The obligation everyone missed
Last week at a networking drinks, a mortgage adviser heard the question "are you AI-literate yet?" and at first thought it was a new LinkedIn campaign. Until his neighbour explained that it is an obligation under the AI Act and that enforcement is attached to it. The mortgage adviser finished his drink and googled it the next evening.
What he found was not what he expected. No vague Brussels bureaucracy, but an article that says surprisingly concretely what he should have done for his 32 employees, and that he is actually a year too late to arrange.
What Article 4 of the AI Act literally says
Article 4 of the AI Act, which has been in force since 2 February 2025, requires providers and deployers of AI systems to take appropriate measures to ensure a sufficient level of AI literacy among their staff and other persons dealing with AI systems on their behalf.
Translated, if you are a company that uses AI tools (and you are, almost certainly, and have been for years), the employees who use those tools must have an appropriate level of understanding of what AI is, how it works and what the risks are.
The obligation has applied since February 2025. Enforcement via the Dutch Data Protection Authority and the ACM starts on 2 August 2026, alongside the broader AI Act enforcement deadline. Between those two dates lies a year and a half in which no one checked you, but that year and a half counts, from August, as "you should have known this".
Who it concerns at your company
Not just your IT team. That is the crucial nuance missing from most summaries. Article 4 refers to staff and other persons dealing with AI systems on your behalf. In practice that means:
Everyone who uses ChatGPT, Copilot, Claude, Gemini or another AI tool for work. Everyone who uses a tool that has AI in it, even if the vendor does not call it that (think modern CRMs, Office Copilot, Outlook smart compose). Everyone who works with a supplier that uses AI and whose output reaches your customer. External contractors, freelancers and interns who work with your AI tools.
At a mortgage firm of 30 FTE, this probably means you touch almost everyone, not just "the IT people".
What AI literacy concretely involves
The law does not prescribe a specific course or certification. That is good news and bad news at the same time. Good, because you do not have to buy an 80-hour programme. Bad, because you have to determine yourself what is appropriate for your situation.
The European Commission and the Dutch Data Protection Authority give direction. The level depends on three factors. The person's role (an owner-director does not need to know the same as a data engineer). The type of AI system (a customer-service chatbot calls for something different than a credit-scoring model). The context (sector, sensitivity of data, customer impact).
For an average SMB employee, an appropriate level is roughly this. Understanding what an AI tool can and cannot do. Knowing when output must be verified. Knowing which data must not go into public tools, and why not. Understanding what a hallucination is and how to recognise one. Knowing who is responsible if the AI gets something wrong.
That is not rocket science. That is two to three hours of training plus a short reference card.
What you can put on one page today
If you want to start tomorrow and only bring in an external party on Tuesday, you can already roll something out today.
One, a register. Which AI tools are running at our company (official and unofficial), who owns each tool, which departments use it. Two, a short guideline of two pages. What may be used where, with which data yes and with which never. Three, a training plan per role. Owner-director and management team in a 2-hour session, customer-facing employees in a 2-hour session plus an annual update, IT and compliance in a 4-hour session. Four, a review moment every six months. What has changed in the tools, in the law, in our processes.
This is not a watertight compliance programme. This is a reasonably demonstrable minimum if the Data Protection Authority comes knocking tomorrow. For an owner-led company of 15 to 75 FTE with an appropriate risk profile, this puts you in a defensible position in principle.
The part most compliance checklists skip
In Article 4 there is a word that is more often forgotten than applied in practice, namely "appropriate". The law requires the literacy to fit the role and the risk. That means two things.
On the one hand, you do not have to put your whole team through the same generic training. A receptionist needs a different level than a mortgage adviser who works with customer data and Wft requirements. On the other hand, you cannot hide behind "we gave everyone a general course". If the Data Protection Authority later asks why a particular adviser pasted customer data into ChatGPT, "he took the general training" is not an answer.
What is appropriate cannot be worked out in an hour. That requires an inventory.
How an AI audit connects here
Two things we do as standard during an AI audit touch Article 4 directly. We map all AI tools, official and unofficial, and categorise per role which employee needs which literacy. And in the report we deliver an appendix that sets out, per use case, which type of training fits, not as an assignment but as advice.
That means the report you get after 14 days is automatically a starting document for Article 4. Not because we are lawyers, but because the inventory the law asks for is virtually the same as the inventory you have to do anyway for effective AI deployment. If you want to anchor it structurally, an AIOS engagement is the logical next step, because there tooling, training and compliance are kept together in the same layer.
If you do one thing before 2 August
Make the register. Without it, every further conversation about compliance is hard to have. With that register, you have already answered the first question from a Data Protection Authority investigator and you see for yourself what is actually running at your company. Often that list is longer than expected, and that is where the work begins.
AI that works in your field starts with knowing which AI is at work in your company.
The first step
Enforcement starts in twelve weeks. That is enough for an audit, a report and a first round of training. Not enough to wait another quarter.
Fourteen days later, you know which AI tools are running at your company, which employee needs which literacy and which three processes can become safer and faster at the same time.
