Does the EU AI Act Apply to ChatGPT? What Article 4 Actually Requires
If your staff are using ChatGPT at work, your company is almost certainly a deployer under the EU AI Act — and Article 4 already requires you to act. Here is what AI literacy really means in practice.
Does the EU AI Act apply to ChatGPT? Yes. If your employees are opening ChatGPT, Copilot, or any similar general-purpose AI tool during working hours, your company qualifies as a deployer under EU AI Act Article 3(4). That single fact triggers real obligations starting now.
Most SME leaders assume the AI Act is a problem for Big Tech. It is not. The regulation explicitly covers the organisations that use AI systems, not just the companies that build them. And the first obligation to kick in, Article 4, is already live.
What Article 3 Says About Deployers
The Act defines a deployer as "any natural or legal person... who uses an AI system under its own authority." The definition is intentionally broad. When an employee pastes a customer complaint into ChatGPT to draft a response, your company is using that AI system. When your HR team screens CVs with an AI-assisted tool, your company is the deployer. The provider is OpenAI or Microsoft. You are the deployer.
Size does not grant an exemption. Article 26 sets out deployer obligations that apply regardless of headcount. A 25-person logistics firm using AI-assisted route planning faces the same basic framework as a 2,000-person corporation.
This matters because many SMEs have been waiting to see what happens. The Act is not waiting.
Article 4: The Obligation That Is Already In Force
Article 4 requires providers and deployers to take measures to ensure sufficient AI literacy of their staff. The Article entered into force on 2 August 2024. The Commission's phased timeline gave until 2 February 2025 for the prohibited-practices chapter to apply, but Article 4 had no such grace period.
So what does "sufficient AI literacy" actually mean? The Act links to Recital 20, which spells it out in plain terms: AI literacy means the skills, knowledge, and understanding that allow people to make informed decisions about AI systems, taking into account the specific context of each role.
Three things to notice in that definition:
- Context is role-specific. The literacy required for a recruiter using an AI screening tool is different from what a customer service agent needs when using an AI chatbot. One-size-fits-all training does not satisfy the obligation.
- It covers both opportunities and risks. Recital 20 mentions understanding "the opportunities, risks, and effects" of AI. Staff need to know what can go wrong, not just how to prompt effectively.
- It applies to staff with responsibility over AI. The obligation focuses on the people who actually make decisions involving AI systems, including managers who approve outputs.
What This Looks Like in a 50-Person Company
Take a typical Dutch SME with 50 employees. The finance team uses an AI tool to flag anomalous invoices. The marketing coordinator uses ChatGPT to draft copy. The HR manager uses LinkedIn Recruiter's AI features to rank candidates.
Under Article 4, that company needs to:
- Identify which staff are using AI systems as part of their role. This is your AI use inventory. Without it, you cannot scope your literacy programme.
- Map each use case to a risk level. Using AI to sort invoices is different from using AI to rank job applicants. The latter touches on high-risk territory under Annex III of the Act.
- Design role-specific training. The HR manager needs to understand bias risks, the right to explanation, and when a human must review AI-assisted decisions. The finance analyst needs to understand false-positive rates and auditability. The marketing coordinator needs to understand output accuracy and intellectual property considerations.
- Keep records. Article 4 does not specify a record format, but enforcement bodies will ask for evidence. A short training log with dates, topics covered, and staff names is the minimum defensible position.
None of this requires a legal team. It requires a documented process.
The Gap Most Companies Have Right Now
In practice, most SMEs have done one of three things: nothing, run a generic "AI awareness" lunch-and-learn, or asked staff to watch a vendor webinar. None of these reliably satisfies Article 4.
The generic awareness session fails the role-specificity test. Watching an OpenAI onboarding video does not constitute an employer-led literacy measure. And doing nothing is simply non-compliance from August 2024 onward.
Penalties under Article 99 for non-compliance with deployer obligations reach up to €15 million or 3% of global annual turnover, whichever is higher. For an SME turning over €5 million annually, that ceiling is €150,000. The penalties are calibrated to the violation, and national supervisory authorities will likely focus first on high-risk use cases. But Article 4 non-compliance is a straightforward finding: either you have documented literacy measures or you do not.
Where GDPR and the AI Act Overlap
For Dutch companies, the Autoriteit Persoonsgegevens (AP) is the likely supervisory authority for AI Act enforcement involving personal data. The AP already enforces AVG/GDPR requirements around automated decision-making under Article 22 GDPR. When an AI system processes employee or customer data, you have both GDPR and AI Act obligations running simultaneously.
AI literacy training is one place where the two regimes reinforce each other. Staff who understand AI limitations are better equipped to handle data subject requests, spot unlawful automated decisions, and flag incidents. A single training programme can address both frameworks if it is designed with both in mind. The European Commission's digital strategy guidance makes clear that the AI Act was designed to complement GDPR, not replace it.
Three Steps to Take This Month
Article 4 compliance does not require a six-month project. It requires focus.
Step 1: Inventory your AI use. Ask every team lead to list the AI tools their team uses, including free consumer tools. Expect surprises. Most companies discover five to ten use cases they did not formally approve.
Step 2: Classify by role and risk. Flag any use case that involves hiring, performance evaluation, creditworthiness, health, or access to essential services. These map to Annex III high-risk categories and carry heavier obligations beyond Article 4.
Step 3: Run role-specific training and document it. Keep it short and practical. The goal is not certification; it is evidence that your people understand what the AI tools they use can and cannot do, and what to do when something goes wrong.
These three steps position you to answer a supervisory authority's first question: "What measures have you taken to ensure AI literacy under Article 4?"
The answer "we sent a company-wide email" will not hold up. A training log showing role-specific sessions with documented content will.
Not sure where your company currently stands? The free 2-minute compliance check at comply.khairos.ai walks you through your key deployer obligations under the EU AI Act, including Article 4, and shows you exactly which gaps to close first.