Pillar guide → For the full breakdown of EU AI Act obligations for SMEs and SMBs (Art. 4, 5, 26, 27, 50, fines, timeline), see our complete EU AI Act SME compliance guide.
On 7 May 2026, the Council of the European Union and the European Parliament reached a provisional political agreement on the Digital Omnibus, a targeted amendment package to Regulation (EU) 2024/1689 (the AI Act). One change has received relatively little press attention but matters directly to every employer: the reframing of Article 4 AI Act, the AI literacy provision that has been in force since 2 February 2025. The official press release is available on consilium.europa.eu.
What changes concretely, what remains legally binding, and what should employers do now to demonstrate the AI literacy of their staff in a defensible way without over-bureaucratising the process?
What Article 4 AI Act said before the Omnibus
The original wording of Article 4 AI Act required providers and deployers of AI systems to ensure, to their best extent, a sufficient level of AI literacy of staff and other people dealing with the operation and use of those AI systems. The provision has applied EU-wide since 2 February 2025, sector-neutral and independent of the risk class of the AI system deployed.
The formulation read like a classic ensure-obligation. In practice, that meant: an employer providing access to internal AI tools, corporate ChatGPT accounts or Microsoft Copilot had to convey a defined minimum level of competence to staff and be able to evidence it. Active supervision by national market surveillance authorities (AESIA in Spain, BNetzA / BSI / BfDI in Germany, Digitaliseringsstyrelsen / Finanstilsynet / Datatilsynet in Denmark) starts as planned on 2 August 2026.
What the Digital Omnibus of 7 May 2026 changes
With the political agreement of 7 May 2026, Article 4 AI Act is reframed as a best-efforts duty to promote AI literacy. Providers and deployers shall take measures to promote the development of AI literacy of their staff and of persons acting on their behalf. A strict ensure-obligation in the narrow sense no longer applies. This is a meaningful change with three practical consequences:
- There is no prescribed training format, no minimum training duration, no harmonised EU-wide curriculum. Employers can shape their measures to actual risk and actual AI use in their organisation.
- What counts are documented measures. A note in the intranet or a generic email alone is typically insufficient, because it evidences neither personalisation nor learning outcome.
- Active supervision from 2 August 2026 was not delayed by the Omnibus. Authorities will from that date onwards check whether organisations have met their best-efforts duty.
What remains legally binding
The Digital Omnibus is not a repeal of Article 4 AI Act, it is a reformulation. The following points remain fully binding:
Scope: Article 4 AI Act applies sector-neutral to all providers and deployers. There is no exemption for SMEs, craft trades or public administration. The factors referenced in Recital 20 of the AI Act (context of use, risk, staff configuration) remain guiding for how measures are designed.
Penalty framework: The AI Act sets no specific fine for breaches of Article 4. It leaves the sanctions for the AI-literacy duty to the Member States; national authorities can enforce them from 2 August 2026. The high fine brackets of Article 99 (up to EUR 35 million or 7 %) apply to other breaches, in particular the prohibited practices under Article 5.
Burden of proof: Even a best-efforts duty requires that the effort be documented. An organisation with nothing to show has nothing to argue with before a supervisory authority, and the burden of evidence sits with the provider or deployer in most national administrative-law regimes.
Data protection law: Conducting AI training with personal data of staff (name, email, department, learning outcome) is still subject to the GDPR and the relevant national implementing laws. Worker-representation rights at national level (Spanish Article 64 Estatuto de los Trabajadores, German § 87(1) No. 6 BetrVG, Danish co-operation agreements) remain unaffected.
Why a documented baseline training remains strongly recommended
From a legal and operational standpoint, even with the softer wording there is a strong case for offering every staff member with AI exposure a documented baseline training. Three reasons that hold independently of the AI Act:
First, liability risk from misuse. An organisation granting an employee access to ChatGPT for sales drafting without training, and that employee then pasting client data into a US-hosted cloud service, faces not only potential GDPR fines but also civil claims and breach-of-contract liability. A documented training covering permitted use, data classification and Shadow-AI risks measurably reduces that exposure.
Second, evidence before the market surveillance authority. From August 2026, authorities are expected to conduct sample-based checks and request concrete evidence. A signed audit dossier per staff member is the fastest and cleanest way to demonstrate the best-efforts duty, without lengthy on-site visits or extensive written statements.
Third, operational safety. A short, practical baseline training measurably reduces the frequency of data-protection incidents, confidentiality breaches and Shadow-AI usage. The benefit accrues regardless of how the AI Act evolves.
A practical minimum standard for the best-efforts duty
From our advisory practice and our reading of Recitals 20 and 165 of the AI Act, we derive the following pragmatic minimum standard that covers the best-efforts duty in the post-Omnibus version:
- Inventory of AI systems in use. Which cloud-based tools (ChatGPT, Copilot, Gemini, Claude) and which internal or local AI systems are deployed? Who has access?
- Risk classification of use. Is AI used for hiring decisions, credit scoring, health contexts or other high-risk areas, or strictly as an assistant with human final decision?
- Training offering with learning-outcome check. An asynchronous online training of 60 to 120 minutes, with a short exam (5 to 6 questions, 80 % pass threshold) and a named certificate per person.
- Audit dossier at campaign closure. A cryptographically signed bundle of all evidence (invitation, reading time, exam attempts, certificates). Ed25519 signatures hold for 10 to 20 years and remain verifiable independently of the vendor.
- Annual refresh. The AI landscape evolves quickly. An annual refresh with updated content signals to the supervisory authority that the best-efforts duty is treated as an ongoing process.
Once these five steps are implemented cleanly, the ongoing effort is typically two to four hours per year, and the organisation is on safe legal ground.
Bottom line
The Digital Omnibus of 7 May 2026 softens the wording of Article 4 AI Act, but it does not make it less relevant. Active supervision from 2 August 2026 is coming, and authorities will want to see concrete evidence. Organisations that establish a documented baseline training now are ready, without scrambling under deadline pressure.
Our turnkey training for Article 4 AI Act is designed for exactly this pragmatic use case: EUR 20 per participant, no minimum commitment, with a signed audit dossier at campaign closure. For questions on how to shape this in your specific organisation, we are happy to act as sparring partner, no commitment required.