SMEs do not need a universal certificate to demonstrate AI literacy; they need proportionate, role-based measures and reliable internal records. Training should cover everyone who uses, operates, configures, supervises, or governs AI systems on the company’s behalf. A practical evidence package consists of an AI literacy plan, role matrix, training register, and attendance records.
Legal status reviewed on July 14, 2026. This article provides operational guidance and is not a substitute for legal advice.
Why has AI literacy been an executive responsibility since February 2025?
In many mid-sized companies, AI adoption did not begin through a formal transformation program. An employee used an assistant to revise a customer email. An estimator summarized tender documents. A service technician converted a voice memo into a field report. Human resources tested a tool for writing job advertisements. Isolated experiments gradually became routine work.
Use AI with clear rules and responsibilities
KrambergAI helps companies establish practical AI compliance structures for internal rules, data handling, approvals, responsibilities and responsible use in daily work.
Structured guidance · Responsible implementation · Made in Germany
Article 4 of the EU AI Act addresses this type of operational reality. The requirement has applied since February 2, 2025 and covers providers and deployers of AI systems. It is not limited to companies that develop AI products. It also affects businesses using ChatGPT, Microsoft Copilot, AI phone services, image generators, translation tools, knowledge assistants, and AI functions embedded in existing business software.
Management cannot delegate the entire issue to the IT department, the data protection officer, or an external vendor. Executive leadership must ensure that the company has an operational approach to AI use. That approach should identify who may use each system, what data may be processed, who verifies outputs, and what knowledge each role needs.
The original version of Article 4 requires providers and deployers to take measures intended, to the best of their ability, to ensure a sufficient level of AI literacy. The final Digital Omnibus on AI text dated July 8, 2026 replaces that language with a duty to take measures supporting the development of AI literacy. It also states that companies are not required to guarantee a specific level of literacy for every individual. Publication of the amending regulation in the Official Journal was still pending on the review date.
The practical direction remains similar under either wording. A company needs measures that reflect prior knowledge, assigned role, system functionality, use context, and the people affected by the system. A general statement that employees are familiar with AI is not a dependable governance measure.
What does the EU AI Act mean by AI literacy?
AI literacy is broader than writing effective prompts. Article 3 describes it as the skills, knowledge, and understanding needed to support informed deployment of AI systems and awareness of their opportunities, risks, and possible harms.
The first element is recognizing where AI is being used. This is increasingly difficult because AI functions are embedded inside CRM systems, office suites, contact centers, image-editing tools, ERP modules, recruitment platforms, accounting software, and industry-specific applications.
The second element is understanding the system at an appropriate level. A language model does not automatically retrieve information from an authoritative source. It generates responses based on patterns, instructions, and the context available to it. An image-recognition system does not establish objective truth; it classifies input according to the model and training data. An automated score is not inherently unbiased simply because software produced it.
The third element concerns appropriate use. Employees need to know which tasks may be assigned to the system, when outputs require professional review, and what information must not be entered. In construction and project-based businesses, sensitive content may include pricing calculations, unpublished change orders, bills of quantities, technical drawings, and customer information. In HVAC and electrical services, it may include addresses, equipment data, fault descriptions, readings, photographs, and service histories.
The fourth element is awareness of effects on other people. A flawed internal draft does not carry the same consequences as AI-assisted applicant ranking, a technical safety recommendation, an automated credit decision, or a customer answer that appears to establish a binding price.
The European Commission identifies a general understanding of AI, the company’s role, the risks of the systems involved, and the knowledge, experience, education, and use context of the relevant people as core considerations.
AI literacy therefore combines technical awareness, operating rules, professional judgment, legal context, and an understanding of where human responsibility remains necessary. The balance varies by industry and by system.
Which employees should receive training?
Article 4 covers staff and other people who operate or use AI systems on the company’s behalf. The relevant group may include employees, contractors, freelance specialists, outsourced administrators, call-center providers, and project-based service partners. The Commission’s interpretation expressly extends beyond the company’s direct workforce.
