Introduction
On February 2, 2025, the initial provisions of the EU's AI Act came into force. This introduces a new legal requirement: all employees who use or develop AI must achieve a sufficient level of AI Literacy.
At SecureFirst, we encounter many organizations that are not yet aware that this is already in effect – and that it can have significant consequences. In this guide, we provide an overview of the requirements, how to get started, and why this is not merely a legal matter – but also a business-critical responsibility.
What Does AI Literacy Mean?
AI Literacy signifies that employees possess the requisite skills, knowledge, and understanding to:
- Utilize AI systems in an informed and critical manner
- Comprehend risks such as bias, hallucinations, and sources of error
- Ensure data protection and responsible usage
- Make ethical decisions when interacting with AI
In essence, it involves using AI responsibly, effectively, and in accordance with both legislation and corporate values.
AI Act: Article 3 No. 56 and Article 4
The AI Literacy requirement is explicitly stated in the EU's AI Act:
- Article 3, No. 56 defines AI skills as the ability to use AI in an informed manner, with an understanding of its risks and opportunities.
- Article 4 mandates that organizations ensure an “adequate level of AI skills” for all individuals working with AI.
This applies to permanent employees, consultants, and freelancers alike – regardless of whether they develop, operate, or simply use AI in their daily tasks.
Who Needs Training – and Why?
All individuals involved in the use of AI systems must possess an appropriate level of competence. This includes, but is not limited to:
- HR and Customer Service, who utilize AI for decision support
- Sales and Marketing, who engage with AI-driven data analysis
- Developers and IT professionals who implement AI solutions
- External consultants working on behalf of the company
To understand how your organization specifically utilizes AI, leverage our phishing simulation to analyze the technological understanding within the organization.
Getting Started – Implementation Flow
While no single method is mandated by legislation, we recommend the following approach:
- Designate a Responsible Function
  HR, IT, or Compliance – the critical factor is that they possess the necessary mandate and executive support.
- Map AI Usage
  Determine where and how AI is utilized within the organization. Include both current and planned usage.
- Define Competency Requirements
  Differentiate by role:
  - End-users: basic understanding
  - Decision-makers: technical and legal understanding
  - Developers: advanced technical insight
- Educate on Key Themes
  These topics should be included:
  - AI Bias and Discrimination
  - Hallucinations and Output Comprehension
  - Data Protection and GDPR
  - Transparency and Accountability
  - Prompt Engineering and Generative AI
  - Ethics, Robustness, and Security
  For instance, leverage our awareness training and e-learning solutions.
- Conduct and Document Training
  Utilize e-learning, workshops, and in-person courses – and maintain records of who has completed which training modules.
- Plan for Continuous Updates
  AI evolves rapidly. Micro-training and annual updates are recommended.
What are the Risks of Insufficient AI Literacy?
- Regulatory Perspective: Although penalties for Article 4 have not yet been established, companies must be able to demonstrate compliance by February 2025 – with audits commencing in August 2026.
- Business Perspective: Uncritical use of AI can lead to errors, discrimination, data breaches, or loss of trust.
Therefore, initiate action promptly – just as with NIS2 compliance, it is a matter of due diligence.
Danish Implementation: Current Status?
Danish law L 154 came into effect in August 2025, designating the Agency for Digital Government and the Danish Data Protection Agency as supervisory authorities. Guidelines are currently being developed, and SecureFirst closely monitors these developments – so you don't have to.
Conclusion
AI Literacy is not merely a legal requirement – it is an investment in competent employees, responsible digital transformation, and trust in your organization.
Ready to get started? We assist with analysis, training, and documentation. Contact us – or try our price calculator to see what it entails.
FAQ: Frequently Asked Questions
What is AI Literacy?
It refers to the essential competencies employees require to understand and responsibly utilize AI.
Does this requirement also apply to external consultants?
Yes – if they work with AI on behalf of the company.
Have fines been stipulated?
Not yet for Article 4 – but enforcement begins in August 2026.
How should training be conducted?
There is freedom to choose the method, but the training must align with roles and risks.
Does AI Literacy apply to all AI systems?
Yes, both high-risk and low-risk – if the system is utilized within the organization.





