Article 4 is the first EU AI Act obligation enterprise procurement asks about. The deadline is retroactive — the duty applies from 2 February 2025 under Article 113(a), more than 18 months ahead of the main provider duties on 2 August 2026. A B2B SaaS receiving an AI vendor security questionnaire in 2026 will see the literacy question early and concrete: "Provide evidence of your Article 4 AI literacy programme. Include the policy, the role-based training matrix and the completion log."
Three things make Article 4 the cleanest procurement signal in 2026:
The procurement-stage cost of missing Article 4 in 2026 is in most cases higher than the current fine exposure under Article 99(4). The deal is the thing.
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.
The text breaks into five operative components:
The cleanest implementation pattern in 2026 segments staff and operators into five role bands. Each band gets a scoped curriculum and a separate training log entry.
Builders. Engineers, ML researchers, data scientists, applied AI engineers shipping the model or feature. Deepest curriculum: scope of the EU AI Act, risk classification under Annex III, technical risk and bias under Article 10, evaluation methodology, human oversight design under Article 14, post-market monitoring under Article 72, documentation duties under Annex IV. Two to three hours initial, one hour annual refresh.
Operators. DevOps, SRE, platform engineers running the AI system in production. Operations-focused literacy: monitoring, automatic logging under Article 12, incident response, serious-incident reporting under Article 73, log retention windows, post-market signal handling, change-management gate to FRIA update. Ninety minutes initial, forty-five minute annual refresh.
Reviewers. Annotators, content moderators, human-in-the-loop reviewers. Oversight-focused literacy: how outputs are reviewed, when to override under Article 14(4), escalation paths, complaint mechanism under Article 27(1)(f) for high-risk deployer flows, well-being safeguards under the Article 14 oversight regime. Two hours initial, one hour annual refresh.
Internal users. Sales, marketing, customer support, internal staff using AI tools in the workflow (LLM assistants, AI search, drafting tools, internal copilots). Applied literacy: AI tool boundaries, sensitive-data avoidance, output verification, prompt-handling hygiene, when to escalate. Forty-five to sixty minutes initial, thirty minute annual refresh.
Leadership. Executives, general managers, accountable senior persons (typically a C-suite member or VP for AI compliance). Governance literacy: scope of the Regulation, classification regime, fundamental rights overview, risk acceptance, sign-off duties, Article 26 deployer accountability where applicable, Article 4 sign-off authority. Ninety minutes initial, thirty minute quarterly regulatory briefing.
New hires complete a thirty-minute literacy onboarding module within the first ninety days of joining, regardless of band. The module covers the AI Act scope, the company's AI systems inventory, the policy statement, and the role-band the new hire is assigned to (with a pointer to the band-specific module). The onboarding completion is logged separately from the band module.
Every staff member should fall into at least one band; many fall into two. A back-end engineer who also runs the production deploy of an AI system is both a builder and an operator and is expected to complete both modules. A founder running an AI-first SaaS is typically leadership plus builder plus operator. The role assignment is documented in the training matrix.
Article 4 does not prescribe a format. The Commission's Living Repository on AI Literacy under Article 4, published in May 2025 and updated through 2026, signposts approaches taken by signatories but does not mandate any of them. The implementation pattern that has stabilised in 2026 B2B SaaS audits is a three-document package:
1. A short policy signed by an accountable senior person at the company. States the scope (every employee and every contractor handling AI systems), the standard (sufficient level of literacy under Article 4), the role bands, the cadence (initial within 90 days of joining; annual refresh), the accountable owner, and the review cycle. The signed PDF lives in the company's compliance repository and is the document handed to procurement on first request. Half a page of text; signature page on the back. The signature is meaningful — most national authorities read absence of signed sign-off as absence of organisational adoption.
2. A table mapping every staff role to one or more bands. Lists each role on the rows and each band on the columns; an X marks the band(s) the role is assigned to. The matrix is reviewed quarterly to capture new roles, departures and band reassignments. The matrix is the document that proves the company has thought about scope at the person level, not just at the organisational level. National authorities in 2026 working-group statements have flagged absence of a role-level matrix as the most common evidence gap.
3. A log evidencing completion of each module by each person, with the module name, completion date, version of the module content, and a delivery method (e-learning record, attendance record for live session, internal LMS export). Initial completion and annual refresh are logged separately. The log lives in the compliance repository and is exportable to PDF or CSV for procurement and audit. The log is the document a Datadog-style auditor will sample on first read — they will pick five people across bands and check the log entries.
Below is the policy template the auditai SDK populates via audit.export_article_4_policy(). Field names in angle brackets are populated by the company at first generation.
AI LITERACY POLICY
EU AI Act Article 4 — Provider and Deployer File
Document version: <1.0>
Date of policy: <2026-MM-DD>
Company: <legal name, address, contact>
Accountable owner: <name, role, email>
Review cycle: annual; next review <2027-MM-DD>
1. SCOPE
This policy applies to every employee, contractor, embedded consultant
and third-party operator who deals with the operation and use of any
AI system on behalf of <company>, regardless of role band, seniority
or contract type.
2. STANDARD
Every person in scope shall achieve and maintain a sufficient level of
AI literacy under Article 4 of Regulation (EU) 2024/1689 ("EU AI Act"),
calibrated to (a) their technical knowledge, experience, education and
training, (b) the context in which the AI systems are used, and
(c) the categories of persons on whom the AI systems are used.
3. ROLE BANDS
Builders — engineers, data scientists, ML researchers, applied AI
engineers.
Operators — DevOps, SRE, platform engineers running AI systems in
production.
Reviewers — annotators, moderators, human-in-the-loop reviewers.
Internal users — staff using AI tools in workflow.
Leadership — executives, accountable senior persons, GMs.
Every person is assigned to at least one band. Band assignment is
recorded in the training matrix referenced in clause 5.
4. CURRICULUM AND CADENCE
Each band has a scoped curriculum maintained by the AI compliance
owner. Curriculum content is reviewed annually and on material
regulatory updates (Commission guidance, AI Office statements, national
authority guidance).
Initial completion: within 90 calendar days of joining or band
reassignment.
Annual refresh: within 12 calendar months of last completion.
Leadership additionally: quarterly regulatory briefing (30 minutes).
5. EVIDENCE
A training matrix (band assignment per role) and a training log
(completion per person per module) are maintained in the company's
compliance repository. Both are exportable to PDF and CSV for
procurement, customer and authority requests.
6. SIGN-OFF AND ACCOUNTABILITY
The accountable owner reports to <Board / CEO / Designated Officer>
on programme status quarterly. Material gaps trigger remediation
within 60 calendar days.
7. SIGNATURE
<Name, Role, Date, Signature>
The signed PDF is the artefact procurement asks for. Keep the file under a stable URL inside the compliance repository so the questionnaire response can reference it directly.
The matrix is a simple table. Rows are roles in the company; columns are bands. The cell value is a date of last completion (initial or refresh, whichever is most recent). The auditai SDK populates the matrix via audit.export_article_4_matrix() from the HR roster plus the training log.
| Role | Builders | Operators | Reviewers | Internal users | Leadership |
|---|---|---|---|---|---|
| CTO | 2026-03-12 | — | — | — | 2026-03-12 |
| VP Engineering | 2026-02-04 | — | — | — | 2026-02-04 |
| Backend Engineer (Platform) | — | 2026-04-22 | — | 2026-04-22 | — |
| ML Engineer | 2026-04-08 | — | — | — | — |
| SRE | — | 2026-03-30 | — | — | — |
| Content Moderator (outsourced) | — | — | 2026-04-15 | — | — |
| Sales AE | — | — | — | 2026-04-02 | — |
| Customer Support | — | — | — | 2026-04-02 | — |
The matrix is exported to PDF for the procurement file and to CSV for internal review. A blank cell signals a person is not in that band. An expired cell (a completion date more than 12 months before today) is flagged for refresh and the person is notified.
The log is per-person, per-module, append-only. The auditai SDK exports the log via audit.export_article_4_training_log() from the company's LMS or attendance system.
AI LITERACY TRAINING LOG
EU AI Act Article 4 — Evidence File
Export date: <2026-MM-DD>
Format: append-only CSV; PDF rendering available.
| Person ID | Role            | Band           | Module                   | Version | Type    | Date       | Delivery       |
|-----------|-----------------|----------------|--------------------------|---------|---------|------------|----------------|
| 0001      | CTO             | Builders       | builders-core-v3         | v3.1    | initial | 2026-03-12 | LMS e-learning |
| 0001      | CTO             | Leadership     | leadership-governance-v2 | v2.0    | initial | 2026-03-12 | live workshop  |
| 0002      | ML Engineer     | Builders       | builders-core-v3         | v3.1    | refresh | 2026-04-08 | LMS e-learning |
| 0003      | SRE             | Operators      | operators-monitoring-v2  | v2.1    | initial | 2026-03-30 | LMS e-learning |
| 0004      | Content Mod.    | Reviewers      | reviewers-oversight-v2   | v2.0    | initial | 2026-04-15 | live workshop  |
| 0005      | Sales AE        | Internal users | users-applied-v1         | v1.4    | initial | 2026-04-02 | LMS e-learning |
| 0006      | New hire #ENG12 | Onboarding     | onboarding-30min-v1      | v1.2    | initial | 2026-04-25 | LMS e-learning |
Retention: minimum 5 years from completion date.
Export to procurement: redact Person ID and Role per data-minimisation practice; aggregate by band and completion percentage if asked.
The log retention is set to five years by default; the AI compliance owner aligns it with the company's general document retention policy where that is longer.
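The matrix and log rules above (last completion per cell, a 12-month expiry flag, a redacted per-band export for procurement) worked through as an added Python example; it is not auditai SDK code and does not call the SDK. The CSV column names, the sample rows, the reference date and the choice to show the oldest completion for a role held by several people are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample rows in the column layout of the training log above.
LOG_CSV = """person_id,role,band,module,version,type,date,delivery
0001,CTO,Builders,builders-core-v3,v3.1,initial,2026-03-12,LMS e-learning
0001,CTO,Leadership,leadership-governance-v2,v2.0,initial,2026-03-12,live workshop
0002,ML Engineer,Builders,builders-core-v3,v3.0,initial,2025-03-20,LMS e-learning
0002,ML Engineer,Builders,builders-core-v3,v3.1,refresh,2026-04-08,LMS e-learning
0007,ML Engineer,Builders,builders-core-v3,v3.0,initial,2025-01-15,LMS e-learning
0003,SRE,Operators,operators-monitoring-v2,v2.0,initial,2025-02-10,LMS e-learning
0005,Sales AE,Internal users,users-applied-v1,v1.4,initial,2026-04-02,LMS e-learning
"""
TODAY = date(2026, 4, 30)  # constructed reference date for the example

def load_log(text):
    """Parse the append-only CSV log; the date column becomes datetime.date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["date"] = date.fromisoformat(row["date"])
    return rows

def is_expired(completed, today):
    """True when a completion is more than 12 calendar months old."""
    months = (today.year - completed.year) * 12 + today.month - completed.month
    return months > 12 or (months == 12 and today.day > completed.day)

def latest_per_person(rows):
    """Newest entry per (person, band): later log rows supersede earlier ones."""
    latest = {}
    for row in rows:
        key = (row["person_id"], row["band"])
        if key not in latest or row["date"] > latest[key]["date"]:
            latest[key] = row
    return latest

def build_matrix(rows):
    """Role x band matrix. Assumption: a role held by several people shows the
    oldest of their latest completions, so a lapsed person is never masked."""
    matrix = defaultdict(dict)
    for row in latest_per_person(rows).values():
        cell = matrix[row["role"]].get(row["band"])
        matrix[row["role"]][row["band"]] = min(cell, row["date"]) if cell else row["date"]
    return dict(matrix)

def expired_cells(matrix, today):
    """(role, band) cells that need a refresh notification."""
    return sorted((role, band) for role, bands in matrix.items()
                  for band, done in bands.items() if is_expired(done, today))

def procurement_summary(rows, today):
    """Redacted export: no person IDs or roles, only % current per band."""
    total, current = defaultdict(int), defaultdict(int)
    for (_, band), row in latest_per_person(rows).items():
        total[band] += 1
        current[band] += not is_expired(row["date"], today)
    return {band: round(100 * current[band] / total[band]) for band in total}
```

With the sample rows, the ML Engineer cell is flagged even though one of the two engineers refreshed in April 2026, and the procurement view carries only band names and percentages.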
Article 4 is the literacy floor. Several other obligations layer on top.
Article 14 requires providers to design high-risk AI systems to be effectively overseen by natural persons. Article 26(2) requires deployers to assign oversight to natural persons with the necessary competence, training and authority. The oversight personnel's literacy entry under Article 4 is the floor — they additionally need system-specific oversight training (instructions for use, override authority, escalation protocol). The training log shows both entries.
Article 13 requires providers of high-risk AI systems to ship instructions for use that include information on intended purpose, accuracy, robustness, cybersecurity, expected lifetime, and human oversight measures. The literacy curriculum for builders should cover the duty to author Article 13 instructions for use. The literacy curriculum for reviewers and operators should cover reading and applying them.
The Article 27 FRIA the deployer files for credit scoring, life and health insurance pricing, public bodies and public-service deployments requires the deployer to describe human oversight measures under item (e). The literacy of the named oversight personnel under Article 4 is what makes the FRIA's (e) credible. See the Article 27 FRIA template walkthrough.
Article 50 requires providers and deployers to inform users about certain AI systems including generative AI. The literacy curriculum for internal users should cover the company's transparency notices so internal staff can answer end-user questions consistently. The literacy curriculum for builders should cover the duty to instrument the notices in the product. See the Article 50 transparency walkthrough.
The auditai SDK ships four exports tailored to Article 4 evidence:
audit.export_article_4_policy(company, owner, signature_date) — generates the policy PDF populated with the company's identity, the accountable owner and the signature block. Outputs a versioned file ready for sign-off.
audit.export_article_4_matrix(roster, log) — generates the role-based training matrix from the HR roster plus the training log. Outputs both PDF and CSV.
audit.export_article_4_training_log(start_date, end_date, redact_pii) — generates the per-person, per-module training log for the date window. The redact_pii=True flag swaps person IDs for anonymised tokens and removes role labels for the procurement-facing export.
audit.export_article_4_questionnaire_response() — generates the questionnaire-response paragraph the company hands procurement, populated with the policy URL, the matrix completeness percentage and the training log completion percentage by band. The response is one paragraph procurement can paste into the vendor file.
The four exports together cover the procurement-stage Article 4 conversation end to end. A B2B SaaS that wires them into its compliance repository answers the literacy question on the next vendor questionnaire in one round.
| Week | Action | Output |
|---|---|---|
| 1 | Draft policy statement; identify accountable owner; map roles to bands. | Policy v1 draft; role list with proposed band assignments. |
| 2 | Owner sign-off on policy; finalise role-band matrix; assign curriculum per band. | Signed policy v1.0; populated matrix; curriculum index per band. |
| 3 | Deliver leadership briefing and onboarding module (30 min). | Leadership completion logged; onboarding live. |
| 4 | Deliver builder and operator modules. | Builder and operator completion logged. |
| 5 | Deliver reviewer and internal-user modules. | Reviewer and internal-user completion logged. |
| 6 | Export questionnaire-response paragraph; publish in compliance repo; update vendor questionnaire library. | Procurement-ready evidence package live. |
Six weeks end-to-end is the conservative estimate. A focused team running this as a single workstream typically delivers in three weeks. The blocker in 2026 audits has never been time — it is the absence of executive sign-off on the policy.
The €199 managed audit ships the populated policy, the role-based training matrix, the training log scaffold and the procurement questionnaire response — sized to your AI systems inventory and reviewed against the AI Office Living Repository guidance.
Article 4 applies from 2 February 2025 under Article 113(a). It is the only operational obligation of the EU AI Act that entered into force before the main provider duties on 2 August 2026. Vendors that answer "we are working on it" in 2026 are answering for an obligation that has been in force for 15 months by mid-2026 — procurement reads this as non-compliance.
Providers and deployers of any AI system in scope of the Regulation. The duty covers every risk level and every system type — predictive, generative, decision-support. A B2B SaaS that integrates an LLM is a provider for that feature; the same SaaS using third-party AI tools internally is a deployer. Most SaaS organisations are both.
A standard calibrated to the person's technical knowledge, the context of AI use, and the persons on whom the AI systems are used. Engineers shipping the model owe deeper literacy than internal users running outputs through downstream workflows; reviewers owe oversight-specific literacy; leadership owes governance literacy. The standard is context-sensitive, not absolute.
No. Article 4 does not prescribe a template. The Commission's Living Repository on AI Literacy under Article 4 published in May 2025 and updated through 2026 signposts approaches but does not mandate any. The implementation pattern stabilised in 2026 audits is a three-document package: signed policy statement, role-based training matrix, training log.
Five bands cover most B2B SaaS organisations: builders (engineers and ML researchers), operators (DevOps and SRE), reviewers (annotators and moderators), internal users (staff using AI in workflow), leadership (executives and accountable senior persons). Every staff member should fall into at least one band; many fall into two.
There is no statutory length. The defensible baseline that has emerged in 2026 is one to two hours per band per year, plus a thirty-minute onboarding module within the first ninety days. Builders and reviewers typically run two to three hours; internal users run forty-five to sixty minutes; leadership runs ninety minutes plus a quarterly briefing.
Article 99(4) administrative penalties can apply — up to €15 million or 3 percent of worldwide annual turnover. The more immediate commercial consequence in 2026 is procurement failure: large enterprise customers' AI vendor security questionnaires test for literacy programme evidence, and absence stalls the deal at the compliance review stage. The deal cost is in most cases higher than the current fine exposure.
No. The duty stops at the operational perimeter — staff and persons acting on behalf of the provider or deployer. Article 13 (transparency to users) and Article 50 (transparency obligations including generative AI) cover the external transparency dimension. A complete compliance posture covers both — literacy programme inside, transparency notices outside.
Article 26(2) requires deployers of high-risk systems to assign oversight to natural persons with the necessary competence, training and authority. Article 4 is the literacy floor; Article 26(2) is the oversight ceiling for high-risk systems. Oversight roles need both — a general Article 4 literacy module and a system-specific oversight training entry. The training log shows two distinct entries for oversight roles.
This guide is operational analysis from a B2B SaaS engineering perspective, not legal advice. Article 4 is short and the obligation is best-efforts, but enforcement and procurement interpretation continue to evolve. Validate the literacy programme with legal counsel and the company's AI compliance owner before public sign-off. The auditai SDK is open source on GitHub and on PyPI.