EU AI Act Article 4 Explained: How to Build an AI Literacy Programme That Actually Satisfies AESIA

Most Spanish organisations know the EU AI Act is coming. Most have started thinking about high-risk AI systems, risk classification, and technical documentation. Very few have looked at the compliance obligation that has already been in force for over a year.

Article 4 of the EU AI Act has been legally binding since 2 February 2025.

It requires every provider and deployer of AI systems to ensure that their staff — and anyone else operating AI on their behalf — has a sufficient level of AI literacy proportionate to their role. Not "some awareness." Not "a one-hour webinar." A level of literacy appropriate to the specific AI systems they use, the risks those systems carry, and the decisions their outputs inform.

If your organisation uses AI tools — and in 2026, virtually every organisation does — this obligation applies to you today. Not from August. Not when the national AI law passes. Right now.

AESIA has confirmed it will assess AI literacy compliance as part of its broader EU AI Act supervisory activity from 2 August 2026. The European AI Office has noted that enforcement action is more likely where incidents can be attributed to inadequate training. Lack of a documented AI literacy programme will be treated as an aggravating factor in broader EU AI Act investigations — meaning it increases your exposure on every other compliance issue, not only Article 4 itself.

This guide explains exactly what Article 4 requires, what "sufficient" means in practice, who the obligation covers, what AESIA expects to see as evidence, and how to build a programme that genuinely satisfies the legal standard.

What Article 4 Actually Says

The full text of Article 4 of the EU AI Act reads:

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."

Every phrase matters:

"Shall take measures" — this is a binding obligation, not a recommendation. The word "shall" in EU regulatory language signals a legal requirement.

"To their best extent" — this is not a loophole. It is a proportionality clause. It means you must do what is reasonably achievable given your organisation's size and resources. It does not mean you can skip the obligation. A 10-person SME is held to a different standard than a 10,000-person bank — but both are held to a standard.

"A sufficient level" — not a fixed level. Not a minimum number of hours. A level that is appropriate to the individual's role, their existing knowledge, and the AI systems they interact with. Sufficiency is assessed per person in context.

"Staff and other persons" — the obligation is not limited to employees. It extends to contractors, service providers, and anyone else operating AI on the organisation's behalf.

"Taking into account their technical knowledge, experience, education and training" — the organisation must assess what each person already knows before designing training. An experienced data scientist working with AI systems does not need the same programme as a customer service representative using an AI-powered ticket routing tool.

"The context the AI systems are to be used in" — literacy must be calibrated to the specific AI system, not just AI in general. A person operating a credit scoring system needs literacy about credit risk, algorithmic bias, and financial regulation. That is different from what a person using a content generation tool needs.

"Considering the persons or groups of persons on whom the AI systems are to be used" — literacy must also account for the impact side. If your AI system affects vulnerable groups — elderly customers, job applicants, social benefit recipients — the people operating it need to understand that specific risk landscape.

The timeline:

• 2 February 2025 — Article 4 entered into application. The obligation is already in force.
• 2 August 2026 — AESIA and other national market surveillance authorities begin formal supervision and enforcement of Article 4.  

Who the Obligation Covers — The Scope Is Wider Than You Think

The most common misunderstanding about Article 4 is that it only applies to the people who technically operate AI systems — data scientists, engineers, developers. This is wrong.

The obligation extends to every person who deals with the operation and use of AI systems on the organisation's behalf. The European Commission has clarified this scope explicitly:

Employees in any function that uses AI tools — HR managers using CV screening software, finance staff using AI-powered analytics, customer service staff using AI chatbots, sales teams using AI-driven CRM tools. If they interact with an AI system in their work, the Article 4 obligation applies.

Contractors and service providers — a call centre contractor operating an AI-based call triaging tool on behalf of a Spanish telecommunications company must be trained on that tool under Article 4. The obligation does not stop at the organisation's legal boundary. If a person operates AI on the organisation's behalf, the deployer is responsible for ensuring their literacy.

Customers in some contexts — the Commission has noted that where customers operate AI systems on behalf of a provider or deployer (for example, in B2B software contexts where the customer configures and operates an AI tool provided by the vendor), the obligation may extend to ensuring those customers have appropriate literacy. This is particularly relevant for SaaS providers whose customers use AI features in high-risk contexts.

