Artificial intelligence is now part of the daily workflow of companies of every size. So what is the legal responsibility of organisations that use these tools? Article 4 of the European Union Artificial Intelligence Act (EU AI Act) has been in force since 2 February 2025, and it places a concrete obligation on every organisation that uses or develops AI: ensuring that staff have a sufficient level of AI literacy. This guide explains the obligation step by step and provides a fill-in-the-blanks corporate policy template your company can use directly.

Download the Ready Template

A Word template fully aligned with EU AI Act Article 4, with 17 sections and 6 annexes (including an acknowledgment of receipt form), company fields left blank. Download it, fill it in for your organisation, and have senior management approve it. Free of charge.

Download the DOCX Template

Quick Answer

EU AI Act Article 4 places an obligation on all organisations that develop (providers) or use (deployers) AI systems to ensure their staff have a "sufficient level of AI literacy." The obligation came into force on 2 February 2025 (Article 113(a)) with no transition period. The supervision and enforcement powers of national authorities apply from 3 August 2026. The obligation applies to all AI systems regardless of risk level, and the proof of compliance is documentation: a written policy, role-based training, and records.

What Exactly Does EU AI Act Article 4 Say?

The official text of Article 4 reads as follows:

"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used."

The article sits under Chapter I (General Provisions) and its related recital is Recital 20. The aim is to ensure that both the opportunities and the risks of AI are understood within the organisation, and that AI is used in a conscious, safe, and controlled manner.

Effective Dates: 2 February 2025 and 3 August 2026

Two dates are often confused, so let us be clear about the distinction:

| Date | What happens? |
| --- | --- |
| 2 February 2025 | Article 4 (AI literacy) and Article 5 (prohibited practices) entered into force. Under Article 113(a), Chapters I and II began to apply on this date. There is no transition period. |
| 2 August 2025 | Obligations for general-purpose AI (GPAI) model providers and governance provisions took effect. |
| 3 August 2026 | Supervision and enforcement of the obligations, including Article 4, begins to be exercised by national authorities. |

In other words, the obligation is already in force today. The "we will comply in 2026" approach is mistaken. 2026 is the date when penalties begin to be imposed.

Who Is Responsible? Provider and Deployer Distinction

Provider: An organisation that develops, or has developed, an AI system and places it on the market under its own name. For example, a technology company that trains its own model and offers it as a product.

Deployer: An organisation that uses an AI system under its own authority. Most companies fall into this category. Any business using ChatGPT, Copilot, a CV screening tool, or a call centre bot is considered a deployer.

Important point: The obligation applies to all AI systems regardless of risk. Using a low-risk generative AI tool does not place you outside the scope.

The Legal Situation in Turkey

What about Turkey? There is not yet a single binding, AI-specific framework law in force in Turkey. But this does not mean "there are no rules in Turkey." The matter is directly connected to several regulations, and organisations need to prepare now:

  • Personal Data Protection Law No. 6698 (KVKK): Binding and in force for personal data processed with AI. Obligations of data minimisation, disclosure, explicit consent, and data security apply equally when entering data into an AI tool.
  • AI Law Bills (Turkish Parliament): Turkey's first AI law bill was submitted to the Grand National Assembly on 24 June 2024, with further bills in 2025. They cover definitions, liability, transparency, and sanctions, but have not yet been enacted and remain under committee review.
  • Internet Law No. 5651 (proposal): Proposals to make the source of AI-generated content transparent to users are on the agenda via this law.
  • National AI Strategy: The national policy framework run by the Presidency's Digital Transformation Office and the Ministry of Industry and Technology supports a responsible corporate AI approach.
  • Extraterritorial effect of the EU AI Act: Turkish organisations offering products or services to the EU market, or whose output is used in the EU, may be directly subject to obligations including Article 4 due to the EU AI Act's extraterritorial reach.

Practical takeaway: Even before an AI-specific framework law is enacted in Turkey, KVKK compliance is already binding, and the EU AI Act already applies to organisations doing business with the EU. So establishing a written AI policy, data classification, and literacy training now is the right approach from both the Turkish and EU perspectives.

What Happens If You Do Not Comply?

The administrative fines under the EU AI Act are high. Prohibited practices (Article 5) can attract fines of up to 35 million euros or 7 percent of global annual turnover, while other breaches can reach up to 15 million euros or 3 percent. For the Article 4 literacy obligation, enforcement is applied by national authorities from 3 August 2026. In addition, a lack of compliance aggravates the organisation's negligence liability in the event of AI-related harm or a data breach.

What Should Companies Do? Step by Step Roadmap

The following eight steps form the backbone of achieving Article 4 compliance in practice. Record every step, because the proof of compliance is documentation.

