Article 4 EU AI Act: What the AI Literacy Obligation Really Means for SMBs
Article 4 of the EU AI Act has applied since February 2025, with fines from August 2026. What the AI literacy obligation means for mid-sized companies, explained in practical terms.

A conversation in April
Two weeks ago I sat in a video call with the CEO of a mid-sized engineering company from the Black Forest. 280 employees, well-run family business, healthy books. Nine months ago she rolled out Microsoft 365 Copilot to half her workforce, plus a ChatGPT Team licence for engineering. It works. Employees are happy, marketing output has measurably accelerated.
Her question in that call: "My lawyer tells me I need to train my people now. Because of Article 4. Do we really have to? And what exactly?"
The honest answer is: yes, you do. Since 2 February 2025. National market surveillance authorities have been designated since 2 August 2025 — in Germany, that is the Bundesnetzagentur. Fines become enforceable from 2 August 2026. What Article 4 EU AI Act specifically requires of you is considerably less dramatic than it sounds at first — and at the same time more concrete than how most companies are currently implementing it.
This article is written for managing directors and executives who already deploy AI — typically ChatGPT, Copilot or Claude — and now want to understand what the AI literacy obligation means in practice. No alarmism, no legal boilerplate, with the ambition that after reading you know what to do.
What Article 4 actually requires — and what it does not
The wording of Article 4 is short. In essence: providers and deployers of AI systems shall take measures to ensure, "to their best extent," a sufficient level of AI literacy among their staff and other persons dealing with AI systems on their behalf. The measures take into account technical knowledge, experience, education and the context in which the AI is being used.
Three points in that wording matter.
First: you are in scope. As soon as your employees use ChatGPT, Copilot, Claude, Gemini or any other AI system in a professional capacity — even just to draft a customer email — you are a deployer within the meaning of the EU AI Act. The threshold is zero. Unlike some other obligations under the Act, there is no SMB exemption for Article 4. The only carve-out concerns purely private, non-professional use — employees using ChatGPT at home, not at work.
Second: "to their best extent" is an open-ended norm. In May 2025 the European Commission explicitly clarified in its AI Literacy Q&A that there is no prescribed curriculum, no specific certification requirement, no minimum number of hours. What you have to do is context-dependent: a manufacturer using AI only for emails has a different obligation than a consultancy using AI for client recommendations. This openness is also the catch: you cannot discharge the obligation simply by purchasing an e-learning licence — training must be fit for purpose.
Third: you do not need to certify anything — but you must be able to demonstrate compliance. Article 4 itself requires no documentation. But when the Bundesnetzagentur asks in 2026 what you have done, you need to be able to show something. Verbal-only training without any record is in practice indefensible.
What Article 4 does not require:
- No external certifications for your employees
- No equivalent of a data protection officer specifically for AI (that is a separate matter, regulated under high-risk classification)
- No mandatory quarterly refresher (annual refresh is best practice though)
- No requirement to formally approve every AI tool in use
The potential sanctions, however, are not trivial. Breaches of deployer obligations — which include Article 4 — can be sanctioned under Article 99 EU AI Act with up to 15 million euros or 3 percent of global annual turnover, whichever is higher. National authorities will realistically not bring the hammer down on mid-sized companies at first — but documented procedures will become the entry ticket for every public procurement process, every M&A due diligence and many supplier questionnaires.
The five typical gaps in mid-sized companies
Over the past months I have spoken with more than 30 management teams across the DACH region about Article 4. In roughly four out of five cases the same five gaps are present. They are rarely dramatic, but all five are there.
Gap 1: No complete AI inventory
Almost no managing director answers the question "Which AI systems are your employees currently using?" correctly. The official answer is usually "Copilot and ChatGPT"; the actual reality looks different: marketing uses Midjourney, engineering uses Claude and Cursor, sales runs Apollo.io with its AI features, recruiting uses LinkedIn AI features, HR experiments with DeepL Write, and someone in accounting is letting ChatGPT analyse expense reports. We call this shadow AI, and it is considerably more widespread in mid-sized companies than the IT department typically realises. Without an inventory, you cannot train anyone — because you do not know what to train them on.
Gap 2: No written AI policy
Eight out of ten mid-sized companies have no written, management-approved AI usage policy. They often have a "gut feeling" — no customer data into ChatGPT, no IP-related code — but it is not documented, not communicated, and therefore not usable for Article 4. A serviceable policy runs three to five pages, covering use cases, prohibited inputs, accountabilities and the response to suspected hallucinations.
Gap 3: Training without documentation
Many companies have trained — usually as part of a Copilot rollout. The problem: no attendance list, no table of contents, no record. If the Bundesnetzagentur asks for central compliance evidence in 2027, "We did something on this in summer 2025" gets you nowhere. You need a versioned training package, a dated attendance record and ideally a knowledge check whose results are archived.
