The EU AI Act does not prescribe a specific document list. It requires businesses to take measures to support staff AI literacy — and documentation is how you demonstrate that those measures have been taken.
Article 4 of the EU AI Act requires providers and deployers of AI systems to take measures to support the AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.
It does not enumerate specific documents. It sets an obligation and leaves the implementation to each business. Documentation is not the only way to demonstrate compliance — but it is the most credible way, and the only approach that survives scrutiny from a regulator or enterprise procurement team.
There is a meaningful difference between what the EU AI Act requires and what a defensible compliance position looks like in practice. The Act requires measures to support AI literacy. The five elements described on this page are what those measures look like when documented in a way that could withstand scrutiny. They are best practice, not statutory prescription — but they are the best practice that matters.
Based on the structure of the obligation, the EU AI Office’s published guidance, and the proportionality principle built into the regulation, there are five elements that together constitute a complete, credible compliance position for a business using AI.
A formal written document governing how your business uses AI. It should cover which tools are approved for professional use, what those tools may and may not be used for, how staff should handle data when using AI systems, and who holds responsibility for compliance within your organisation.
Why it matters: A written policy demonstrates that your business has actively governed its AI usage rather than allowing tools to proliferate without oversight. It is typically the first thing a regulator or procurement team asks to see. A generic template downloaded from the internet does not carry the same credibility as a policy that reflects your actual tools, context, and governance structure.
A structured inventory of every AI system your business uses professionally — including the name and vendor of each tool, the purpose it serves, a risk classification, and which roles in your organisation interact with it.
Why it matters: You cannot take measures to support AI literacy for tools you have not identified. The register is the foundation on which all other compliance documentation rests. Most businesses discover they are using more AI than they realised when they build one for the first time. AI-powered features are embedded throughout modern software, and the register forces the audit that identifies them.
Individual records for each staff member who uses AI professionally, confirming which tools they use, their role in relation to those tools, and what measures have been taken to support their AI literacy.
Why it matters: The AI literacy obligation applies at the individual level, not just the organisational level. A business-wide training certificate does not demonstrate that each relevant staff member has had appropriate measures taken in relation to their specific tools and responsibilities. Per-employee records make that connection explicit and traceable.
What this is not: A training certificate from an external provider is a useful supporting document but not a literacy record. The record needs to connect the individual to the specific tools they use and the specific measures taken in their context.
A document mapping each role in your organisation to an appropriate AI literacy tier, demonstrating that your approach to AI literacy is proportionate and role-specific rather than uniform across all staff.
Why it matters: The EU AI Act builds proportionality into the obligation — a member of staff who uses ChatGPT occasionally to draft communications has different literacy requirements from a recruitment manager using AI screening software to shortlist candidates. A training matrix demonstrates that your business has understood and applied this proportionality. A one-size-fits-all approach is not what the regulation envisages and is less credible under scrutiny.
All four documents above compiled into a single timestamped PDF, structured for immediate production if a regulator requests evidence of compliance or an enterprise client asks as part of a procurement process.
Why it matters: Compliance is not just about having the documents — it is about being able to produce them quickly and credibly when asked. A well-structured evidence pack demonstrates that compliance is an ongoing practice rather than a one-time exercise. The timestamp is important: it establishes when the compliance position was documented and provides a baseline for updates.
This is the question most businesses want answered, and it is worth being precise about. The EU AI Act does not define a threshold of documentary sufficiency. What it requires is that measures have been taken. A regulator assessing your compliance would be asking: did this business take meaningful steps to support staff AI literacy, and can it demonstrate those steps?
Documentation that answers yes to that question tends to share four characteristics:
It reflects your actual tools, your actual roles, and your actual context — not a generic template that could belong to any organisation.
It is up to date and timestamped. Compliance documentation from two years ago that has never been reviewed is not a defensible position.
It connects each relevant staff member to the specific measures taken in their context, not just confirms that a policy exists somewhere.
It can be produced on request, not assembled over several days. A compiled evidence pack ready to share signals that compliance is active, not retrospective.
A training certificate is a useful supporting document but it is not a compliance position. What constitutes a defensible position is documentation tailored to your specific business — your tools, your roles, and your context. Generic training that does not reflect how your team actually uses AI provides limited protection.
A template tells you what to write but does not know which AI tools your business uses, what your roles are, or how your team interacts with AI. A templated policy that does not reflect your actual business provides minimal credibility if a regulator or procurement team scrutinises it closely.
The Digital Omnibus agreement extended the deadline for high-risk AI systems under Annex III to 2 December 2027. It did not change the AI literacy obligation, which has been in force since February 2025 and applies to all businesses using AI regardless of risk level.
There is no minimum size threshold in the EU AI Act’s AI literacy obligation. The obligation is proportionate in its implementation — a three-person business will not be expected to have the same documentation infrastructure as a large enterprise — but it applies regardless of size.
The EU Digital Omnibus agreement of May 2026 updated the wording of Article 4 from “ensure a sufficient level” of AI literacy to “take measures to support” AI literacy. This is a meaningful shift: the focus moves from proving an outcome to demonstrating the steps taken. A well-structured set of compliance documents — policy, register, literacy records, training matrix, evidence pack — directly demonstrates those steps. The Omnibus text is pending formal adoption, expected before August 2026.
No. Article 4 sets an obligation — to take measures to support AI literacy — without prescribing the specific form those measures must take. The five-element framework described on this page represents what a defensible compliance position looks like in practice, based on the structure of the obligation and the EU AI Office’s guidance. It is best practice, not a statutory checklist.
There is no prescribed update frequency. A compliance position that reflected your business accurately eighteen months ago but has not been reviewed since is unlikely to remain accurate — staff join and leave, new AI tools get adopted, and regulations evolve. Best practice is to review documentation whenever a significant change occurs, with a formal annual review at minimum.
Fines under the EU AI Act for violations related to the AI literacy obligation can reach €7.5 million or 1% of global annual turnover, whichever is higher. Enforcement is the responsibility of national market surveillance authorities in each EU member state. Enforcement activity is still developing, but the commercial pressure from procurement requirements is already a more immediate driver for many businesses.
No. A GDPR data processing policy governs how personal data is collected, stored, and processed. An AI usage policy governs how your business uses AI systems — which tools are approved, what they may be used for, and how staff should interact with them. There is overlap where AI tools process personal data, and the two policies should be consistent with each other, but they serve different compliance purposes.
Yes. Businesses using high-risk AI systems under Annex III of the EU AI Act face significantly stricter obligations than the AI literacy requirement alone — including conformity assessments, technical documentation, risk management systems, and EU database registration. These obligations apply from 2 December 2027. The five-element compliance position described on this page covers the AI literacy obligation that applies to all businesses; high-risk AI compliance is a separate and more substantial undertaking.
Answer a short assessment about your business, your team, and the AI tools you use. We generate all five documents automatically — tailored to your specific context, formatted professionally, and compiled into an auditor-ready evidence pack.
Start your free assessment14-day free trial — no credit card required