  1. Create an AI inventory. Identify which AI tools are used within the organisation, by which units, and for what purpose. List all tools, both free and subscription-based.
  2. Make Shadow AI visible. Use surveys and technical inventory to uncover tools that employees use without organisational approval, and publish an approved tools whitelist.
  3. Classify your data. Clarify which data may and may not be entered into AI tools: the distinction between public, internal, confidential, personal, and special category data.
  4. Create a written AI use policy. Acceptable use, prohibitions, roles, and responsibilities should be gathered in a single approved document. The DOCX template in this guide is exactly that.
  5. Assess employees' AI risk awareness. Measure the current level of knowledge and determine training needs on a role basis.
  6. Plan and deliver role-based AI literacy training. Use internal or external expert support if needed, at separate levels for all staff, heavy users, managers, and developers.
  7. Record the training and the measures taken, and create a file. Attendance lists, content, dates, and assessment results should be kept ready for audit. Recommendation: at least 3 years.
  8. Update the process regularly. Review the policy at least once a year, and immediately upon any change in legislation or tools.

The aim is not to ban artificial intelligence, but to ensure its safe, conscious, and controlled use.

Which Data Can Be Entered Into AI? Input Rules Table

Data classification is the most practical part of Article 4 compliance. The table below is a starting framework:

| Data class | Example | Public AI tool | Corporate or contracted AI tool |
| --- | --- | --- | --- |
| Public | Published content | Allowed | Allowed |
| Internal | Internal procedure, draft | Prohibited | Conditional, with approval |
| Confidential | Contract, financial data | Prohibited | Conditional, with approval |
| Personal data | Name, ID number, customer data | Strictly prohibited | Only with a legal basis and DPA |
| Special category data | Health, biometric, belief | Strictly prohibited | Generally prohibited |
| Secret, intellectual property | Source code, trade secret | Strictly prohibited | Conditional, isolated environment |

Golden rule: Before entering any data into a public AI tool, ask: "Would the organisation be harmed if this information were published on the internet?" If the answer is yes, do not enter that data into that tool.

How to Plan AI Literacy Training

Article 4 envisages not a "one-size-fits-all" approach to training, but a role- and context-based programme. The recommended structure is:

  • All staff (Basic): What AI is, opportunities and risks, privacy, acceptable use. Annual, 1 to 2 hours.
  • Heavy AI users (Intermediate): Prompt hygiene, hallucination and verification, bias, data classification. Twice a year.
  • Managers (Governance): Legal obligations, risk, accountability. Annual.
  • IT, developers, and providers (Advanced): Model security, evaluation, documentation, Article 5 and Annex III. Twice a year.
  • New joiners (Onboarding): Policy and basic literacy. At the time of hiring.

Training should be adapted taking into account the participant's technical knowledge, experience, and the context in which the AI will be used. This is the explicit wording of Article 4.

Documentation: The Only Proof of Compliance

In an audit, saying "we care about AI literacy" is not enough. The proof is documentation. Keep at least the following:

  • An approved and versioned written AI use policy
  • An up-to-date AI inventory
  • A role-based training calendar and content
  • Training attendance records and assessment results
  • A data classification matrix
  • The policy's review dates and revision history

The DOCX template includes ready-made tables for all of these items.

At DSET, We Apply This Too

As an organisation that uses AI-assisted systems in its own cyber security operations, DSET also applies the principles of EU AI Act Article 4 internally: a written AI use policy, data classification, AI literacy training for the team, and human oversight. You can find the details of this approach on our AI Literacy and Responsible AI Statement page.

Frequently Asked Questions (FAQ)

When did EU AI Act Article 4 enter into force?

Article 4 entered into force on 2 February 2025. Under Article 113(a), the provisions of Chapters I and II of the act began to apply on this date, with no transition period granted. Supervision and enforcement powers apply from 3 August 2026.

Which companies does Article 4 cover?

It covers all organisations that develop (providers) or use (deployers) AI systems. Any business using ChatGPT, Microsoft Copilot, CV screening software, or any AI tool is considered a deployer and is subject to the obligation. The risk level does not matter.

What exactly does the AI literacy obligation require?

It requires the organisation to take measures, to its best extent, to ensure that its staff and persons operating AI systems on its behalf have a sufficient level of AI literacy. In practice this means a written policy, role-based training, and documentation of these measures.

Do I have to comply as a small company?

Yes. Article 4 grants no exemption based on company size. However, the obligation is proportionate: for a small organisation, a basic written policy, a simple data classification, and an annual awareness training are a reasonable start.

What is the penalty if I do not comply?

EU AI Act administrative fines can reach up to 15 million euros or 3 percent of global turnover depending on the type of breach (35 million euros or 7 percent for prohibited practices). Enforcement for Article 4 is applied by national authorities from 3 August 2026. A lack of compliance also aggravates negligence liability in the event of harm.

Is there a ready template?

Yes. From the link on this page, you can download the EU AI Act Article 4 compliant, fill-in-the-blanks corporate AI use policy template in Word (DOCX) format, free of charge. The template includes 17 sections, 6 annex forms (including an employee undertaking and an acknowledgment of receipt document), and ready-made tables.

Sources

This guide is based on the following official and primary sources:

This content is for general information purposes and does not constitute legal advice. Consult a qualified legal counsel for implementation specific to your organisation.