This does not mean that every person needs the same course. An employee who neither uses AI nor makes decisions about purchasing, configuration, approval, or oversight may need only basic awareness. A person who regularly uses generative AI for customer communication, quotations, documentation, research, or analysis needs job-specific instruction.
A skilled-trades business may have several affected groups. Office employees use AI for email, appointment preparation, and proposal drafts. Field technicians create service reports through voice input. Dispatch teams use automated intake and prioritization. Management uses assistants for summaries and decision materials. An external IT provider manages accounts, integrations, and system logs.
A traffic-management company may also use AI in work preparation, field planning, documentation, and customer intake. The training should explain that a generated summary of a job site, traffic-control plan, or regulatory requirement does not replace professional review or an official traffic order.
In a technical service organization, the contact center may use an AI phone assistant to collect fault reports. Dispatch employees review the structured information. Technicians search an internal knowledge system. Administrators maintain sources, permissions, and interfaces. Each role requires a different part of the overall competency framework.
Employees working in human resources, customer service, marketing, sales, quality assurance, production management, workplace safety, or technical project leadership deserve particular attention because their AI-supported work may affect customers, applicants, workers, safety, or contractual commitments.
The company should also account for people who approve AI-generated outputs even when they do not personally enter prompts. A project manager who signs off on an AI-assisted proposal, a supervisor who accepts an automated maintenance recommendation, or an HR manager who relies on a candidate score may need more training than the employee who first used the tool.
Why does a field technician need different training from an administrator?
A field technician does not need to understand model training in order to use an AI-assisted service-report tool responsibly. The technician should be able to identify what the system reformulated, added, or inferred, verify measurements and equipment details, and prevent an assumed cause from appearing as a confirmed diagnosis.
An administrator needs additional knowledge. The administrator must understand where data is stored, which users can access each source, what logs are available, whether the vendor uses inputs for model improvement, and how permissions are inherited across connected systems. Model changes, service accounts, system prompts, interfaces, and technical safeguards also belong to this role.
An AI governance or system owner needs a broader organizational perspective. That person must maintain the inventory, determine company roles under the AI Act, classify use cases, coordinate approvals, and evaluate significant changes. The role also requires knowing when to involve privacy, information security, procurement, human resources, employee representatives, and professional subject-matter owners.
Differences also exist within a single department. A sales employee using AI to improve an email has different responsibilities from a sales director introducing automated lead scoring. An HR employee drafting a job advertisement works in a different context from a manager using a system to rank or exclude candidates.
Training should therefore be based on actual duties, system access, data categories, and impact rather than job titles alone. A person may hold several AI-related roles at once, each with its own learning needs.
How should users, administrators, and accountable owners be differentiated?
| Role | Typical activities | Required competency areas | Suitable measures | Useful evidence |
|---|---|---|---|---|
| User | Generate text, images, summaries, service reports, or research | permitted use, data rules, system limitations, output verification, copyright, error handling | foundation session, system onboarding, practical exercises, job aid | attendance record, assigned role, training status |
| Professional reviewer | Assess and approve outputs used for customers, projects, or decisions | professional validation, source review, decision impact, escalation, documentation | department-specific cases, review criteria, approval rules | role matrix, documented approval authority, refresher record |
| Administrator or integrator | Configure systems, manage permissions, operate interfaces | data flows, access control, logging, model changes, prompt injection, security, fallback procedures | technical onboarding, vendor documentation, configuration and incident exercises | administrative authorization, technical training record, change logs |
| System owner | Own the purpose, operation, and development of a system | risk classification, vendor management, controls, quality metrics, incidents, change management | governance workshop, system file, periodic operating review | system-owner designation, review minutes, action register |
| Executive or governance lead | Define policy, resources, responsibilities, and approvals | organizational roles, business and liability exposure, AI Act, privacy, procurement, oversight | executive briefing, decision workshop, scheduled updates | management decision, role matrix, approved literacy plan |
This model can be scaled to smaller organizations. One person may hold more than one role. The managing director may also be the system owner, while an outsourced IT firm handles administration. The roles should still be recorded separately so that duties do not disappear between the company and the service provider.
