EU AI Act Article 4: a practical guide to AI literacy compliance

What Article 4 requires

Article 4 of Regulation (EU) 2024/1689, the EU AI Act, places a direct obligation on providers and deployers of AI systems to ensure, to their best extent, a sufficient level of AI literacy among their staff and any other persons dealing with the operation and use of AI systems on their behalf. The standard is proportionate: it must take into account the individuals' technical knowledge, experience, education and training, and the context in which the AI systems are used, including the persons or groups affected.

AI literacy is defined in Article 3(56) as the skills, knowledge, and understanding that allow providers, deployers, and affected persons to make an informed deployment of AI systems and to gain awareness about the opportunities and risks of AI and the possible harm it can cause.

Who is covered, and when

• Providers, that is, organizations developing AI systems or placing them on the EU market under their own name or trademark.
• Deployers, that is, organizations using AI systems under their authority in a professional context. This covers most businesses that use third-party AI tools.
• The obligation applies regardless of the risk classification of the AI system, and it has been in force since 2 February 2025.

For a deeper breakdown of the obligation itself, see our companion piece on AI literacy obligations under the EU AI Act.

What "sufficient" looks like in practice

The Act does not prescribe a single curriculum, but the European Commission's Q&A and the AI Office guidance converge on a few building blocks that an organization should be able to evidence:

• A baseline of AI literacy training covering what AI systems are, how they fail, and how to use them responsibly.
• Role-appropriate depth, with additional content for people who configure, monitor, or oversee AI systems, or who work with high-risk use cases.
• Coverage of risks specific to your context, including bias, hallucination, data protection, intellectual property, and human oversight obligations.
• Evidence of understanding, not just attendance. Typically an assessment with a defined pass threshold.
• Records showing who completed what, when, and at what level, retained long enough to satisfy auditors and supervisory authorities.

Documenting compliance: training, assessment, records

The three artefacts most organizations need are straightforward to describe and harder to keep consistent at scale:

1. A documented training programme with content, learning objectives, target audience, and version history.
2. An assessment with a transparent scoring rule and a pass threshold, so the same answers would always produce the same result.
3. Per-person records showing who took the assessment, when, what version of the content they were tested on, and the outcome, held in a way that resists silent edits.

For an auditor, the question is rarely "did you provide training?" and almost always "show me the records." If those records can be edited after the fact, they are weak evidence; if they cannot, the audit is short. Our deep-dive on training documentation for EU AI Act compliance walks through each artefact in more detail.

Why deterministic scoring and immutable records matter

QLANKR Certify is built so the evidence-side of Article 4 holds up under scrutiny:

• Deterministic scoring. Every assessment is scored server-side against a fixed answer key. The same answers always produce the same outcome, with no model-generated grading and no hidden randomness.
• Server-issued certificates. A certificate is only issued after a server-verified pass. Clients cannot insert certificate rows directly.
• Tamper-evident records. Training records and issued certificates are append-only. The public verification page proves a given certificate exists and was issued by us.
• Public verification. Auditors and counterparties can confirm a certificate against the issuer without going through the certificate holder.

A practical Article 4 checklist

• Identify which AI systems your organization provides or deploys.
• Map roles that interact with each system and the depth of literacy each role needs.
• Adopt or build training that covers fundamentals plus role-specific risks.
• Assess understanding with a defined pass threshold, not just attendance.
• Keep tamper-evident records, retained for the lifetime of the obligation.
• Review annually, or whenever the AI systems or their use changes materially.

Evidence and audit FAQ

The questions we hear most from compliance, HR, and legal teams working through Article 4 for the first time.

What does EU AI Act Article 4 require?

Article 4 requires providers and deployers of AI systems to ensure, to their best extent, a sufficient level of AI literacy among staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training, and the context the AI systems are to be used in.

Who must comply with Article 4?

Both providers (organizations that develop or place AI systems on the EU market) and deployers (organizations that use AI systems under their authority) are covered. The obligation applies regardless of the risk classification of the AI system.

When did Article 4 start applying?

Article 4 has applied since 2 February 2025, ahead of most other provisions of the EU AI Act.

How can an organization demonstrate AI literacy compliance?

By documenting role-appropriate training, assessing understanding with deterministic scoring, and retaining tamper-evident records of who completed what training and when. The records must be available for inspection by management, auditors, or supervisory authorities.

What evidence will an auditor ask for?

Typically: the training programme (content, version, target audience), the assessment instrument and its pass threshold, and per-person completion records linking a named individual to a dated outcome on a specific version of the content.

Is attendance enough, or do we need to test understanding?

Attendance alone is weak evidence. Article 4 talks about a sufficient level of literacy, which implies the organization can show people actually understood the material. A scored assessment with a defined pass threshold is the cleanest way to evidence understanding.

How long should we keep AI literacy training records?

There is no fixed retention period in Article 4 itself. Most organizations align retention with their broader compliance and HR record policies (commonly the duration of employment plus a defined post-employment window) so the records remain available across the lifetime of the obligation and any later inspection.

Do we need to retrain when AI tools change?

Yes, in practice. Article 4 is context-dependent: when the AI systems in use, the way they are used, or the risks they introduce change materially, the literacy baseline should be refreshed and re-evidenced for the affected roles.

Are publicly verifiable certificates required by Article 4?

No. Article 4 does not mandate any specific certificate format. Public verification is a way to make the underlying record harder to forge or repudiate, which strengthens the evidentiary value of the training record in an audit.