AI literacy is now a legal duty.
Article 4 of the EU AI Act, in plain language.
The short version
If you are an organization in the EU and you use AI tools at work, you have a legal obligation to make sure the people using those tools understand them. That obligation comes from Article 4 of the EU AI Act. It became applicable on 2 February 2025. Most small organizations have not heard of it. Most that have heard of it do not know what it actually requires of them.
This memo explains what Article 4 says, who it applies to, what sufficient AI literacy means in practice, what good-faith compliance looks like when you do not have a compliance officer, and what enforcement actually looks like today. If you run a school, a clinic, a small business, a nonprofit, a public office, a law firm, or any other organization that uses AI in any form, this applies to you. Read it.
This memo is plain-language explanation. It is not legal advice. For legal advice specific to your organization, consult a qualified lawyer.
What Article 4 actually says
The full text is short. Here is the official wording from Regulation (EU) 2024/1689, Article 4, on AI literacy:
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.
Three things to notice. First, the obligation is on both providers (the companies that build AI) and deployers (anyone using an AI system in their work). Second, the required level of literacy is not fixed. It depends on context: who is using the AI, who is affected by it, and what the AI is doing. Third, the obligation is "to their best extent", meaning what is reasonable given your size and resources.
In plain English: if you use an AI system in your organization, you must make sure the people who use it have enough AI literacy to use it well. The level of literacy required depends on what the AI is doing, who it is being used on, and what the consequences are if it gets things wrong.
When did this start?
The Article 4 obligation became applicable on 2 February 2025. It is law in all 27 EU member states. The European Commission has confirmed there is no grace period and no transitional arrangement specifically for Article 4. The obligation applies now. If you have been deploying AI in your organization since 2024 or earlier, you are already inside the obligation. If you are deploying AI today, you are inside it the moment the tool is turned on.
Who it applies to
If you are a deployer of an AI system inside the EU, Article 4 applies to you. The Regulation defines a deployer as any natural or legal person, public authority, agency, or other body using an AI system under its authority in the course of a professional activity. That is a wide net.
It catches:
- A school using an AI grading platform.
- A clinic using an AI triage or diagnostic tool.
- A small business using an AI accounting platform that auto-categorizes transactions.
- A nonprofit using an AI-driven CRM that scores donor likelihood.
- A law firm using an AI tool to draft contracts.
- A public office using AI-based document classification.
- A library using AI-based search recommendations.
- A municipality using a citizen-service chatbot.
- A bank using an AI tool to assess loan applications.
- A recruiter using an AI tool to rank CVs.
It also catches the obvious: any organization using ChatGPT, Claude, Gemini, Microsoft Copilot, Google Workspace AI features, or any other general-purpose AI tool in the course of professional work. The fact that the AI is built into software you already pay for does not exempt you. If your staff are using it for professional tasks, you are a deployer.
A few exclusions are worth knowing. Article 4 does not apply to AI used in purely personal, non-professional activity. The teacher using ChatGPT at home, off the clock, for her own writing is not bound by Article 4 for that use. It does not apply to AI used solely for personal household activity. And it does not currently apply to certain national-security and defense uses, which are governed by separate legal frameworks.
If you use AI at work, in any form, for any task that touches your professional duties, you are very likely a deployer and Article 4 applies to you.
What sufficient AI literacy actually means
Article 4 does not define a fixed standard. It does not say "your staff must pass an exam" or "you must spend X hours on training." The obligation is calibrated. What is sufficient for a small marketing agency using ChatGPT to draft posts is not sufficient for a hospital using an AI triage system on patients.
In practice, sufficient AI literacy means your staff must understand:
- What the AI tool actually does, in plain language.
- Where the tool fails or makes mistakes.
- How to recognize when an output is wrong, biased, or misleading.
- How to handle data responsibly when using the tool, including personal data under GDPR.
- What the limits of the tool are and when not to rely on it.
- What the consequences are for the people affected by the tool's outputs.
The European Commission and member-state authorities have repeatedly emphasized that Article 4 is outcome-oriented. That means it is not about a certificate. It is about whether your people actually know what they are doing when they use AI.
A concrete test. If a school is using an AI grading tool, the teachers using it should be able to answer: how does this tool score essays, when does it score them wrong, am I allowed to override its recommendation, what do I do if a parent challenges a grade the tool produced? If a clinic is using an AI triage tool, the staff should be able to answer: what does the tool flag, what does it miss, when should I escalate beyond what the tool suggests, what do I tell a patient who asks why an algorithm sorted them? If a nonprofit is using an AI tool to scan grant applications, the program officer should be able to answer: what features is the tool weighting, where could it be biased, how do I check that promising applications are not being filtered out?
Sufficient literacy means being able to answer those questions before something goes wrong, not after.
What good-faith compliance looks like for a small organization
Most small organizations cannot afford a Chief AI Officer, a dedicated AI compliance function, or a 40-hour staff training program. The law does not require any of those. The phrase "to their best extent" was put into Article 4 on purpose. It means: do what is reasonable, given your size, resources, and the risks the AI is creating.
Good-faith compliance for a small organization looks like six concrete steps.
- Inventory. Make a list of the AI tools your organization actually uses. Include AI features inside tools you already have: Microsoft Copilot, Google Workspace AI, your CRM, your accounting software, your email's smart-reply, your applicant-tracking system, your translation tool. You will probably find more than you expected.
