Most conversations about the EU AI Act focus on high-risk systems, fines, and compliance projects that only kick in during 2026 or later. That focus hides a far more immediate obligation, one that already applies to almost every Dutch SMB: AI literacy.
AI literacy is the legal duty under Article 4 of the EU AI Act that requires every business to ensure its staff have enough knowledge and skill to operate the AI systems they use responsibly. The obligation has applied since 2 February 2025, the same date the AI Act's rules on prohibited practices took effect.
This article explains what Article 4 actually requires, who it applies to, how it's enforced, and the concrete steps you take to comply.
What does the AI literacy obligation actually require?
Article 4 requires both providers and deployers of AI systems to take measures to ensure, to their best extent, a sufficient level of AI literacy among their staff and anyone operating AI on their behalf. For SMBs, the deployer role matters most: you put AI systems to work, whether you built them yourself or bought them off the shelf.
The law doesn't prescribe a fixed curriculum. Instead, you have to match the level of knowledge to four factors: the technical knowledge, the experience and education of your staff, and the context in which the AI is used. A marketer using ChatGPT for first drafts needs different knowledge than an HR manager using an AI tool to screen CVs.
In practice, sufficient literacy means your people understand:
- What the system does and what data it bases its output on.
- Where the limits are: AI invents facts, misses context, and can amplify existing bias.
- Which risks apply to their specific task, such as leaking customer data or blindly acting on a flawed recommendation.
- When a human has to step in and keep the final say.
This isn't a one-off course you tick off. It's an ongoing obligation that grows with the tools you use. For the wider picture, read our pillar on AI legislation in the Netherlands and the EU AI Act.
Who does this requirement apply to?
A common assumption is that the AI Act mainly affects big tech. It doesn't. Article 4 applies to every organization that uses AI systems in a professional context, regardless of size or sector.
Does your business use ChatGPT, Microsoft Copilot, an AI chatbot on your website, a transcription tool, or an AI feature in your CRM? Then you're a deployer under the law and you fall under the obligation. The vast majority of Dutch SMBs fit this profile, often without realizing it.
| Business profile | Covered by Article 4? | Notes |
|---|---|---|
| SMB using ChatGPT or Copilot | Yes | Deployer of an AI system in a work context |
| Webshop with an AI support bot | Yes | Customer-facing use raises the risk context |
| Agency reselling AI tools | Yes | Combines deployer and provider roles |
| Freelancer using AI privately | No | No professional use within an organization |
| Business with no AI tools at all | No | No AI system in use |
One thing that's easy to miss: the duty extends to external people who operate AI on your behalf, such as contractors or a marketing agency running your AI tools. Their literacy is your responsibility too.
Your company size doesn't change the duty itself, only how much effort is reasonable. A five-person business isn't held to the same standard as a two-hundred-person organization. But doing nothing isn't an option for either. The law asks for a demonstrable effort tailored to your situation, not for perfection.
How is Article 4 enforced?
Article 4 doesn't set a specific fine and doesn't mandate a certificate. It's an outcome obligation: your staff must genuinely understand the AI they use, including its risks and limits. A box-ticked e-learning without real understanding doesn't cut it.
Enforcement sits with the national supervisory authorities. In the Netherlands, the Dutch Data Protection Authority and the sector regulators coordinate oversight of the AI Act. Their enforcement powers are being phased in through 2025 and 2026, as the national designation of authorities and penalties takes shape step by step. To see what else you need to cover, use our AI compliance checklist for SMBs.
Article 4 has applied since 2 February 2025. The question isn't whether you need to comply, but whether you can show you've handled it the moment a regulator or client asks.
In practice, what counts most is being able to demonstrate your effort. A regulator who checks in, or a business client asking about your AI policy in a tender, wants to see proof: documented training, an AI-use policy, and a record of who received which knowledge. Without documentation you have nothing to point to, even if you did your best.
Save 3 hours per week on ad-hoc answers to questions about AI use and literacy
How do you comply with the AI literacy obligation?
Meeting Article 4 doesn't have to be a big project. For most SMBs it comes down to five structured steps you can work through in a few weeks.
Step 1: map your AI use
List every AI tool running inside your business, including the ones staff adopted on their own. That last part is often underestimated. A shadow AI policy for SMBs helps surface hidden tools, because you can't build knowledge around AI you don't know is in use.
Step 2: define the knowledge needed per role
Link each tool to the roles that use it and decide the appropriate level of knowledge. A director needs an overview of risks and policy; a hands-on employee needs practical knowledge of the specific tool and its pitfalls.
Step 3: deliver role-appropriate training
Train staff at the level their task requires. This can range from a short internal session to a focused course. Our guide on training employees in AI tools covers how to do this without grinding the whole organization to a halt for weeks.
Step 4: set an AI-use policy
Write down what's allowed and what isn't: which data can go into which tool, when a human has to check, and who's accountable. A two-page document is already a strong base and gives you something concrete to refer to.
Step 5: document and repeat
Keep a record of who had which training and when. Schedule an annual refresh, because your AI tools change and so do their risks. This documentation is your proof of compliance. A simple table with names, roles, training completed, and dates is enough; you don't need an expensive system. Whenever you introduce a new AI tool, fold in a short briefing and a policy update at the same time, and your literacy stays current on its own.
Learn more about AI consulting?
View serviceConclusion
AI literacy is the most immediate EU AI Act obligation for SMBs, and at the same time the most achievable. It has applied since 2 February 2025, touches nearly every business that uses AI, and asks not for an expensive certification program but for a demonstrable, ongoing effort to help your people understand the tools they use every day.
The biggest trap is assuming this is a problem for later. Businesses that inventory their AI use now, set up role-appropriate training, and document everything don't just meet the law; they also work more safely and effectively with AI. Treat it as part of a wider compliance program rather than a standalone checkbox.
Want to know whether your organization meets the AI literacy obligation? Book a no-obligation discovery through our AI consulting and we'll review your AI use, your roles, and the steps that make sense for your business.