Senior management and board members — while not technically "operating" AI systems, the Commission's guidance and AESIA's approach to AI governance make clear that meaningful AI literacy at leadership level is expected. Leaders who cannot demonstrate any understanding of how AI systems work, what risks they carry, or what the EU AI Act requires of their organisation are unlikely to satisfy AESIA's assessment of governance maturity.

The practical implication for Spanish organisations: before designing your AI literacy programme, conduct an AI tool inventory — identifying every AI system in use across every function — and then map every person who interacts with it. That population is the scope of your Article 4 obligation.

What "Sufficient" AI Literacy Means

The EU AI Act does not define a minimum curriculum, a minimum number of training hours, or a required certification format. The Commission has confirmed: there is no one-size-fits-all standard. Sufficiency is assessed in relation to the individual's role, their existing knowledge, and the AI systems they interact with.

This flexibility is intentional — but it does not mean the standard is vague. Regulatory guidance and emerging enforcement patterns make clear what "sufficient" looks like in practice.

Sufficient AI literacy for a given individual means they can:

• Understand what the specific AI system they use does and how it produces outputs
• Recognise the system's capabilities and, critically, its limitations
• Interpret the system's outputs correctly without over-relying on them
• Identify when the system may be producing unreliable or problematic results
• Know when to escalate concerns or refer to a human decision-maker
• Understand the basic regulatory context — what the EU AI Act requires of their role
• Understand the ethical risks relevant to their specific use case (bias, discrimination, privacy)

Sufficient literacy is NOT:

• Knowing that AI exists and is changing the world
• Being able to describe what machine learning is in general terms
• Having watched a one-hour introductory video about AI
• Having clicked through a generic online awareness module
• Having received a one-page briefing on the EU AI Act

The Commission has been explicit: generic "introduction to AI" content that does not address the organisation's specific AI use cases is unlikely to satisfy the "sufficient" standard for individuals with operational AI responsibilities. The standard requires content that is specific, role-relevant, and addresses the actual systems the person works with.

As Travers Smith, the leading law firm, noted in their Article 4 analysis: "A lack of AI staff training will likely be seen by regulators as an aggravating factor in wider enforcement for other breaches of the EU AI Act — this is probably more likely than standalone enforcement of the AI literacy requirement." In other words, inadequate training increases your exposure across your entire EU AI Act compliance position.

What Generic AI Training Cannot Satisfy 

This section deserves specific attention because many Spanish organisations have already run some form of AI awareness training and believe this satisfies Article 4. For most, it does not — at least not for the majority of their staff.

A generic AI awareness session covers: what AI is, how large language models work in general terms, some examples of AI in industry, perhaps a brief mention of the EU AI Act.

What Article 4 requires that a generic session does not provide:

• Knowledge of the specific AI systems the individual uses in their role
• Understanding of the specific risks those systems carry in the specific deployment context
• Ability to identify when those specific systems are producing unreliable outputs
• Awareness of the specific regulatory obligations that apply to their role
• Knowledge of the organisation's own internal AI governance procedures, escalation paths, and incident reporting mechanisms

Consider the contrast. A compliance officer at a Spanish insurance company has attended a two-hour "AI and the Future of Work" workshop. They now know what neural networks are and that AI raises ethical questions. But they do not know:

• That the insurer's AI pricing model is a high-risk system under the EU AI Act
• That their role includes human oversight responsibilities under Article 14
• That they are required to be able to override the AI's pricing recommendation
• What a Fundamental Rights Impact Assessment is or whether one has been completed
• What to do if they suspect the pricing model is producing discriminatory outputs

This person has received AI awareness training. They have not received Article 4-compliant AI literacy for their role.

The Three-Tier Training Model

The most practical approach to Article 4 compliance is a role-based, tiered training architecture that provides appropriate literacy to different groups without over-training low-risk users or under-training high-risk operators.

Tier 1 — Foundation AI Literacy (All Staff Using Any AI Tool)

Who: Every employee, contractor, or service provider who uses any AI-powered tool in their work — including productivity tools, chatbots, AI-assisted search, or any software with AI features.

