APFerrer
Back to blog
Artificial intelligenceAlfabetización en IA

AI Literacy - What Article 4 of the EU AI Act Mandates and Who Must Comply

APFerrerJuly 09, 202615 min
Lead

Since 2 February 2025, the European AI Regulation (EU 2024/1689, known as the EU AI Act) requires every company in the European Union to ensure that its staff possesses a "sufficient level of AI literacy". There are no exceptions by comp…

AI Literacy - What Article 4 of the EU AI Act Mandates and Who Must Comply

Since 2 February 2025, the European AI Regulation (EU 2024/1689, known as the EU AI Act) requires every company in the European Union to ensure that its staff possesses a "sufficient level of AI literacy". There are no exceptions by company size or sector. A Spanish SME with 12 employees is as bound by it as a multinational.

This is not a future requirement. It applies now.

What follows is not my interpretation. These are Articles 3.56, 4 and 6 of Regulation 2024/1689, translated into what they genuinely mean for a business, what auditors look for when they inspect, and what penalties apply if you fail to comply.

What Article 4 Actually Says

The regulation defines AI literacy as "the set of capacities, knowledge and understanding that enables a person to understand how AI systems work, assess their effects and make informed decisions about their use".

It then requires that AI providers and deployers take "appropriate measures to ensure that personnel directly dealing with the AI system have a sufficient level of AI literacy".

That's all it says. No mandatory certificate. No minimum hours. No prescribed format. But we'll come back to "sufficient level".

Who Must Comply in Your SME

Here's where it gets tricky. "User of an AI system" doesn't just mean whoever builds it. It means whoever deploys it, uses it or is affected by how it works.

Role / Situation Must they upskill? Minimum level
Marketing team using ChatGPT to draft copy Yes, direct user Know what data they're uploading, risks of hallucination, how to review the output
Administrator loading data into AI for document classification Yes, direct user Understand input, process, output; be able to validate results
Legal lead reviewing documents generated by AI Yes, affected by decisions Know capabilities and limits; how to verify accuracy
Managing director (doesn't use AI directly) Depends. If overseeing teams using it or legally accountable for compliance: yes Understand governance, risks, company liability
Admin staff in company that doesn't use AI Not formally required But if they use a tool with embedded AI tomorrow (e.g. a CRM with predictions): yes

The distinction lies in the intended use context. If your CRM has an "AI-powered sales forecasting" module and your sales team uses it, they must train. If they don't use it, they don't.

Critical note: the regulation doesn't mandate uniform training. The company's legal counsel and sales rep don't need the same level. That's "proportionality"; it's what auditors look for.

What "Sufficient Level" Really Means

This is the question keeping most companies up. Is there a benchmark? A rubric?

No. The regulation requires determination of the level "on a case-by-case basis in each specific context, taking into account the prior knowledge, technical abilities, experience, education and training of the personnel, as well as the intended use context of the AI systems".

Translation: sufficient level is not a universal label. It scales to what the person needs.

Examples of what counts as "sufficient level":

  • For a generic ChatGPT user: know what a language model is, how it works (analyses patterns, generates text), what it doesn't do (doesn't understand like a human, hallucinates), what risks exist (sensitive data in the prompt, false outputs). A 2-hour session with written material is enough.

  • For someone uploading sensitive information (financial, medical, legal): beyond the above, understand the difference between public and private data, know whether the tool encrypts it or stores it, what data agreement the AI company has with your organisation.

  • For a director managing teams using AI: know which systems your company uses, what risks they pose, who is legally liable if something goes wrong, how you verify compliance.

What does NOT count as "sufficient level":

  • Reading a LinkedIn article about AI.
  • Watching a TikTok video on ChatGPT.
  • A generic PowerPoint about "The Future is AI".
  • Assuming people already know because they're using ChatGPT.

What Evidence Passes an Audit

This is where many companies stumble. They claim "we trained people in AI" but when the AESIA (Spanish AI supervisory authority) or AEPD (Spanish data protection authority) arrive, they have nothing to show.

The regulation doesn't require a third-party certificate. But it does require you to demonstrate it happened.

Evidence auditors will accept:

  1. Documented syllabus (minimum)

    • What was taught. Can be a document, slides, or an email saying "on 15 January, everyone in sales attended a session on AI hallucinations".
    • Doesn't have to be formal. A spreadsheet listing topics works.
  2. Attendance record

    • Who attended, when, how long.
    • Signatures, email list or screenshot of the video call all work.
  3. Evaluation or comprehension check

    • A 5-question quiz on what ChatGPT does.
    • A confirmation email: "I've read the material and understand not to upload passwords to ChatGPT".
    • A simple rubric: "User demonstrates knowledge of what data is safe to upload".
  4. Documented internal policy

    • Which AI tools your company uses.
    • Which are banned, which are allowed.
    • Who's responsible for updating this.
  5. Frequency

    • The regulation requires training to be "sufficient" but also "continuous or periodic".
    • A single training session in 2025 likely won't meet requirements in 2026.
    • Annual refresh or when you change tools is standard.

Example of a file that will survive audit:

  • Company email, February 2025: "From today, we all use ChatGPT with guardrails. Topic: how to use it safely."
  • 15-minute presentation on what not to upload (passwords, bank details, client names).
  • Email list of who watched the recording and when.
  • Quiz: "Is it safe to upload a client contract to ChatGPT?" Documented answer.
  • Annual update log: "January 2026, refresh. We now use Gemini too. Session on differences."

