If you've been told the EU AI Act got delayed, you were told a half-truth—and the half that's still live lands on the desk of every company whose employees use AI. The deadline most organizations think got pushed to 2027 did not move. The obligation to train your workforce on AI is already law, and formal enforcement begins this summer.
This is the part of AI regulation that hits learning and development squarely, because the remedy is training. Here's the obligation, the timeline, the exposure, and what a defensible program actually looks like.
Article 4: The Obligation Is Already In Force
Article 4 of the EU AI Act requires that providers and deployers of AI systems "take measures to ensure, to their best extent, a sufficient level of AI literacy" of their staff and any other persons operating AI systems on their behalf. It entered into application on 2 February 2025. It is not a recommendation or a best practice. It is a binding obligation, and it has been active for over a year.
The literacy duty is the single broadest obligation in the entire regulation. It applies regardless of risk tier—high-risk, limited-risk, or minimal-risk, it makes no difference—and it reaches beyond employees to contractors, service providers, and others working under your organizational remit. If a person touches an AI system on your behalf, their literacy is your responsibility to ensure and to evidence.
Who's In Scope: Almost Certainly You
The Act splits the world into "providers" (those who build or substantially modify AI systems) and "deployers" (those who use them in a professional capacity). The catch is how low the bar for "deployer" sits: an organization becomes a deployer the moment a staff member opens ChatGPT, Copilot, Gemini, or Claude—or any embedded AI feature inside a SaaS tool—to do their job.
Two facts make this unavoidable for most enterprises:
- The reach is extraterritorial. Like the GDPR before it, the AI Act follows your footprint, not your headquarters. A U.S. company with employees, operations, or customers in the EU is in scope.
- Shadow AI is already everywhere. Most organizations cannot name the AI tools their staff use, because employees adopt them independently. Every one of those tools—sanctioned or not—creates a literacy obligation you're presumed to be meeting.
In practice, if anyone connected to your work uses AI to produce output, plan for Article 4 as if it applies—because it almost certainly does.
The Timeline—and the "Omnibus" Confusion
Here's where so many companies have miscalculated. In spring 2026, the EU's "Digital Omnibus" simplification package deferred the heavy high-risk obligations—but it left the literacy duty untouched.
- 2 February 2025 — Article 4 entered into application. The obligation is live now.
- 2 August 2026 — national market surveillance authorities gain formal powers to supervise and enforce Article 4. This date did not move.
- 2 December 2027 — the deferred deadline for most high-risk (Annex III) obligations. This is the date that got pushed, and it's the one driving the "we have more time" headlines.
So the organizations relaxing because "the Act got delayed" have it backwards: the deadline that's closest, and the one most likely to apply to them, is the literacy deadline that was never deferred. The work you do for Article 4—your AI inventory, role mapping, and training records—is also the foundation for the high-risk documentation that arrives eighteen months later. Starting now solves two deadlines, not one.
What Non-Compliance Actually Costs
This is where responsible reporting matters, because the scaremongering is thick. The honest picture:
The AI Act does not attach a single bespoke fine to Article 4. Instead, enforcement runs through national market surveillance authorities beginning August 2026, and individual EU Member States set their own penalties—which means exposure will vary by country. The Article 99 penalty tier referenced for this category reaches up to €7.5 million or 1% of global annual turnover, whichever is higher.
The more probable real-world risk isn't a standalone literacy fine. It's that a gap in AI training becomes an aggravating factor in any broader investigation—and a source of civil liability if untrained staff cause harm. Regulators will look at whether you took reasonable measures and whether you can prove it. "We meant to" is not a defense; a documented program is.
This article is general information, not legal advice. Confirm your specific obligations with qualified counsel.
What "Sufficient" Literacy Means
The Act deliberately avoids prescribing hours, formats, or certifications. "Sufficient" is proportionate—calibrated to a person's role, the context the AI is used in, and the system's risk. A receptionist who occasionally uses a chatbot needs something very different from a data scientist tuning a scoring model.
The European Commission's AI Literacy Q&A sets a workable minimum. To comply, providers and deployers should at least:
- Establish general AI understanding across the organization—what AI is, how it works, which systems are in use, and their opportunities and risks.
- Account for your role—whether you build AI systems or merely deploy ones built by others.
- Calibrate to the risk of the specific systems in use—what your people need to know to operate them safely.
There's no obligation to test employees, and no required governance officer. But there is a clear expectation that you document what training was delivered, to whom, and when. The Commission even maintains a living repository of literacy practices from organizations of every size to model against.
The pattern early movers have settled on is consistent and sensible: a baseline module for all staff who touch any AI tool, deeper role-specific modules for technical staff who build or operate systems, and a named-overseer module for the people designated to provide human oversight of higher-risk systems.
The Real Deliverable Is Evidence, Not Attendance
Here's the trap that wastes training budgets: treating AI literacy as a one-time video everyone "watched." If you can't produce a per-person record when a regulator asks, the training effectively didn't happen for compliance purposes.
A defensible program generates an audit-ready trail for every learner—who completed what, in which role, on what date, against which module version, with what result. That record is your audit-defense document. It's also the thing most legacy training tools handle worst: they prove a video played, not that a person can now make an informed decision about an AI output.
How REACHUM Delivers Article 4-Ready Literacy
This obligation maps almost exactly onto how REACHUM was built—which is why we treat it as a learning problem, not a legal scramble.
- Role-based microlearning. Baseline, technical, and overseer tracks delivered as short, targeted modules scoped to the systems your people actually use—the proportionality Article 4 asks for, built in.
- Applied, not passive. Our AI role-play simulations put learners in real decisions—spotting a hallucination, handling a PII prompt, knowing when to escalate—so literacy is demonstrated, not just watched. (For the delivery model, see "AI Microlearning: What Changes When You Add Artificial Intelligence?")
- Audit-ready by default. Every interaction produces decision-grade completion and performance data—the per-person evidence pack a market surveillance authority would expect.
- Refreshable. As the Commission's guidance and your AI estate evolve, modules update—so literacy is a maintained cycle, not a stale certificate.
AI literacy is one piece of a wider governance picture. For how the technical and policy guardrails fit around it, see our companion article, "AI Guardrails for the Agentic Era."
Don't Wait for August
The literacy deadline is the closest live obligation in the AI Act, it applies to nearly every employer with an EU footprint, and the documentation it expects takes time to build. The organizations treating it as a checkbox will be the ones scrambling to assemble evidence after enforcement starts. The ones treating it as a workforce-readiness program will already have the record—and a measurably more capable workforce to show for it.