Building an EU AI Act Literacy Program: Minimum Requirements & Compliance Evidence
Post #2 in the sota.io EU AI Act AI Literacy Compliance Series
Article 4 of the EU AI Act (Regulation (EU) 2024/1689) has been in force since February 2, 2025, yet the vast majority of organisations deploying or providing AI systems have no formal AI literacy program. When National Competent Authorities (NCAs) open enforcement proceedings after August 2, 2026, the first question will not be "which AI systems do you use" — it will be "show me your AI literacy records."
This guide answers exactly that question. We walk through the minimum legal requirements for an Art.4-compliant literacy program, what documentation regulators expect, and how to build an evidence package that survives an NCA inspection.
Why Article 4 Is Harder Than It Looks
On the surface, Art.4 reads simply: providers and deployers shall take measures to ensure a sufficient level of AI literacy for their staff and other persons dealing with AI systems on their behalf, taking into account their technical knowledge, experience, education and training, and the context in which the AI systems will be used.
The difficulty lies in what "sufficient" means. The Regulation does not define a minimum curriculum, a minimum number of training hours, or a test score threshold. Instead, it sets a contextual standard: sufficiency depends on the role, the AI system involved, and the operational context.
This contextual standard is deliberately flexible — but that flexibility comes with a burden of proof. If you face an NCA audit, you must demonstrate not just that training happened, but that the training was appropriate to the role and to the AI systems your team operates.
Three implications follow:
1. Generic AI awareness training is not enough. A two-hour "Introduction to AI" e-learning module applied to everyone equally does not satisfy Art.4. The NCA will ask whether the training covered the specific AI systems your organisation deploys, the risks those systems pose, and the decisions your staff make about them.
2. Documentation is inseparable from the obligation. Without training records, attendance logs, competency assessments, and a rationale for why each training level is "sufficient" for each role, the training might as well not have happened.
3. The obligation links to Art.26 deployer duties. Article 26 of the EU AI Act requires deployers of high-risk AI systems to designate staff to carry out human oversight and to ensure those staff have the authority, competence, and AI literacy to do so. An Art.4 program is the mechanism that produces the Art.26 competence requirement.
The Minimum Viable AI Literacy Program
Given the contextual standard, no single curriculum satisfies Art.4 universally. But the following five components are the minimum any organisation must have in place:
Component 1: AI System Inventory with Literacy Tiers
Before you can train anyone, you need to know what AI systems your organisation uses and what level of AI literacy each system demands from each type of user.
Map your AI systems to three tiers:
Tier 1 — Direct Operators: Staff who directly configure, monitor, or override AI system outputs (e.g. engineers deploying models, compliance officers reviewing AI-generated decisions, customer service agents acting on AI recommendations). These staff require deep literacy — understanding of the model's decision logic, failure modes, bias risks, and override procedures.
Tier 2 — Indirect Users: Staff who receive AI system outputs as inputs to their own decisions but do not operate the system directly (e.g. managers acting on AI-generated risk scores, HR professionals using AI screening results). These staff require moderate literacy — enough to critically evaluate AI outputs, recognise when to escalate, and understand the limits of the system.
Tier 3 — Peripheral Stakeholders: Staff whose work is affected by AI systems but who do not directly interact with them (e.g. employees in departments where AI-assisted decision-making applies to their performance evaluations). These staff require baseline literacy — awareness of what AI systems are being used, what decisions they influence, and how to raise concerns.
Document this mapping. It forms the backbone of your literacy program and is the first thing an NCA will review.
