EU AI Act Article 4: The AI Literacy Duty Your Company Already Has
It is the shortest article in the AI Act, it has applied since February 2025, and from 2 August 2026 a regulator can ask you to prove it. Most companies could not.
AIovert Security Team
GDPR & EU AI Act practitioners
Quick answers
Who does Article 4 apply to?
Every provider and deployer of AI systems. If your employees use ChatGPT, Claude, Gemini, or Copilot at work, you are a deployer. Article 4 applies to you, and has since 2 February 2025.
When can regulators enforce it?
From 2 August 2026, when national market surveillance authorities receive their formal powers under the Act.
What evidence do I need?
Documented, role-proportionate measures: who uses which AI systems, what guidance they received, and proof the measures operate in practice. Not just a slide deck from last year.
What the law actually says
Article 4 of Regulation (EU) 2024/1689 is one sentence:
“Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.”
Source: Article 4, Regulation (EU) 2024/1689
Unpacking the load-bearing phrases:
- “Providers and deployers”: not just AI companies. A deployer is any organisation using an AI system under its authority. A marketing team drafting copy in ChatGPT makes the company a deployer.
- “Shall take measures”: an active, ongoing duty. Doing nothing is non-compliance by default.
- “Sufficient level of AI literacy”: proportionate to three factors: the context of use, the system's complexity, and the person's role. A recruiter screening CVs with AI needs more than someone summarising meeting notes.
- “To their best extent”: an effort standard, which cuts both ways. It forgives imperfection but punishes inaction. The question a regulator asks is “show me the measures.”
The enforcement timeline
Article 4 began to apply on 2 February 2025. What changes on 2 August 2026 is that the national market surveillance authorities designated under the Act receive their formal supervisory powers, and with them, the ability to investigate and sanction. The European Commission's own Q&A confirms the duty applies now, with formal oversight beginning August 2026. The Digital Omnibus agreement of May 2026, which deferred the high-risk rules to 2027–2028, did not touch Article 4.
In other words: eighteen months of grace are ending. Companies that treated AI literacy as aspirational are about to meet regulators who treat it as overdue.
What “sufficient” literacy means for ordinary AI use
For the vast majority of organisations, the relevant AI use is not exotic. It is employees using chat assistants with company information. For that context, sufficient literacy means staff understand at minimum:
- What not to share, and why. Customer personal data, credentials, source code, and confidential terms stay out of prompts, because consumer AI tiers may retain and train on inputs.
- Output limitations. Models hallucinate; outputs need verification before decisions or publication.
- Which tools are sanctioned for which data categories, and what the escalation path is when a new tool is needed.
And the organisation must be able to document all of it. The Commission's guidance does not require measuring literacy levels, but it does stress keeping records of the measures taken.
Why annual training fails the “best extent” test
The standard corporate response (an annual e-learning module) has two weaknesses as Article 4 evidence:
- It is static while the risk is continuous. Employees adopt new AI tools monthly. A training record from January says nothing about the tool an employee started using in June. Without visibility into actual AI usage, you cannot even say whom the training needs to cover. The shadow AI problem is an Article 4 problem.
- It does not change behaviour at the moment of risk. The point of literacy is that the employee about to paste a customer database into a chatbot stops. A slide viewed eleven months ago rarely achieves that; an explanation that appears at the exact moment of the paste does. In-the-moment education is both the most effective measure and the most persuasive evidence, because every intervention is logged.
Building an Article 4 file a regulator will accept
- Map real usage. Deploy browser-level visibility to learn which AI systems staff actually use and which data categories flow toward them. This defines the scope “to their best extent” demands.
- Train proportionately. Role-based guidance: heavier for HR, finance, and engineering; lighter for occasional users. Record completion.
- Reinforce at the point of risk. Real-time warnings and explanations when sensitive data is about to reach an AI tool turn policy into practice, and generate a timestamped record that the measure operates.
- Review on a cycle. Quarterly: new tools discovered, incident classifications trending, repeat-risk users retrained. Minute it.
The cost of getting it wrong
Article 4 breaches are sanctioned under the national penalty regimes Member States adopted for the Act, with intermediate-tier exposure reaching into the millions. But the realistic scenario is worse, because an Article 4 failure is rarely discovered on its own. It surfaces when an untrained employee causes an incident, typically a personal-data leak into an AI tool. At that point the organisation faces the AI Act question (“where were your literacy measures?”) and the GDPR questions (Articles 32 and 33, with fines up to €20M or 4% of turnover) for the same event. The cheapest moment to fix both is before the incident.
Turn AI literacy from a slide deck into evidence
AIovert Guard educates employees at the exact moment they try to paste sensitive data into ChatGPT, Claude, or 21 other AI tools, and blocks the paste before it leaves the browser. Every intervention is logged, giving you a living Article 4 record alongside your GDPR audit trail. Deploys in 15 minutes via Google Workspace or Intune.