Article 4 of the EU AI Act requires providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff. The Autoriteit Persoonsgegevens (AP) has published a practical four-step plan for this purpose in its guidance documents "Aan de slag met AI-geletterdheid" (March 2025) and "Verder bouwen aan AI-geletterdheid" (October 2025). This plan is not a one-off checklist but a cycle that organisations must repeat on a regular basis. The approach differs depending on the size of the organisation and the roles of the staff involved.

The four steps

The AP's four-step plan consists of four sequential, recurring steps:

Step 1: Identify. Map out which AI systems the organisation uses, who works with them, for what purpose, and what risks they entail. This includes purchased tools with AI components and so-called shadow AI.

Step 2: Set objectives. Determine, for each role group, what level of AI literacy is required. An employee who uses AI as a writing aid has different knowledge needs than a compliance officer who assesses high-risk AI systems. Document the objectives in competency profiles.

Step 3: Implement. Develop and deliver training aligned with the set objectives. Combine methods: e-learning for foundational knowledge, workshops for deeper understanding, and practical exercises with the organisation's own AI tools. Document participation and results demonstrably.

Step 4: Evaluate. Measure whether the objectives have been met through assessments and feedback rounds. Adjust the programme based on results and repeat the cycle at least annually. AI literacy is an ongoing process, not a one-off administrative task.

Implementation tips for small organisations (up to 50 employees)

Small organisations typically lack a dedicated HR or compliance department. The approach can be straightforward and pragmatic:

  • Designate one person (for example the director or an enthusiastic staff member) as the internal AI point of contact.
  • Start the identification step with a brief inventory: which AI tools are used daily (such as Microsoft Copilot, ChatGPT, or automated scheduling tools)?
  • Opt for a shared foundation training for all staff, followed by a short discussion about the specific applications within the organisation.
  • Record participation in a simple overview (spreadsheet or HR system) as demonstrable evidence for supervisory authorities.
  • Schedule the evaluation step as a standing agenda item at the annual staff review cycle.

Implementation tips for medium-sized organisations (50 to 500 employees)

Medium-sized organisations have more roles and departments, making a differentiated approach necessary:

  • Appoint an AI coordinator or AI officer to oversee the literacy programme and report to the board.
  • Create a role matrix at the identification step: who uses which AI systems, with what risk profile?
  • Work with role-specific training modules. Operational staff follow a different module than managers or procurement staff who assess AI contracts.
  • Use a progress dashboard or Learning Management System (LMS) to track participation and results.
  • Draw up a multi-year action plan, as recommended by the AP, with measurable annual targets and a yearly board evaluation.

Implementation tips for large organisations (more than 500 employees)

Large organisations have complex structures with a wide range of AI applications, including high-risk systems:

  • Establish a formal governance structure: an AI board or working group with representatives from HR, Legal, IT, and line management.
  • Conduct a comprehensive AI systems inventory at the identification step and include this in the data processing register (GDPR) where AI systems process personal data.
  • Develop a layered training programme with role-specific pathways, mandatory refresher training, and dedicated modules for executives.
  • Carry out a baseline assessment at the start of each cycle and repeat it to demonstrate progress to auditors and supervisory authorities such as the AP.
  • Systematically embed AI literacy in the onboarding process for new employees and in procurement terms and conditions for external AI suppliers.

Link to SAIG certification levels

The AP's four-step plan determines what organisations must do; the SAIG certification levels indicate the level of knowledge individual employees are required to demonstrate. The four levels align with the role-based differentiation described in the AP's guidance documents:

  • Awareness: for all employees who encounter AI occasionally or indirectly. Provides foundational knowledge of what AI is, what risks exist, and how the AI Act applies.
  • Basis: for employees who use AI tools on a daily basis. Deepens knowledge of responsible use, recognising bias, and individual obligations under Article 4.
  • Practitioner: for employees with a coordinating or implementing role, such as HR professionals and process owners. Covers drawing up competency profiles, assessing training programmes, and reporting on progress.
  • Advanced: for executives, compliance officers, and AI officers who bear ultimate responsibility for the literacy programme. Covers governance, multi-year action plans, risk analysis, and demonstrability towards supervisory authorities.

When carrying out step 2 (setting objectives) of the AP plan, it is advisable to use these levels as a reference framework when drawing up competency profiles for each role group.

A cyclical process, not a final destination

The AP explicitly emphasises that AI literacy is not a snapshot. AI systems and applications evolve rapidly, meaning the required knowledge must evolve too. The four-step plan is therefore deliberately designed as a cycle: after evaluation, the identification process begins again, with new or modified AI systems as the starting point. Organisations that carry out this process demonstrably and with proper documentation satisfy the best-effort obligation under Article 4 of the EU AI Act and are prepared for supervision and enforcement.