EU AI ActAI LiteracyArticle 4

The AI Act deadline you missed because you heard it was delayed

Behzad Motaghi31 May 20269 min read

I had the same conversation three times last month. A CTO, a head of product, and a compliance lead at three different companies. Each one opened with some version of the same line: “The AI Act got delayed, so we have more time, right?” Each time, I had to explain that the part of the AI Act that applies to them right now -- the part that requires their people to actually understand the AI tools they use -- did not move by a single day.

This is not a niche compliance trap. Across 12 AI advisory mandates since 2019, spanning financial services, healthcare, manufacturing, legal, and logistics, I have seen the same pattern: the companies most exposed are not the ones who never heard of the AI Act. They are the ones who heard “delayed” and stopped planning. If your organisation uses Copilot, ChatGPT, or any LLM-powered tool in daily operations, this article is for you.

What the Omnibus actually changed

The confusion is understandable, but it usually comes from two different things getting merged into one. The simplification packages the Commission published in early 2025 touched sustainability and corporate reporting rules. They did not amend the AI Act. The instrument that actually changes the AI Act is a separate one: the Digital Omnibus on AI, a Commission proposal published in November 2025. That is the text people half-heard about and assumed bought them more time.

Here is what the Digital Omnibus does to Article 4, and what it does not. A provisional political agreement between the Parliament and the Council was reached on 7 May 2026. It softens Article 4. It does not delete it. The agreed change replaces the duty to ensure a sufficient level of AI literacy with a duty to take measures to support the development of that literacy among your staff. Your organisation is still the party on the hook. The standard moves from guaranteeing a result to demonstrating genuine effort. That is a real difference, but it is not the difference between an obligation and no obligation.

Two dates anchor everything. Article 4 took effect on 2 February 2025. The enforcement date, when national market surveillance authorities start acting on non-compliance, is 2 August 2026. Neither of those moved. And the softened wording is not law yet. As of today the formal text has not been adopted or published in the Official Journal. Until it is, the current Article 4 obligation remains in force exactly as written.

What does that mean in practice? Even once the Omnibus softening is formally adopted, the enforcement date did not move, the national implementing laws already enacted do not automatically roll back, and -- most importantly -- the customer questionnaires arriving in your inbox do not wait for the Official Journal. The regulatory ground is shifting. The commercial pressure is not.

What Article 4 actually requires

Article 4 of the EU AI Act places an obligation on both providers (the companies building AI systems) and deployers (the companies using them in their operations) to ensure that their staff have sufficient AI literacy. The full text, available at artificialintelligenceact.eu, is deliberately non-prescriptive. There is no mandated certification. No required number of training hours. No approved curriculum.

What the obligation requires is proportionality: literacy measures must be tailored to the role of the person and the specific AI system being used. A developer integrating an AI API needs a different depth of understanding than a customer service agent using an AI-assisted ticketing tool. The Commission clarified this in its AI Literacy FAQ (last updated November 2025, at digital-strategy.ec.europa.eu), confirming that the obligation is risk-based and context-sensitive.

In practice, you cannot satisfy Article 4 with a single company-wide e-learning module and call it done. It also means that if an authority asks you how your organisation meets the obligation, “we sent everyone a 20-minute video” is not a sufficient answer. What they want to see is that you have thought about which roles interact with which AI systems, what understanding is genuinely necessary for each, and how you have built that understanding in a way you can demonstrate.

The AI Office has built a living repository of literacy practices drawn from organisations of various sizes. The range of approaches is wide. That range is the point: there is no single template, which means there is no excuse for waiting to find one. I wrote separately about why AI readiness is not the same thing as data readiness, in the context of the EU AI Act readiness questions growing companies face. The literacy piece is one specific output of a wider readiness assessment.

Does the AI Act apply to small companies? No size exemption, and deployers are in scope

This is the question I hear most often from scale-up founders and heads of operations at mid-sized companies. “We are 80 people. This is for the big tech firms, right?”