Gap 4: No systematic engagement with hallucinations
The probability that an employee forwards a factually incorrect AI output unchecked to a customer correlates closely with the maturity of their training on exactly this point. In practice the topic either does not come up at all or is dispatched in a single slide ("AI can also get things wrong"). What is missing are concrete exercises: employees should learn to verify plausible AI answers, trace sources back and recognise edge cases. This is the only training component that makes a real difference in the event of an incident.
Gap 5: External service providers outside the scope
Article 4 applies to "other persons dealing with the operation and use of AI systems on their behalf". That includes your freelancers, your IT vendors, your marketing agency — and they must be brought into your AI literacy measures just like your own employees. Contracts with external service providers almost never reflect this. A short AI clause in the engagement letter (two sentences are enough) closes the gap and shifts the burden of proof.
Compliant implementation in four to six weeks
The good news: the effort for a mid-sized company with 50 to 500 employees is manageable. A realistic timeline for an initial compliant implementation looks like this.
Week 1 — inventory and risk sorting. Send a short survey to every department head: which AI tools are actually being used in your area, under which licence, by whom, and for what data? Consolidate this into a one-page table. Sort the tools by whether they handle only non-sensitive data (low risk) or potentially process customer, employee or IP data (elevated risk).
Week 2 — write and internally approve the policy. A serviceable AI usage policy can be kept to three to five pages. It covers: permitted use cases, prohibited inputs (customer data, candidate data, IP, contractual secrets), approval process for new tools, accountabilities (e.g. an AI champion per department), behaviour when hallucinations are suspected. The policy is countersigned by management and stored on the intranet. Important: it only counts once all employees have acknowledged receipt in writing.
Weeks 3 and 4 — baseline training for everyone. All employees who use AI on the job, or might do so, complete a 60 to 90-minute baseline training. Content: what generative AI is technically (10 min), which legal frameworks apply (10 min), what you may and may not do (15 min), hallucination recognition with three concrete examples from your business (20 min), quiz with record-keeping (10 min). Training can be delivered as a live webinar (scales better for larger workforces), an in-person workshop (better for risk roles such as sales and HR) or as quality e-learning. We recommend a mix: e-learning for foundations, in-person for the hallucinations exercise.
Week 5 — advanced module for risk functions. Staff in sales, HR, legal, compliance, finance and product development additionally receive a two-hour advanced module with function-specific use cases. Concrete domain framing pays off here — and this is where external support helps, because internal trainers typically lack the market overview to cleanly separate candidate screening from candidate prioritisation, for example.
Week 6 — contracts and documentation finalised. Add a short AI literacy clause to your standard service-provider contracts. Open a file for each training cohort: date, attendance list, final version of the training material, quiz results. Set a reminder for the annual refresher. Done.
Run this and by August 2026 you are not only formally compliant but have also materially reduced the typical downstream issues (data leaks, compliance risk in procurement, M&A findings). Total effort for a 200-person company: 25 to 40 person-days spread over six weeks. For most of our clients that is well below what a single mis-answered customer query through a ChatGPT hallucination would cost.
What you should do this week
Three steps that are realistic today.
First: ask the three most relevant departments (IT, marketing, sales) to give you, by end of the week, a handwritten list of which AI tools are in use. You will be surprised.
Second: check whether a written AI policy exists. If it does, is it current? If not, put it on the agenda for the next management meeting.
Third: clarify with your lawyer or compliance officer whether you qualify as a high-risk deployer under the AI Act — certain sectors (medical, candidate screening, credit scoring) carry considerably stricter obligations beyond Article 4. For a broader view of the regulatory landscape, see our EU AI Act roadmap for C-Level.
With these three points handled, the rest is mechanical. The obligation is serious, but it is achievable — and achievable in normal business hours, without standing up a major compliance programme.
A pragmatic starting point: If you want to see where your company concretely stands, take our AI Check. Specific questions, seven minutes of your time, a personalised priorities roadmap at the end — free, no sign-up. If you would rather have the implementation supported, our AI Training packages are tailored to mid-sized European companies.
Article 4 is the simplest obligation in the EU AI Act. It is also the one most companies will fail, because it looks too incidental. It does not have to be that way.
Frequently Asked Questions
Does Article 4 EU AI Act also apply to small companies?
Yes, with no SMB exemption. As soon as employees use AI systems such as ChatGPT, Copilot or Claude in a professional context, your organisation is a deployer under the EU AI Act. The threshold is zero. The only exclusion is purely private, non-professional use.
What fines apply for breaches of Article 4 EU AI Act?
Breaches of deployer obligations — which include Article 4 — can be sanctioned under Article 99 EU AI Act with up to 15 million euros or 3 percent of global annual turnover, whichever is higher. These penalties become enforceable on 2 August 2026 by the national market surveillance authorities; in Germany this is the Bundesnetzagentur.
Is a single ChatGPT training session enough to meet the AI literacy obligation?
No. Compliant implementation comprises four elements: an inventory of all AI tools in use, a written AI usage policy, documented role-based training with attendance records, and an annual refresher. External service providers must be contractually included. A one-off training session without documentation is not defensible in practice.



