The EU's AI literacy duty catches more UK firms than they realise
If your core business has any EU exposure (clients, staff, or AI output that ends up in the EU), the AI Act's literacy duty likely applies to you. The threshold for being caught is lower than the news coverage suggests, and enough senior leaders we have spoken to haven't worked out what it requires that we felt it was worth having a chat.
EU regulators begin enforcing the duty on 2 August 2026.
AI tools have been in everyday use for nearly three years. The records, the policies, and the actual oversight have lagged behind, and the EU has decided that gap is no longer acceptable in its market.
The EU AI Act has been in force since August 2024 and is rolling out in stages. The provision now starting to land in UK boardrooms is Article 4, which obliges organisations using AI to ensure their staff have a level of literacy proportionate to the tools and the context.
Many UK firms with EU exposure have assumed Brexit took them out of scope. It didn't, and the practical implications go beyond ticking a compliance box. For UK firms with no EU footprint at all, the position is different. We'll come back to those firms at the end.
First, what the legal terms mean
The piece uses a few terms from EU regulation that are worth pinning down briefly.
An Article is a binding clause of the regulation. Article 4 is the AI literacy duty. Article 26 is the training duty for deployers of high-risk AI. Article numbers are sometimes followed by sub-clause numbers, so Article 3(56) means clause 56 within Article 3.
A Recital is preamble text that sits before the articles and explains their intent. Recitals help interpret what the articles mean but aren't binding in themselves. If the operative text (the articles) and a recital appear to disagree, the operative text wins, though a court can use the recital to read it in context. This becomes relevant when we look at scope.
An Annex is a list attached to the regulation. Annex III contains the eight categories of high-risk AI.
We also use provider and deployer throughout. A provider builds or rebrands an AI system and puts it on the market under its own name. A deployer uses an AI system in a professional capacity. Most UK organisations using AI tools are deployers, not providers.
You don't need an EU office to be in scope
The Act catches UK organisations in three ways: (1) it applies if you place an AI system or product on the EU market; (2) it applies if you deploy AI in the EU; and (3), more relevantly for most UK businesses, it applies when the outputs of your AI use are used in the EU.
That third trigger is where most UK organisations are likely to get drawn in. The Act doesn't require an EU subsidiary, an EU contract, or even EU revenue to apply. It just requires AI outputs ending up in the EU.
Does this affect your business?
Some scenarios are clear. Others sit in genuinely contested legal territory. The table below covers the cases UK businesses run into most often.

The contested rows reflect a tension in the legislation itself. The Act's operative text doesn't require that AI outputs reach the EU intentionally. The recital, which is interpretive rather than binding, says it should. Until the Commission issues guidance or a court decides a case, the safe planning assumption is that any meaningful EU touchpoint puts you in scope, or close to it.
If your firm has no EU clients, no EU staff, and no EU output at all, the Act doesn't apply to you directly. The position for those firms is different and we'll come back to it.
The regulator(s): who will come calling
There isn't a single EU AI regulator. Enforcement runs through Market Surveillance Authorities designated by each Member State, with the European Commission's AI Office handling general-purpose AI models centrally and coordinating across borders.
Member States have taken different approaches. Spain has built a single dedicated agency, AESIA. Germany has handed the role to its Federal Network Agency, the Bundesnetzagentur. France has gone decentralised, splitting the role across around seventeen authorities by sector, with the CNIL leading on personal data and prohibited practices. Ireland has built a coordinated network of existing regulators. The picture is fragmented by design.
The deadline for Member States to do this was August 2025. As of March 2026, only eight of the twenty-seven had completed the process and notified the Commission of their single point of contact. Enforcement capacity is still being built.
For UK firms in scope of the Act, this means the regulator you might end up answering to depends on which Member State your AI outputs are reaching. A UK consultancy delivering AI-assisted work to a Madrid client is most likely in AESIA's territory. The same firm doing the same work for a Paris client is looking at the French DGCCRF and likely the CNIL as well, depending on the use. There isn't one set of expectations to prepare for.