No. Article 4 has no headcount threshold. No revenue threshold. No exemption for companies below a certain size. The classification that matters is not how large you are. It is whether you are a provider or a deployer of an AI system under the Act.

A deployer is any organisation that uses an AI system under its own authority in a professional context. If your team uses Microsoft Copilot to draft internal documents, you are a deployer. If you use ChatGPT or a GPT-powered product to handle customer queries, you are a deployer. If your CRM, your recruitment platform, or your financial reporting tool has LLM capabilities baked in, you are a deployer. The key is use in a professional context, not whether you built the tool.

Most growing companies I work with have five to fifteen distinct AI tools in active use across the business. Most could not list all of them accurately before I did an inventory together. That inventory is not optional. It is the first prerequisite for any honest compliance assessment.

Denmark moved first

For companies operating in Denmark, there is an additional layer worth understanding. Denmark was the first EU member state to enact national implementing legislation under the AI Act. Lov nr 467 of 14 May 2025 designated Digitaliseringsstyrelsen as the coordinating national authority and built out the supervisory infrastructure. For most deployers, Digitaliseringsstyrelsen is the primary supervisory contact; Datatilsynet covers the prohibited-practice provisions that intersect with personal data.

Digitaliseringsstyrelsen has published dedicated AI literacy guidance at digst.dk. It proposes concrete measures: e-learning, AI communities of practice, awareness campaigns, and literacy ambassadors within organisations. These are not mandates -- they are a menu of approaches the authority considers appropriate evidence of compliance effort. If Digitaliseringsstyrelsen comes to your organisation with questions, the existence of a literacy program built around their own guidance is a considerably stronger position than a blank look and a reference to the Omnibus.

Denmark being first matters because it also means the supervisory infrastructure is already built. The authorities are not waiting to figure out how to enforce this. The runway between now and August 2026 is shorter in practice than the calendar suggests.

The deadline that matters more than August 2

Here is the reframe that changes how most of my clients think about Article 4. The regulator’s enforcement date is August 2, 2026. Your enterprise customers’ procurement teams are already asking about it now.

If you sell to larger organisations -- particularly in financial services, healthcare, or the public sector -- you may have already seen AI-related questions appear on supplier questionnaires. Some are broad (does your organisation have an AI governance policy). Some are specific (how do you meet your Article 4 obligations under the EU AI Act). The companies sending these questionnaires are not waiting for August. They are conducting supplier diligence now, and if your answer is “we’re working on it,” that has commercial consequences before any regulator ever contacts you.

I have seen this pattern before with NIS2. Long before NIS2 enforcement began, regulated entities started pushing supplier audit requirements down their supply chains. Non-regulated SaaS vendors selling into financial services or healthcare found themselves fielding NIS2 security questionnaires from customers who were themselves under regulatory pressure. The dynamic with AI literacy is the same, and it is already in motion. I wrote about the NIS2 supplier audit pressure pattern in detail for companies in that position.

The commercial deadline, in short, is not August 2026. It is the next RFP you respond to from an enterprise buyer who has added AI governance to their vendor checklist.

What does an AI literacy program actually look like?

Given that Article 4 is deliberately non-prescriptive, “what does compliance actually look like” is the right question to ask. Based on the mandates I have run across sectors, the work breaks into four pieces.

The first is an AI inventory. Before you can assess literacy, you need to know what AI systems are in active use across the organisation. This is harder than it sounds. In most companies, AI adoption has happened faster than governance has. Tools get adopted at team level before anyone in operations or legal has reviewed them. The inventory needs to cover not just centrally procured tools but anything individual teams have pulled in under a departmental or individual licence.

The second is role-differentiated literacy mapping. Once you know what tools exist, you map which roles interact with which tools and what literacy is genuinely required for each. The Commission’s guidance points to role and system-specific proportionality, which makes a uniform-only approach hard to defend. A developer integrating an AI system into a product pipeline needs a different depth of understanding than a marketing manager using an AI writing assistant. The mapping does not need to be exhaustive, but it needs to be defensible.

