21 May 2025

Cut off one head, and two grow in its place. Even Hercules needed help to defeat the Hydra!

The EU AI Act introduced a requirement that’s easy to overlook, but not simple to implement: AI literacy. It sounds straightforward. It should be straightforward. But it isn't. 

Read on for some insights and information... 

What Is It?

The requirement for "sufficient AI literacy" became a requirement in February 2025 and affects a wide range of organisations. If you’re building, deploying, or modifying AI systems in the EU, it’s not a nice-to-have. It’s an obligation. And it’s one that raises more questions than it answers.

Here’s what the law says, what the European Commission has clarified (and not), and how to get started before enforcement begins.

What the EU AI Act Says About AI Literacy

The Act defines four types of AI "operators":

• Providers – those who develop and place AI systems on the market
• Deployers – those who use AI systems in professional settings
• Importers
• Distributors

Under Article 4, both Providers and Deployers must ensure that their staff (and any relevant contractors or third parties) have a sufficient level of AI literacy. That obligation applies right now, even though enforcement is still over a year away.

So what does "AI literacy" actually mean?

The Legal definition has ambiguity. Article 3(56) defines AI literacy as:

“Skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.”

In other words: it depends. The required level of literacy will vary by context, role, and risk. There’s no checklist. No curriculum. No test. Just a broad expectation that your team should “know enough” to deploy AI responsibly. This leaves relevant operators in an awkward position. In the (admittedly unrelated) words of Christopher Hitchens, "created sick and commanded to be well"

What the European Commission’s Q&A Adds — and Doesn’t

The European Commission recently released a Q&A document to shed light on what “sufficient AI literacy” might mean. It offers some helpful direction and it also confirms just how fluid the obligation is.

What are some key takeaways from the Q&A?

A basic understanding of what AI is and how it works

• Awareness of how AI is used in the organisation
• Role-specific literacy based on interaction with AI systems
• Understanding of associated risks and mitigation
• Awareness of the regulatory landscape
• Recognition that AI literacy isn’t limited to high-risk systems
• Sensitivity to sector-specific context and use

But the Q&A also confirms:

• No requirement to test or certify literacy
• No required metrics or documentation standard
• No defined level of “sufficiency”

In short: you’re responsible for determining what’s appropriate. You are also responsible for proving that you've taken the obligation seriously if investigated.

The Compliance Catch-22

This creates a compliance dilemma:

• How do you prove your team is “sufficiently” AI literate?
• How do you know when you’ve done enough?
• How do you keep up as AI systems and roles evolve?

It’s like playing a game of higher/lower but when you flip the card, it’s blank. AI is evolving fast, and literacy will need to evolve with it.

Is the Requirement Already in Force?

Yes. The AI literacy obligation took effect in February 2025.

Enforcement begins in August 2026, when market surveillance authorities (many of which are still being established) will begin assessing compliance. Financial penalties will be applied based on proportionality.

What About Importers and Distributors?

They’re not off the hook. The AI Act says Importers and Distributors become de facto Providers if they:

• Place the AI system on the market in their own name (e.g., white-labelling)
• Modify the system in a way that affects compliance
• Change its intended purpose (e.g., using an AI model trained for weather forecasting to make hiring decisions)

When that happens, all Provider obligations (including AI literacy) apply. Be warned!

Practical Steps You Can Take Now

While the law is vague, the steps you can take are clear.

✅ Map your AI systems – Identify where AI is used, how it functions, and who interacts with it
✅ Understand your roles – Are you a Provider, Deployer, or both?
✅ Segment your teams – Legal, technical, operational, leadership… each role requires a different kind of literacy
✅ Start awareness-building – Create internal guidance, deliver short sessions, or use curated resources
✅ Document everything – Keep a record of your assessments and training efforts
✅ Build a basic risk register – Track AI-related risks and who’s responsible for mitigation

Conclusion

The AI literacy requirement isn’t just a tick-box exercise. Over time, it will become inseparable from how organisations build trust, resilience, and legal defensibility in AI governance.

You don’t need to be Hercules to tame this Hydra — but you do need to start now. Reach out to receive a copy of my FREE AI literacy starter kit for more information. 

This content is informational only and not legal advice. GLF is not a law firm regulated by the SRA.