Component 2: Role-Specific Training Curricula
For each tier, build a training curriculum that covers:
For Tier 1 (Direct Operators):
- The specific AI system's purpose, inputs, outputs, and confidence thresholds
- Risk categories under the EU AI Act (prohibited, high-risk, limited risk, minimal risk) and where your systems fall
- Failure modes: hallucination, distributional shift, adversarial inputs, feedback loops
- Human oversight procedures (Art.14 of the EU AI Act): when to override, how to document overrides, escalation paths
- Data governance: what data feeds the system, how it was trained, known biases in training data
- Incident reporting: how to detect and report anomalous outputs, Art.73 incident notification obligations for high-risk AI
For Tier 2 (Indirect Users):
- What the AI system does and what it does not do (scope limitations)
- How to critically evaluate AI recommendations: red flags, explainability features
- The legal and organisational accountability chain: who owns the AI decision, who carries liability
- How to escalate when an AI output seems wrong
For Tier 3 (Peripheral Stakeholders):
- What AI systems affect them and in what ways
- Their rights: the right to receive meaningful explanations about AI-assisted decisions that significantly affect them, the right to appeal AI-informed decisions affecting them
- How to raise concerns via internal channels
Component 3: Assessment and Competency Verification
Training without assessment does not produce defensible evidence of "sufficiency." Each training module should conclude with a competency verification step, appropriate to the tier.
For Tier 1 staff, this may mean a practical assessment: can the staff member correctly identify an anomalous model output in a test scenario? Can they execute the override procedure correctly?
For Tier 2 and Tier 3 staff, a written or online knowledge assessment with a passing threshold (document the threshold and the rationale for setting it at that level) is sufficient.
Minimum documentation per assessment:
- Date of assessment
- Staff member role and tier assignment
- Assessment format and passing criteria
- Result (pass/fail/score)
- Remediation path if failed (when re-assessment is scheduled)
Component 4: Refresh Cycles
AI literacy is not a one-time activity. Article 4 requires that literacy be maintained as AI systems evolve and as staff roles change. Build refresh cycles into your program:
- At system update: When a significant update to an AI system changes its behaviour, risk profile, or operating context, Tier 1 and Tier 2 staff should receive an incremental training update within 30 days of deployment.
- At role change: When a staff member moves into a role that increases their tier (e.g. from Tier 2 to Tier 1), they should complete Tier 1 training before assuming AI oversight responsibilities.
- Annual baseline refresh: All staff should complete a refreshed baseline awareness module at least annually to account for changes in regulatory requirements and emerging AI risks.
Component 5: Program Governance
Designate an AI Literacy Program Owner — typically the Head of AI/ML, the Data Protection Officer, or a senior compliance officer. This person is responsible for:
- Maintaining the AI system inventory and tier assignments
- Commissioning and updating training curricula
- Maintaining training records
- Reporting program status to senior management
- Coordinating with legal counsel on updates to AI Act obligations
Document the governance structure formally. An NCA auditor will want to see who is accountable.
Building Your NCA-Defensible Evidence Package
When an NCA conducts a market surveillance inspection (under Art.74 of the EU AI Act), they may request evidence of AI literacy compliance as part of a broader review of your Art.26 deployer obligations or your Art.17 quality management system.
Structure your evidence package around five categories:
Evidence Category 1: Program Documentation
- AI Literacy Policy: a formal document stating the organisation's approach to AI literacy, the tier system, refresh cycles, and governance structure
- AI System Inventory with Tier Assignments: the mapping of AI systems to literacy tiers described above
- Training Curricula: the actual training materials or links to training platforms, with version history
- Assessment Instruments: copies of quizzes, practical assessments, and passing criteria
Evidence Category 2: Staff Training Records
Maintain individual training logs for each staff member in scope. Each log entry should include:
- Staff member identifier (anonymised if necessary for GDPR)
- Role and tier assignment
- Training module completed
- Completion date
- Assessment result
- Next scheduled refresh date
Retain these records for at least four years post-completion (consistent with Art.18 documentation retention for high-risk AI technical documentation).
Evidence Category 3: Completeness Attestation
A periodic attestation (at minimum annually, and after each significant system update) signed by the Program Owner confirming:
- All staff in scope have been identified and tiered
- All Tier 1 and Tier 2 staff have completed required training within the past 12 months
- All assessments have been completed with passing results or remediation plans are in place
- No significant gaps in the program have been identified
Evidence Category 4: Sufficiency Rationale
This is the component most organisations miss. You need a documented rationale for why each training curriculum is sufficient for each tier and AI system combination.
The rationale should explain:
- What risks the relevant AI systems present
- Why the training content addresses those risks
- What level of competency the assessment verifies
- How the training connects to Art.26 human oversight obligations
The Art.13 obligation (transparency and provision of information to deployers) helps here: providers of high-risk AI systems must supply information about the system's purpose, technical specifications, accuracy, and limitations. Use this information in your sufficiency rationale — document that your training was built from the provider's Art.13 documentation.