The third is the evidence artifact. Literacy is not demonstrable without documentation. The evidence artifact is the record of what your organisation has defined as appropriate literacy for each role, what measures have been taken to achieve it, and how you verify that understanding exists. This is what you show a regulator, a customer, or an auditor who asks how you meet Article 4.

The fourth is an operating model. AI tools change fast. People change roles. New tools get adopted. The program needs a simple governance layer that keeps the inventory and the literacy mapping current, rather than treating compliance as a one-time project that produces a dusty document.

Dansk Industri (DI) has published an AI literacy compliance guide (danskindustri.dk) that gives a practical framework for this, oriented toward Danish companies. It is worth reading alongside the Digitaliseringsstyrelsen guidance.

In the companies I have worked with, typically 40 to 250 people with a handful of AI tools in active use and no formal AI governance in place yet, this full program is typically 0.3 to 0.5 FTE of internal effort over 8 to 12 weeks, assuming someone is driving it with external support for the legal and risk framing. It is not a training department buildout. It is a structured piece of work with a defined output that gives you a defensible compliance position. I wrote about what this kind of AI readiness assessment looks like in practice, in the context of helping growing companies structure their approach to the Act.

The deadline that didn't move

The Omnibus may soften Article 4 on paper once formally adopted. The enforcement date did not move. The national implementing laws already enacted did not roll back. And the enterprise customer asking about your AI literacy posture in the next procurement round does not read the Official Journal. The commercial deadline is the next RFP, not the regulator's calendar.

If you need a defensible Article 4 position before the next enterprise questionnaire lands, that is the work I help growing companies scope: the AI inventory, the role-differentiated literacy mapping, and the evidence artifact, as a fixed-scope engagement. The services page has the detail.

Frequently asked

Was the EU AI Act delayed by the Omnibus package?

The Digital Omnibus on AI, a Commission proposal from November 2025, reached a provisional political agreement on 7 May 2026 that softens Article 4. It changes the duty from ensuring a sufficient level of AI literacy to taking measures to support its development. The formal text has not been adopted or published in the Official Journal. The current Article 4 took effect February 2, 2025. Enforcement starts August 2, 2026. Neither date has moved.

What does Article 4 of the EU AI Act require?

Providers and deployers must ensure that staff working with AI systems have sufficient AI literacy, proportionate to their role and the specific AI system in use. There is no mandated training format or certification. The obligation is that understanding exists and can be demonstrated.

Does the EU AI Act apply to small companies?

Yes. There is no size exemption for Article 4. Any company deploying AI tools -- including Copilot, ChatGPT, or LLM-powered SaaS products -- is a deployer and falls within scope. A 50-person company is as much in scope as a 5,000-person enterprise.

What is the enforcement date for AI literacy under the EU AI Act?

National market surveillance authorities begin enforcement on August 2, 2026. The obligation itself took effect on February 2, 2025. Article 4 is not separately listed in the AI Act penalty tiers, and there is no standalone fine for an AI literacy gap on its own. The practical risk is that weak literacy undermines related obligations that do carry penalties, and that it surfaces as audit, procurement, and supervisory exposure.

How has Denmark implemented the EU AI Act?

Denmark was the first EU member state to enact national implementing legislation (Lov nr 467, May 2025). Digitaliseringsstyrelsen, the coordinating national authority, has published dedicated AI literacy guidance. Proposed measures include e-learning, AI communities of practice, awareness campaigns, and literacy ambassadors. Datatilsynet supervises the prohibited-practice provisions that intersect with personal data.

What does an AI literacy compliance program look like for a growing company?

The core work is four things: an AI inventory of tools in active use, a role-differentiated literacy mapping, an evidence artifact that documents what literacy looks like per role, and an operating model for keeping it current. In the companies I have worked with, this is typically 0.3 to 0.5 FTE internal effort over 8 to 12 weeks. It is not a training department buildout.

Next step

Let's work out what you actually need.

30-minute scoping call. Free and non-binding. One live trigger is enough to start. If it's not a fit I'll tell you, and point you somewhere that is.

Book a scoping call