Article 4 is the only provision of Regulation (EU) 2024/1689 that applies to deployers of all AI systems, not only those classified as high-risk under Annex III. Every business that has deployed an AI tool in any workflow, including AI writing assistants, customer service chatbots, AI-powered analytics platforms, and AI scheduling or workflow tools, is subject to Article 4. The compliance failure rate in this provision is likely the highest in the Regulation, precisely because it applies universally but has received far less attention than the headline high-risk AI obligations.
Key takeaways
- Article 4 of Regulation (EU) 2024/1689 became applicable on 2 February 2025. It applies to all deployers and providers of AI systems within the Regulation's scope, irrespective of the system's risk classification. Deployers of non-high-risk AI are subject to Article 4 even though they are not subject to Articles 9 through 17 or Article 26.
- The obligation is to take measures ensuring a sufficient level of AI literacy for staff dealing with AI systems. Sufficiency is contextual: it must be proportionate to the person's role, the risk level of the AI system, and the person's existing technical knowledge, experience, education, and training, per Recital 20.
- Article 4 does not specify a training format or certification requirement. The obligation is outcome-based: deployers must demonstrate that the persons dealing with their AI systems have adequate literacy. How that is achieved is within the deployer's discretion, but it must be documented.
- Article 4 is the foundation for Article 26(2) compliance. Deployers of high-risk AI systems who must assign competent oversight persons under Article 26(2) cannot do so without first ensuring baseline AI literacy across their organisation.
- The connection to insurance is direct. An enterprise that cannot demonstrate AI literacy measures for its staff has not met the basic governance standard that AI insurers and underwriters are beginning to require as a condition of coverage. The absence of a documented literacy programme is an underwriting red flag.
The text and scope of Article 4
Article 4 of Regulation (EU) 2024/1689 reads in full: "Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."
Three elements of this text require close attention. First, the obligation falls on both providers and deployers. It is not limited to one category. A business that acts only as a deployer, using a third-party AI service in its internal processes, is subject to Article 4 in the same way as a company that both builds and deploys AI systems.
Second, the obligation applies to all AI systems within the Regulation's scope, with no carve-out for non-high-risk AI. The Regulation's scope under Article 2 covers AI systems placed on the market, put into service, or used in the EU. A business using an AI tool licensed from a provider for internal use is a deployer under Article 3(4) and is subject to Article 4. The only systems clearly outside scope are AI for exclusively personal or non-professional use, which Article 2(9) excludes, and certain research and development activities.
Third, the standard is "to their best extent," which introduces a proportionality qualifier. The obligation is not absolute: a deployer is not required to achieve a defined literacy level regardless of the practicability of doing so. The "best extent" qualifier does not, however, create a de minimis threshold below which no action is required. Recital 20 clarifies that AI literacy should enable informed deployment of AI systems and awareness of risks and possible harms.
What "sufficient level of AI literacy" means in practice
Regulation (EU) 2024/1689 does not define AI literacy or specify the content of a sufficient literacy programme. Recital 20 provides the clearest guidance: AI literacy means skills, knowledge, and understanding that allow providers, deployers, and affected persons to make an informed deployment of AI systems, as well as to gain awareness of the opportunities and risks of AI and of possible harms it can cause. This definition is deliberately broad, and the Regulation explicitly calibrates sufficiency to the person's role and existing knowledge.
In practice, this means different staff members require different literacy interventions. A compliance officer responsible for approving AI deployments requires literacy about risk classification under the EU AI Act, about the governance obligations that different risk levels trigger, and about how to assess whether a proposed AI system meets the requirements for deployment. An operations manager supervising a team using an AI customer service tool requires literacy about what the tool can and cannot do reliably, how to recognise signs of failure or hallucination in its outputs, and how to escalate concerns. A developer integrating AI APIs into internal tools requires technical literacy about model behaviour, output uncertainty, and the boundaries of the model's reliable performance.
A literacy programme that addresses all three profiles with the same generic content will not satisfy Article 4, because Article 4 requires calibration to each person's existing knowledge and the context of the AI systems they deal with. A deployer operating AI in three different workflows, each with different staff roles and different AI risk profiles, must build three differentiated literacy interventions rather than one uniform one.
Calibration to existing knowledge, experience, and training
The text of Article 4 specifies that literacy measures must take into account staff members' "technical knowledge, experience, education and training." This calibration requirement has a practical implication: deployers cannot rely on a one-size-fits-all approach, and they cannot ignore what staff already know.
A team of software engineers who build and maintain AI-integrated systems already possess substantial relevant knowledge. Requiring them to complete a basic AI awareness course designed for non-technical staff satisfies neither the calibration requirement nor any meaningful definition of sufficiency for their roles. Conversely, a team of customer service representatives who use an AI tool without any prior technology training requires a different intervention than a team with prior digital literacy experience.
The calibration requirement also means that deployers should baseline their current staff literacy before designing any programme. An organisation that does not know what its staff currently understand about AI cannot demonstrate that its programme achieves a sufficient uplift from the current position. A pre-programme assessment, even a brief structured questionnaire, both documents the starting point and informs the design of the intervention.
