Since 2 February 2025, training your staff on AI is not a nice-to-have — it is a legal obligation. Article 4 of the EU AI Act requires every company that uses AI in the European Union to ensure a "sufficient level of AI literacy" across its workforce. Most of the attention in June 2026 went to the Digital Omnibus, which pushed the high-risk AI deadlines back to December 2027. What almost nobody noticed: the AI literacy obligation was not delayed, the ban on prohibited AI practices was not delayed, the transparency rules landing on 2 August 2026 were not delayed — and national authorities gain their supervision and enforcement powers over Article 4 from 3 August 2026. If your marketing team uses ChatGPT, your recruiters screen CVs with AI, or your sales team runs a chatbot, this article is about you.

By Toni Dos Santos, Co-Founder, Spicy Advisory

Key Takeaways

  • AI literacy is already law. Article 4 of the EU AI Act (Regulation 2024/1689) has applied since 2 February 2025 to every provider and every deployer of AI systems — meaning any company whose staff use AI tools at work, whatever its size or sector.
  • Enforcement scaffolding arrives now. National market surveillance authorities begin supervising and enforcing Article 4 from 3 August 2026. The June 2026 Digital Omnibus delayed high-risk obligations to December 2027 — but it did not touch Article 4, the Article 5 prohibitions, or the Article 50 transparency duties.
  • The money at stake is real. Prohibited practices — including emotion recognition on employees, live in HR tools today — carry fines up to €35M or 7% of global turnover. Transparency breaches carry up to €15M or 3%. Article 4 breaches are sanctioned through national penalty regimes, and an untrained workforce aggravates every other violation.
  • The obligation covers more than employees. Article 4 explicitly extends to "other persons dealing with the operation and use of AI systems on your behalf" — contractors, freelancers, and agency staff included.
  • Certificates are not required — evidence is. The European Commission confirms no mandatory certification exists, but you must be able to show role-appropriate measures: an AI usage inventory, tailored training, internal policies, and records.

What Article 4 of the EU AI Act actually says

Skip the summaries — here is the full legal text, one sentence long, from the official regulation on EUR-Lex:

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."
— Article 4, Regulation (EU) 2024/1689 (EU AI Act)

Three words matter enormously here. "Deployers" means the obligation is not limited to companies that build AI — it covers every organisation that uses AI systems under its authority. A retail chain whose category managers use Copilot, a law firm summarising contracts with Claude, an industrial SME whose HR team ranks applicants with an ATS plug-in: all deployers, all covered. "Other persons" extends the duty beyond payroll to contractors, interim staff, and agencies operating AI on your behalf. And "to their best extent" makes this an organisational duty of means: you are expected to make a genuine, documented, proportionate effort — silence is not a defensible position.

The Act also defines what literacy means. Under Article 3(56), AI literacy is the "skills, knowledge and understanding that allow providers, deployers and affected persons […] to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause." Note what that is not: it is not a data-science bootcamp. It is the ability of each person, in their role, to use AI deliberately — knowing what the tool can do, where it fails, and what the rules are.

Where does your company stand today? Our free EU AI Act Article 4 self-assessment takes 5 minutes and gives you a Red/Amber/Green compliance verdict with a downloadable gap report — the automated first step before any deeper audit.

The timeline: what applies now, what changed in June 2026

Because the AI Act phases in over four years — and the Digital Omnibus just reshuffled part of it — here is the state of play as of July 2026:

The strategic reading for leadership: the Omnibus bought time on high-risk system compliance, but it left the people obligations fully intact — and those are precisely the ones that come under active supervision this summer. Companies that treat the Omnibus as a general reprieve are misreading the law. For the full picture of risk categories and deployer obligations, see our complete EU AI Act guide for SMB, mid-market and enterprise leaders.

What you actually risk by ignoring Article 4

Article 4 carries no fixed fine of its own in the Act — which leads some advisors to file it under "soft obligations." That is a serious misreading, for four reasons:

1. National penalty regimes apply from August 2026. Under Article 99(1), each Member State must lay down "effective, proportionate and dissuasive" penalties for infringements of the Act — Article 4 included. From 3 August 2026, your national market surveillance authority can ask one very simple question: show us the measures you took. No inventory, no training records, no policy? You have your answer, and so do they.

