AI Literacy under the EU AI Act: mandatory and useful
Article 4 of the EU AI Act requires organisations to ensure that staff who work with AI have sufficient AI literacy. No mandatory certificate — but demonstrable effort is expected, and the practical upside is real.
What is AI literacy?
AI literacy is the combination of knowledge, skills, and understanding a person needs to use AI systems responsibly and effectively. It is not about programming or mathematics. It is about understanding what AI does, what it does not do, when you can trust its output, and when you should be sceptical.
A staff member with adequate AI literacy knows that a language model sometimes produces confident but incorrect information — what is often called a 'hallucination'. They know how to write a good prompt, which data they may and may not enter into a tool, and how to evaluate an AI system's output critically. That might sound like a high bar, but in practice it comes down to straightforward, applicable knowledge — comparable to how we expect employees to know how to use the internet safely.
The term has been around in research and education for a while, but it now has formal legal standing thanks to European legislation.
Why is AI literacy now mandatory?
On 2 February 2025, Article 4 of the EU AI Act came into force. That article requires both providers and deployers of AI systems to ensure that their staff — and, in the case of providers, their suppliers — have an adequate level of AI literacy.
The EU AI Act is an EU regulation and therefore applies directly as law in all member states. You do not need to be a large tech company to fall within scope. If you use an AI tool to draft quotes, summarise customer calls, or analyse figures, you are a deployer and the obligation applies to you.
What the law actually requires — and what it does not
The obligation in Article 4 is deliberately broadly worded. There is no mandatory certificate, no standard exam, and no minimum number of training hours set out in the law. What the legislator asks is that organisations take appropriate measures 'to the best of their ability' to promote AI literacy, taking into account the technical background of those involved, the type of AI being used, and the associated risks.
In practice this means: if a regulator comes knocking tomorrow, you need to be able to show you have done something. Think training sessions, internal guidelines, documented awareness workshops, or participation in an external programme. 'We did nothing' is no longer an acceptable position.
The broader picture: more than compliance
I notice that organisations treating AI literacy purely as a compliance exercise get the least out of it. The real value lies in a different conversation: staff who understand what AI does use it more smartly, ask better questions, and spot sooner when a result is off. That leads to better outcomes — regardless of what any regulator thinks.
What does this mean for SMEs?
As the owner or director of an SME, you might be thinking: surely this is for large corporates? That is a misconception I hear regularly. The EU AI Act makes no distinction based on company size for the AI literacy obligation. It does distinguish based on the risk classification of the AI system — but Article 4 sits outside those risk categories and applies broadly.
That said, the law asks for proportionate effort. A ten-person business using one AI writing assistant does not need to set up a full compliance department. What you do need is a considered approach: knowing which tools you use, who works with them, and making sure those people understand the basics.
The three most common risks from insufficient AI literacy
- Blind output acceptance: staff take AI output at face value without checking, leading to incorrect documents, flawed advice, or wrong decisions.
- Privacy breaches: sensitive customer or employee data is entered into a public AI tool without understanding what happens to it.
- Reputational damage: externally shared content — quotes, reports, emails — contains AI errors that your clients notice before you do.
The five components of AI literacy
In the training I run, I work with five components that together form a practical foundation. They are not academic — each one has direct application in day-to-day work.
1. Understanding what AI can — and cannot — do
AI language models are impressively good at generating text, summarising, rephrasing, and reasoning about language. They are less suited as a factual database, cannot 'think' the way humans do, and have no context unless you provide it explicitly. Understanding this lets you pick the right tool for the right task.
2. Recognising hallucinations and unreliability
A language model has no concept of truth — it produces the most probable continuation of text based on its training data. That sometimes leads to plausible-sounding but factually incorrect information. Recognising this risk, and systematically verifying critical output, is a core skill.
3. Privacy and GDPR
Which data may you enter into which system? What are the data-processing terms of the tools you use? Where is entered data stored, and what is it used for? These are questions every employee who works with AI needs to be able to answer — or at least know where to find the answer.
