General purpose (email drafting, summarisation) vs. limited risk (chatbots, recommendation engines) vs. high risk (hiring tools, credit scoring, medical, law enforcement).

Any process where an AI system produces a decision that affects a person (hiring, pricing, credit, benefits) needs special attention.

External parties operating AI systems to deliver services to you may fall under Article 4’s scope for your organisation.

Most employees need baseline literacy. Staff handling high-risk AI systems or making AI-influenced decisions need deeper training.

If you use any AI system in a professional context — even third-party software with AI features — you are a deployer and Article 4 applies.

This determines your training programme size and cost. Every employee who regularly uses AI tools at work is in scope.

Format: spreadsheet or document listing tools, users, risk level, and decisions influenced. This becomes part of your compliance record.

Use a team plan or bulk enrolment for efficiency. Every employee who uses AI tools in their role should be included in this cohort.

Download and store each certificate immediately on completion. Do not rely on employees to hold their own — the obligation to evidence compliance sits with the employer.

Every new hire who will use AI tools should complete training before or during their first month. Build this into your standard onboarding checklist.

Staff handling high-risk AI applications (hiring, credit, medical) need training that goes beyond baseline literacy. Identify these roles and procure appropriate supplementary content.

Request evidence of AI literacy training from contractors/vendors who operate AI systems on your behalf, or include them in your own programme.

Give employees a firm deadline — not “when you get a chance.” Recommended: at least 30 days before August 2026, so there is buffer for any follow-up.

A brief note explaining: “Training covered general AI literacy applicable to all AI tools used in the business, including [list].”

One paragraph explaining why you consider this training sufficient for your context: the AI tools you use, the roles that use them, and the risk levels involved. This is your audit defence.

A simple spreadsheet: employee name, role, training completed, date, certificate reference. Updated whenever someone completes training or joins the company.

Regulators and clients will ask when you implemented your Article 4 programme. Having a documented start date matters — especially if an incident occurs.

Article 4 compliance is not one-and-done. As your AI tools evolve, your training may need updating. Annual review is a reasonable minimum cadence.

If a client or regulator asks for your Article 4 compliance evidence today, you should be able to produce it within 24 hours. Test this — find your folder and check it is complete.

A document covering: approved AI tools, prohibited uses, data privacy requirements, escalation procedures. Does not need to be long — one to two pages is sufficient for most SMEs.

When a team wants to adopt a new AI tool, who reviews it? What is the approval process? This prevents ungoverned AI sprawl and demonstrates proactive compliance.

If an employee notices an AI tool producing biased, incorrect, or harmful outputs — who do they tell? How is it reported and resolved? Document this procedure.

When procuring services from vendors who will handle your data or use AI on your behalf, ask for their Article 4 compliance evidence. This protects you and signals the market.

Employees should know your organisation’s AI usage policy exists and where to find it. A reference in the employee handbook or code of conduct is sufficient.

A one-page document you can send to clients who ask about Article 4 compliance: what training programme you use, when staff completed it, certificate format. Produces this in seconds when asked.

If you use AI for hiring, credit, healthcare, or law enforcement — you have additional obligations beyond Article 4. Identify and address these separately.

Senior leadership should be aware of your Article 4 programme, the August 2026 deadline, and the business risks of non-compliance. This needs a board-level sign-off, not just HR ownership.

Roles that regularly interact with AI systems should list AI literacy as a requirement or competency. This embeds compliance into your hiring process going forward.

Your legal advisers should be aware of your Article 4 programme so they can defend it if challenged. Send them a copy of your compliance documentation.

The AI landscape evolves rapidly. Annual re-training (or re-certification) keeps your team current and your documentation up to date.

When a new AI tool is adopted company-wide, assess whether it changes your training sufficiency picture and update accordingly.

The Commission publishes guidance on Article 4 implementation. Staying current means your training remains compliant as the regulatory picture develops.

Revisit your sufficiency rationale each year. Is the training still relevant to the AI tools you now use? Does it cover new risk categories that have emerged?

Aligns with standard employment record retention. Certificates and training registers should be retained even after an employee leaves.

Each EU member state may issue country-specific Article 4 guidance. Check your national market surveillance authority for any supplementary requirements.

Once a year, verify: all employees trained, all certificates stored, AI tool list current, policy document updated, compliance owner still assigned. 30 minutes, once a year.

Update clients, partners, and board members on your continued Article 4 compliance status. A brief annual compliance statement demonstrates ongoing commitment.