2. Untrained staff cause the violations that do carry headline fines. Prohibited practices under Article 5 — using emotion recognition on employees, for instance — carry fines up to €35 million or 7% of global annual turnover, whichever is higher. Transparency failures under Article 50 carry up to €15 million or 3%. In practice, these breaches rarely come from the legal department; they come from an enthusiastic team lead switching on a feature nobody vetted. AI literacy is your first line of defence, and demonstrable literacy measures are exactly what a regulator weighs when deciding how hard to sanction.

3. Civil liability is the quiet risk. The Commission's own Q&A points out that Article 4 can be privately enforced. A rejected job applicant, a mis-sold customer, a works council: any of them can argue that damage was caused by staff who were never trained to use the AI system properly. In a negligence claim, "we had no AI literacy programme" is a gift to the opposing counsel.

4. The operational cost arrives before any regulator does. Employees pasting client data into unvetted consumer tools, hallucinated figures in board decks, shadow AI spreading faster than IT can track it — these are literacy failures, and they cost money and reputation today, fine or no fine.

Get your AI literacy audit — map your gaps before the regulator asks →

The risk map, department by department

Article 4 explicitly requires literacy to match "the context the AI systems are to be used in." One generic e-learning module for everyone fails that test by design. Here is what the obligation means concretely for each function — the real use cases, the specific risks, and what to put in place.

HR and recruitment: the most exposed department in the company

Concrete use cases: CV screening and candidate ranking inside the ATS, AI-assisted job-ad targeting, video interview analysis, performance-review drafting, skills mapping, attrition prediction, employee-monitoring dashboards.

The risks: This is the danger zone. Emotion recognition in the workplace is a prohibited practice under Article 5 — banned since February 2025, in the €35M/7% fine tier — and some video-interview and "engagement analytics" tools flirt with exactly that. Recruitment and promotion AI sits in Annex III: high-risk, with full obligations from December 2027, which is one procurement cycle away. Add algorithmic discrimination claims and GDPR exposure on top, plus Article 26(7): when you deploy high-risk AI at the workplace, you must inform affected workers and their representatives before putting it into service.

What to put in place: An inventory of every AI feature inside your HR stack (much of it arrives silently via vendor updates); a vendor questionnaire asking specifically about emotion inference and Annex III classification; human review that is real, not a rubber stamp, on every consequential decision; and role-specific training so recruiters can explain what the tool does to a candidate — or a labour court. Our guides on AI workflows for HR teams and our AI training for HR cover this ground in depth.

Marketing and communications: transparency rules land on 2 August 2026

Concrete use cases: Generative AI for copy, images and video; synthetic voiceovers; AI-personalised campaigns; social content at scale; website chatbots run jointly with sales.

The risks: Article 50 applies from 2 August 2026 and was not deferred by the Omnibus. Deepfakes — AI-generated or manipulated image, audio or video resembling real people, places or events — must be visibly disclosed. AI-generated text published to inform the public on matters of public interest must be disclosed too. Breaches sit in the €15M/3% tier. Beyond the Act: hallucinated product claims that create advertising-law liability, brand assets and strategy pasted into consumer tools with no enterprise data controls, and AI-generated content that infringes third-party IP.

What to put in place: A labelling workflow for synthetic content baked into the campaign checklist; a whitelist of approved tools with enterprise data protections; prompt hygiene rules for confidential briefs; and training that covers the disclosure duties — not just the creative tricks. See the CMO playbook for AI marketing operations and our AI training for marketing teams.

Sales and customer-facing teams: your chatbot must say it's a bot

Concrete use cases: Website and WhatsApp chatbots, AI lead scoring, call recording and summarising, AI-drafted proposals and outreach, CRM copilots.

The risks: From 2 August 2026, any AI system interacting directly with customers must make that fact clear — a chatbot that passes as human is a compliance breach, not a UX win. AI-drafted proposals with hallucinated specs, prices or delivery promises create contractual exposure the moment a client signs. Reps pasting full customer histories into free tools create GDPR incidents. And opaque lead-scoring that encodes bias can contaminate the whole funnel.

What to put in place: Clear AI disclosure on every conversational interface; a "verify before send" rule for AI-drafted commercial documents; approved-tool policies for anything touching customer data; and training that makes reps faster and safer — the two are not in tension. Start with AI-powered sales enablement and our AI training for sales teams.