What they need to know:

• What AI systems are and how they differ from traditional software
• That AI outputs can be incorrect, biased, or unreliable and why
• The basic EU AI Act regulatory framework at a headline level
• Your organisation's AI acceptable use policy
• How to recognise when an AI tool may be producing problematic results
• How to report AI-related concerns through your organisation's internal channel

Format: 2–4 hours of structured training, delivered online or in person. Must include a knowledge check — not merely attendance. Completed by all relevant persons within a defined timeframe, with completion records held.

For Spanish organisations: This tier is your broadest and most urgent obligation. Every person in scope must complete it — and if you have not started, you are already over a year into non-compliance with Article 4.

Tier 2 — Operational AI Literacy (Staff With Active AI Responsibilities)

Who: Staff who use AI systems that inform significant decisions, manage AI system configurations, work with AI outputs in client-facing contexts, or have procurement responsibility for AI tools.

What they need to know:

• Everything in Tier 1
• The specific AI systems they use: how they work, what data they use, what decisions they inform
• The risk classification of those systems under the EU AI Act
• The specific limitations and known failure modes of those systems
• Your organisation's governance procedures for those specific systems — escalation paths, override authority, logging requirements
• The specific ethical risks of their use case (e.g., for HR AI: algorithmic bias in hiring; for credit AI: fair lending obligations)
• What the EU AI Act requires of deployers using their specific system type

Format: 4–8 hours, role-specific. Delivered separately to different functional groups (HR, finance, legal, operations) with content tailored to their specific AI tools and contexts. Must include practical exercises and a knowledge check.

Tier 3 — Full AI Compliance Competency (AI Oversight Personnel)

Who: Individuals designated as responsible for human oversight of high-risk AI systems (Article 14), AI compliance leads, DPOs with AI governance responsibilities, senior managers with AI governance accountability, and any professional providing AI compliance advice or services.

What they need to know:

• Everything in Tiers 1 and 2
• Full EU AI Act framework: risk classification, Articles 9–15 obligations, Article 26 deployer requirements, Article 27 FRIA, Article 4 obligations
• ISO 42001 alignment and the AI management system framework
• AESIA's structure, powers, guidance, and enforcement approach
• How to conduct or supervise a risk management assessment
• How to produce or review Annex IV technical documentation
• How to conduct a Fundamental Rights Impact Assessment
• How to implement and document human oversight mechanisms
• Incident identification, escalation, and reporting procedures

Format: Structured professional training — typically 10–20 hours — with formal assessment and a verified credential. This is the tier where the Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute directly applies. The certification's 15 hours of expert-led content across 7 modules, combined with its formal assessment and verified digital certificate, provides the documented, assessed evidence of competency that Article 14 and Article 26 require for oversight personnel.

What Your AI Literacy Programme Must Cover

Across all tiers, your AI literacy programme must address five areas that regulators — including AESIA — will assess:

1. AI system capabilities and limitations Staff must understand what the specific AI systems they interact with can and cannot do. Not AI in general — the specific tools in their workflow. A credit analyst using an AI scoring model needs to understand that the model is trained on historical data, that it can perpetuate historical biases, and that its confidence scores are not certainties.

2. Risks specific to the deployment context Generic AI risk awareness is not sufficient. The risk landscape for an AI system used in employment decisions is materially different from the risk landscape for one used in inventory forecasting. Training must address the specific risks of the specific deployment, including the populations affected and the fundamental rights at stake.

3. How to critically evaluate AI outputs The EU AI Office has specifically highlighted "automation bias" — the tendency to over-rely on AI outputs without appropriate critical review — as a key literacy issue. Training must actively develop the ability to question, verify, and when necessary disregard AI recommendations. This is directly linked to the human oversight requirement of Article 14.

4. Regulatory context and organisational obligations Staff need to understand, at a level appropriate to their role, what the EU AI Act requires of your organisation and of them specifically. This includes knowing when they are operating a high-risk system, what their oversight responsibilities are, and what your internal governance procedures require.

