DE | EN

AI Literacy Is Mandatory

AI literacy is mandatory

Since 2 February 2025, Article 4 of the EU AI Act has applied. It obliges companies that use or provide AI systems to ensure sufficient AI literacy among their employees. This obligation applies regardless of the risk class of the AI system. Whoever uses ChatGPT for marketing texts is just as affected as a company with high-risk AI in HR.

What AI literacy means

The regulation defines AI literacy as the skills, knowledge and understanding to use AI systems competently and to be aware of the opportunities and risks. That sounds abstract, but concretely it means: whoever works with AI has to understand what they are doing. Not at the level of a data scientist, but appropriate to their own role and the system used.

A clerk who occasionally uses an AI assistant for text suggestions needs different knowledge than a team lead who is responsible for AI-based analyses for personnel decisions. The regulation takes this into account explicitly: prior technical knowledge, experience, training and the specific context of use determine which level of competence is appropriate.

Who is affected

The obligation applies to providers and deployers of AI systems. Providers develop AI or place it on the market under their own name. Deployers use AI systems under their own responsibility for professional purposes. For most small and medium-sized enterprises this means: they are deployers. Every company that deliberately uses AI tools or tolerates their use by employees falls into this category.

The scope is therefore broad. Microsoft Copilot in the Office suite, an AI-based CRM system, automated chatbots on the website or simply ChatGPT on the work computer: wherever AI systems are used professionally, Article 4 applies. The size of the company plays no role.

No rigid requirements

The regulation prescribes neither a particular training format nor specific content. That is intentional. A standardised mandatory programme would not do justice to the variety of use scenarios. Instead, the responsibility lies with the company to develop a suitable concept.

In its guidance paper, the German Federal Network Agency (Bundesnetzagentur) recommends an interdisciplinary and tiered approach. Interdisciplinary means: technical, legal and ethical aspects belong together. Tiered means: competence grows with the requirements of the respective role. A modular concept that combines foundational knowledge for everyone with in-depth modules for certain functions meets these requirements.

Possible formats range from self-learning programmes through workshops to structured training courses. External training is just as permissible as internal measures. What is decisive is not the format, but the result: employees must be able to use AI systems responsibly and assess risks.

No direct fines, but liability risks

A violation of Article 4 is not directly subject to fines. That distinguishes this provision from other parts of the regulation, which provide for substantial penalties. Nevertheless, it would be a mistake to take the obligation lightly.

If damage arises from faulty AI use, the question becomes relevant whether the company took appropriate precautions. Missing training or a non-existent competence concept can be deemed a breach of the duty of care. The liability then falls on the company, not the individual employee. Documented AI literacy measures are therefore also a protection against civil claims.

Prerequisite: knowing which AI is in use

Before training measures can be sensibly planned, clarity about the status quo is needed. Which AI systems are used in the company? By whom? For which purposes? These questions are answered by a systematic recording process that also includes shadow AI.

Without this basis, competence measures remain arbitrary. A complete AI register shows not only which systems exist, but also who uses them and in which context. From that, it can be derived which employee groups have which training needs. The DISCOVER phase of the NADOVO framework delivers exactly this transparency.

Practical implementation for SMEs

Three pillars carry a functioning AI literacy concept: first, training tailored to roles and areas of use. Second, clear responsibilities, ideally a named contact for AI questions. Third, documented guidelines for AI use in the company.

The effort has to fit the size of the company. A five-person team does not need a multi-stage certification programme. A documented onboarding, clear rules of use and the possibility to ask questions can be enough. What matters is traceability: which measures were taken, who was trained when, which systems are recorded.

The obligation for AI literacy is not a bureaucratic hurdle. It is an investment in the safe and productive handling of technology that has long arrived in everyday work. Companies that recognise this early benefit twice: they meet the regulatory requirements and at the same time create the basis for real value from AI.


About the author

Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.

Further reading:

© 2026 Jochen Stier / contoro.solutions