Privacy & Information Security Law Blog

On May 7, 2025, the European Commission published a Q&A addressing AI literacy obligations under the EU AI Act. The Q&A provides further detail on Article 4 of the EU AI Act, clarifying the measures that entities in scope are required to employ to ensure AI literacy.

Key Takeaways

The European Commission sets out the steps and objectives that should be achieved by an entity when developing and implementing an AI literacy compliance program, including to:

• Ensure a general understanding of AI within the entity covering the following topics: What is AI? How does it work? What AI is used in the entity? What are its opportunities and dangers?
• Consider the role of the entity in scope (e.g., provider or deployer of the AI systems).
• Consider the risk of the AI systems provided or deployed, including the following questions: what do staff need to know when dealing with such AI systems? What are the risks they need to be aware of and do they need to be aware of mitigation?
• Concretely build the AI literacy compliance program taking into account the analysis of the points above and: (1) the differences in technical knowledge, experience, education and training of the staff and other persons; and (2) the context in which the AI systems are to be used in and the persons on whom the AI systems are to be used.

With regards training, the European Commission notes that frequent and specific training will need to be part of AI literacy compliance programs; simply referring staff members to instructions that accompany AI systems will generally not be considered sufficient. The content of trainings will not be fixed, may vary based on the experience of the staff, and will have to be evaluated on a case-by-case basis. Trainings should also cover the risks that may emerge from the use of common generative AI systems when such systems are used (e.g., hallucination). If staff members from third-parties engage with the AI systems, training may be provided directly by the entity in scope and/or training requirements may be, for example, established in contracts with such third-parties.

The European Commission confirms that entities in scope should record and document the measures implemented to comply with Article 4 of the AI Act. However, external certification is not required.

Timing

Article 4 of the AI Act entered into application on February 2, 2025. Hence, the obligations relating to AI literacy already apply to in-scope entities.

However, in the Q&A, the European Commission clarifies that supervision and enforcement rules will only apply from August 3, 2026 onwards. Penalties for non-compliance with AI literacy obligations will be based on the national laws to be adopted by EU Member States by August 2, 2025. Private enforcement is already possible where an individual suffers harm and considers that this is due to an entity in scope not complying with the obligations deriving from Article 4 of the AI Act.

Read the European Commission’s AI Literacy Q&A.