5. Escalation, incident reporting, and ethics Every person with AI responsibilities should know how to flag a concern, what constitutes a serious incident under Article 73, how your organisation's escalation process works, and what ethical principles (fairness, non-discrimination, transparency) are relevant to their AI use context.

How to Build the Programme: A Practical Five-Step Process

Step 1: Conduct an AI System and People Inventory

Before you can design training, you need to know what AI systems your organisation uses and who uses them. This means:

• Listing every AI-powered tool in use across every function — including third-party SaaS tools with AI features, internal AI models, and AI tools employees use on their own initiative (shadow AI)
• For each tool, identifying who uses it, how often, and in what context
• Mapping each tool to its EU AI Act risk classification
• Identifying which staff are operating high-risk systems that require Tier 3 literacy

This inventory is also the foundation of your broader EU AI Act compliance programme, so the effort is multiplied across multiple compliance workstreams.

Step 2: Conduct a Needs Assessment

For each group of staff identified in the inventory, assess their current AI literacy level. The Commission has confirmed that organisations should take into account the technical knowledge, experience, education and training employees already have. You are not required to provide training that teaches people what they already know.

In practice, this means a short baseline assessment for each tier group, identifying gaps between current knowledge and what Article 4 requires for their role. Document the methodology and findings — this is the first piece of documentation AESIA may request.

Step 3: Design Role-Specific Training Content

Based on the needs assessment, design training content for each tier that addresses the identified gaps. The content must be:

• Specific to your organisation's AI systems and deployment contexts — not generic
• Proportionate to the risk level of the systems the group interacts with
• Practical — including exercises, scenarios, and decision-making practice, not just information transfer
• Assessable — including a knowledge check or practical exercise that produces evidence of comprehension, not just attendance

For Tier 3 (AI oversight personnel), consider structured professional training or certification programmes rather than internal content alone. The depth, rigour, and verifiability of an accredited external programme provides stronger evidence of the "necessary competence, training and authority" that Articles 14 and 26 require.

Step 4: Deliver Training and Build Evidence Records

Deliver the programme according to your training calendar, maintaining the following records for each participant:

• Name and role
• AI systems they work with (and the risk classification of those systems)
• Training content received (curriculum summary or link to materials)
• Date of completion
• Assessment result (pass/score, not just attendance)
• Any follow-up action required

These records are the audit artefacts that AESIA will request when examining Article 4 compliance. Keep them in your compliance documentation system alongside your AI system inventory and risk management records.

Step 5: Establish Refresh Triggers and a Review Cycle

Article 4 is a continuous obligation — not a one-time training event. Your programme must be refreshed when:

• New AI systems are introduced or existing ones significantly updated
• Staff move into new roles involving different AI systems
• New regulatory guidance on Article 4 implementation is issued
• An incident occurs that reveals a gap in staff AI literacy
• An annual review of the programme identifies areas for improvement

Establish a documented review cycle — at minimum annual — and a trigger-based update process for significant system changes. Document all reviews and updates in your compliance log.

What AESIA Expects to See as Evidence

When AESIA supervises Article 4 compliance from 2 August 2026, it will assess whether your organisation has taken genuine, proportionate measures to ensure sufficient AI literacy. Based on AESIA's published guidance and the EU Commission's AI literacy FAQ, investigators will typically seek:

The Commission has confirmed that a formal certificate is not required — organisations can maintain internal records. However, for Tier 3 personnel (high-risk AI oversight staff), an externally verified credential from a structured training programme provides significantly stronger evidence than internal records alone, particularly when AESIA is assessing whether those individuals have the "necessary competence and training" required by Article 14.

For a full guide to what AESIA examines when it investigates an organisation's compliance, see: What to Expect From an EU AI Act Audit.

The Relationship Between Article 4 and Other EU AI Act Obligations

Article 4 does not stand alone. It is the foundational obligation that enables every other EU AI Act compliance requirement to be met in practice.

Article 14 (Human Oversight) requires that persons assigned to oversee high-risk AI systems have the necessary competence and training. This is impossible without a genuine AI literacy foundation. An individual who cannot critically evaluate AI outputs, recognise unreliable results, or understand the system's limitations cannot effectively exercise human oversight. Article 4 is the baseline; Article 14 is the higher standard required for oversight personnel.

