EU AI Act compliance checklist for SMEs

A practical guide to what a small or medium-sized business needs to have in place to demonstrate compliance with the EU AI Act’s AI literacy obligation — and how to get there.

Obligation in force since February 2025 · No size threshold · Updated for Digital Omnibus, May 2026

Before you start: understand what applies to you

The EU AI Act contains different obligations for different types of organisations and different types of AI use. Before working through the checklist, it is important to understand which obligations are relevant to your business.

For the vast majority of SMEs — businesses using off-the-shelf AI tools like ChatGPT, Microsoft Copilot, or Canva AI — the primary obligation is the AI literacy requirement under Article 4. This has been enforceable since February 2025 and applies regardless of business size.

⚠️

Not yet started

You use AI tools professionally but have no documentation in place. This is the most common position for European SMEs right now.

🚧

Partially in place

You have some documentation — perhaps a basic AI policy — but it is not complete, not tailored to your business, or not compiled into an evidence pack.

Compliant position

You have a complete, current, business-specific set of compliance documentation and can produce it immediately on request.

A note on this checklist

This checklist reflects what a defensible compliance position looks like in practice for an SME using AI professionally. The EU AI Act sets an obligation — to take measures to support AI literacy — without prescribing specific documents. The items below represent the steps and documentation that would satisfy that obligation under scrutiny from a regulator or enterprise procurement team.

The compliance checklist

Phase 1 — Establish scope

01. Confirm you are in scope

Determine whether the EU AI Act applies to your business

Confirm your business uses AI professionally

Any business using AI tools in a professional context — including off-the-shelf tools like ChatGPT, Copilot, or Canva AI — is a deployer under the EU AI Act and subject to the AI literacy obligation. There is no minimum size threshold.

Identify whether any AI use falls into high-risk categories

Check whether any AI tools your business uses are applied to Annex III use cases: HR and recruitment decisions, credit scoring, healthcare diagnostics, education assessment, law enforcement, or critical infrastructure. High-risk AI carries stricter obligations with a 2 December 2027 deadline.

If based outside the EU, confirm whether your AI outputs reach EU users

Under Article 2(1)(c), the EU AI Act applies to businesses outside the EU where AI outputs are used by people in the EU — including customers, employees, or users. If your AI outputs reach EU-based individuals, the obligation applies regardless of where your business is located.

Phase 2 — Inventory your AI use

02. Build your AI tools register

Create a structured inventory of every AI system your business uses professionally

Identify all AI tools used across the business

Include standalone AI assistants, AI features embedded in existing software, and any tool that uses machine learning to generate outputs, make predictions, or take actions. Do not limit the inventory to dedicated AI software — AI capabilities are embedded throughout modern business tools.

Record the vendor, purpose, and users for each tool

For each tool, document the name, vendor, what your team uses it for, and which roles or individuals interact with it professionally.

Assign a risk classification to each tool

Classify each tool as minimal risk, limited risk, or high risk based on the use case. Most general-purpose AI tools used for drafting, research, or productivity are minimal risk. Tools used in HR decisions, customer assessments, or healthcare are potentially high risk.

Note data handling considerations for each tool

Record whether personal or sensitive data is entered into the tool and any relevant handling rules — for example, whether staff are instructed not to input client data.

Phase 3 — Produce your documentation

03. Written AI usage policy

Formal document governing how your business uses AI

Document which AI tools are approved for professional use

The policy should specify which tools are authorised, so staff know which are sanctioned and which require approval before use.

Set out acceptable and unacceptable use cases

Define what AI tools may and may not be used for — for example, whether client data may be entered, whether AI-generated content must be reviewed before use, and whether certain decisions may not be delegated to AI.

Assign a named compliance owner

The policy should identify who in the organisation is responsible for maintaining AI compliance and updating the documentation when the business changes.

Ensure the policy is specific to your business

A generic template that could belong to any organisation is significantly less credible under scrutiny than a policy that reflects your actual tools, context, and governance structure.

04. Per-employee literacy records

Individual documentation for each staff member who uses AI

Identify all staff who use AI professionally

Include all employees and contractors who use AI tools in the course of their work for your business, regardless of how frequently or at what level of seniority.

