Reading time: 10 minutes
Blog
EU AI Act Article 4: How to Design Your Mandatory Employee Training Plan Before August 2
Beñat Arrizabalaga
Co-founder & Business Development
Digitization
EU AI Act Article 4: How to Design Your Mandatory Employee Training Plan Before August 2
August 2, 2026 is not the date the obligation starts. It's the date enforcement starts.
Article 4 of the EU Artificial Intelligence Act has been legally binding since February 2, 2025. From that day, any company using AI systems — including tools as widespread as Copilot, ChatGPT Enterprise, or any software with automated decision functions — has a legal obligation to ensure employees have an adequate level of AI literacy. What changes in August is that AESIA (Spain's AI Supervisory Agency) gains full inspection and sanctioning powers.
The problem: 78% of companies still aren't ready to meet this obligation.^1
If you're responsible for L&D, HR, or operations at a company that uses AI, you have fewer than 75 days to get the plan documented. This article breaks down exactly what the law requires, how to structure the plan, and what documentation you need ready.
The regulation text is deliberately broad. It states that providers and deployers of AI systems must "take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf."^2
Three things worth understanding clearly:
No size threshold. The obligation applies to freelancers, micro-businesses, and multinationals alike — as long as they use AI professionally. Five employees or 5,000: makes no difference.
Training must be proportional to context. The law doesn't specify a number of hours or a required format. It does require that training be adapted to the employee's technical knowledge, their sector, and the specific systems they use in their role.
Documentation is not optional. A generic "intro to AI" course with no attendance records, no assessment, and no evidence of application doesn't meet the requirement. If you can't demonstrate that your employees received role-appropriate training, you're exposed.
What doesn't cut it: knowing how to use ChatGPT, an employee who took an online course on their own, or an AI usage policy PDF posted to the intranet.
The European Commission and AESIA have published guidance on what areas a sound AI literacy plan should address. These are the seven blocks they identify as reference — the depth required in each will depend on how your company actually uses AI:
| # | Competency | What it means in practice |
|---|
| 1 | General AI understanding | What AI is, how it works, which systems your company uses, opportunities and risks |
| 2 | Organizational role | Whether your company develops or deploys AI, and what that means legally for each position |
| 3 | Risk assessment | Specific risks of the systems each employee uses: hallucinations, bias, data leaks |
| 4 | Contextual technical training | Adapted to the employee's knowledge level, sector, and specific tools |
| 5 | Responsible use | Data protection, what not to share with public AI tools, human oversight |
| 6 | Output interpretation | Maintaining human review of AI recommendations, knowing how to verify results |
| 7 | Basic legal framework | AI Act, GDPR in the AI context, company obligations |
Not everyone needs the same depth in every block. A production operator using a predictive maintenance system needs to understand blocks 5 and 6. A legal director or HR lead needs solid grounding in 2, 3, and 7 as well. That's why structuring the plan by level matters.
The most practical approach — and the one reflected in both European guidance and the implementations we're seeing across Spain — is to divide the plan into three levels based on each role's degree of exposure to AI systems:
| Level | Audience | Core content | Estimated duration |
|---|---|---|---|
| Foundation | All staff | What AI is, how it works broadly, ethical and safe use, when not to trust an AI system's output, personal data and privacy | 2–4 h |
| Intermediate | Power users (marketing, HR, customer service, operations) | Role-specific prompt engineering, bias detection, critical output evaluation, job-specific tools | 6–10 h |
| Advanced | Managers, legal, IT, strategic HR | Risk management, AI Act in depth, internal audit, governance, compliance documentation | 10–20 h |
This model responds well to the proportionality requirement the Regulation establishes: each person gets training adapted to their technical knowledge level and the real context of AI use in their role. That said, what constitutes a "sufficient level" for any given role is something each organization will need to define based on its own systems, sector, and specific risks — there's no universal table you can apply mechanically.
Foundation-level training applies to 100% of staff. Intermediate and advanced levels are determined by role, not by individual choice.
Having completed the training isn't enough if you can't prove it. In an inspection, AESIA may request compliance evidence. These are the four documents you should have ready:
1. AI systems inventory A record of all tools and systems with AI functions the company uses or has deployed, classified by department and risk level (per the Regulation's Annexes). Includes third-party software with embedded AI.
2. AI usage policy by role A document establishing which systems each type of employee can use, for what tasks, and what restrictions apply (for example, what data cannot be entered into public AI tools). It doesn't have to be an extensive rulebook — what matters is that it's written down and accessible.
