Lyron
Team talking around a table with a tablet – a symbol of AI training and AI literacy in a company
Guide · EU AI Act

EU AI Act Article 4: The AI Literacy Obligation for SMEs from August 2026

· 12 min read

The AI literacy obligation in the EU AI Act applies to every company that uses AI – including small ones. It has been in force since February 2025, but from 2 August 2026 it becomes enforceable in Germany. The good news: you don't need an AI officer or a certificate. The bad news: most mid-sized companies don't have a single record on file yet. This guide explains what is actually required – and a pragmatic four-step roadmap.

What it is: the AI literacy obligation in one paragraph

Article 4 of the EU AI Act requires providers and deployers of AI systems to ensure a sufficient level of "AI literacy" among their staff and the people acting on their behalf. In plain terms: anyone in the company working with AI needs to understand what the tool can do, where its limits are and what risks it carries. This obligation has applied since 2 February 2025 – regardless of company size. There is no "only from X employees" threshold.

2 August 2026: what actually happens

An important clarification, because it's often reported wrong: on 2 August 2026, no new training deadline "comes into force". The literacy obligation itself has been running since February 2025. What changes is enforcement: from that date, national market surveillance begins. From then on, companies must be able to show that they have prepared their staff to use AI on a "best efforts" basis – that is, with reasonable effort.

2 August 2026 is in any case the day the most comprehensive part of the AI Act becomes applicable – including the obligations for high-risk AI systems (Annex III) and active enforcement of the rules for general-purpose AI models (GPAI) by the EU AI Office.

In Germany: With the AI Market Surveillance and Innovation Promotion Act (KI-MIG), the Bundesnetzagentur becomes the central coordinating body for AI supervision. The Bundestag passed the law on 11 June 2026. For SMEs this means there will be a clearly responsible authority – and therefore an addressee for records.

Who the obligation applies to

Article 4 addresses providers (those who develop AI systems or offer them under their own name) and deployers (those who use AI under their own responsibility). The second case applies to practically every company: as soon as someone on the team uses ChatGPT for text, an AI feature in the CRM, or an AI agent, the firm is a "deployer". Even the three-person business. There is no employee threshold and no exemption for "small" companies.


What "AI literacy" means – and what the EU does not require

This is where most of the unnecessary panic comes from. The EU AI Office has explicitly clarified what Article 4 does not require:

  • No certification requirement – you don't need an official AI certificate for your team.
  • No mandatory knowledge test – no one has to pass an exam.
  • No dedicated "AI officer" role – unlike the data protection officer, the law does not prescribe a named position.

Instead, a best-efforts standard applies: you must make a reasonable effort to ensure the people who use AI have the understanding they need – appropriate to their role, their technical background and the context in which the AI is used. "Sufficient" is relative: an employee using ChatGPT for internal notes needs less depth than someone running an AI system for applicant screening.


The reality in mid-sized companies

How far along are companies? The Bitkom AI study 2026 paints a sobering picture on training:

AI training in the company Share of companies
Training for all employees 8%
Training for a large part 21%
Training for selected staff 25%
No training offering at all 43%

And fittingly: according to the same study, a lack of employee competence ranks first among the barriers to AI adoption, at 53%. In other words: the biggest obstacle to AI is exactly what Article 4 addresses. The obligation is therefore not bureaucracy for its own sake – it forces something that is, in any case, the single most important lever for successful AI projects.


Your 4-step roadmap to being able to prove it

Best efforts means: you don't have to be perfect, but you do have to act – and be able to document it. These four steps put a law firm, an agency or a trades business on equally defensible ground.

Step 1: Build an AI inventory – including shadow AI

You can only train on what you know about. List every AI system actually used in the company: ChatGPT, Microsoft Copilot, AI features in your CRM or accounting tool, an in-house chatbot, AI agents in n8n. The crucial part is shadow AI – the tools employees use without approval. That's where the biggest risk sits, because nobody knows what data ends up there. An honest inventory is the foundation for everything else.

