Article 4 of the EU AI Act (Regulation (EU) 2024/1689) became applicable on 2 February 2025. The provision is distinctive in one key respect: it applies to all organisations that use or provide AI systems, regardless of how those systems are risk-classified. Whether an organisation deploys ChatGPT for content editing or a high-risk AI system for credit decisions: the AI literacy obligation is in force. What the law requires, who is bound by it, what "sufficient level" means in practice, and how organisations can demonstrate compliance are all addressed below.

The legal text

The full text of Article 4 reads:

Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used. — Regulation (EU) 2024/1689, Article 4

Article 4 falls within Chapter I (General Provisions) and is therefore systematically decoupled from the risk classification framework. The obligation applies regardless of whether an organisation is dealing with prohibited AI, high-risk AI, or low-risk tools.

Who is subject to the obligation?

The obligation rests on two categories:

  • Providers: organisations that develop or commission an AI system and place it on the market under their own name or label.
  • Deployers: organisations that use another party's AI system professionally, under their own responsibility.

Most Dutch businesses, public authorities, and non-profits fall into the second category. Any organisation using Microsoft Copilot, ChatGPT, an AI feature in an HR system, or an automated advisory tool is a deployer and therefore subject to Article 4. Company size is irrelevant: the obligation also applies to SMEs.

The obligation furthermore extends to "other persons dealing with the operation and use of AI systems on [the organisation's] behalf". The European Commission clarifies in its official Q&A that this is not limited to employees: contractors, service providers, and in certain cases clients are also covered, to the extent that they act within the organisation's sphere of responsibility.

What does "sufficient level" mean?

There is no legally prescribed standard for what "sufficient" means. The EU AI Office deliberately maintains flexibility. The minimum requirement means that an organisation must:

  1. Ensure general AI understanding: staff know what AI is, how it works, which systems are in use within the organisation, and what the associated opportunities and risks are.
  2. Define the organisation's role: is it a provider or a deployer?
  3. Identify system-specific risks: what do staff need to know about the specific AI system they work with, and which risks must they be aware of and able to mitigate?
  4. Tailor training to individuals: taking into account technical knowledge, experience, education, and the context of use.
  5. Cover legal and ethical dimensions: links to the AI Act, data protection legislation (GDPR), and governance principles are encouraged.

For high-risk AI systems (Annex III), Article 26 imposes additional requirements: staff must be sufficiently trained to exercise meaningful human oversight. Simply referring employees to a system's instructions for use is insufficient in those cases.

Obligations by organisational type

How Article 4 is fulfilled varies by role and context:

  • Providers share responsibility for the information they pass on to deployers. Article 53(1)(b) requires providers of GPAI models to supply AI system providers with sufficient information to enable them to meet their literacy obligations.
  • SME deployers may engage with European Digital Innovation Hubs (EDIHs), which offer AI-related training and workshops. There are 251 EDIHs across Europe, with several active in the Netherlands.
  • Public authorities using high-risk AI make decisions that directly affect citizens' lives, for example in benefits, enforcement or admissions. The national Algorithm Framework (Algoritmekader) offers practical guidance per role, and the Algorithm Register supports the identification phase.

Demonstrability and documentation

There is no mandatory certificate and no compulsory examination. Organisations choose their own approach. They must, however, be able to demonstrate at an inspection or following an incident that concrete measures were taken. Recommended documentation includes:

  • An inventory of AI systems in use and the staff involved
  • An AI policy and a role matrix specifying the required knowledge level per function
  • Attendance records and certificates from completed training
  • Records of evaluations and reports to governing bodies
  • Contractual arrangements with suppliers and contracted personnel

The Autoriteit Persoonsgegevens (AP) has published two guidance documents, Aan de slag met AI-geletterdheid (January 2025) and Verder bouwen aan AI-geletterdheid (October 2025), which set out an iterative four-step plan: identify, set objectives, implement, and evaluate. Although these documents are not binding norms, demonstrable compliance with them is a strong indicator of meeting the Article 4 requirement.

Enforcement and penalties

Article 4 has been in force since 2 February 2025. The supervision and enforcement rules for national market surveillance authorities take effect on 2 August 2026. In the Netherlands, the Autoriteit Persoonsgegevens (AP) acts as the coordinating supervisory authority, in cooperation with the Rijksinspectie Digitale Infrastructuur (RDI).

Infringement of deployer obligations, including Article 4, falls under the mid-tier penalty category of Article 99: fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMEs, the lower amount applies. In practice, a failure to ensure AI literacy is more likely to be treated as an aggravating factor in broader enforcement proceedings than as a standalone ground for a fine, but when an incident or complaint arises, documentation of measures taken is critical.

The obligation to take measures to ensure AI literacy of staff has been in force [since 2 February 2025]. The supervision and enforcement rules apply from 2 August 2026. — European Commission, Q&A on AI Literacy (2025)

Digital Omnibus: a possible amendment on the horizon

In November 2025, the European Commission proposed via the Digital Omnibus to shift the Article 4 obligation away from a direct organisational duty and towards a promotion task for member states and the Commission. This agreement had not yet been formally adopted at the time of publication. For organisations deploying high-risk AI, the training requirement for human oversight under Article 26 remains in force regardless. Until a formal legislative amendment is adopted, the current text of Article 4 applies in full.