- Document. For each tool, write down: what it does, who in the organization uses it, what data goes into it, what decisions it influences, and what could go wrong if it gets things wrong. One page per tool. No more.
- Brief. Make sure the people using each tool have read the documentation. Confirm in writing that they have read it. This can be a short email reply. It does not need to be a formal training certificate. The point is that you can show, if asked, that the people using AI tools were briefed on what they do and where they fail.
- Set rules. Write down basic rules for using AI tools: do not put personal data into a generative AI tool without checking the privacy settings; do not rely on AI-generated outputs without verifying them; disclose to clients, patients, students, or applicants when AI is used in a decision that affects them; do not use AI tools for purposes outside what they were designed for. One page. Short sentences. Make it readable.
- Designate. Name one person as the contact for AI literacy questions. The director, the office manager, the IT person, the data protection officer if you have one. They do not need to be an AI expert. They need to be the person who knows where the policies are and who answers staff questions.
- Review. Revisit all of the above every twelve months. If technology moves faster than annual reviews, or a major new AI tool is introduced, or an incident occurs, update sooner.
That is reasonable Article 4 compliance for an organization with five staff or fifty. A larger organization would do the same things with more rigor: a written policy, formal training records, an annual audit, a designated AI governance committee. The shape of the work scales with the organization. The legal duty does not change.
What Article 4 does NOT require
Several myths are worth correcting.
- Article 4 does not require a formal AI training certificate.
- It does not require you to ban AI in the workplace.
- It does not require a Chief AI Officer.
- It does not require expensive consultancy.
- It does not require staff to become AI engineers.
- It does not apply only to "high-risk AI." The literacy obligation applies to all AI systems used in professional contexts, whether high-risk or not.
What Article 4 does require is that you take reasonable, documented measures to make sure your staff understand the AI tools they are using and the people those tools affect. That is the whole obligation.
Enforcement, as it stands now
The EU AI Act creates a structure where national authorities in each member state enforce the Regulation. In Denmark, the Danish Agency for Digital Government (Digitaliseringsstyrelsen) is the central coordinating authority for the AI Act, working alongside the Danish Data Protection Agency (Datatilsynet) and sector-specific regulators such as the Danish Financial Supervisory Authority (Finanstilsynet) and the Danish Medicines Agency (Lægemiddelstyrelsen) for AI in their domains. The exact division of responsibilities is being clarified through implementing legislation. Other EU member states are doing the same.
Penalties for non-compliance with Article 4 fall under Article 99 of the AI Act. Breach of obligations like Article 4 can result in administrative fines of up to EUR 15 million or 3 per cent of global annual turnover, whichever is higher, for businesses. For public bodies and EU institutions, fines are framed differently and are set by member-state law. The fines are maxima. National regulators have discretion to scale penalties to the actual harm and the resources of the organization.
In practice, regulators in 2025 and 2026 have focused enforcement attention on high-risk AI systems: biometric identification, employment screening, credit scoring, education, essential services. Article 4 enforcement against small organizations has been limited so far. That does not mean it will stay that way. The legal exposure is real, and the more public deployment of AI grows, the more enforcement will follow.
The deeper point. Article 4 exists not because regulators want to collect fines from small nonprofits or village clinics. It exists because AI systems are being deployed at scale in places where the people using them have no idea what the systems do. The point of the law is that you do something about that before harm happens, not that you fill out a form after.
What the Foundation will do
The AI Literacy Foundation will publish two plain-language guides on Article 4 compliance in the next six months. The first will cover compliance for organizations with under 50 staff. The second will cover compliance for organizations operating across multiple jurisdictions.
We will deliver Article 4 training cohorts, free at the point of access, for organizations that cannot afford a commercial provider. Cohorts will run in English and Danish. Each cohort covers what AI is, where it fails, how to verify outputs, how to handle data responsibly, and what good-faith compliance looks like for the specific kinds of AI the organization uses.
We will offer free tool reviews for small organizations that want to understand what an AI tool is actually doing before they deploy it. The review will document the kinds of literacy required for the tool, in plain language, so the organization can use the review directly as part of its Article 4 documentation.
If you are unsure where to start, write to us.
A practical checklist
For the person who just wants to know what to do this week:
- Inventory the AI tools your organization uses.
- Document what each one does, who uses it, what could go wrong.
- Brief your staff on each tool and get a written confirmation that they have read the brief.
- Write down basic rules for using AI (data, verification, disclosure).
- Designate a contact person for AI literacy questions.
- Review annually or after any major change.
That is Article 4 compliance for a small organization, in six steps. Done in good faith, with documentation that you can show, this is what reasonable looks like.
Closing
Article 4 is not the most complicated part of the EU AI Act. It is, however, the part that applies to the most organizations. Every workplace using AI is a deployer. Every deployer is on the hook for AI literacy.
Compliance, done reasonably and in good faith, is achievable for organizations of any size. It does not require lawyers, certificates, or AI engineers. It requires you to take seriously the fact that AI is now making decisions inside your organization, and to make sure the people running those decisions know what they are doing.
The Foundation exists to help that happen.
Ali Al Mokdad
Founder, AI Literacy Foundation