Skip to content
DataDream
← All articles
Compliance10 min

AI Act art. 4: what SME employers need to arrange now

Laurens van Dijk, oprichter van DataDream

Laurens van Dijk

Agentic Engineer, DataDream

Share

The deadline passed long ago, and most SMEs have no idea

On 2 February 2025, article 4 of the European AI Act became binding. Not 'phased in step by step'. Not 'a guideline for later'. Simply: from that day on, every EU employer must ensure that employees using AI also understand it well enough. We are now more than a year further along, and most SMEs using ChatGPT, Copilot or Claude are still unaware of this.

The law is short. Article 4 requires a 'sufficient level of AI literacy' among everyone who uses AI systems within your organisation or operates them on your behalf. It is a legal obligation with enforcement powers at the Dutch Data Protection Authority (AP) and fines that in theory can reach several million euros.

This piece explains why your team needs to understand the AI they work with to avoid fines. Below: what art. 4 literally requires, who it applies to, what a sufficient level looks like for your SME team, and how to arrange it pragmatically without setting up a consultancy circus. Even if you have done nothing yet: it is not a disaster, but you do need to start.

What does article 4 say?

The official text is short: 'Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.'

These are the three key points. The obligation lies with two parties: with the provider (often a software vendor) and with the deployer (that is you, as the company using AI). For the vast majority of SMEs, you are the deployer, not the provider. You use ChatGPT or Copilot, you do not build it yourself. The level is 'sufficient', not 'everyone at university level'. What is sufficient depends on role, type of AI and risk. A marketing employee using ChatGPT for blog posts needs a different level than an HR manager using AI to screen applicants. And it applies to everyone who uses AI on your behalf, not just permanent staff. Interns, freelancers and temp workers who work for you fall under it too.

Enforcement in the Netherlands sits with the Autoriteit Persoonsgegevens (AP), which the cabinet has designated as market supervisor for algorithms and AI. The AP has published its own guidance ('Getting started with AI literacy') and is clear that this is not a paper tiger.

One employee using ChatGPT for customer communication is already enough to make the obligation apply to you.

Who exactly does this apply to in your company?

This is where many SME employers go wrong. They think: 'We don't use AI.' And then it turns out on closer inspection that the marketing manager uses ChatGPT daily for copy, emails and newsletters, that the office manager uses Copilot in Outlook or Gemini in Gmail as soon as those features are switched on, that the finance clerk uses AI for transaction processing or summarising reports, and that the recruiter has AI summarise cover letters or screen CVs. Customer service runs on AI chatbots or AI suggestions. The CRM system (HubSpot AI, Salesforce Einstein) has AI features that are actively being used. And the developers have Copilot or Cursor in their IDE.

Many SMEs underestimate how much AI is already in their processes. It does not have to be a big AI platform to fall under art. 4. One employee using ChatGPT for customer communication is already enough to make the obligation apply to you.

Interns and freelancers count too. The law speaks of 'persons dealing with the operation and use of AI systems on their behalf'. If an external copywriter writes for your brand using AI, or a freelancer handles customer support through an AI tool, then you, as the client, are responsible for their AI literacy for that task.

What is a 'sufficient level' for your team?

Art. 4 does not require a uniform course for everyone. It requires knowledge that fits the context. A workable model is to think of your team in layers.

Base layer (all employees, including those who do not use AI daily). What is AI actually, how does a large language model work at a high level, what are the risks (hallucinations, bias, data leaks), when should you not use AI (customer data in a free ChatGPT account is a bad idea), and how do you report an incident. You can knock this out in an hour or two for the whole team.

User layer (employees who use AI daily or weekly). Tool-specific: how does ChatGPT/Copilot/Claude work, what is a good prompt, how do you validate the output (AI makes up facts), when not to use it, how to handle GDPR-sensitive data. Count on half a day to a full day per user, plus a prompt library with good examples for your work.

Responsible layer (management team, AI lead, IT lead). Governance: which tools do you allow, what agreements do you make with vendors, how do you document that you comply, and which transparency duties do you owe to customers. This is more a working session than a training: you set policy.

High-risk roles (HR, finance, legal, customer service). Anyone using AI for decisions about people (recruitment, credit assessment, customer segmentation) falls into the high-risk category of the AI Act. Extra rules apply there, including documentation duties and human oversight. Role-specific training required.

These layers are not sequential. They are meant for different audiences and run in parallel.

How to arrange this pragmatically

No consultancy circus needed. A structured five-step approach works for most SMEs, and you can set it up in a few weeks if everyone cooperates.

Start by taking stock of who uses which AI tools. Send round a short questionnaire, or do a quick loop of the departments. Almost always you end up with a list longer than you expected. This is immediately valuable input for your GDPR register.

Then write a short AI policy of one to two pages. Not a 40-page manual. But: which tools are allowed, which data may go in (and which absolutely may not), when must a human review, how do you report incidents, and who is the point of contact inside your company for AI questions.

After that, arrange training in the three layers. Base for everyone, user training for active users, governance session for the management team. You do not have to buy all of this externally. The AP offers its own guidance. Open source material is widely available. For specific roles or larger teams, external support pays off.

Set up an incident reporting process. Just like with GDPR: when in doubt, you report it. An AI that accidentally leaks customer data, an application-screening system that systematically rejects people with certain surnames, a chatbot giving wrong legal information: those are incidents. Who reports what where? Lay that down in advance.

And plan a yearly review. AI changes fast, regulation does too. The AI Act itself is being phased in (high-risk obligations from August 2026, some obligations only in 2027). Train once and done does not work.