Legal and compliance: you own the framework — and the evidence

Concrete use cases: AI contract review and clause extraction, legal research assistants, compliance monitoring, e-discovery, DPIA drafting support.

The risks: Double exposure. First, the department's own usage: privileged documents in unvetted tools, hallucinated case law reaching a filing, over-reliance without verification. Second — larger — institutional risk: when the market surveillance authority calls after August 2026, legal answers for the whole company. If there is no AI register, no policy, no training records, that conversation goes badly regardless of how careful legal's own AI usage was.

What to put in place: A company-wide AI system register (the single most valuable compliance artefact under the Act); AI clauses in vendor and agency contracts — classification warranties, notification of new AI features, audit rights; ownership of the Article 4 programme with documented completion; and verification protocols for legal's own AI work. Our guide to AI for legal teams and AI training for legal departments go deeper.

Finance and accounting: high-risk classification hides in your credit workflows

Concrete use cases: AI credit and solvency scoring of customers, fraud and anomaly detection, cash-flow forecasting, invoice processing, AI-assisted reporting and board-pack drafting.

The risks: Evaluating the creditworthiness of natural persons is an Annex III high-risk use case (fraud detection is exempt) — if your team scores sole traders or consumers with AI, you are on the December 2027 high-risk track and should start now. More immediately: hallucinated or silently rounded figures flowing into management reporting, unexplainable models behind decisions auditors will question, and forecasting tools fed with confidential financials through consumer accounts.

What to put in place: A source-verification rule for any AI-produced number that leaves the department; an inventory flagging anything touching creditworthiness; explainability requirements in finance-tool procurement; and training focused on verification and data handling. See AI workflows for finance teams.

CEO and C-suite: "to their best extent" means you, personally

Concrete use cases: Strategic analysis and scenario planning with AI, board-material drafting, M&A due diligence support — and, above all, the decisions that determine whether the rest of this article gets acted on.

The risks: Article 4 is an organisational obligation, and organisational obligations land on executive desks. An enforcement inquiry, a works-council escalation, an AI question in the due diligence of your next fundraise or exit — each one reaches the C-suite within a day. There is also a quieter failure mode: executives who cannot distinguish AI marketing from AI capability approve the wrong investments, and companies whose leadership skipped the literacy step see their AI initiatives stall in pilot purgatory. Meanwhile, buyers, insurers and investors increasingly ask for evidence of AI governance — Article 4 compliance is becoming a commercial credential, not just a legal one.

What to put in place: Executive-level AI literacy first — it is very hard to sponsor a programme you would fail yourself; a named owner and budget for the Article 4 programme; a governance committee that meets on a real cadence; and literacy KPIs on the leadership dashboard next to adoption metrics. This is exactly the gap addressed in C-suite AI literacy: why executive training comes first and our AI training for executives.

What "sufficient AI literacy" looks like in practice

The Commission's official Q&A deliberately avoids a one-size-fits-all standard, but it is specific on several points that busy compliance teams should note:

One more practical warning from the field: a single all-hands webinar in 2025 does not make you compliant in 2026. AI tools ship new capabilities monthly, and literacy that isn't refreshed decays. Build a cadence, not an event — we wrote about how in AI training that sticks.

Your 6-step Article 4 action plan

  1. Diagnose where you stand — today. Run our free 5-minute EU AI Act self-assessment for an automated Red/Amber/Green verdict and a gap report you can put in front of your leadership team this week.
  2. Inventory every AI touchpoint. Sanctioned tools, embedded features in your SaaS stack, and the shadow AI your teams already use. You cannot train for a context you haven't mapped.
  3. Classify against the Act. Flag anything near Article 5 prohibitions (emotion recognition, social scoring), Annex III high-risk (recruitment, credit), and Article 50 transparency (chatbots, synthetic content).
  4. Map roles to literacy needs. Define what "sufficient" means per function — HR, marketing, sales, legal, finance, leadership — taking existing knowledge into account, as Article 4 requires.
  5. Run role-based training and set the rules. Practical, use-case-driven sessions paired with a usable AI policy: approved tools, data rules, verification duties, disclosure duties. If your managers still lack prompt fundamentals, start with prompt literacy for non-technical managers.
  6. Document and review. Training records, policy sign-offs, the AI register, a named owner — and a review cadence (quarterly is realistic) so the programme tracks both the technology and the enforcement practice as it develops from August 2026. A right-sized governance framework keeps this manageable.

