AI Literacy as a New Requirement: EU AI Act Turns Training Processes Upside Down

AI literacy – or AI competence – refers to the ability to understand, critically evaluate, and responsibly use AI systems. In the context of the EU AI Act, it is not about deep technical programming knowledge, but about the practical understanding of risks, legal boundaries, and correct application.

The EU AI Act distinguishes between different roles. For most companies, the role of the deployer (operator/user) is relevant: You use existing AI tools like ChatGPT, Microsoft Copilot, or specialized industry software in your daily work.

AI literacy in practice means:

• Data Protection: Knowing which data may be entered into AI tools.
• Quality Control: Recognizing when AI outputs (e.g., hallucinations) must be checked.
• Legal Certainty: Basic knowledge about copyrights and discrimination bans in AI generation.
• Human Oversight: Knowing where AI supports and where human decisions strictly remain mandatory.

Article 4 of the EU AI Act lays the foundation for the competent handling of artificial intelligence. The regulation explicitly obliges deployers to ensure that persons operating AI systems possess a sufficient level of AI competence. In doing so, the principle of proportionality applies: The training measures must correspond to the risk and context of the deployed AI system.

• Low Risk (e.g., text generation, internal research): Basic training and refreshers are sufficient here.
• High Risk (e.g., AI in the HR sector for applicant selection): Significantly stricter requirements apply here regarding professional competence and the seamless documentation of training.

The AI Act formulates an outcome-oriented obligation. It does not prescribe what the training must look like – but it does prescribe that it has taken place and was appropriate.

Many companies introduced AI policies in 2023 and 2024. These contain important basic rules (e.g., "Do not enter customer data into public AI tools"). Such guidelines are an important basis – but they do not create verifiable competence.

If the question arises during audits or quality checks as to how AI competence is ensured in the team, referring to a PDF sent via email is legally and organizationally too little. The EU AI Act demands an active process:

• Active Knowledge Transfer: Content must be prepared and trained in an understandable way.
• Comprehension Control: It must be verifiable that the core points have been understood.
• Up-to-Date Relevance: Since AI technology develops rapidly, training must be adjusted regularly.

Structured training with practical examples ensures a uniform minimum level across the entire company and gives employees real confidence in their actions.

A compliance-compliant training concept can be built modularly and flexibly. In practice, the following building blocks have proven successful:

Basic Module (for all employees)

• How AI works (opportunities and limitations)
• Introduction of the tools approved in the company
• Typical risks (hallucinations, bias, data protection)
• Overview of internal AI guidelines

Role-Specific Deep Dive

• HR / People Teams: Special due diligence obligations for personal data, avoidance of discrimination risks through AI pre-selection.
• Marketing & Sales: Copyright for AI images/texts, data protection in customer communication.
• IT & Compliance: Technical interfaces, containing shadow AI, monitoring data flows.

Simple Knowledge Verification

• A short quiz or reflection questions (e.g., 5 multiple-choice questions at the end of a module) ensures that the most important do's and don'ts have been understood.

For compliance, the verifiability of the training is crucial. A structured overview removes the complexity from the process. The following data should be recorded:

Whether you use an existing Learning Management System (LMS) or a simple, centrally maintained matrix (e.g., in Notion or Excel) is up to you. Crucial is the seamless traceability.

The good news: You do not need a six-figure budget to meet the requirements of the EU AI Act. Small and medium-sized enterprises in particular can solve the topic agilely and cost-effectively:

• Use Internal Multipliers: Designate AI-affine employees in the team to act as "AI Champions." They can pass on internal knowledge and serve as the first point of contact for questions.
• Deploy Micro-Learnings: Instead of day-long front-of-class training, compact, 30- to 60-minute e-learning modules are often enough and can be easily integrated into daily work.
• Hybrid Approach: Use standardized external online courses for legal and technical basics and supplement them with a short internal meeting where your specific tools are discussed.

A pragmatic roadmap for implementation in the company:

1. Inventory: Which AI tools are already actively used (officially approved tools as well as unofficial "shadow AI")?
2. Risk Assessment: In which departments is the risk highest (e.g., where a lot of sensitive data is processed)? You start there first.
3. Define Concept: Create a short basic module for everyone and plan specific updates for specialist departments.
4. Communication: Explain the "why" to the team. Make it clear that the training is not a bureaucratic hurdle, but gives employees security in dealing with innovative tools.

• Starting Too Theoretically: Avoid long treatises on the history of AI. Focus on concrete use cases from the daily work of your teams.
• One-Time Action Instead of a Process: AI develops rapidly. Plan short, e.g., annual updates from the outset to react to new tool functions or legal updates.
• Skipping the Management Level: Managing directors and department heads also use AI and make strategic decisions based on AI data. They should complete the training equally.

The EU AI Act turns AI literacy from a nice-to-have into a must-have. Pure text guidelines are no longer sufficient – structured, verifiable training processes are required. For companies, however, this is no reason to worry, but a real opportunity: Those who train their teams purposefully minimize error sources, ensure legal certainty, and exploit the full potential of ChatGPT, Copilot, and co. productively. With pragmatic modules and digital documentation, implementation is easily doable even for SMEs.

Do employees who only use AI privately also need to be trained? 

The obligation from the AI Act refers to professional use on behalf of the company. A short basic training for the entire workforce is nevertheless advisable to raise awareness of the risks of "shadow AI" (e.g., thoughtlessly entering internal company data into private accounts).

Are there official certificates that we must acquire? 

No. The EU AI Act does not prescribe a specific state certificate. Crucial is that the training measure has verifiably taken place and was appropriate to the risk level of the tools used.

Who is liable if a trained employee still makes a mistake? 

Training is a central part of the so-called exculpatory evidence. They show authorities and auditors that the company has fully complied with its statutory duty of care and has taken organizational precautions.

How can heyData support you? 

heyData takes the complexity out of implementation for you. You get legally compliant, ready-made AI compliance training specifically tailored to the requirements of the EU AI Act. The modules are compact, practical, and include an integrated comprehension check.