The AI competency obligation under the EU AI Act is already in effect. It is not about a certificate — it is about a real, situational capability: using AI responsibly, in an informed manner, and in the right context.
On August 1, 2024, the European Union’s AI Regulation entered into force — the world’s first comprehensive legal framework for artificial intelligence. The regulation is being applied gradually, with different chapters taking effect at different times. The AI competency requirement under Article 4 is among the requirements that become effective early.
This means: anyone who deploys AI in their business must ensure that the people involved have sufficient AI competency. For the currently applicable implementation deadline, we recommend checking the official EUR-Lex website or your national supervisory authority, as individual timelines may be adjusted.
Let’s look at what this actually means — without legal jargon.
First, the legal foundation. In Article 3(56) of Regulation (EU) 2024/1689 — the EU AI Act — AI literacy is defined as:
“The skills, knowledge and understanding that allow providers, deployers and affected persons to deploy AI systems in an informed manner, as well as to be aware of the opportunities and risks that AI can pose and the harm it can cause.”
In plain language: AI competency means that people don’t simply use AI blindly — they understand what they’re doing, what risks exist, and when human judgment is needed.
Important: AI competency is not a formal credential. It is the ability to use AI responsibly, in an informed manner, and in the right context.
Article 4 of the EU AI Act obliges providers and deployers of AI systems to take measures to ensure, to their best extent, that their staff and anyone acting on their behalf who works with AI systems has a sufficient level of AI knowledge.
The phrase “to their best extent” is deliberate — it recognizes that a micro-enterprise’s capabilities differ from those of a large corporation. The principle of proportionality applies explicitly here.
What must be considered when assessing sufficiency:
This is the crucial part. The law doesn’t only target IT departments or AI experts — it affects everyone who comes into contact with AI systems in a professional context.
Who this is: Companies or individuals who develop, train or place AI systems on the market under their own name. This also includes companies that adapt existing AI models and distribute them as their own product.
What they need: The highest level of competency. They must thoroughly understand the system technically, know its risks, understand its limitations, ensure quality and anticipate possible misuse. Compliance, transparency and documentation obligations are also part of this.
Who this is: Companies or individuals who use an AI system in their own operations — for example, a marketing agency that uses an AI tool for text generation or customer analysis, or a company that uses AI for HR, sales or customer service.
What they need: Practical understanding of competency for the specific use case. They must know how the system is used correctly, what risks exist, what protective measures are necessary and when human oversight is required.
Simply using a tool without understanding how it works is not sufficient here.
Who this is: All staff who use AI tools as part of their work — whether in marketing, accounting, customer dialogue, editorial work or elsewhere. Even those who “just” use ChatGPT for texts, AI for presentations or an AI-powered CRM system may be affected.
What they need: Sufficient basic understanding appropriate to their specific task. This means:
Requirements here are significantly lower than for deployers — but not zero.
Who this is: People who decide whether and which AI systems are used in the organization — even if they don’t personally operate the tools daily. CEOs, department heads, managers.
What they need: Strategic understanding of risks, opportunities and legal consequences. They must be able to make sound decisions about AI deployment and understand the organizational obligations involved. Without this knowledge, they cannot make responsible decisions.
Who this is: People who manage AI projects in terms of content or organization — for example in marketing, HR, compliance, customer service, IT or data protection.
What they need: In-depth, role-specific understanding. They connect specialist requirements with risk and quality awareness. They must be able to recognize when an AI system is working correctly and when it needs to be checked or adjusted.
Who this is: Agencies, freelancers or external consultants who use AI on behalf of a company. If a marketing agency uses AI tools to create content for a client, it falls into this category.
What they need: The same context-specific competency as internal employees. The obligation applies not only to internal staff — it also covers external contractors as soon as they use AI for the relevant purpose.
Who this is: Individuals who use AI exclusively for personal, non-professional purposes.
The EU AI Act is fundamentally directed at professional and commercial use of AI. Those who use ChatGPT only at home for personal texts are not subject to competency obligations.
AI competency is not just a topic for companies and legal obligations. It matters for every individual person — regardless of whether they use AI professionally or privately.
Because anyone who uses AI tools like ChatGPT, Claude, Midjourney or others inputs something: texts, questions, ideas, photos, documents, personal information. Many people do this without knowing what happens to it afterward.
This depends on the respective tool and its terms of use — but there are some fundamental things everyone should know:
Inputs can be used for training. Many AI services use user inputs to further develop their models — unless you opt out or disable this in the settings. What you input today could become part of training data tomorrow.
Inputs are processed on external servers. AI services don’t run on your computer — they run on the providers’ servers, often in the USA or other countries outside the EU. This has data protection implications, especially when you enter personal data.
Images and photos are no exception. Anyone who uploads a photo to an AI tool — whether a portrait photo, a product image or a screenshot with sensitive information — is sharing that image data with the provider. Particular caution is warranted with photos of people, children, documents or confidential content.
Confidential information has no place in AI tools. Customer data, internal price lists, contracts, employee data or trade secrets should never be entered unfiltered into an AI system. Even if the tool itself is secure — legal responsibility lies with the user.
Understanding AI doesn’t just mean being able to operate a tool. It also means understanding what happens in the background — which data flows where, what rights you have and what risks arise.
This isn’t scaremongering. It’s informed usage. And that’s exactly what the EU AI Act means by AI competency: not fear of AI — but using AI with open eyes and sound judgment.
Here is an important clarification that is frequently misunderstood:
This doesn’t mean training is superfluous. It means a workshop or course can be a useful building block — but it’s not a free pass if competency is lacking in daily practice.
The competency obligation doesn’t create a huge bureaucratic burden — but it does require clear steps:
1. Inventory: Which AI tools are used in my company? By whom? For what purposes?
2. Clarify roles: Who is a deployer, who is a simple user, who makes decisions about AI deployment? Each group needs adapted competency.
3. Training and briefings: Appropriate to the role and risk level of AI deployment. This can be an external course, internal briefing, a policy, or a combination.
4. Internal documentation: Record what training, briefings, policies or approval processes exist. This helps with demonstrability — even if no external audit is required.
5. Rules for AI use: What may be entered? What may not? How are results checked? These rules protect companies and give employees orientation.
AI competency is the ability to use AI systems in an informed, critical and responsible manner — appropriate to one’s role and deployment context.
A certificate can be one building block — but what’s legally and practically decisive is something else: do the people working with AI understand what they’re doing? Can they assess risks, check results and use AI in the right context?
That is the real question of the EU AI Act.
Those who act now create not only legal security — but also the foundation for AI deployment that genuinely works.
If you want to build AI competency for yourself or your team, take a look at our online courses — we combine foundational legal understanding with practical skills you can apply immediately.
The information in this article is based on the following public sources:
Author
Annette Schneider-Desgranges
Marketing expert with over 25 years of experience · Founder of AI Marketing LearnAgency in Karlsruhe · Lecturer · Certified KI Architect – AI Agents Expert · Certified AI Marketing Innovation Leader · Certified AI Prompt Engineer.
View LinkedIn ProfileThis article was created with AI assistance and editorially revised.
These courses go deeper into the topics covered in this article.
Online-Selbstlernkurs · Sofort verfügbar nach Kauf
5 hours
149 € incl. VAT
Regular price 399 € incl. VAT
Discover our courses and workshops - and put what you have learned into action.