A role-based model also makes training easier to maintain. When a new employee joins, the company assigns the relevant roles and the training register identifies the required modules. When an employee gains administrative access or approval authority, additional training can be assigned before those rights are activated.
Why is a general one-hour AI course often insufficient?
A one-hour introductory session can be a useful starting point. It can explain basic concepts, common errors, and the company’s overall approach. It does not automatically address every system and every role.
The first limitation is scope. Many introductory courses focus only on generative AI even though the company may also use AI phone systems, computer vision, workforce software, knowledge retrieval, forecasting, or automated decision support. These systems create different operational and legal questions.
The second limitation is the connection to daily work. A field technician needs examples involving service notes, defects, photographs, customer statements, and measurements. Accounting employees need rules for invoices, banking information, and contractual documents. Marketing employees need guidance on labeling, intellectual property, image rights, approval, and brand consistency.
The third limitation is access. An ordinary user may only generate a draft. An administrator may connect a data repository, alter access permissions, change retention settings, or disable logging. Treating those people as having the same learning needs after a single shared presentation does not reflect their responsibilities.
AI systems also change. An office assistant may begin as a writing tool and later gain access to email, calendars, files, or CRM records. A phone assistant may move from recording callback requests to booking appointments and updating customer records. Earlier training may no longer match the expanded capability.
A broad one-hour course may nevertheless be proportionate for a narrow, low-impact use case when it is supported by an enforceable AI policy, system-specific instructions, and appropriate review requirements. Duration is not the main measure. The relevant question is whether the training addresses the system, the person’s role, prior knowledge, and potential consequences.
The training program should therefore be modular. A shared foundation creates a common vocabulary, while role and system modules address the decisions employees actually make.
What content belongs in a role-based training program?
Training for users should begin with the actual workflow. An HVAC business could demonstrate how a voice note becomes a service report, which fields require verification, and why a suspected cause must not be converted into a confirmed technical finding.
An electrical contractor could use a customer inquiry as a practical case. Employees can learn how to structure the request without shortening safety warnings or turning general information into a job-specific instruction. A construction or project-services company can work with a tender section, meeting record, and draft change order to show which outputs remain provisional.
Office users should receive guidance on permitted and prohibited data, confidential information, review of statements and figures, use of sources, copyright and licensing, internal approvals, customer communication, and reporting inappropriate outputs.
Administrators need additional technical content. Relevant topics include identity management, access rights, source permissions, tenant separation, logging, retention, model changes, vendor changes, API credentials, interface scopes, and protection against manipulated input. For a company knowledge system, the administrator must prevent an external partner from retrieving internal HR, pricing, or project information through the assistant.
System owners should understand how to document and operate the application. They need to record its intended purpose, users, affected people, data categories, outputs, human-review process, quality controls, incident handling, and retirement criteria.
Executives need more than a product demonstration. They must understand the responsibilities created by approving a system, the documentation expected from vendors, the business processes that should retain human decision-making, and the resources needed for governance.
Professional reviewers need training in a separate area that companies sometimes overlook. A person who approves an AI-generated output should know what evidence to request, how to identify unsupported assumptions, how to handle uncertainty, and when to reject an output rather than revise it.
Training should also address reporting behavior. Employees need an accessible route for reporting unexpected results, sensitive-data exposure, inappropriate access, misleading customer content, or a system that performs a function outside its approved purpose.
What evidence does Article 4 actually require?
The EU AI Act does not prescribe a specific certificate, examination, vendor, or training format. The European Commission states that companies may keep internal records of training and other guidance measures. A certificate is not required.
That does not make documentation optional from a practical perspective. Without records, a company may struggle to demonstrate what it did, which roles were addressed, and whether the measures matched the system’s use. This becomes especially important when an incident involves an unreviewed output, inappropriate data entry, or administrative misconfiguration.