Step 2: Define roles and competence levels

Not everyone needs the same knowledge. A simple tiering works well: basic knowledge for everyone who uses AI occasionally (what may go in, what must not, how do I spot hallucinations?), deeper knowledge for power users and process owners, and strategic responsibility for leadership, who decide on use and approvals. That's how the effort becomes "appropriate" – instead of sending everyone through the same training.

Step 3: Roll out training and document it

The record is the core of the obligation. Training without documentation doesn't exist as far as the authority is concerned. Capture: who was trained, when, on what content? It can be an onboarding module, a web seminar or an internal workshop – what matters is the participant list with date and topic. Tip: route new hires into the basic training automatically via onboarding, so no record is missing.

Step 4: Governance – a responsible person, an AI policy and a review

Even though no "AI officer" is required: name a responsible person to coordinate the topic. Write a short, readable AI policy (which tools are approved, which data must never go into public AI, how outputs are handled). And set a yearly review – tools and risks change fast. For more context, see our EU AI Act overview for SMEs.

Documentation checklist for your file

  • check AI inventory (incl. shadow AI), dated and kept up to date
  • check Role and competence-level concept
  • check Training records: who, when, which content
  • check Written AI policy, communicated to everyone
  • check Named responsible person + a yearly review date

Penalties: what's at stake – and what's still open

Here, honesty matters more than drama. The AI Act does not explicitly list Article 4 in its penalty catalogue (Article 99). For breaches of deployer obligations, the general framework provides for fines of up to EUR 15 million or 3% of worldwide annual turnover – exactly how breaches of the literacy obligation will be sanctioned in Germany is only being worked out via the KI-MIG.

The real risk for SMEs is therefore rarely the maximum fine. It's the burden of proof when something goes wrong: if an AI use goes sideways (a wrong answer, a data incident, discrimination in applicant screening) and the question comes up – "Did you even train your people?" – you want to be able to present a file with records, not a shrug.


Important context: the Digital Omnibus

You may have read that the obligation is "being scrapped again". That's an oversimplification. On 19 November 2025, the European Commission proposed, in the Digital Omnibus on AI, to soften Article 4: providers and deployers should have to promote the development of AI literacy rather than guarantee a specific level. So the obligation would be modified, not deleted.

And crucially: as of mid-2026 this is a proposal still going through the legislative process – not applicable law. Relying on it would be risky. On top of that, even the softened version requires you to actively promote AI literacy. The four steps above satisfy both variants. Whoever acts now is on the safe side either way – and gains the most important success factor for AI projects along the way.


How Lyron helps

We treat AI literacy not as a compliance chore but as part of clean automation. Concretely, we help SMEs with three things: setting up an honest AI inventory (including the shadow AI), writing a lean AI policy your team will actually read, and embedding training records into existing onboarding workflows so the documentation doesn't fail in day-to-day operations. If you want to use AI productively anyway, the 90-day plan from pilot to agent has the right method.

Make AI literacy provable – without bureaucracy overkill


FAQ

What is the AI literacy obligation (Article 4 EU AI Act)?

Article 4 of the EU AI Act requires providers and deployers of AI systems to ensure a sufficient level of AI literacy among their staff. The obligation has applied since 2 February 2025 and is independent of company size – there is no employee threshold.

What happens on 2 August 2026?

From 2 August 2026, national market surveillance begins in Germany. From that point, companies must be able to demonstrate that they have prepared their staff to use AI on a best-efforts basis. The literacy obligation itself has applied since February 2025.

Does my company need an AI officer or a certificate?

No. The EU AI Office has clarified that Article 4 requires no certification, no mandatory knowledge test and no dedicated "AI officer" role. A best-efforts standard applies: appropriate, documented measures are enough.


Note: this article is for information and does not constitute legal advice. The provisions mentioned (in particular Article 4 and Article 99 of Regulation (EU) 2024/1689, the KI-MIG and the Digital Omnibus proposal) are summarised and reflect the status as of 22 June 2026. For a binding assessment in a specific case, please seek qualified legal advice.

About Lyron: Lyron is an automation and AI consultancy based near Düsseldorf/Neuss. We help small and mid-sized companies use AI and automation productively, documented and GDPR-compliant.