Skip to main content
Back to Blog
AI 9 min read 30 April 2026

EU AI Act Article 4 AI Literacy: What "Reasonable Measures" Actually Look Like

EU AI Act Article 4 has been live since 2 February 2025 and is the most-overlooked obligation in the regulation. This guide explains what "reasonable measures" mean, what evidence regulators expect, and how SMEs satisfy the obligation pragmatically in 2026.

Article 4 of the EU AI Act is the obligation most SMEs do not realise applies to them, and most legal counsel did not flag in their first AI Act briefing. It has been in force since 2 February 2025 — six months after the regulation entered into force — and applies to providers and deployers regardless of the risk tier of the AI systems they handle.

It is the cheapest part of the EU AI Act to comply with and produces the worst audit findings when neglected. This guide explains what Article 4 actually requires, what "reasonable measures" look like in practice for an SME, and how to build an evidence pack in a week.

What Article 4 actually says

The text of Article 4 of Regulation (EU) 2024/1689:

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."

Three things the text does explicitly:

  • Applies to providers and deployers — i.e. anyone using AI in a professional capacity, not just AI vendors
  • Covers "staff and other persons" — including contractors, freelancers, and outsourced staff who operate or use AI systems
  • Sets a proportionality test — sufficient level given the technical knowledge, experience, education and context. Not a fixed curriculum.

What the text does not say: there is no prescribed format, no mandated duration, no required certification, and no specified intermediary. The flexibility is deliberate. The obligation is to produce the outcome (sufficient AI literacy in your staff), not to follow a particular path.

Why Article 4 is misunderstood

Three common misunderstandings:

Misunderstanding 1 — "We don't have AI, so it doesn't apply"

Most SMEs have AI in their stack and do not realise it. Microsoft 365 Copilot, AI features in HubSpot or Salesforce, AI-assisted code completion in IDEs, AI-powered customer-support tooling, embedded AI in marketing-automation tools — all in scope. The exemption for AI systems not used in a professional context is narrow.

Misunderstanding 2 — "We have an AI policy, that's enough"

An AI policy without training does not satisfy Article 4. The policy describes what people should do; literacy is whether they know enough to do it. The two are complementary, not substitutes.

Misunderstanding 3 — "We bought a third-party training course, that's enough"

Buying a course does not satisfy Article 4 if staff have not completed it, do not retain the material, or are not trained appropriately for their actual role. Evidence is required.

What "reasonable measures" look like in practice

For a UK or EU SME between 50 and 500 employees, a defensible Article 4 programme in 2026 has three layers:

Layer 1 — All staff: AI awareness baseline

A 60-90 minute foundation session for every employee covering:

  • What AI is and is not (managing the hype/fear extremes)
  • The AI tools the organisation has sanctioned and the data that may be entered into them
  • The data that must NOT be entered into AI tools (especially public LLMs) — customer PII, confidential commercial information, draft legal documents
  • How to recognise AI-generated content (deepfakes, AI-written emails) and what to do about it
  • The escalation path when a staff member sees something concerning

Delivered as: a recorded video session, an in-person briefing, or a self-paced module with a short knowledge check at the end. The format does not matter; the completion record does.

Layer 2 — Operators of AI systems: deeper training

For staff who operate, configure, or supervise AI systems — typically including IT operations, customer service teams using AI triage, marketing teams using AI-generated content, HR teams using AI screening tools — a deeper 3-4 hour session covering:

  • The four EU AI Act risk tiers and how to identify them
  • The organisation's own role under the regulation (provider, deployer, etc.)
  • Article 14 human-oversight expectations applicable to high-risk systems
  • Article 50 transparency obligations and what they look like in practice (chatbot disclosure, AI-generated content marking)
  • Recognising automation bias — the tendency to over-trust AI output — and the techniques to counter it
  • Logging, monitoring and incident-reporting obligations

Layer 3 — Senior leadership and AI governance: strategic literacy

Board members, C-suite, and the named AI lead need a different kind of literacy. Not how to operate AI systems, but how to govern AI risk:

  • Personal liability under NIS2 / corporate governance for AI-related incidents
  • The intersection between AI governance and existing risk frameworks
  • The major AI Act dates (2 February 2025, 2 August 2025, 2 August 2026, 2 August 2027) and what activates on each
  • The regulator landscape (AI Office, national competent authorities, ICO, market-surveillance authorities)
  • The investment profile of AI compliance and the cost of doing nothing

Delivered as a 60-90 minute briefing, typically once a year, with the AI lead presenting and Q&A.

