One clause of the EU AI Act became enforceable almost a year before the rest. It is short, it is vague, and it applies to nearly every European employer whose staff use an AI tool at work. It is called Article 4, and it is already live.
This is the short, news-style version. If you want the deep read, our Article 4 pillar unpacks every phrase.
What the clause says
The text is one sentence. Providers and deployers of AI systems must take measures to ensure a sufficient level of AI literacy of their staff and other people dealing with the operation and use of AI systems on their behalf.
That is the whole obligation. No defined hours. No approved curriculum. No completion record scheme. Just a standard a regulator, a works council, or a plaintiff’s lawyer can measure you against after something goes wrong.
When it applies from
Article 4 entered into application on 2 February 2025, alongside the Act’s prohibited-practice list. Supervision and enforcement rules apply from August 2026. The deadline is not upcoming - the obligation is live; the supervisory framework arrives next.
The staged rollout of the rest of the Act runs through 2027. Article 4 itself is in application now; the supervision and penalty regime around it activates from August 2026.
Who it applies to
If your organisation builds AI systems, the provider obligations apply.
If your staff use an AI tool at work - any AI tool, including third-party ones - the deployer obligations apply to you. That is almost every European employer.
The wording “staff and other people dealing with the operation and use of AI systems on your behalf” is wider than payroll. It covers contractors, freelancers, agency staff, and embedded vendor teams. If they are doing the work under your brand, they are in scope.
What “sufficient” actually means
This is the question every compliance lead has asked us since late 2024. The Act does not define it. The Commission has issued draft guidance. National competent authorities are starting to publish their own.
Our working answer, distilled from the guidance that exists and from how adjacent EU laws have evolved:
- Staff can describe, in plain language, what the AI tool is doing on their behalf.
- Staff can name the common failure modes for that tool - hallucinations, bias, privacy leaks, outdated training data.
- Staff know when to treat AI output as a draft and when to treat it as finished work.
- Staff can document an AI-assisted decision after the fact, if asked.
Those four competencies, applied role by role, is what “sufficient” looks like in practice. Generic AI-awareness training does not clear the bar. Role-specific training tied to real work does.
What regulators are starting to ask for
Across the national competent authorities that have issued guidance, the pattern is consistent. Expect to be asked for four documents.
- A written AI literacy policy, scoped to your team and tools.
- Training records - who was trained on what, by whom, when.
- Assessment evidence - not a quiz score, but a review of actual work.
- An incident log, if anything AI-related has gone wrong.
If you cannot produce those four documents today, that is the gap to close before an incident or an audit forces the question.
What most employers are getting wrong
Three common mistakes we see.
Treating it as an IT procurement problem. The obligation sits on the employer, not the vendor. Buying a licence for a “compliant” tool does not satisfy Article 4.
Training once, never refreshing. The tools change every quarter. A once-a-year workshop is not a programme.
Over-documenting a vague policy. A short, scoped policy tied to real roles holds up better than a long, generic one written to look defensible.
What to do this month
If you have no literacy programme today, the cheapest, fastest move is to inventory where AI is being used across your team and write a one-page acceptable-use policy for it. That alone is more than most employers can produce.
If you have ad-hoc training, the move is to tie it to role-specific assessment - a sample of real work, reviewed against the four competencies above.
If you have a mature programme, run an audit-readiness check against the four-document pattern and close whatever gap you find.
Where to go next
- The long version: the Article 4 pillar.
- A read on your team’s current state: the Article 4 AI Literacy Readiness Scorecard. 10 questions, 4 minutes.
- A 20-minute conversation with a teacher: book a discovery call.