Where Spicy Advisory fits

Article 4 sits at the intersection of two projects most companies run separately: compliance and adoption. That is a mistake — and an opportunity. The same programme that satisfies the regulator is the one that finally gets your teams using AI well: trained people, clear rules, measured usage. Compliance is the floor; the ROI lives just above it.

Spicy Advisory is a founder-led AI advisory and training boutique. We have trained 1,500+ professionals across 50+ companies including L'Oréal, EssilorLuxottica and IGN, with a 4.98/5 client rating — in English and French. For Article 4, we work in three steps: an AI literacy audit that maps your real usage, your risk exposure and your literacy gaps against the Act; role-based training programmes for each department named above; and adoption support so the training turns into daily practice, not a binder on a shelf.

Start with the AI literacy audit →

Not ready for a conversation? Run the free automated self-assessment first — 5 minutes, instant verdict, PDF gap report.

Frequently asked questions

Is AI literacy training mandatory in the EU?

Yes. Article 4 of the EU AI Act, applicable since 2 February 2025, requires providers and deployers of AI systems to take measures ensuring a sufficient level of AI literacy among staff and anyone operating AI on their behalf. It is a duty of means — you must make a genuine, documented, context-appropriate effort. National market surveillance authorities begin supervising and enforcing it from 3 August 2026.

Does Article 4 of the AI Act apply to small companies?

Yes. The obligation applies to all providers and deployers of AI systems regardless of company size or sector. Proportionality shapes how extensive your measures need to be — a 20-person agency needs lighter measures than a bank — but no SME exemption exists. If your staff use AI tools at work, the obligation applies.

What are the penalties for non-compliance with Article 4?

Article 4 carries no fixed fine in the AI Act itself. Sanctions come through national penalty regimes, which Member States must make effective, proportionate and dissuasive under Article 99(1), and civil claims are possible. The larger financial risk is indirect: untrained staff cause the breaches that carry headline fines — up to €35M or 7% of global turnover for prohibited practices, and up to €15M or 3% for transparency violations — and absent literacy measures aggravate any investigation.

Did the 2026 Digital Omnibus delay the AI literacy obligation?

No. The Digital Omnibus — provisionally agreed on 7 May 2026 and approved by the European Parliament on 16 June and the Council on 29 June 2026 — defers obligations for Annex III high-risk AI systems to 2 December 2027 and Annex I embedded systems to 2 August 2028. Article 4 (AI literacy), Article 5 (prohibited practices) and Article 50 (transparency, applying 2 August 2026) were not deferred.

Do employees need an AI certificate to comply with the EU AI Act?

No. The European Commission's AI literacy Q&A confirms that no specific certificate, exam or hour-count is required. What matters is that measures are tailored to each person's role, technical knowledge and context of use — and that you keep internal records of trainings and guidance as evidence.

What should an AI literacy programme cover?

A defensible programme combines: a general foundation (what AI systems are, their opportunities, risks and possible harms, per the Article 3(56) definition); the company's role in the AI value chain (deployer vs provider) and applicable obligations; role-specific modules reflecting actual use cases in HR, marketing, sales, legal and finance; an AI usage policy covering approved tools, data handling, verification and disclosure; and documentation with periodic refreshes as tools and enforcement practice evolve.

Does the obligation cover freelancers and external contractors?

Yes. Article 4 explicitly covers "other persons dealing with the operation and use of AI systems on their behalf" — which includes contractors, interim staff and agency personnel using AI in your workflows. In practice: extend your AI policy and appropriate training or guidance to them, and address AI literacy in your contracts with agencies and service providers.

Sources and References:

About Spicy Advisory

Spicy Advisory helps SMBs, mid-market companies and enterprises across France, the UK and Europe turn AI regulation into working practice — through AI literacy audits, role-based training and hands-on adoption support. 1,500+ professionals trained across 50+ companies including L'Oréal, EssilorLuxottica and IGN, rated 4.98/5. No junior consultants, no legal jargon — measurable AI literacy from day one.

Book your AI literacy audit