EU AI Act Article 4: What Organizations Need to Know About AI Literacy
Here is the short version most compliance summaries get wrong: the EU AI Act's Article 4 AI literacy duty has applied since 2 February 2025, it was not deferred by the Digital Omnibus, and from 2 August 2026 national authorities can actually enforce it. The much-quoted December 2027 date belongs to a different part of the Act — the high-risk system obligations. If you filed AI literacy under "postponed, deal with it later," this article is your correction. It was ours too: an earlier version of our own EU AI Act guide made exactly this mistake.
AI literacy, as the EU AI Act defines it, means the skills, knowledge and understanding that let providers, deployers and affected persons make informed use of AI systems — and stay aware of the opportunities, the risks, and the harm AI can cause.
Paraphrasing Article 3(56), Regulation (EU) 2024/1689The dates that actually matter
The AI Act entered into force on 1 August 2024 and applies in stages. After the Digital Omnibus agreement of May 2026, the staging looks like this:
| Date | What applies | Status |
|---|---|---|
| 2 Feb 2025 | Article 4 AI literacy duty + Article 5 prohibited practices | In force — unchanged by the Omnibus |
| 2 Aug 2025 | General-purpose AI model obligations, governance chapter, national penalty regimes | In force — unchanged |
| 2 Aug 2026 | General applicability: Article 50 transparency (AI disclosure, deepfake labeling), market surveillance, enforcement of the duties already in force | On schedule — "a live compliance date" |
| 2 Dec 2027 | High-risk obligations for standalone Annex III systems | Deferred here from Aug 2026 by the Digital Omnibus |
| 2 Aug 2028 | High-risk obligations for Annex I regulated products | Deferred here from Aug 2027 |
What the Digital Omnibus changed — and what it didn't
The European Commission proposed the Digital Omnibus in November 2025; the EU institutions reached political agreement in early May 2026, with formal adoption expected before the 2 August 2026 deadline. Two things moved: standalone high-risk system obligations (Annex III) shifted to 2 December 2027, and high-risk obligations for AI embedded in regulated products (Annex I) shifted to August 2028. One transitional detail also moved — machine-readable marking of AI-generated content for systems already on the market got a grace period to December 2026.
What did not move: Article 4. The final agreement adjusted its wording — operators are to "support the development" of AI literacy among their staff rather than guarantee a specific level — but the duty stands, its February 2025 application date stands, and the 2 August 2026 enforcement machinery stands. Article 50's transparency obligations were not moved either. Anyone summarizing the Omnibus as "the AI Act is postponed to 2027" is reading one line of a longer table.
What Article 4 actually requires
All providers and deployers of AI systems must ensure a sufficient level of AI literacy in the people who operate and use those systems on their behalf — staff and contractors alike — accounting for their technical knowledge, experience, education, and the context the AI is used in. "Deployer" is broad: a company whose analysts use a general-purpose chatbot for work is deploying an AI system. In 2026 that is practically every organization.
There is no mandated curriculum and no certification scheme. That cuts both ways: you cannot buy a checkbox, and you cannot claim compliance with a generic all-hands webinar. What you need to be able to show, when an authority or an enterprise customer asks, is that training happened, that it matched people's roles and the systems they actually use, and that it is documented.
The three-week question
Between now and 2 August 2026 the practical question is not "can we be fined tomorrow" — it is "can we evidence the duty we have carried since February 2025." A defensible minimum:
- An inventory of which AI systems your teams actually use, including the unofficial ones.
- Role-specific training records — who, what, when — rather than a single completion list.
- Proof of understanding, not just attendance: an assessment, a produced artifact, a measurable score.
That last point is where most programs fail, and it is the gap the Protocol was built for: a personal, role-specific plan with documented daily tasks and a measurable score — evidence of AI readiness one person can show an employer, or an employer can keep on file.
Sources
- Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex — Articles 3(56), 4, 50, 99, 113.
- European Commission — AI Act regulatory framework
- EU Artificial Intelligence Act — implementation timeline
- Gibson Dunn — EU AI Act Omnibus agreement analysis (May 2026)
Frequently asked questions
Has EU AI Act enforcement been delayed to 2027?
Only for high-risk systems. The Digital Omnibus moves the Annex III high-risk obligations to 2 December 2027 (and Annex I embedded systems to August 2028). The Article 4 AI literacy duty and the Article 50 transparency obligations were not deferred: Article 4 has applied since 2 February 2025, and 2 August 2026 remains the date the rest of the Act — including enforcement — becomes applicable.
What are the penalties for ignoring Article 4?
Article 4 has no dedicated fine tier in the AI Act itself. It is enforced through the national penalty regimes Member States adopted under Article 99(1), which authorities can apply from 2 August 2026. Indirect exposure is real too: AI literacy evidence gets requested in audits, procurement questionnaires, and incident investigations. By contrast, the Article 50 transparency obligations carry EU-level fines up to EUR 15 million or 3% of global annual turnover.
Does Article 4 apply to small companies?
Yes. Article 4 covers all providers and deployers of AI systems, with no SME carve-out. If your staff use AI systems in their work — including general-purpose tools like ChatGPT or Claude — you are a deployer. The required level of literacy is proportionate: it accounts for technical knowledge, experience, education, and the context the systems are used in.
What counts as a "sufficient level" of AI literacy?
The Act does not prescribe a curriculum, and the AI Office has not mandated specific training programs. In practice, defensible compliance has three properties: the training is role-specific (a payroll clerk and a data scientist need different things), it is documented (you can show who was trained, on what, when), and it covers both opportunities and risks of the systems actually in use.