The connection to Article 26(2): competent oversight persons
Article 4 and Article 26(2) are not independent obligations that can be satisfied separately. They form a compliance sequence for deployers of high-risk AI systems, and satisfying Article 26(2) without first having satisfied Article 4 is structurally inconsistent with the Regulation's design.
Article 26(2) requires deployers of high-risk AI systems to assign oversight responsibility to natural persons who have the necessary competence, training, authority, and support to exercise the human oversight functions specified in Article 14(4). Those functions include the ability to fully understand the high-risk AI system's capabilities and limitations, to correctly interpret the system's outputs, and to decide not to use the system or to override its output where appropriate.
A person assigned oversight responsibility under Article 26(2) who does not have the AI literacy that Article 4 requires for their role cannot satisfy the competence requirement in Article 26(2). This creates a dependency: the Article 4 literacy programme is the foundational compliance step, and Article 26(2) oversight assignment builds on it. Deployers who have assigned oversight persons before establishing a literacy programme have put the obligations in the wrong order. For a full analysis of Article 26(2) and the complete deployer obligations under Article 26, see the Article 26 complete guide.
The connection to Article 9: AI literacy as a risk management enabler
Article 9 of Regulation (EU) 2024/1689 requires deployers of high-risk AI systems to implement a risk management system as an ongoing iterative process. The risk management system must identify and analyse risks to health, safety, and fundamental rights, estimate and evaluate the probability and severity of those risks, evaluate risks emerging from post-market monitoring, and adopt suitable risk management measures proportionate to the identified risks.
A risk management system maintained by staff who lack AI literacy is a risk management system that cannot function as intended. Risk identification requires staff to understand what AI systems fail at, in what contexts, and with what types of input. Risk estimation requires staff to assess the probability of AI system failure in the specific deployment context, which requires knowledge of the system's documented limitations. Risk evaluation requires staff to assess the severity of possible harms in light of the system's outputs and the affected population.
Article 4 literacy is therefore a prerequisite for meaningful Article 9 compliance, not a separate obligation. The EU AI Act's design logic connects the literacy obligation to every substantive governance requirement in the Regulation, because governance without understanding is procedural compliance with no functional effect. For the detailed requirements of Article 9, see the Article 9 risk management system guide.
What a compliant Article 4 programme looks like
No single template satisfies Article 4 for all organisations, because the obligation is calibrated to context. However, a compliant programme will contain the following elements, which together demonstrate that the deployer has taken genuine measures proportionate to their AI deployment profile.
First, an inventory of AI systems in use. A deployer cannot calibrate literacy to the context of their AI systems without knowing what AI systems they deploy. The inventory should record the systems in use, the workflows they support, the staff roles that interact with them, and the risk level each system represents under the EU AI Act's classification framework. This inventory also serves the risk management function under Article 9 and the post-market monitoring function under Article 72.
Second, a staff mapping exercise. The deployer should identify all staff who deal with AI systems in their professional capacity, mapped to the specific systems they use and the nature of their interaction. The mapping distinguishes between staff who make decisions about AI deployment (governance and compliance roles), staff who operate or configure AI systems (technical roles), and staff who use AI system outputs in their work (operational roles). Each category requires different literacy content.
Third, a literacy gap assessment. The deployer should establish what relevant knowledge each staff category currently has and what gaps exist relative to the sufficiency standard for their role. This assessment is the calibration mechanism that Article 4 requires and the evidence base for demonstrating that the programme is proportionate to existing knowledge.
Fourth, differentiated literacy content. The programme delivers appropriate content to each staff category based on the gap assessment. Content for governance and compliance staff covers the EU AI Act classification framework, deployer obligations, risk assessment methodology, and oversight responsibilities. Content for technical staff covers model behaviour, output uncertainty, documentation requirements, and integration security. Content for operational staff covers the specific system's capabilities and limitations, how to recognise anomalous or unreliable outputs, and the escalation procedure for concerns.
Fifth, documentation and record-keeping. The deployer records who received what training, when, and at what assessed level of completion. This documentation is evidence that Article 4 has been satisfied and is the document that a market surveillance authority would expect to see in an investigation. It is also, increasingly, the document that AI insurance underwriters request as part of the evidence of governance infrastructure.
Enforcement and penalty exposure
The EU AI Act does not specify a penalty tier explicitly for Article 4 violations. The enforcement architecture in Article 99 establishes three tiers: violations of the prohibited practices in Article 5 carry the highest penalties of up to EUR 35 million or 7 per cent of global turnover; violations by providers of obligations relating to high-risk AI systems carry up to EUR 15 million or 3 per cent; and supply of incorrect information to authorities carries up to EUR 7.5 million or 1.5 per cent. Article 4 violations would be assessed by national market surveillance authorities, and the applicable penalty tier would depend on how the authority characterises the breach in the context of a broader compliance investigation.
The more immediate consequence of Article 4 non-compliance is evidentiary. In any supervisory investigation or litigation arising from a harm caused by an AI system, the deployer's AI literacy programme, or lack of one, is a direct indicator of the deployer's general governance standard. A deployer who cannot demonstrate that their staff dealing with AI had a sufficient level of AI literacy has structural difficulty defending the claim that they exercised reasonable care in their AI operations. For an analysis of how governance documentation connects to insurance coverage, see the compliance documentation and insurance evidence guide at agentinsured.eu.