Evidence Category 5: Incident and Override Logs
For Tier 1 direct operators of high-risk AI systems, maintain records of AI oversight events:
- Overrides of AI outputs (what was overridden, why, by whom, when)
- Escalations (what was escalated, what decision was made)
- Anomalous outputs flagged (nature of anomaly, resolution)
These logs serve dual purposes: they evidence that human oversight is actually occurring (Art.26 compliance) and they demonstrate that Tier 1 staff have the literacy to exercise meaningful oversight.
Connecting Art.4 to Art.26: The Oversight Competence Chain
Article 26 of the EU AI Act requires deployers of high-risk AI systems to assign human oversight to staff who have the necessary competence, training, and authority. Article 4 is how you build that competence.
The connection creates a dependency chain regulators will audit:
- You deploy a high-risk AI system.
- Art.26 requires you to designate an oversight person with the necessary competence.
- The competence of that person must be documented and evidenced.
- The evidence of competence is the Art.4 AI literacy program record for that person.
If any link in this chain is broken — if you cannot show who is responsible for oversight, or if that person has no documented AI literacy training, or if the training was generic rather than system-specific — you have an Art.26 compliance gap that can result in market surveillance action.
Integration with Art.17 Quality Management Systems
For providers of high-risk AI systems, Article 17 requires a quality management system (QMS) that encompasses, among other things, training and qualification of staff involved in the development and deployment of the AI system.
If your organisation is a provider (not just a deployer) of high-risk AI, your AI literacy program should be formally documented as a component of your Art.17 QMS. This means:
- Training curricula are version-controlled within the QMS
- Staff training completion is tracked as a QMS KPI
- The Program Owner has a defined role within the QMS governance structure
- Training gaps are tracked as QMS non-conformances requiring corrective action
This integration avoids duplicating effort: the Art.4 evidence package becomes part of your Art.17 QMS documentation, satisfying both obligations with a single governance framework.
Priority Actions Before August 2, 2026
| Action | Owner | Deadline | Priority |
|---|---|---|---|
| Complete AI system inventory and assign literacy tiers | Head of AI/ML | -8 weeks | Critical |
| Draft Tier 1 role-specific training curricula | AI/ML + Legal | -6 weeks | Critical |
| Build or procure Tier 2 and Tier 3 training modules | HR + Compliance | -5 weeks | High |
| Deploy training platform and import all curricula | IT | -4 weeks | High |
| Complete Tier 1 training and assessments | All Tier 1 staff | -3 weeks | Critical |
| Complete Tier 2 and Tier 3 training | All in-scope staff | -2 weeks | High |
| Compile initial evidence package | Program Owner | -1 week | High |
| Conduct internal evidence package review | Legal | 1 week before | Medium |
Common Gaps Regulators Find
Based on the draft guidance circulating among NCAs, the most common Art.4 compliance failures fall into three categories:
Gap 1: No program, only training. Organisations that have sent staff to AI training courses but have no formal program — no tier system, no completeness tracking, no refresh cycles — lack the governance structure that makes training evidence-of-literacy rather than just evidence-of-attendance.
Gap 2: Generic training applied uniformly. An online "AI for Everyone" module completed by all 500 employees does not satisfy Art.4 for Tier 1 direct operators of high-risk AI systems. The sufficiency standard is contextual and role-specific.
Gap 3: No sufficiency rationale. Even well-designed training programs fail audit if the organisation cannot explain why the training is sufficient — why these learning objectives, why this assessment threshold, why this refresh cycle. Document the "why" at design time, not retrospectively.
Next in This Series
Post 3 covers role-specific training in depth — the specific learning objectives, assessment criteria, and evidence requirements for Product, Engineering, Operations, and Customer Support teams. Post 4 addresses GPAI tool integration: how Copilot, Claude, and GPT-4 use in production environments creates Art.4 obligations that most engineering teams have not yet addressed.
Manage your EU AI Act compliance on EU infrastructure. sota.io deploys on Hetzner Germany — no CLOUD Act exposure, no US parent company, full GDPR alignment.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.