That's sufficient to prove compliance to an auditor.

What isn't:

  • "People already use it, they must know".
  • "We posted an article in the WhatsApp group".
  • "One of our colleagues did a course on Udemy".
  • No record of who attended or when.

Penalties for Non-compliance

Active supervision and fines start formally on 2 August 2026. That doesn't mean it's legal to breach until then. It means that's when auditors can fine.

The European regulation sets fines up to EUR 15 million or 3% of global annual revenue, whichever is larger.

In Spain, the AI Organic Law structures violations into levels. For Article 4 specifically, there's still ambiguity whether it's "serious" or "very serious", but the Spanish law maximum reaches EUR 35 million or 7% of annual revenue.

Real perspective: a 50-person Madrid firm using ChatGPT but not documenting training won't get a EUR 35 million fine. But they can face a reprimand, a follow-up inspection and, if they don't fix it within 6 months, escalating fines.

If the breach coincides with harm (e.g. a data leak because an employee uploaded sensitive information without knowing they shouldn't), the penalty scales up.

Context: the AESIA (Spanish AI Supervisory Authority, based in A Coruña) and the AEPD already have remit to audit. In 2026, the first inspections will happen. Regulated sectors (finance, health) and large companies will be the first targets.

Minimum Compliance Route in 4 Steps

To keep your company covered during an inspection.

Step 1: Inventory of AI systems (1 week).

What tools your company uses. ChatGPT, Gemini, LinkedIn Sales Navigator, a CRM with automatic prediction, a chatbot on your website. Don't forget the small ones.

Who uses them. Marketing team, sales, support.

Step 2: Risk analysis by role (1 week).

For each team: what information do they handle? Is it sensitive? What could go wrong?

Sales: uploading client data to an unencrypted AI tool. High risk.

Marketing: drafting copy with ChatGPT. Low risk if you're not uploading live data.

Step 3: Documented training plan (2 weeks).

What topic. Which role. When. Who delivers the training (can be a video call with you).

Example:

  • January 2026: everyone in the company, general session "What is AI, how we use it in our company".
  • February 2026: sales team, specific session "Don't upload client data to ChatGPT".
  • Quarterly: refresh when you add tools.

Step 4: Documentation and record-keeping (ongoing).

Every time you run a session:

  • Keep the presentation.
  • Note who attended.
  • Ask for attendance confirmation (digital signature, list, email).
  • If online, capture the screen with names visible.
  • Store in a shared folder (Drive, OneDrive) that shows it's been audited.

Done. When an auditor arrives, pull out the folder and show you've complied.

Common Mistakes When Setting Up an AI Literacy Programme

Not all companies get this right.

Mistake 1: Generic training.

You bring in an external consultant who talks for an hour about "the future of AI in industry". Sounds important. Won't pass audit. The auditor is looking for proof that your people know which tool they use, what risks it has, what not to do.

Fix: role-specific sessions. 20 minutes. On the tool your company actually uses.

Mistake 2: One-off training.

"We trained people in 2025, we don't need to do it again". Tools change. Risks evolve. The regulation asks for "continuous or periodic" training. Annual minimum.

Fix: refresh calendar. January, all companies review. If you add a new tool, quick training on it.

Mistake 3: Not documenting.

The training happened, but nobody wrote down who attended or when. To the auditor: "Well, people received it". Doesn't work.

Fix: a 2-minute Google Form. "You confirm attendance at the AI training on 15/01". Save the responses.

Mistake 4: Delegating without oversight.

"Each manager trains their team" and then you don't ask for reports. Some teams train, others don't. The auditor interviews three random staff. One knows, two don't. Non-compliance.

Fix: a compliance owner (IT, HR, or you). Make sure each team did it and keeps evidence.

Mistake 5: Unnecessary over-compliance.

Spending EUR 20,000 on a Udemy course for everyone. The law doesn't ask for it. Fine if you do, but not proportionate for an SME. The regulation accepts internal training.

Fix: start minimal (30-minute session, quiz). Expand if you later spot gaps.

Closing

Article 4 of the EU AI Act is concrete and auditable. It's not interpretable. Companies have to document that their personnel using AI minimally understand what's happening, what risks exist and what not to do.

It's not complicated. It's discipline.

If your company:

  • Has an inventory of AI tools.
  • Documented who uses them.
  • Ran at least one training session with recorded attendance.
  • Updates that yearly or when tools change.

You'll survive an audit.

If you have none of that, 2026 will be uncomfortable when the auditor shows up.

If you need help designing an AI literacy plan that fits your company, auditing what AI tools you're using without realising it, or understanding how to document it all: book 30 minutes. In the session we map real risks, define what training you genuinely need (no more) and you leave with a template for the evidence folder that matters in audit.

If you'd rather direct training with your team on how an AI model works, hallucinations, privacy in public tools and internal use policies: that's chapter 2 of the series and you can tailor it to your company.


Next articles in this series

  • Chapter 2: Basics. How an LLM works without jargon.
  • Chapter 3: Data and privacy when using generative AI.
  • Chapter 4: AI literacy by role (marketing, sales, HR, finance).
  • Chapter 5: Prompt engineering applied. 7 patterns for the team.
  • Chapter 6: Shadow AI, internal policy and Article 4 audit.

Sources

AF
APFerrer
APFerrer · Consultora en datos y procesos
Author's note

Does it apply to your company? Tell me in 30 minutes and we'll see what fits.

Book 30 min