Common misconceptions

'Our employees don't use AI.' Almost always untrue. Browser extensions from ChatGPT, AI features in M365 and Google Workspace, AI in CRM systems: it sneaks in everywhere. One quick survey proves it.

'One training and we comply.' No. Art. 4 requires a sufficient level that keeps pace with how the work and the tools evolve. A yearly review is part of the package.

'Only IT people need to be AI literate.' Wrong. The law applies to everyone who uses or operates AI on your behalf. A marketing employee with no technical background falls under it just as much.

'It's only for big companies.' Wrong. The AI Act applies to every EU employer using AI, regardless of size. The European Commission does take size and risk into account for enforcement and fine levels. The first enforcement actions are expected to focus on large players with obvious breaches, but that does not release SMEs from the obligation.

'GDPR training already covers it.' Wrong. GDPR and the AI Act overlap on privacy aspects, but AI literacy requires additional knowledge: how does a model work, what are hallucinations, what is bias in training data, when is human oversight required. That is not in a GDPR training.

'Our vendor takes care of it.' Partly. A software vendor (provider) has its own duties, but that does not release you as deployer from your responsibility for your own employees. The law names both parties, not just the provider.

What if you do nothing?

The practical consequences are:

Supervisor. In the Netherlands, the Autoriteit Persoonsgegevens has been designated as market supervisor for algorithms and AI. The AP investigates, can take enforcement decisions and impose fines. For breaches of art. 4 (and related articles), the fine levels from article 99 of the AI Act apply: up to €15 million or 3% of worldwide annual turnover, whichever is higher. In practice the AP is expected to focus first on large players and obvious breaches, not on an SME just setting up its AI policy. But the power is there.

Liability and damages. An employee who uses AI without training and causes harm to a customer, such as through a data leak or a discriminatory decision: you as the employer are primarily responsible. No demonstrable AI literacy then counts as an aggravating factor. This can lead to damage claims and reputational harm.

Reputation. The Netherlands is strict on GDPR enforcement and no stranger to privacy scandals that follow companies for years (the childcare benefits affair, the SyRI ruling). An AI incident at an SME without a policy hits the press faster than you think. That goes especially for B2B work with larger clients who set their own compliance requirements on suppliers.

How DataDream can help

No package you have to buy, but several ways to get started faster.

The free AI scan is a short questionnaire showing where you stand: which AI you probably already use, which risks are acute, and where to start. Want a working session, then DataDream runs an AI Quickscan via /ai-strategy: per department, take stock of who uses what, draft a concept policy, and map training needs per role. Start small, roll out in phases. For the real work there are AI trainings that explicitly meet art. 4: base for everyone, user training for active users, governance session for the management team. On location or online, in your context (based on your use cases, not a generic slide deck). And if you deploy recruitment AI: that sits in the high-risk category of the AI Act, with heavier documentation and transparency duties. For that there is specific support for HR recruitment AI.

DataDream provides a workable policy and a trained team, with documentation to show compliance. That is what the AP wants to see if they ever come knocking, and it is what customers ask of you when they add AI compliance to their procurement terms.

Starting with a first step

If you are reading this article thinking 'we have done nothing about this yet': it is important to start now. Most SMEs are in the same boat. The first steps, an inventory, an AI policy and a base training, can be done in a few weeks.

No idea where to start? Take the free AI scan to see where your company stands. Want support on policy and strategy: discuss the approach at /ai-strategy. For team trainings that explicitly meet art. 4: /ai-training.

Curious what AI can do for your business?

Take the free AI Scan and find out in 1 minute.

Frequently asked questions

What exactly is AI literacy?
AI literacy is the combination of skills, knowledge and understanding needed to use AI systems responsibly: technical basics (how does an AI model work), risk awareness (hallucinations, bias, privacy), legal context (GDPR, AI Act) and practical use (prompting, output validation). The level depends on the role: an end user needs less in-depth knowledge than a management team member arranging governance.
When do I need to comply with article 4?
The obligation has been directly applicable since 2 February 2025; there is no transition period left. If you have nothing in place now, you are technically in violation. In practice the regulator focuses mainly on large players and clear breaches, but that does not exempt you from the obligation. Start now.
How long does such a trajectory take for an SME team of 20?
Depends on where you stand and how deep you go. A workable baseline (inventory, short AI policy, basic training for the whole team, user training for the intensive users) can be set up in a few weeks if everyone cooperates. Deeper governance and role-specific training takes more time. You do not need to have everything perfect in one go: start small, in phases.
May I arrange this internally myself?
Yes. The law does not prescribe an external party. The Dutch Data Protection Authority offers a guide that is a fine starting point for many SMEs. External guidance is worthwhile mainly if you have no one internally combining AI and legal knowledge, or if you work in a regulated sector with heavier requirements.
What if an employee uses AI without training anyway? Am I liable?
In principle yes. As an employer you are responsible for what your employees do in their role. The absence of demonstrable AI literacy is an aggravating factor in an incident. An AI policy plus demonstrable training is your best defence. Having a policy and not enforcing it does not help: there must also be evidence that the policy is alive.
Does article 4 also apply to freelancers working for me?
Yes. The law speaks of 'persons operating and using AI systems on their behalf'. If a freelancer works for your brand with AI, then as the client you must ensure that person has the appropriate AI literacy for that task. Give them access to the same training, or stipulate in the contract that they arrange adequate AI literacy themselves.
How do I document that I comply with article 4?
Make sure you have three things in order. One: an AI policy with date and version number. Two: a register of who followed which training, when and at what level. Three: a log of AI incidents and how they were handled. Keep it simple and up to date. An Excel file or a section on your intranet works fine for SMEs.