A dependable record should answer three questions.
What was taught?
The record should identify learning objectives, topics, systems, examples, policies, and supporting materials.
Who received the measure?
It should identify participants, roles, departments, dates, and relevant external contractors.
Why was the measure appropriate?
The role matrix should connect duties, access rights, and system impact with the required learning content.
An attendance record alone does not establish that the employee can apply the material. It shows that the person participated. Practical exercises, a short knowledge check, supervised onboarding, or confirmation of a system walkthrough can provide additional evidence when justified.
The company does not need to create excessive personal performance profiles. Records should be limited to what is necessary for assigning, demonstrating, and updating AI literacy measures. Privacy, labor-law, and record-retention principles still apply to the training records themselves.
Evidence should also cover non-classroom measures. A revised job aid, mandatory system onboarding, an administrator workshop, a documented case review, or a policy briefing may all contribute to the company’s overall approach.
What should a training register, attendance record, and role matrix contain?
A training register is the central list of planned and completed AI literacy measures. Useful fields include the measure name, target audience, organizer, systems covered, learning objectives, date, delivery method, materials, version, and current status.
An attendance record connects a particular person with a particular measure. It may include the employee’s name, function, business unit, date, duration, module, instructor, delivery method, and completion of any practical exercise. For contractors, it can also identify the employer and underlying service engagement.
A role matrix connects duties and permissions to required competency areas. It should not rely solely on formal job titles. An employee may simultaneously be a generative-AI user, professional reviewer for proposals, and CRM key user. Each role may trigger different training modules.
A practical matrix can use the following levels:
- General awareness: recognizing AI, understanding company rules, and knowing which systems are approved.
- User competence: entering appropriate information, reviewing outputs, and applying the tool within a defined workflow.
- Review competence: approving outputs, evaluating sources, and handling decision-relevant content.
- Technical competence: configuring systems, controlling data access, managing logs, and implementing safeguards.
- Governance competence: classifying risk, managing vendors, approving systems, handling incidents, and evaluating changes.
The company does not need a complicated scoring model. A compact matrix is sufficient when it reflects actual duties and is maintained as roles and systems change.
The register and matrix should be connected. When a person receives a new role, the system should identify the corresponding training. When a course is updated, the company should know which role groups require the new version.
How can an SME build a simple AI literacy plan?
A practical AI literacy plan can be documented in a short internal paper. The value lies in connecting systems, roles, measures, and records rather than producing a lengthy policy document.
1. Purpose and scope
Define the companies, locations, employees, contractors, and AI systems covered by the plan.
2. Responsibilities
Executive management appoints an organizational owner. Business units identify system owners. IT, privacy, information security, procurement, HR, and employee representatives participate according to their responsibilities.
3. Target groups and roles
The role matrix distinguishes general users, regular users, professional reviewers, administrators, and accountable owners. Multiple roles may be assigned to one person.
4. Learning objectives
Each role receives expected outcomes. A user should recognize confidential information, review outputs, and report errors. An administrator should assess access control, data flows, logging, and model changes.
5. Measures
The program may combine an executive briefing, foundation course, system onboarding, practical workshop, job aid, learning video, case discussion, and vendor technical training. Not every person needs every format.
6. Evidence
Maintain the training register, attendance records, role matrix, material versions, and any practical completion records in a central location.
7. Update triggers
Define events requiring reassessment: a new system, new functionality, expanded data access, a different user group, an incident, a legal change, or repeated quality problems.
8. Connection to the AI policy
Training should explain the company’s actual rules, including approved systems, prohibited data, review duties, customer-facing disclosures, approvals, and reporting channels.
9. Connection to the AI inventory
Every approved system should have an assigned owner and relevant user roles. The inventory then becomes the basis for determining which training modules apply.
10. Operating review
Management or the governance owner should periodically review missing training, overdue updates, system changes, incidents, and upcoming deployments.
An SME can start with the systems that create the greatest operational impact and expand the program over time. This is generally more useful than attempting to cover every theoretical AI scenario before the company has addressed its current tools.
