Article 4 of Regulation (EU) 2024/1689 — AI literacy. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 4 of Regulation (EU) 2024/1689 establishes a general AI literacy obligation for providers and deployers of AI systems operating within the scope of the Regulation. The article requires that providers and deployers take measures to ensure, to their best extent, that their staff and any other persons acting on their behalf who are involved in the operation and use of AI systems possess a sufficient degree of AI literacy.
The article defines AI literacy as the skills, knowledge, and understanding that allow persons to make informed decisions about AI systems, to deploy and use them properly, and to be aware of the impact those systems may have. Crucially, the obligation is calibrated: the required level of literacy must be proportionate to the technical knowledge, experience, education, training, and context of the individuals concerned, as well as to the AI systems they handle.
Article 4 therefore does not impose a uniform standard. Instead, it creates a due-diligence framework under which organisations must assess the competency needs of relevant staff relative to the AI systems in question and take appropriate corrective or developmental action where gaps exist. The provision reflects the legislature's intent — articulated in Recital 20 — that human oversight of AI systems is only meaningful where the humans exercising that oversight possess the foundational understanding needed to do so effectively. The obligation is horizontal in scope: it applies regardless of the risk category of the AI system concerned, making it one of the few provisions in Title I that generates direct, actionable obligations for all actors within the Regulation's reach.
What This Means in Practice
Article 4 creates an ongoing internal governance obligation. Any organisation that qualifies as a provider (placing an AI system on the EU market or putting it into service) or a deployer (using an AI system under its authority in a professional context) must actively assess and address the AI literacy of relevant personnel.
In practice, this means organisations should begin by mapping which roles interact with AI systems — whether building, integrating, operating, supervising, or reviewing AI outputs. A legal team using a contract-analysis tool, a HR department deploying a CV-screening system, or an engineering team maintaining a predictive-maintenance model all fall within scope. Each role-holder must have a level of AI literacy appropriate to their responsibilities.
Concretely, compliance actions may include:
- Conducting a skills-gap assessment across AI-adjacent roles
- Designing or sourcing role-specific training (technical staff require deeper knowledge of model behaviour, bias, and uncertainty; business users require awareness of limitations and escalation pathways)
- Documenting literacy measures taken as part of broader AI governance records
- Reviewing and refreshing literacy programmes as AI systems evolve or new systems are introduced
A logistics company deploying a route-optimisation model, for example, should ensure that operators who act on the model's recommendations understand the system's confidence ranges, known failure modes, and when to override. Similarly, a healthcare provider deploying a diagnostic-support tool must ensure clinicians understand what the tool does and does not do before relying on its outputs. The proportionality principle means a solo-practitioner deploying a simple AI tool will face lighter obligations than a multinational deploying high-risk systems at scale.
Key Obligations
- Assess AI literacy needs: Providers and deployers must identify which staff and appointed persons interact with AI systems and evaluate their existing level of AI literacy against the demands of those roles.
- Take appropriate literacy measures: Organisations must actively implement measures — training, documentation, guidance, or structured upskilling — proportionate to each person's role, existing competence, and the systems involved.
- Apply proportionality: The level of AI literacy required is not uniform; it must reflect the technical complexity of the AI system, the degree of autonomy it exercises, and the potential impact of the role-holder's decisions.
- Maintain ongoing coverage: The obligation is continuous. As AI systems change, as new systems are deployed, or as staff rotate into AI-adjacent roles, literacy measures must be reviewed and updated accordingly.
- Extend obligation to third parties acting on the organisation's behalf: The article explicitly covers persons acting on behalf of providers or deployers, meaning contracted staff, service providers, and agents involved in AI system operation are within scope.
- Document efforts: While Article 4 does not specify a documentation requirement, alignment with the Regulation's broader governance expectations (particularly for high-risk systems) means that records of literacy assessments and training activities constitute best practice and support demonstrable compliance.
Relationship to Other Articles
Article 4 sits within Title I (General Provisions) and functions as a horizontal enabler for the Regulation's more specific obligations. It is directly linked to Article 9 (risk management system for high-risk AI), which requires that persons responsible for AI risk management possess the necessary competence — a standard that presupposes baseline AI literacy. It reinforces Article 14 (human oversight), where meaningful oversight by natural persons depends on those persons understanding AI system outputs, limitations, and failure modes.
Article 4 also connects to Article 16(g), which requires providers of high-risk AI systems to take steps to ensure deployers can interpret and use the system appropriately, and to Article 26(2), which obliges deployers to assign human oversight to persons with the necessary competence. In the context of general-purpose AI models (Title VIII), Article 4 underpins the expectation that deployers building on GPAI model outputs understand the nature and limitations of those models. Reading Article 4 alongside Recital 20 clarifies the legislature's intent that AI literacy is a precondition for the effective exercise of all other obligations under the Regulation.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. The Regulation applies in phases:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
- 2 August 2025 — Article 4 became applicable, along with provisions on general-purpose AI models (Title VIII) and the obligations governing notified bodies and market surveillance authorities. Organisations should have had AI literacy measures in place by this date.
- 2 August 2026 — Obligations for high-risk AI systems listed in Annex I (safety-component systems in regulated products) apply.
- 2 August 2027 — Obligations for high-risk AI systems listed in Annex III (standalone high-risk systems) apply in full, including Articles 9–14 and 26, for which Article 4 literacy is a prerequisite.
Organisations that have not yet conducted a literacy gap assessment or implemented any training measures are already non-compliant with Article 4 as of August 2025 and should treat remediation as an immediate priority.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 4 applies to providers and deployers of AI systems. Both categories must take measures to ensure that their staff and other persons dealing with AI system operation and use on their behalf have a sufficient level of AI literacy, taking into account their technical knowledge, experience, education, and training context.
No. Article 4 does not mandate a specific certification or standardised programme. It requires providers and deployers to take reasonable measures proportionate to each person's role, existing competence, and the nature of the AI systems involved. The obligation is outcome-oriented: staff must attain a sufficient level of AI literacy.
Article 4 became applicable on 2 August 2025, twelve months after the Regulation entered into force on 1 August 2024. It is part of the second wave of provisions to apply, alongside the rules on general-purpose AI models.
Recital 20 of the Regulation clarifies that AI literacy encompasses skills, knowledge, and understanding that enable informed deployment and use of AI systems, including awareness of opportunities and risks, how to use AI tools critically, and how outputs should be interpreted and verified.
Yes. Article 4 makes no exception based on company size. However, the proportionality principle embedded in the article means that the depth and formality of literacy measures may be scaled to the size of the organisation, the roles involved, and the complexity of the AI systems deployed.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.