Article 4 of the EU AI Act requires providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy among their staff. The regulation does not prescribe specific training formats, but establishes that literacy levels must reflect each person's technical knowledge, experience, education, and the context in which AI systems are used. This means an employee who uses only a chat assistant has fundamentally different knowledge requirements than a compliance officer or an AI developer. A clear role-based framework helps organisations translate this obligation into practice.
Why differentiation is required
Recital 20 of the Regulation clarifies that AI literacy may vary across actors. The knowledge a provider needs during the development phase differs from what a deployer requires when overseeing an automated decision-making process. For affected persons, meaning those subject to AI-assisted decisions, the relevant knowledge concerns understanding how those decisions affect them. The European Commission confirms that a one-size-fits-all approach is insufficient: the organisation's role (provider or deployer), the risk category of the system, and the employee's existing knowledge level together determine what is sufficient.
Four roles as a starting point
For the practical implementation of Article 4, four organisational roles serve as a useful starting point. These roles correspond to the actors named in the Regulation (provider, deployer, operator) and align with the SAIG certification levels.
End user works daily with an AI application, such as a generative writing assistant or an AI-supported scheduling tool, but is not involved in its configuration or management. Required literacy includes a basic understanding of how the system works, recognition of incorrect or biased outputs, familiarity with internal use policies, and awareness of when human review is required.
Operator or functional administrator configures and manages AI systems within the organisation, sets parameters, and monitors performance. This requires deeper knowledge of the system's technical workings, its limitations, escalation procedures, and the transparency requirements under Article 13 of the Regulation.
Compliance and risk professional assesses whether the deployment of AI systems meets the Regulation and other applicable legislation, including the GDPR. This requires thorough knowledge of the risk categories in the Regulation, the obligations for high-risk systems (Annex III), fundamental rights impact assessments, and the rules on human oversight (Article 14) and transparency.
Board member or senior responsible officer establishes the framework for AI deployment, makes procurement decisions, and sets policy. Required literacy covers strategic risk awareness, the liability structure under the Regulation, governance requirements, and the penalty exposure for non-compliance.
What the supervisory authority expects
The Autoriteit Persoonsgegevens (AP) has published an iterative four-step model for systematically building AI literacy: identify, set goals, implement, and evaluate. The AP emphasises that AI literacy is not a one-off project but an ongoing process that must be established at board or senior management level and requires dedicated budget. Organisations must document the measures taken, although the European Commission confirms that no certificate is required: internal records of training and progress are sufficient as evidence of compliance.
Connection to the SAIG system
The SAIG system distinguishes certification levels that align with the role-based framework above. An end user working exclusively with low-risk applications will generally be able to demonstrate sufficient literacy at a lower SAIG level than a compliance officer assessing high-risk systems. Three factors that Article 4 also identifies are relevant when selecting the appropriate SAIG level: the employee's technical knowledge and experience, the context of the AI system, and the persons or groups on whom the system is used. The greater the potential impact on affected individuals, the higher the required level of literacy.
Providers versus deployers
In addition to internal roles, organisations must establish which legal position they occupy. A provider, being a party that develops or places an AI system on the market under its own name, bears broader responsibilities than a deployer that uses an existing system. Both are subject to Article 4, but the required depth of knowledge differs. An organisation acting simultaneously as provider and deployer must take measures covering both positions. This distinction has direct implications for the design of the role-based framework and the selection of the appropriate SAIG level per function.
Practical steps for implementation
A workable implementation path begins with an inventory of the AI systems in use, including their risk category and the functions that work with them. The organisation then establishes a competence profile and corresponding learning objective for each role group. The Digitale Overheid distinguishes three practical levels: employees who develop or procure AI, employees who bear responsibility for its use, and all employees with AI-related tasks. This aligns with the AP's approach, under which the obligation extends to self-employed contractors and service providers working on behalf of the organisation. Enforcement by national market surveillance authorities applies from 2 August 2026.