When should training be updated or repeated?
Article 4 does not impose a fixed annual renewal period. A scheduled cycle can support administration, but event-driven updates remain important.
New training is appropriate when the company introduces another AI system, changes the intended purpose, or connects new data sources. The same applies when the level of automation increases. A tool that only drafts text creates a different learning need when it begins booking appointments, modifying CRM records, sending messages, or initiating operational actions.
Role changes matter as well. A user becoming a key user, reviewer, administrator, or system owner should receive the additional training before expanded rights or authority are granted.
Incidents should trigger reassessment. Examples include incorrect customer statements, defective proposals, unauthorized data access, inappropriate system output, or use of an unapproved service. The company should determine whether the cause was individual error, inadequate system design, weak controls, or a gap in the training program.
Vendor updates require attention. A new model, changed retention rules, added integrations, or revised terms of use may affect existing instructions. The responsible owner should assess whether users and administrators need updated guidance.
A yearly review is a practical baseline for many SMEs. Significant changes should create additional reviews rather than waiting for the next scheduled date.
The company should also consider whether training remains relevant to actual work. A course may still be technically current while failing to address the way employees now use the system. Feedback from users, administrators, reviewers, and incident records can help refine future modules.
Which four figures illustrate the need for action?
Workplace training has not yet caught up with increasing AI use. In a 2025 survey by the German digital-industry association Bitkom, only 20 percent of employees reported having completed AI-related professional training. Only 26 percent of the companies surveyed offered such training.
The implementation gap is also visible in industrial businesses. In another Bitkom survey, 42 percent of industrial companies identified insufficient expertise for integrating AI into existing processes as an obstacle.
This does not mean that every employee must become an AI developer. An OECD analysis published in 2026 concludes that less than 1 percent of workers need advanced AI-specific skills. For most roles, applied digital competence, data interpretation, professional judgment, problem-solving, and human skills are more relevant.
The practical model is therefore layered: broad awareness across the organization, role-specific instruction for regular users and reviewers, and deeper technical or governance training for administrators, developers, and accountable owners.
How can training, policy, and governance form a workable foundation?
Training has limited impact when the organization has not defined which systems are approved or what rules employees must follow. An AI policy also has limited value when employees cannot apply it to actual customer, project, service, and administrative situations.
A connected foundation works better. The policy identifies approved systems, prohibited data, review duties, customer-facing requirements, and responsibilities. The literacy plan assigns those rules to specific roles. The governance structure ensures that new systems are assessed, material changes are reviewed, and incidents are handled.
An SME does not need to begin with a large compliance department. A useful starting point may consist of an AI inventory, a concise policy, a role matrix, a small set of audience-specific training modules, and a defined approval workflow.
The package should be designed for expansion. New departments, systems, and workflows can then be added without rebuilding the entire approach.
KrambergAI GmbH, https://krambergai.com/, combines training, an internal AI policy, and a governance foundation for mid-sized companies. The intended outcome is not an isolated awareness session but an operating structure that can support additional AI systems and business processes.
Bring AI into daily operations in a structured way
The KrambergAI AI Introduction helps companies select suitable use cases, prepare workflows and integrate AI solutions into everyday operations in a controlled and practical way.
Structured implementation · Practical guidance · Made in Germany
Which sources support the figures used in this article?
Bitkom: One in Five Employees Has Received AI Training at Work
https://www.bitkom.org/Presse/Presseinformation/Ein-Fuenftel-im-Job-zu-KI-geschult
Bitkom: AI Adoption in Industrial Production
https://www.bitkom.org/Presse/Presseinformation/Industrie-4.0-Unternehmen-KI-Produktion
OECD: AI and Skills – What We Know So Far
https://www.oecd.org/en/publications/ai-and-skills_f843b352-en/full-report.html
Which sources belong in “Further reading”?