What evidence regulators expect

The AI Act does not specify the evidence format, but the European Artificial Intelligence Board and national competent authorities have informally signalled what they will look for:

  • A documented AI literacy programme (not necessarily a long document — a one-page programme description is enough)
  • A list of staff and the training tier they completed
  • Completion records (date, module, score where applicable)
  • Training materials retained or referenced (link to recorded session, slides, course)
  • An annual review cadence with documented attendance
  • For new joiners: evidence that the literacy programme is part of induction
  • For sanctioned AI tools: a list of which tools, the relevant data classification rules, and which staff are trained in which tool

The auditor question to expect: "Show me a sample of five staff members who started in the last three months, the AI literacy training they received, and the dates."

Common failures to avoid

Failure 1 — One-off launch event with no follow-up

The training is delivered once at programme launch and then never refreshed. Six months in, half the staff have changed role or left and the new joiners have had nothing.

Fix: integrate AI literacy into induction. Mandatory completion within 30 days of joining. Annual refresh for everyone.

Failure 2 — Generic external course, no organisation context

Staff complete a generic third-party AI awareness course that does not mention your organisation, your tools, your data, or your AI policy. Article 4's "context the AI systems are to be used in" requirement is not satisfied.

Fix: wrap any external course with an internal 30-minute session covering the organisation-specific context. Refresh the wrapper when the AI tool stack or policy changes.

Failure 3 — Trainer-grade material delivered to all staff

The organisation deploys a 4-hour deep-dive session to every employee. Most staff disengage after the first hour and the literacy outcome is worse than a 60-minute targeted session would have produced.

Fix: tier the training. Layer 1 for everyone, Layer 2 for AI operators, Layer 3 for senior leadership and AI governance.

How to build a Layer 1 / Layer 2 / Layer 3 programme in a week

Day 1-2: write the AI policy if you do not have one. One page. Sanctioned tools, prohibited data, escalation path. Approved by senior leadership.

Day 3: build Layer 1 (60-minute video or in-person briefing). Use existing resources (NCSC AI guidance, ICO AI auditing framework material) plus your specific AI policy. Record it.

Day 4: build Layer 2 (3-4 hour modular session). Either commission a third-party training pack with the right scope, or build internally using the same regulation-led structure. Cover the EU AI Act risk tiers, your specific AI use cases, the human-oversight design.

Day 5: build Layer 3 (60-90 minute board briefing). Slide deck, AI-lead presentation. Schedule the first delivery within the next month.

Day 6: deploy. Email all staff with the Layer 1 link. Complete-by date 14 days. Layer 2 invitations to the AI-operating teams. Layer 3 scheduled.

Day 7: track completions. Build a sheet with every staff member, the layer they should complete, and completion status. This is your Article 4 evidence.

The cost-benefit reality

An external Article 4-compliant training course runs £400-£1,200 per delegate. For a 100-employee SME, the bill is £40,000-£120,000 — almost certainly more than the entire AI Act compliance programme budget.

An internally-built programme costs whatever the team's time costs. Quality is the dimension to manage, not cost. A pre-built white-label training pack with branded slides, trainer notes, knowledge assessment and certificate template is the middle path: lower than per-delegate external delivery, higher quality control than internally built from scratch.

Where SummitBridge Horizon fits

EU AI Act Training (White-Label) is a £499 one-time licence for a complete branded practitioner training pack — 5 modules, ~40 slides, 20-question assessment with answer key, fillable certificate template, branded with your company name and logo. Unlimited internal use. Designed to satisfy the Layer 2 / Layer 3 portion of an Article 4 programme; the Layer 1 awareness session can be derived from the Module 1 slides.

For organisations needing a custom Article 4 programme designed to specific sector requirements (financial services, NHS, public sector), our advisory team takes it further from £1,500.

Need help with this?

Our team can help you assess where you stand and build a practical remediation plan. Free 30-minute consultation — no obligation.

Book a Free Consultation

Related Articles