Article 4 Is Already Law. Your AI Training Programme Probably Isn’t.

Article 4 of the EU AI Act started applying on 2 February 2025. It requires every provider and every deployer of AI systems to ensure their staff have a “sufficient level of AI literacy.” Not just AI companies. Not just high-risk systems. Every company using any AI system in the EU.

That includes your HR team running AI-powered CV screening. Your marketing department using AI content tools. Your finance team deploying automated reporting. If it meets the AI Act’s definition of an AI system and someone in your organisation operates it, Article 4 applies to them.

Most companies have done nothing. Some have assumed this obligation is too vague to enforce. Last week, the European Parliament proved that assumption wrong.

Parliament Just Voted to Keep This Obligation Intact

On 26 March 2026, the European Parliament adopted its position on the Digital Omnibus on AI. The Commission had proposed softening Article 4, shifting the AI literacy obligation from companies to member states and the Commission itself. In effect, removing the requirement that individual organisations train their staff.

Both Parliament and Council rejected this. The adopted positions reinstate the AI literacy obligation for providers and deployers. The Commission’s attempt to water it down failed.

This matters because it confirms that AI literacy is not a nice-to-have recommendation. It is a binding legal obligation. And enforcement supervision by national authorities begins on 2 August 2026. That is four months from now.

The Commission Defined It. Most Companies Ignored the Definition.

The AI Act defines AI literacy as “skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.”

That sounds vague. The Commission’s Q&A published in May 2025 added useful detail. Companies must consider the technical knowledge, experience, and training of each person who interacts with an AI system. The context matters. A software engineer deploying a machine learning model needs different training than a recruiter using an AI screening tool.

The Commission also clarified that “other persons dealing with AI systems on their behalf” extends beyond employees. It includes contractors, service providers, and potentially even clients who use AI systems as part of a service relationship. A surprisingly broad interpretation.

There is no prescribed training format. No mandatory certification. No minimum number of hours. But the Commission made clear that simply asking staff to read an AI system’s user manual is “likely insufficient.” Companies need structured measures, not box-ticking.

No Fine on Paper. Plenty of Pain in Practice.

Article 4 carries no standalone financial penalty. You will not receive a €10 million fine specifically for failing to train your team on AI literacy.

That misses the point.

National market surveillance authorities can impose penalties and enforcement measures for Article 4 breaches starting 2 August 2026. More importantly, regulators have signalled they will treat AI literacy failures as an aggravating factor in enforcement actions for other AI Act breaches. If your high-risk AI system causes harm and the operator had no AI training, the penalty for the primary violation will be worse.

Think of it as the seatbelt analogy. Not wearing a seatbelt might only get you a small fine on its own. But if you crash without one, it changes the entire liability picture.

Civil liability is the other angle. From August 2025, when sanctions provisions became applicable, providers and deployers face potential civil claims if untrained staff cause harm through improper AI use. Employment law adds another layer. In jurisdictions with strong worker protection, dismissing someone for AI-related mistakes becomes harder to justify if the company never provided training.

What to Do Before August 2026

Inventory your AI systems. You cannot train people on tools you do not know exist. Identify every AI system deployed across your organisation. Include third-party tools, embedded AI features in existing software, and anything that meets the AI Act’s broad definition. Most companies are surprised by how many AI systems they actually use.

Map people to systems. For each AI system, identify who interacts with it. Not just the IT team who deployed it. The end users. The managers who rely on its outputs. The contractors who operate it on your behalf.

Design proportionate training. A one-size-fits-all e-learning module will not satisfy Article 4. The Commission’s Q&A emphasised that training must reflect the person’s role, the system’s risk level, and the context of use. An HR manager using AI recruitment tools needs different content than a developer building internal AI features.

Document everything. There is no mandatory governance structure. No required AI officer appointment. But you must be able to demonstrate what measures you took. Training records, attendance logs, policy documents. If a regulator asks what you did to ensure AI literacy, “we sent a company-wide email” will not impress them.

Review the Commission’s repository of AI literacy practices for frameworks and examples that match your organisation’s size and sector.

Article 4 Doesn’t Care What Industry You’re In

AI literacy is the only AI Act obligation that applies to every organisation using any AI system, regardless of risk classification. High-risk rules affect a subset of companies. Prohibited practices affect a narrow set of use cases. GPAI rules affect foundation model providers. Article 4 affects everyone.

The irony is that the Commission tried to make it softer, and both co-legislators said no. Companies that have been ignoring this obligation on the basis that it was too vague or too minor to matter just ran out of excuses. August 2026 is coming. Your AI literacy programme should already exist.