Create an individual record for each relevant staff member

Each record should connect the individual to the specific tools they use, their role in relation to those tools, and what measures have been taken to support their AI literacy.

Do not rely on a single organisational training certificate

A business-wide training certificate demonstrates that training was procured, not that each individual’s literacy needs have been addressed in the context of their specific role and tools.

05. Role-based training matrix

Map roles to appropriate AI literacy tiers

Define AI literacy tiers appropriate to your organisation

Different roles carry different AI risk and require different levels of literacy. A staff member using ChatGPT to draft internal communications has different needs from a manager using AI to inform decisions about people.

Map each role to the appropriate tier

The matrix should show that your approach to AI literacy is proportionate and role-specific — which is what the EU AI Act’s proportionality principle requires.

Phase 4 — Compile and maintain

06. Auditor evidence pack

Compile all documentation into a single, timestamped, producible PDF

Compile all documents into a single evidence pack

Your AI usage policy, tools register, literacy records, and training matrix should be compiled into one coherent document that can be produced immediately on request.

Ensure the pack is dated and timestamped

The timestamp establishes when the compliance position was documented and provides a baseline for future updates. An undated document is harder to defend.

Confirm the pack can be produced immediately when requested

Compliance documentation that takes several days to assemble undermines its credibility. The evidence pack should be ready to share within minutes of a request from a regulator or client.

Ongoing maintenance

Compliance is not a one-time exercise. The EU AI Act’s AI literacy obligation applies on an ongoing basis, and your documentation needs to remain current as your business changes. The following events should trigger a review and update of your compliance documentation.

New tool adopted

Any new AI tool adopted for professional use should be added to the tools register, and the AI usage policy should be updated if the tool introduces new use cases or data handling considerations.

Staff change

When a staff member who uses AI joins or leaves the business, the literacy records and training matrix should be updated to reflect the change. New joiners should have a literacy record created from their start date.

Role change

If a staff member’s role changes such that their AI use or risk exposure changes, their individual record and training matrix tier should be reviewed.

Regulatory update

When the EU AI Office publishes new guidance or the regulation is amended, your documentation should be reviewed for consistency with the updated requirements.

Annual review

Regardless of whether any of the above triggers apply, a formal annual review of all compliance documentation is best practice — confirming that the register is complete, the policy remains accurate, and all records are current.

May 2026 — Digital Omnibus update

The EU Digital Omnibus agreement of May 2026 updated the wording of Article 4 from “ensure a sufficient level” of AI literacy to “take measures to support” AI literacy. This shifts the focus from proving an outcome to demonstrating the steps taken — which is precisely what this checklist addresses. The Annex III high-risk AI deadline was extended to 2 December 2027. The Omnibus text is pending formal adoption, expected before August 2026.

Frequently asked questions

For most SMEs, the information-gathering stage — identifying which AI tools are used and by whom — is the main time investment. With that information to hand, a structured platform can generate all required documentation in under 10 minutes. Building the documentation manually from scratch takes considerably longer and carries a higher risk of gaps or inconsistencies.

This checklist addresses the AI literacy obligation under Article 4, which is the primary obligation for most SMEs using general AI tools. Businesses using high-risk AI systems under Annex III have additional, more extensive obligations. For any situation involving legal complexity or high-risk AI, complementing this checklist with specialist legal advice is recommended.

The number of tools does not affect whether the obligation applies — it affects the complexity of the documentation. A business using only ChatGPT still needs an AI usage policy, a tools register with one entry, literacy records for the staff members who use it, and a training matrix. The documentation is simpler but the obligation is the same.

The key questions are: does the documentation reflect your actual tools and business context, or is it a generic template? Does it cover each relevant staff member individually? Is it current and dated? Can it be produced immediately on request? If the answer to any of these is no, the documentation is unlikely to be sufficient under scrutiny. The four characteristics of defensible documentation — specific, current, individual, and immediately producible — are the standard to aim for.

Fines under the EU AI Act for violations related to the AI literacy obligation can reach €7.5 million or 1% of global annual turnover, whichever is higher. Enforcement is the responsibility of national market surveillance authorities in each EU member state, and enforcement activity is still developing. For most SMEs, the more immediate consequence of non-compliance is commercial — being unable to satisfy enterprise procurement requirements that increasingly include EU AI Act compliance checks.