Article 26 (Deployer Obligations) requires deployers to ensure that persons assigned to human oversight of high-risk systems are properly trained. Article 26 and Article 14 together create the qualification requirement for oversight staff. Article 4 creates the baseline literacy requirement for everyone else.

Article 50 (Transparency) requires that users are informed when they are interacting with an AI system. Staff who lack AI literacy cannot reliably implement this transparency obligation — they may not recognise when they are using an AI system or understand what disclosure is required.

Article 27 (FRIA) requires deployers of high-risk systems to assess impacts on fundamental rights. A meaningful FRIA requires the compliance team to have genuine literacy about how the AI system works, what risks it carries, and what rights it affects. See our dedicated FRIA guide.

The strategic insight: organisations that treat Article 4 as a compliance checkbox to be completed and forgotten are doing so twice — once when they tick the box, and once when they discover they cannot meet the substantive requirements of Articles 14, 26, and 27 because their staff lack the literacy foundation those obligations require.

The workforce that completes your Article 4 programme is the same workforce that will operate high-risk AI systems under Article 26, exercise human oversight under Article 14, and implement transparency obligations under Article 50. Investment in genuine AI literacy now compounds across your entire EU AI Act compliance position.

Article 4 and the Digital Omnibus: Do You Need to Wait?

On 7 May 2026, the EU Council and European Parliament reached a provisional agreement on the Digital Omnibus, which among other things proposed to shift Article 4's primary obligation from individual organisations to Member States and the European Commission — making AI literacy promotion a state-level responsibility rather than a direct organisational legal requirement.

Should you wait to see if this passes before investing in your AI literacy programme?

No. Three clear reasons:

First, the Digital Omnibus is a provisional political agreement. It has not been formally adopted into law. Until it is, the current Article 4 obligation applies in full — and has done since February 2025.

Second, even if the Omnibus version of Article 4 is enacted exactly as proposed, the higher-bar requirements of Articles 14 and 26 — requiring that persons responsible for high-risk AI oversight have the necessary competence and training — remain entirely unchanged. Your Tier 3 training obligation survives any Article 4 amendment.

Third, documented AI literacy remains an aggravating or mitigating factor in AESIA investigations regardless of Article 4's precise formulation. An organisation that can demonstrate genuine, systematic AI training investment will be treated differently from one that cannot — and that difference matters for every EU AI Act obligation, not just Article 4.

Build your programme now. Monitor the Digital Omnibus for any changes that affect your approach. Adjust if necessary. But do not use a proposed amendment as a defence for current inaction.

For context on the Digital Omnibus and its implications for your broader EU AI Act compliance timeline, see our complete compliance guide.

Build Your AI Literacy Programme Before August

Article 4 has been in force since February 2025. AESIA begins formal enforcement in August 2026. Every month without a documented, role-specific AI literacy programme is another month of compliance deficit — one that will be visible to AESIA when it examines your broader EU AI Act governance.

The Compliance with the EU AI Act and Ethics in AI certification from the Spanish Compliance Institute is structured to meet Article 4's requirements for your compliance, legal, HR, and management teams — the people who need Tier 3 literacy and whose credentials AESIA will examine first:

• 15 hours of expert-led training across 7 modules — covering EU AI Act obligations, AESIA's regulatory framework, risk classification, FRIA, human oversight, ISO 42001, and Spanish legal context
• Formal assessment with mock and final exams — producing verifiable evidence of comprehension
• Verified digital certificate — externally validated proof of competency for oversight personnel
• Spain-specific content — AESIA, AEPD, Spanish draft national AI law, sector examples
• Annex IV templates and FRIA workshop — practical compliance tools included

Continue Reading: Related Guides in This Series

• Ethical AI and EU AI Act Compliance: The Professional's Complete Guide for Spain
• AESIA: Spain's AI Regulator Explained — What It Means for Your Business
• EU AI Act Certification: Why It Is Becoming Non-Negotiable for Compliance Professionals
• How to Write a Fundamental Rights Impact Assessment (FRIA) Under the EU AI Act
• What to Expect From an EU AI Act Audit: A Step-by-Step Walkthrough for Spanish Organisations