4. Prompting effectively
The quality of the output depends largely on the quality of the instruction. Good prompting skills are not complicated — give context, assign a role, specify the desired format, and iterate on the result. Mastering this consistently produces better results from the same tool.
5. Critically evaluating AI output
Probably the most important skill: the habit of treating AI output as a first draft, not a finished product. Is the reasoning sound? Are the sources verifiable? Does the tone fit your organisation? Is the information current? Asking these questions automatically means you work safely with AI — regardless of which tool is popular next month.
How to get started: five concrete steps
Below I describe the approach I recommend to SMEs that want to take AI literacy seriously. It is not a large project — most steps take an afternoon to a day at most.
Step 1 — Inventory which AI tools are already in use
Ask your team which tools they use, including personal tools used for work purposes. You will be surprised how many are already active. ChatGPT for drafting emails, Copilot in Word, an AI summary feature in your CRM. Create an overview and categorise: who uses what, for what purpose, and with what data?
Step 2 — Draft basic guidelines
Write a short AI-use policy: which tools are approved, which data may be entered, what must always be checked before publishing or sending. One page is enough to set the most important boundaries. This document is also your first demonstrable compliance step.
Step 3 — Run a hands-on awareness session
Not a presentation about 'the future of AI'. A session where people work with it themselves: seeing a hallucination live, comparing a bad prompt with a good one, thinking through a privacy scenario. Learning by doing sticks; learning by listening does not.
Step 4 — Document it
Record who was trained, when, and what the content covered. Not for an external audit — but so that in two years, when the organisation has grown and the tools have changed, you can identify who needs a refresher.
Step 5 — Repeat and update
AI literacy is not a one-time checkbox. Tools change quickly, applications expand, and new staff join. Plan at least one annual refresh and update your guidelines whenever you adopt new tools.
Common misconceptions
Finally, a few misconceptions I regularly encounter — so you can avoid them.
- "We don't use AI" — Almost certainly untrue. Microsoft 365 Copilot, AI features in your accounting software, automated chatbots on your website: AI is already embedded in many standard tools.
- "Only the IT department needs to understand this" — Article 4 specifically targets the people who work with AI, not just the people who install it. Sales, operations, HR — anyone using AI tools falls within scope.
- "There is a certificate you need to obtain" — That does not currently exist as a legal requirement. What counts is demonstrable effort towards adequate AI literacy, not a diploma.
- "This is too complicated for our team" — AI literacy at a working level requires no technical background. It requires common sense, critical thinking, and a few hours of targeted training.
- "We are waiting for more clarity on the law" — Article 4 is already in force. Waiting increases your risk; acting reduces it.
AI literacy as a foundation
Organisations that take AI literacy seriously are building something that outlasts any specific tool. Staff who understand how AI works, what it can do, and what it cannot do are equipped to evaluate and use any new tool effectively. That is a competence that retains its value — regardless of which model is released next quarter.
The law now gives you a reason to do something you should have been doing anyway: preparing your team for a world in which AI is here to stay. Start small, start concrete, and start now.
Key takeaways
- AI literacy is legally mandatory for organisations that deploy AI systems, under Article 4 of the EU AI Act (in force from 2 February 2025).
- There is no mandatory certificate — the law requires demonstrable effort: training, guidelines, documentation.
- The five core components are: understanding what AI can and cannot do, recognising hallucinations, privacy and GDPR, prompting effectively, and critically evaluating output.
- Practical steps: inventory your current AI use, draft basic guidelines, run a hands-on awareness session, and document it.
- AI literacy is not a one-off project but an ongoing competence — teams that master it consistently extract more value from every AI tool.
Want to build AI literacy practically within your team?
In the AI cohort you work alongside other SME professionals on real applications — including the critical skills the EU AI Act requires. Hands-on, in your own context, with immediate practical value.
View the AI cohort