Art. 4 AI Literacy: What 'Sufficient Competence' Actually Looks Like

Article 4 of the EU AI Act requires that providers and deployers of AI systems take measures to ensure a sufficient level of AI literacy among their staff. The provision has been in force since February 2025, making it one of the earliest enforceable obligations in the Act.

The language sounds straightforward. In practice, the question DPOs, HR teams, and compliance leads are struggling with is: what does "sufficient competence" actually look like when a regulator asks for evidence?

What Art. 4 says, and what it leaves open

The Act specifies that literacy measures should take into account the technical knowledge, experience, education, and context of the individuals concerned. It does not prescribe a specific training format, duration, or certification standard. It does not define what "sufficient" means in absolute terms.

This flexibility is intentional. A developer building agentic pipelines needs a different level of AI literacy than a sales executive using Copilot to summarise emails. A one-size-fits-all training module serves neither well.

But flexibility without documentation is exposure. If your organisation cannot demonstrate that it assessed each role's literacy needs and took proportionate measures, the open-ended language of Art. 4 becomes a liability rather than an asset.

Why one-off training slides are not enough

The most common response to Art. 4 is to run a company-wide AI literacy webinar, record attendance, and file the completion records. This approach satisfies the letter of the obligation on day one. It does not satisfy it on day 366.

AI is evolving faster than annual training cycles. A session delivered in early 2025 covered a different landscape than the one your employees are operating in today. New capabilities, new risks, new regulatory guidance, and new tools have emerged in the intervening period. Employees who completed training 18 months ago may be using models and features that did not exist when they were trained.

Regulators auditing your AI governance will ask not just whether training happened, but whether it was current, proportionate, and actually reflected in how employees use AI. A completion certificate from a generic 2024 webinar, filed against a 2026 audit, raises more questions than it answers.

What regulators are likely to look for

Based on how GDPR enforcement has developed as a reference point, Art. 4 compliance is likely to be evaluated on the following dimensions:

• Role-appropriate coverage. Did you identify which roles interact with AI systems and at what level? Did your literacy measures reflect the actual risk and complexity of each role's AI use?
• Evidence of completion. Per-person records with timestamps, not just aggregate headcounts. Regulators want to know which specific individuals received which training, when.
• Currency. Is your training content up to date? Has it been refreshed as the AI landscape has changed?
• Actual competence, not just attendance. This is the harder question. Did employees actually acquire competence, or did they sit through a mandatory session and click "complete"? Regulators may push beyond attendance records to ask how you assessed understanding.
• Ongoing measurement. Is literacy a one-time event or an ongoing programme? Organisations that can demonstrate continuous literacy development are in a stronger position than those that can point only to a historical training session.

The competence measurement gap

Most organisations have reasonable answers to the first two questions. Role mapping is straightforward. Completion records are easy to generate from an LMS.

The gap is in demonstrating actual competence and ongoing development. Traditional training approaches cannot easily answer: is this person genuinely competent at selecting appropriate AI models for their tasks, structuring prompts to reduce risk, and recognising when AI output requires human review?

Assessment quizzes at the end of a training module are a start. But they measure what employees recall immediately after training, not how they behave in practice over time.

How Acta supports AI literacy evidence

Acta includes an AI literacy scoring capability built around how employees actually use AI in their work. Rather than relying solely on training completion records, it analyses behavioural signals from real AI usage: prompt quality, model selection appropriateness for the task type, whether employees are using AI in ways consistent with their role's guidance, and patterns that suggest either strong or developing competence.

This is not surveillance. Acta does not perform emotional analysis, infer personal characteristics, or score employees in ways that feed into performance management. The purpose is specifically competence measurement for Art. 4 compliance, generating evidence that an organisation can present to a regulator as documentation of its literacy programme.

The scoring builds over time. At minimum, around one month of usage data is needed to generate meaningful literacy indicators for a given user or team. The output is an evidence base that supplements training completion records with behavioural data, offering a more complete picture of actual competence than attendance alone.

For HR and DPO teams preparing for an AI governance audit, this provides a layer of documentation that training slides cannot. It demonstrates that literacy is monitored on an ongoing basis, not just assessed once at onboarding.

Building a defensible Art. 4 programme

A programme that is designed to hold up under regulatory scrutiny typically includes the following elements:

1. Role mapping. Document which roles use AI systems, at what frequency, and with what level of autonomy. This forms the basis for proportionate literacy requirements.
2. Role-appropriate training content. Separate modules for different user groups, not a single generic session for all staff.
3. Completion records with timestamps. Per-person, per-module, exportable in a format suitable for regulatory disclosure.
4. Periodic refresh schedule. At minimum annually, with triggered refreshes when significant new AI capabilities are introduced to your environment.
5. Ongoing competence indicators. Behavioural data or assessment results that demonstrate literacy is reflected in actual usage, not just training attendance.
6. Governance documentation. A written AI literacy policy, referenced in your broader AI governance framework, that explains how you have interpreted and operationalised the Art. 4 obligation.

The audit question you need to be ready for

Regulators investigating an AI-related incident or conducting a routine audit are likely to ask: "What did you do to ensure your staff had sufficient AI competence, and how do you know it worked?"

"We ran a training session" is a starting point. "We ran role-appropriate training, tracked completion per person, refreshed content twice in the past year, and have ongoing literacy indicators from actual usage data" is a defensible programme.

Art. 4 is one of the more achievable EU AI Act obligations. The organisations that will struggle are not those who failed to run any training. They are those who ran training once, filed the records, and stopped thinking about it. Competence, under Art. 4, is designed to be an ongoing organisational state, not a box checked at onboarding.

Disclaimer: This article is for informational purposes and does not constitute legal advice. Regulatory interpretation of Art. 4 will develop over time as enforcement practice matures. Consult qualified legal counsel for guidance specific to your organisation.