EU AI Act Article 4: What European SMEs Actually Need To Do
Article 4 has been law since February 2025. Most companies have done nothing. Here is what it actually requires — and the five concrete steps to be defensible by August 2026.
Article 4 of the EU AI Act has been legally binding since 2 February 2025. National market surveillance authorities begin enforcing it on 2 August 2026. That gives most European SMEs about three months to put something in place — and right now, the vast majority have done nothing.
Here is what the regulation actually says, who it applies to, and the five specific things you need to have on file before regulators start asking questions.
What Article 4 actually requires
The full text of Article 4 is short:
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.
Three things matter in that sentence:
- It applies to "deployers", not only AI vendors. If your sales team uses ChatGPT, your developers use Copilot, or your CRM has built-in AI features, you are a "deployer" under the Act.
- "Sufficient" is deliberately vague. The legislators left implementation flexible so it scales from a 5-person startup to a 5,000-person bank.
- It is risk-proportionate. The training a finance analyst running an AI fraud model needs is not the same as what a marketing assistant using ChatGPT needs.
Who has to comply
Almost everyone. The European Commission's own Q&A is explicit: any natural or legal person under the authority of an employer or contractor who deals with AI systems in a professional capacity is in scope. Three concrete examples:
- A 12-person law firm whose paralegals use Microsoft Copilot for first-draft contract review.
- A 60-person e-commerce business whose customer service team uses an AI chatbot.
- A 200-person SaaS company whose engineers use GitHub Copilot.
All three are "deployers" and all three need an Article 4 compliance posture.
What "sufficient" means in practice
Because the regulation does not define a curriculum, regulators will look at three things when assessing whether your AI literacy programme is "sufficient":
- Is it documented? Untrained staff is bad, but undocumented training is almost as bad — there is nothing to show an inspector.
- Is it role-relevant? A generic "Intro to AI" video sent to 200 employees will not satisfy a regulator if a high-risk role (HR running CV screening, or finance running fraud detection) only got the same generic content.
- Is it proportionate to the AI systems actually in use? If your team uses ChatGPT and Copilot daily but the training only covers theoretical AI ethics, that is a gap.
The CIPL Best Practices on AI Literacy, which national supervisors have publicly endorsed, recommends a similar three-layer approach: foundational AI literacy for everyone, role-specific modules for high-touch roles, and ongoing updates as your AI tooling changes.
The five things you need on file by August 2026
If a Dutch ACM inspector knocked on your door tomorrow under Article 4, these are the five documents they would expect to see. None of them require certification — they require evidence.
- AI usage inventory. A list of every AI-powered tool used in the company. ChatGPT counts. Microsoft 365 Copilot counts. The AI features in your HubSpot, Salesforce, or Notion count. If you do not know what AI you are deploying, you cannot train staff on it.
- Risk classification. For each tool, a short note: is it general-purpose (low risk), part of a high-risk use case under Annex III (HR screening, credit scoring, biometric ID), or in the prohibited-practices list under Article 5? Most SMEs find their inventory is overwhelmingly low-risk — but knowing that on paper is the point.
- Training programme. Foundational module for everyone, role-specific modules for staff who touch higher-risk systems. Aligned to the tools you actually use.
- Training records. A record per employee: name, modules completed, date completed. A spreadsheet is fine. A learning management system with completion certificates is better.
- AI usage policy. A short company policy document covering acceptable use, what data may and may not be put into AI tools, and an incident reporting procedure if an employee notices an AI giving harmful or biased output.
That is the entire defensible package. There is no certification, no accreditation, no audit body — Article 4 is about evidence, not credentials.
What the actual penalty looks like
This is the part most coverage of the AI Act gets wrong. Article 4 by itself has no direct fine. Article 99 of the Act lists fines up to €35 million or 7 % of global turnover, but those penalties attach to specific violations: prohibited AI practices (Article 5), high-risk system breaches (Articles 6–22), and so on. Article 4 has no entry in that fine schedule.
What Article 4 does do is sit underneath everything else. Read Recital 20: non-compliance with literacy requirements is treated as an aggravating factor in any other AI Act enforcement action. So the practical risk is not "you will be fined for Article 4." It is "if you ever face investigation for any other AI Act issue, the lack of training and documentation makes that investigation worse."
For most SMEs that translates into a real but bounded risk profile: civil liability if an untrained employee causes harm with an AI system, reputational damage, and downstream contract problems if your enterprise customers add Article 4 attestation clauses to their procurement (which several already have).
Practical first step
If you have done nothing, the highest-leverage 30 minutes you will spend this quarter is taking a proper inventory of every AI tool actually in use across your company. You cannot train people on systems you do not know you have. Once that exists, the rest of the package is straightforward.
If you would rather not build it from scratch, that is what we do — start with the free 2-minute compliance check to see where you currently stand.