AI literacy: what the EU AI Act requires from your business since 2025

AI literacy has been mandatory under the EU AI Act since February 2025. Best Byte explains what the rule covers and what you need to do.

Mees Ruijgrok

Guidance

Reading time:

4 minutes

Your employees use AI. Someone has ChatGPT rewrite a quote, someone quickly translates a customer email with it. That is happening now, often without any agreements about it. What most business owners do not know: since February 2025, the law says you have to do something about it.

That obligation is called AI literacy. It sounds heavier than it is. No mandatory course, no certificate, no separate compliance track. Just making sure the people who work with AI understand what they are doing. Here is what the rule covers, who it applies to, and what you actually need to arrange.

What is AI literacy?

AI literacy is the knowledge and skill someone needs to use AI sensibly. It comes down to skills, knowledge and understanding: knowing how the technology works at a basic level and being able to weigh up its opportunities and risks. That is not just technical. It sits just as much on the ethical and practical side. What do you put into a tool and what do you keep out, and how do you judge what comes back.

AI literacy has been mandatory under the EU AI Act since February 2025

The rule sits in article 4 of the EU AI Act and has applied since 2 February 2025. It states that providers and users of AI systems must ensure a sufficient level of AI literacy among their staff and among others who work with AI on their behalf. For most businesses it is that second role that matters. You do not build AI yourself, you use it. Even then you are responsible. That makes AI literacy mandatory for almost any business that uses AI, whether heavily or now and then.

Who does this apply to?

The obligation does not stop at your own staff. It reaches everyone who works with AI on behalf of your business. So that includes the freelancer you hire, the agency running a campaign for you, and the service provider working with your systems. In some cases even customers fall under it, depending on how and with what risk they come into contact with an AI system. The rule of thumb: if someone works with AI on your behalf, the right level of literacy comes with it.

This applies even if you only use something like ChatGPT. A business whose employees use ChatGPT for, say, copy or translation falls under the rule all the same. The European Commission names that example itself. Those people need to be aware of the specific risks, such as hallucinations: a model that confidently makes up something that is not true. Anyone who does not catch that takes faulty output at face value.

Is the bar the same for everyone?

No. The law is risk-based. The higher the risk of the AI use, the more is expected of the literacy. Someone using ChatGPT as an idea generator needs less than someone using AI for decisions that affect people. That is why ticking off a course or forwarding a manual is not automatically enough. Relying on the instructions for use alone is often insufficient, according to the Commission. What someone needs to know depends on their role, the tool and the context.

What happens if you leave it alone

There is a legal side and a practical side. Supervision and enforcement start from August 2026, in the hands of the national market surveillance authorities. They can impose sanctions. The approach is proportionate, so a fine does not appear out of nowhere. A sanction does become more likely if there is an incident that traces back to a lack of training. There is a private-law side too. Article 4 is the provision that makes this literacy mandatory. If someone suffers harm and that points to an organisation not complying with that duty, that organisation can be held liable. For most businesses the practical risk weighs heavier still. Employees who use AI wrongly without realising it put a wrong figure in a quote or share information that does not belong there. You only notice when it goes wrong.

No mandatory training, just a fitting approach

This is the reassuring part. There is no mandatory training, no certificate, no AI officer like the one privacy law has, and no separate governance structure. You do not have to formally measure anyone's knowledge. An internal record of what you have done, which explanations or sessions you have offered, is enough as documentation. What does count is a general understanding of AI in your organisation. People need to know the opportunities and the risks, and your approach fits the role and the risk level. Start with the question of who works with what and which level belongs to it. A short session or an AI literacy training aimed at each role works better than one general email to everyone. It does not have to be big. It has to fit what people do.

Running into questions about AI literacy in your organisation? Our AI policy service turns your team's actual AI use into clear, workable guardrails.

Sources

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.