Practical steps for deployers not yet in compliance
For deployers who have not yet taken Article 4 measures, the starting point is not a training course. The starting point is an inventory and a gap assessment. Without knowing what AI systems you operate and what your staff currently understand, any training programme is arbitrary. The five-step sequence set out under "What a compliant Article 4 programme looks like" applies: inventory, mapping, gap assessment, differentiated content, documentation.
For most organisations, the primary compliance gap is not the absence of AI knowledge in the organisation. AI knowledge exists among technical and product staff who have worked with AI tools. The gap is typically the absence of that knowledge among governance, compliance, legal, and senior management staff who make decisions about AI risk without the literacy to evaluate those decisions well. A programme that closes the literacy gap at the governance level and then cascades appropriate content to operational staff is likely to be both proportionate and sufficient.
The connection between Article 4 compliance and the certification and insurance markets is becoming concrete. Certification assessments under the FP Certified framework and assessments conducted under the AIUC-1 standard both include governance literacy as an evaluated dimension. An organisation preparing for AI governance certification that does not have an Article 4-compliant literacy programme will find that gap reflected in the certification assessment. For context on how the certification dimensions connect to EU AI Act obligations, see the seven dimensions and EU AI Act obligations map at agentcertified.eu.
Frequently asked questions
What does Article 4 of the EU AI Act require from deployers?
Article 4 of Regulation (EU) 2024/1689 requires providers and deployers of AI systems to take measures ensuring a sufficient level of AI literacy for all staff dealing with AI systems on their behalf. Sufficiency is calibrated to each person's existing knowledge and to the context of the AI systems they use. There is no mandatory training format or certification: the obligation is outcome-based.
When did Article 4 of the EU AI Act come into force?
Article 4 applied from 2 February 2025, the end of the six-month transitional period after the Regulation entered into force on 1 August 2024. It is not affected by the delay proposed in the Digital Omnibus, which addresses Chapter III high-risk AI obligations. Article 4 has been enforceable for more than a year as of June 2026.
Does Article 4 apply to deployers of non-high-risk AI systems?
Yes. Article 4 applies to all deployers of AI systems within the Regulation's scope, not only those deploying high-risk AI under Annex III. A business using an AI writing assistant, AI analytics tool, or AI customer service chatbot is a deployer subject to Article 4 even though those systems are not high-risk.
What is a 'sufficient level' of AI literacy under Article 4?
The Regulation does not define a fixed standard. Recital 20 clarifies that AI literacy means skills, knowledge, and understanding enabling informed deployment and awareness of AI risks and possible harms. Sufficiency is contextual: it must be adequate for the person's role, proportionate to the AI system's risk level, and calibrated to the person's existing technical background.
How does Article 4 relate to the human oversight requirement in Article 26?
Article 4 literacy is the foundation for Article 26(2) oversight compliance. Deployers of high-risk AI must assign oversight persons who have the competence to understand the system's capabilities and limitations. That competence requires the AI literacy that Article 4 mandates. Satisfying Article 26(2) without first satisfying Article 4 is logically inconsistent with the Regulation's design.
References
- Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 (Artificial Intelligence Act), OJ L, 12.7.2024. Article 4, AI literacy obligations.
- Recital 20, Regulation (EU) 2024/1689. Provides the definition of AI literacy as skills, knowledge, and understanding enabling informed deployment of AI systems and awareness of opportunities and risks.
- Article 2, Regulation (EU) 2024/1689. Scope of application including persons who deploy AI systems.
- Article 3(4), Regulation (EU) 2024/1689. Definition of deployer as any natural or legal person using an AI system under their own authority.
- Article 2(9), Regulation (EU) 2024/1689. Exclusion for AI systems used solely for personal non-professional purposes.
- Article 9, Regulation (EU) 2024/1689. Risk management system obligations for deployers of high-risk AI systems.
- Article 14, Regulation (EU) 2024/1689. Human oversight requirements for high-risk AI systems, including Article 14(4) capability requirements for assigned oversight persons.
- Article 26(2), Regulation (EU) 2024/1689. Obligation on deployers of high-risk AI to assign oversight responsibility to competent natural persons.
- Article 72, Regulation (EU) 2024/1689. Post-market monitoring obligations for deployers of high-risk AI systems.
- Article 99, Regulation (EU) 2024/1689. Penalty framework and tiered maximum penalties for different categories of violation.
- European Commission Digital Omnibus package, March 2026. Proposes extension of Chapter III high-risk AI obligation dates from 2 August 2026 to 2 December 2027. Article 4 is Chapter I and is not within the scope of the proposed extension.
- AIUC-1 Certification Standard for AI Agents (AIUC, 2025). Seven certification dimensions include governance literacy as an evaluated component of the organisational governance assessment.
- ISO/IEC 42001:2023 (AI Management System Standard). Clause 7.2 on competence requires organisations to determine necessary competence for persons affecting the organisation's AI performance, consistent with the Article 4 literacy standard.