3. Training records Evidence of who received what training, when, and with what outcome. The minimum: attendance logs, dates, content covered, and if possible some form of learning assessment. Platforms that generate SCORM or xAPI records automatically make this document largely self-creating.
4. Risk assessment for high-impact systems For systems that fall under the Annex III high-risk categories (systems affecting HR decisions, access to essential services, critical infrastructure, etc.), you need documented risk assessments and the mitigation measures in place.
If you already have documentation processes for GDPR or ISO 45001, these documents are largely extensions of what you already manage.
In Spain, AI and digital skills training can qualify for subsidization through FUNDAE, the state-funded continuous training system available to companies that contribute to Social Security. For the subsidy to apply, the training action must be communicated to FUNDAE before it starts, delivered through an authorized training provider, and meet documentation requirements (planning, attendance records, evaluation questionnaires).
Available credits vary by company size:^3
Online training is subsidized at approximately €7.50 per hour per learner. If you haven't used your FUNDAE credit allocation this year, an Article 4 compliance plan is a direct use case. Here's how FUNDAE credits work with AI video training.
The proportionality requirement means the content can't be generic: a module on "AI introduction" that doesn't mention the company's actual systems or the sector's specific risks will struggle to satisfy what the regulation requires. That means the content needs to be produced internally or substantially adapted.
The critical bottleneck usually isn't designing the plan — it's production. Building three differentiated training levels, contextualized for the sector and specific roles, can be a weeks-long project or a months-long one depending on the workflow you choose.
Solutions that tend to work well for this type of project share three traits: they allow you to generate content from existing internal documentation (policies, tool guides, procedures) without starting from scratch in audiovisual production; they export in formats with automatic traceability (SCORM, xAPI) so completion records are captured without manual overhead; and they make it possible to update modules when the regulation evolves — without rebuilding each piece from zero. In a regulatory area that will keep moving, that last point carries real weight.
If you're starting from zero today, here's the framework we recommend:
Weeks 1–2 (now)
Weeks 3–4
Weeks 5–6
Weeks 7–8 (through August 2)
This framework assumes someone with decision-making authority is dedicated to the project and that key steps don't stall on internal dependencies. In practice, larger organizations often find that the bottleneck isn't content production — it's agreeing on who approves the AI usage policy, who validates that the systems inventory is complete, or simply whose calendar has room to move things forward. Each of those steps can consume days or weeks that aren't on paper.
The goal isn't to complete everything in exactly 8 weeks. It's to show documented evidence of progress before August 2: an inventory started, a policy in draft, a first module launched. That's already a fundamentally different position than having nothing.
What happens if I don't comply before August 2? Article 4 doesn't have a direct sanction assigned to it specifically, but non-compliance aggravates any other Regulation violation. General AI Act fines reach up to €35 million or 7% of global annual turnover. More relevant for most companies: it's reasonable to anticipate that employee training will be among the things AESIA examines when supervising AI use in organizations.
Does training have to be in-person? No. The regulation sets no format requirements. Online training is valid. Platforms that generate SCORM or xAPI records automatically also simplify the documentation side significantly: who completed what and when is logged without additional manual work.
Does this apply to companies that only use third-party AI tools (not developing their own AI)? Yes. The obligation applies to both providers (who develop AI systems) and deployers (who deploy them in their organization). If your company uses Copilot, Gemini, any HR software with embedded AI, or similar tools, you are a "deployer" under the Regulation and the obligation applies.
Can I use courses from external platforms to comply? Yes, as long as the content is adapted to your company's specific use context and you can evidence attendance and learning. A generic course with no completion evidence from your employees isn't sufficient.
Article 4 is a concrete obligation with a real deadline. It's not a best-practice guide or a recommendation: it's a legal requirement that's already in force and will have active supervision in Spain from August 2.
The good news is that compliance doesn't require an extraordinary budget or a transformation project. It requires a structured plan, content adapted to your company's roles, and the documentation that proves it was executed.
If you want to see how other L&D managers are approaching this, here's a complete guide for HR directors digitalizing training with AI.
^1 Vision Compliance, EU AI Act Readiness Report 2026. https://visioncomplianceconsulting.com ^2 Article 4, Regulation (EU) 2024/1689. https://artificialintelligenceact.eu/article/4/ ^3 Delbion, AI training subsidized through FUNDAE. https://www.delbion.com/insights/curso-ia-bonificado-fundae/
@ 2026 Vidext Inc.
Newsletter
Discover all news and updates from Vidext
@ 2026 Vidext Inc.
