AI Literacy for Employers: Obligations Under the EU AI Act – Part 2

1. The AI Literacy Requirement under the EU AI Act

1.1. What Does the AI Literacy Requirement Entail?

The EU AI Act defines ‘AI literacy’ as the skills, knowledge, and understanding necessary for the informed use and operation of AI systems. This includes raising awareness about the opportunities, risks, and potential harm posed by AI technologies. The ultimate goal is to empower staff and other relevant individuals to make informed decisions about AI, including how to interpret AI outputs and understand the decision-making processes that affect individuals.

Under the EU AI Act, employers are legally required to “take measures to ensure, to their best extent, a sufficient level of AI literacy.” This mandates that AI literacy levels correspond with the technical knowledge, experience, education, and training of relevant personnel, as well as the context in which the AI system is deployed. Thus, while the legal compliance appears demanding, organizations can employ a proportional approach by taking measures “to their best extent.”

1.2. Who Is Affected?

The EU AI Act requires all providers and deployers of AI systems to implement effective measures ensuring that their staff—and anyone acting on their behalf—possesses adequate AI literacy. This obligation extends beyond just employees; it also includes contractors and service providers involved in the operation or utilization of AI systems.

Specifically, the term “persons dealing with AI systems on behalf of” encompasses external contractors, service providers, and customers as long as they participate in the operation or deployment of an AI system. For example:

• • Employees at a customer call center engaged by Organization X, who operates Organization X’s AI-driven call triaging tool, must be trained to understand how to utilize the tool, the inherent risks, and how to mitigate them (e.g., through appropriate human oversight).
  • Staff members of a customer, who have acquired and are now implementing Organization X’s AI-based CV screening tool, must comprehend how to use the tool, recognize the associated risks (such as bias), and know how to address them.

1.3. What Steps Can Employers Take for Compliance?

It’s important to note that there is no universal solution for compliance. While Article 4 of the EU AI Act outlines fundamental compliance principles, it lacks specificity regarding how organizations can meet these requirements.

The AI Office, responsible for coordinating and enforcing AI policy under the EU AI Act, has provided guidance to facilitate understanding of the AI literacy principle, including a (non-binding) Q&A, a webinar, and a living AI literacy repository (where AI literacy practices from various organizations can be consulted). Rather than imposing formal requirements or mandatory training formats, the AI Office advocates for measures tailored to the knowledge, context, and purpose of AI systems. Given the diversity of AI systems and varying levels of expertise, different training or educational approaches may be suitable. However, merely directing staff to an AI system’s instructions may prove ineffective, especially if those instructions are overly technical for some employees.

The AI Office has identified four essential steps for establishing an AI literacy program:

(a) Cultivate a general understanding of AI: What is AI? How does it function? What AI systems are implemented in the organization? What benefits and risks do they entail?

(b) Define the organization’s role: Is it a provider of AI systems or merely a deployer of third-party solutions?

(c) Assess the risk level of AI systems provided or deployed: What do employees need to know? What potential risks must be recognized, and what mitigation strategies are available?

(d) Develop AI literacy initiatives based on this analysis, factoring in variance in technical expertise, experience, education, and training across different staff groups, as well as the context in which the AI systems will be utilized, including sector, purpose, and affected individuals.

The AI Office emphasizes that these four steps must incorporate legal and ethical considerations: Familiarity with the applicable regulatory framework, particularly elements of the AI Act, is encouraged.

Typically, AI training tailored to staff roles and knowledge levels, followed by a brief documented competency test, is advisable. Organizations have implemented AI literacy in various ways beyond just formal training, including internal guidance documents, codes of conduct, AI-specific induction sessions, knowledge hubs, online portals, communities of practice, and risk assessment frameworks, as outlined in the Commission’s Living Repository on AI Literacy Practices^[1].

For compliance and documentation purposes, organizations must maintain an internal record of all training and awareness initiatives undertaken as evidence during inspections.

Regarding two commonly raised questions or scenarios, the AI Office clarifies:

• • For organizations whose employees are allowed to use generative AI tools (e.g., Large Language Models or “LLMs”)—even if the organization is not a formal deployer of such tools—awareness-raising is necessary among employees where professional use is identified. This obligation particularly pertains to the risks associated with such systems, including the potential for generating inaccurate content presented confidently (the “hallucination” phenomenon).
  • Having employees (or certain employees) with degrees in or prior experience with AI does not exempt employers from their obligations. The assessment depends on the specific AI system and the qualifications of the employee. Organizations need to determine if these individuals are familiar with the relevant legal and ethical aspects of AI and whether their knowledge is current, given the rapid evolution of technology.

2. Enforcement

The responsibility for overseeing and enforcing the AI literacy requirement under the EU AI Act lies not with the EU AI Office, but with national market surveillance authorities in the EU Member States. Although the AI literacy requirement came into effect on February 2, 2025, enforcement will not begin until August 3, 2026, by which date national authorities must be established and penalties for non-compliance defined. The AI Act itself does not specify penalties for non-compliance with Article 4; it leaves that to the Member States, which could result in variations in penalties across different EU Member States.

Penalties need to be effective, proportionate, and deterring, and may include administrative fines, warnings, and non-monetary measures.

The AI Act outlines several factors that authorities should consider when imposing administrative fines, including the severity of the infringement, the size and market share of the operator, cooperation with competent authorities to rectify the infringement, and whether the act was intentional or negligent (art. 99.7 (a-j)). Importantly, the AI Office has indicated that enforcement action is more likely when there is evidence of an incident caused by inadequate training or guidance provided to staff or other relevant individuals.

It is noteworthy that the EU AI Act guarantees the right for all individuals or legal entities to file a complaint with a market surveillance authority if they believe an AI Act violation has occurred; this means investigations can be initiated either spontaneously by the authority or based on complaints.

In terms of private enforcement, while the AI Act does not establish a private right of action for individuals or entities, compensation claims can still be pursued in accordance with national civil procedural law. Notably, the EU Product Liability Directive has been updated to include specific provisions addressing damages caused by AI.

3. Practical Recommendations