There's a legal obligation almost no one noticed
While everyone was debating the bans and the high-risk systems, the AI Act introduced an obligation that affects far more companies than they realise: training staff on artificial intelligence.
It isn't a recommendation. It's Article 4 of Regulation (EU) 2024/1689, in force since 2 February 2025. And unlike most of the AI Act, which comes into application in stages through 2027, this obligation is already operational today.
The logic is simple: you can't use a technology as powerful as AI if the people using it don't know what they're doing. That's why we built a dedicated page on the AI Act training obligation, but in this article we dig into the detail of the rule.
What Article 4 says exactly
The text is short. In the official English, it reads:
"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in."
In plain terms: if your company uses AI, you have to make sure the people using it have skills appropriate to their role. What AI is, how it works, what risks it carries, what you can and can't do with the data.
Who is covered: providers and deployers (i.e. almost everyone)
The obligation applies to two categories, and the second is much broader than it sounds.
Providers are those who develop or customise AI systems. If you build a product that integrates a model, or customise a system for your clients, you are a provider.
Deployers are those who use AI systems under their own responsibility. This is where most companies fall: if your marketing team generates copy with AI, if HR uses screening tools, if finance analyses data with an assistant, your organisation is a deployer.
The point many miss: the obligation isn't only for those who develop AI. Simply using it is enough. If your teams work with ChatGPT, Claude or Copilot, the obligation to train them is already yours.
What "a sufficient level of literacy" means
The rule doesn't set a precise benchmark. It doesn't say how many hours of training are needed, nor does it impose a standard curriculum. It asks for proportionate measures, calibrated to three factors: the technical skills already in place, the context of use and the level of risk.
In concrete terms, that means training has to be differentiated. An executive who uses AI to summarise documents has different needs from a developer building agents, who in turn has different needs from a customer-care agent.
This flexibility is a double-edged sword. On one hand it gives you freedom. On the other it removes the alibi of "I did the mandatory course": what counts isn't the checkbox, it's that people have genuinely understood. On how to structure these programs we've written a practical guide to mandatory AI training.
You don't need a certificate, but you do need documentation
Good news: the law doesn't impose formal certifications, nor a mandatory role like the GDPR's DPO, nor a dedicated governance structure.
It is, however, strongly recommended that you document your initiatives internally: who was trained, on what, when, with what content. This documentation isn't bureaucratic box-ticking for its own sake. It's the evidence that, in the event of an audit or dispute, shows you have met the obligation.
The parallel with GDPR is instructive. There too, training wasn't directly sanctionable, but its absence was central to many proceedings: a company that doesn't train its staff is a negligent company. The same logic applies to AI.
The deadlines: already in force, penalties from 2026
Two dates matter.
On 2 February 2025 Article 4 came into force. The obligation is already active: it's not something coming, it's something that's here.
On 2 August 2026 oversight by the national supervisory authorities begins, with the power to monitor and impose penalties. The AI Act's penalties are proportionate to the seriousness of the breach and the size of the company, up to a maximum of 35 million euros or 7% of annual global turnover.
We're therefore in the window where the obligation exists but enforcement hasn't started yet. It's the right moment to get into compliance calmly, rather than playing catch-up. For Italian companies there's an extra layer: Law 132/2025 and the national regulatory framework.