European Commission: AI Literacy Questions and Answers
https://digital-strategy.ec.europa.eu/en/faqs/ai-literacy-questions-answers
German Federal Network Agency: AI Literacy Under Article 4
https://www.bundesnetzagentur.de/EN/Areas/Digitalisation/AI/07_Literacy/start.html
European Commission: Repository of AI Literacy Practices
https://digital-strategy.ec.europa.eu/en/policies/repository-ai-literacy-practices
FAQ
Does Article 4 already apply to mid-sized companies?
Yes. The AI literacy requirement has applied since February 2, 2025, regardless of industry or company size. It covers organizations that provide AI systems and those that deploy them in business operations. The appropriate measures depend on the systems involved, employee responsibilities, prior knowledge, use context, and possible effects on other people.
Does every employee need to attend an AI training course?
Not necessarily at the same level. Training should focus on people who use, administer, supervise, purchase, approve, or govern AI systems. Other employees may need only basic awareness. The deciding factor is whether the person works with AI on the company’s behalf or has responsibility for approving, controlling, or supporting its use.
Does the company need a recognized AI certificate?
No. Article 4 does not prescribe a specific certificate, accredited provider, or examination. Internal and external measures are both possible. The company should document the audiences, content, systems, dates, and relationship to each role. That evidence should demonstrate why the selected measures were proportionate to the relevant tasks and risks.
Is a general one-hour AI course sufficient?
It may be proportionate for a narrow, low-impact use case, but it is not automatically sufficient for regular users, reviewers, administrators, or system owners. These roles require system- and task-specific content. The foundation course should be supported by the company’s AI policy, practical examples, job aids, and deeper onboarding where the impact is greater.
Do external service providers also need training?
They may need appropriate AI literacy when they operate or use AI systems on the company’s behalf. Examples include outsourced administrators, freelancers, contact-center providers, and project specialists. Contracts should define the expected competence, responsibility for onboarding, access to company instructions, and evidence the provider must supply before receiving system access.
Should administrators receive the same course as ordinary users?
No. Administrators also need knowledge of data flows, permissions, logs, interfaces, model changes, security controls, service accounts, and incident handling. Users focus more on permitted input, output review, and professional application. A shared foundation module can support both groups, but it should be supplemented with technical content for privileged roles.
Must executive management personally attend training?
The law does not mandate a particular executive course. Management must nevertheless understand enough to decide responsibilities, approvals, resources, and risk treatment. A focused executive briefing on company roles, governance, vendor obligations, prohibited uses, and decision authority is therefore usually appropriate, even when operational training is delegated to other teams.
Is a knowledge test required after training?
No standardized test is required by Article 4. A short knowledge check, practical exercise, or supervised system onboarding may still be useful for administrators, reviewers, and higher-impact applications. It can show whether participants are able to apply the company’s rules, recognize inappropriate output, and use escalation procedures rather than merely confirming attendance.
How often should AI training be repeated?
There is no universal renewal interval. A periodic review, often scheduled annually, can provide a useful baseline. Additional instruction should follow significant changes in systems, purpose, data access, permissions, automation, or legal requirements. Incidents, recurring quality issues, vendor changes, and employee role changes may also require an earlier update.
What information belongs in a training register?
The register should include the measure, target audience, learning objectives, systems covered, date, delivery format, organizer, materials, and version. It should also connect participants with assigned roles. This allows the company to identify completed training, missing modules, outdated content, new employees awaiting onboarding, and contractors who still require access-related instruction.
Can an AI training program be delivered entirely internally?
Yes. A company may develop and deliver its own program when the content, instructor, and format fit the use case. External expertise may be useful for specialized technical or legal topics. Internal training is particularly effective when it uses the company’s approved systems, real workflows, internal data rules, customer examples, and known operating problems.
Does business use of ChatGPT already trigger Article 4?
It can. Employees using a general-purpose AI assistant for business tasks should understand confidential-data restrictions, possible inaccurate output, verification duties, copyright issues, and internal approvals. The program may remain compact when use is limited to narrow, low-impact tasks, but the organization should still document its rules, target users, and selected measures.

