated to the individual employee, taking into account their technical knowledge, experience, and the context of use. Article 4 explicitly lists these factors.
What supervisory authorities in the Netherlands review
From 2 August 2026, national market surveillance authorities are empowered to enforce Article 4. In the Netherlands, the Autoriteit Persoonsgegevens (AP) and the Rijksinspectie Digitale Infrastructuur (RDI) are the central coordinating supervisory authorities. Sectoral authorities such as the AFM, DNB, and IGJ supervise within their own domains. The AI Act Implementation Act (UAIV), which underwent public consultation until 1 June 2026, codifies the division of powers in national law.
When carrying out an inspection, supervisory authorities assess whether the organisation has demonstrably considered who uses AI, what risks that entails, and what measures have been taken. An organisation that can only provide a verbal assurance that its staff "know how AI works", without any written evidence, will find it difficult to pass that test. The Commission explicitly notes that enforcement may be more stringent where there is evidence of an incident caused by inadequate staff training.
The role of sectoral supervisory authorities
The AP is the proposed market surveillance authority for high-risk AI applications in sectors without a dedicated sectoral supervisor, such as education, employment, and law enforcement. In the financial sector, the AFM and DNB act as market surveillance authorities; in healthcare, the IGJ. Sectoral authorities are familiar with the specific context of AI use in their domain and can therefore ask targeted questions about the adequacy of the literacy level in place. A bank using an AI system for credit assessment will face higher documentation expectations than a company using only a generic AI writing assistant.
What is not required
The European Commission states explicitly that there is no obligation to formally test employees' knowledge or obtain an external certificate. There is also no obligation under Article 4 alone to appoint an AI officer or establish an AI governance board. Internal assessments and certificates of participation are recommended as evidence, but are not themselves a statutory requirement. Organisations decide which measures are appropriate, provided those measures are demonstrable and proportionate to the risk level of the AI systems in use.
Recommended minimum documentation package
For organisations seeking to demonstrate compliance with Article 4, a minimum documentation package is advisable, comprising: (1) an AI system inventory with risk classification, (2) a training plan with role-based mapping, (3) certificates of participation per employee per training session, and (4) an internal AI policy with clear responsibilities. This package provides a demonstrable starting point in an audit and shows that the organisation takes its best-effort obligation seriously. The more significant the risk level of the AI systems in use, the more comprehensive the supporting documentation that will be expected.