Artificial Intelligence and Human Resources – Employer AI Literacy Obligations under the EU AI Act

Partnerblog

Key Takeaway #1: The AI literacy obligation under Article 4 of the EU AI Act applies to all providers and deployers of AI systems commercialized or used in the EU — including where those entities are based outside the EU. It is a fundamental obligation to ensure staff and other individuals involved in AI deployment and/or development are educated and trained on risks, benefits and safeguards, ultimately supporting more informed human decision-making.

Key Takeaway #2: The AI literacy obligation is an obligation of means, not of result: no formal certification is required, but training must be concrete and tailored to the roles of the staff involved and the AI systems deployed.

Key Takeaway #3: Unlike all other obligations under the EU AI Act — which are risk-based — the AI literacy obligation applies to all AI systems regardless of risk level. Any organization deploying or commercializing AI in the EU is subject to it.

1. The AI Literacy Obligation under the EU AI Act

1.1. What is the Scope of the AI Literacy Obligation?

The EU AI Act defines ‘AI literacy’ as the skills, knowledge and understanding to enable the informed use and operation of AI systems and increase awareness of the opportunities, risks and possible harm they may present. The legal obligation requires employers to “take measures to ensure, to their best extent, a sufficient level of AI literacy” that is aligned with the technical knowledge, experience, education, and training of relevant staff as well as the context in which the AI system is used. While the compliance threshold is high, there is an element of proportionality, as organizations must take measures “to their best extent”.

1.2. Who Falls in Scope?

The EU AI Act requires all providers and deployers of AI systems in the EU to ensure that their staff — and any other person dealing with AI systems on their behalf — have a sufficient level of AI literacy. The obligation extends beyond employees to external contractors, service providers and, where applicable, customers, to the extent they are involved in the operation or deployment of an AI system on the organization’s behalf.

1.3. How Can Employers Comply?

There is no one-size-fits-all approach. The AI Office has issued guidance — including a Q&A, webinar and living AI literacy repository — to aid interpretation. Importantly, the AI Office does not impose mandatory training formats or certification, but calls for appropriate measures based on each target group’s level of knowledge and the context and purpose of the AI systems used.

The AI Office identifies four key steps in building an AI literacy programme:

  1. Organizations should ensure a general understanding of AI within the organization — what AI is, how it works, what AI systems are in use, and what opportunities and risks they present.
  2. Organizations should clarify whether they act as a provider or deployer of AI systems.
  3. They should consider the risk level of the AI systems concerned and what staff need to know when dealing with such systems.
  4. Organizations should build tailored AI literacy actions based on this analysis, accounting for differences in technical knowledge, experience and context across staff groups.

These steps necessarily incorporate legal and ethical dimensions, including an understanding of the applicable regulatory framework.

In practice, AI training tailored to staff roles and knowledge levels, followed by a documented competency test, is likely appropriate. Organizations have also implemented AI literacy through internal guidance documents, AI-specific induction sessions, knowledge hubs, communities of practice, and risk assessment frameworks. Organizations should maintain internal records of all training and awareness-raising initiatives as evidence of compliance.

The AI Office has also clarified two common scenarios. First, where employees use generative AI tools (e.g. LLMs) — including publicly accessible, consumer-grade tools — without the organization being a formal deployer, a minimum level of awareness-raising is still required, particularly regarding risks such as AI “hallucinations” (i.e., the propensity of such systems to generate inaccurate content presented with apparent confidence). Second, even where employees already hold AI qualifications, this does not automatically exempt the organization from its obligations; the organization must verify that their knowledge covers the legal and ethical aspects of the specific tools used and remains up-to-date, given the swift pace of technological developments.

2. Enforcement

Supervision and enforcement of the AI literacy obligation sits with national (EU Member State) market surveillance authorities. Although the obligation entered into force on 2 February 2025, enforcement will not commence until 3 August 2026, the deadline by which national authorities must be established and penalties defined. The AI Act does not prescribe specific penalties for non-compliance with Article 4 but leaves this to Member States; penalties should be effective, proportionate and dissuasive and may include administrative fines, warnings and non-monetary measures. The AI Office has noted that enforcement action is more likely where an incident is attributable to a lack of adequate training or guidance.

The EU AI Act provides an express right for any natural or legal person to file a complaint with a market surveillance authority where they consider an infringement has occurred. As regards private enforcement, the AI Act does not establish a private right of action, but compensation claims can be brought before national courts in accordance with applicable civil procedural law, including under the updated EU Product Liability Directive (which now expressly covers damages caused by AI systems).

3. Practical Recommendations

Organizations commercializing, developing or deploying AI in the EU should consider:

  • Mapping all AI systems in use and identifying the individuals — employees, contractors and, where applicable, customers — who operate them, to determine appropriate AI literacy measures.
  • Adopting a differentiated approach based on roles, knowledge levels, systems used and deployment context.
  • Documenting all actions taken — including training records, materials used and methodology choices — to demonstrate compliance with Article 4.

Crowell & Moring has experience with developing and providing AI literacy training across a range of different industries, sectors and AI knowledge levels – and can assist in developing tailored AI literacy training modules or point employers to relevant AI literacy resources.

For any questions regarding how the EU AI Act may impact your activities, please do not hesitate to contact our team.

Authors:

Lauren Cuyvers, Evelien Jamaels, Sofiane Fergali

Delen