For UK firms with no EU exposure, the immediate enforcement question is different. The relevant regulators are the ones already paying attention to your sector. We'll come back to which those are.
In practice, the immediate enforcement risk for most UK businesses isn't a knock on the door from Brussels. It's more likely a regulator already paying attention to your sector asking awkward questions about an AI use that's gone wrong, or a client running vendor due diligence. Both care about the same thing: evidence that you understand what your AI is doing, and that your people do too.

What the duty actually asks for
Article 4 imposes a duty on "providers" (those who build or rebrand AI systems) and "deployers" (those who use them) to support AI literacy among their staff and anyone operating AI on their behalf. The duty has been in force since February 2025 and becomes enforceable in August 2026.
It is being softened, though not yet definitively. The Digital Omnibus on AI, politically agreed in May 2026 and awaiting formal adoption, reportedly revises Article 4's standard. The current text requires providers and deployers to "take measures to ensure, to their best extent, a sufficient level of AI literacy." The revised wording reportedly drops the "sufficient level" framing and asks them to "take measures to support" it. The duty doesn't disappear. The bar is lower, and the obligation is clearer about being proportionate effort rather than a guaranteed result. The final published text, expected before August 2026, will resolve any remaining ambiguity.
While there is no EU certification scheme, no approved provider list, no required curriculum, and the European Commission has been explicit that organisations can keep internal records and aren't required to produce certificates, "no required structure" isn't the same as "anything goes."
For training to be defensible to a regulator, an auditor, or a client doing vendor due diligence, four things matter:
- It maps to what the regulation actually defines as AI literacy. Article 3(56) defines AI literacy as the skills, knowledge, and understanding to make informed deployment of AI, with awareness of its opportunities, risks, and possible harms. Recital 20 explains the policy intent behind that definition. Training that doesn't reflect those terms is harder to defend.
- It's proportionate to role and context. What works for a small marketing team using AI for drafting work isn't enough for a hiring manager using AI to screen CVs. Generic all-staff training is the weakest form of evidence.
- It produces a documented record. Attendance lists, dated materials, ideally an assessment that shows understanding rather than just exposure. Per-learner records of what each person was trained on and when are the evidence base.
- It's kept current. Training delivered 18 months ago without refresh is weaker evidence than training delivered six months ago with a clear version history.
A useful test: if a regulator called tomorrow and asked what your organisation has done to support AI literacy, could you produce a coherent answer in under an hour? If yes, you're in a defensible position. If not, the gap is the work.
Training needs to be more than ticking boxes
This is where most compliance-driven training falls down. Firms commission a half-day seminar, get everyone to sign an attendance sheet, store the deck somewhere, and call it done. The records exist but the substance doesn't, and when something goes wrong the gap becomes visible.
The Act is asking for evidence that organisations using AI know enough about what they're doing to avoid causing harm, not performative compliance. That's a different standard. It needs training that reflects the actual tools in use, the roles using them, and the decisions being made with their outputs, and it needs governance that doesn't end when the training does. It needs senior leaders who can articulate, without notes, what their staff are using AI for and why.
The firms doing this well aren't treating it as a regulatory chore. They're treating it as something that makes their use of AI more confident, more consistent, and easier to defend when something goes wrong. The compliance evidence is a by-product of doing the job properly. The firms doing it badly will have records but no substance, and will discover the difference when a regulator, a client, or an internal incident forces the question.
What is your risk appetite?
The Act treats some uses of AI as inherently high-risk and applies heavier obligations to organisations deploying them. The list includes AI used in recruitment and hiring, credit and insurance decisions, education and assessment, access to essential services, and certain healthcare and law enforcement uses.
If your organisation falls into one of these categories, Article 4 isn't the headline. Article 26 imposes a separate, harder training requirement on deployers of high-risk systems. Staff exercising oversight of those systems must have the competence, training, authority, and support to do so. The Digital Omnibus is likely to soften some obligations, but not ones in this category. Under the Omnibus changes, the high-risk obligations apply from 2 December 2027 for standalone systems and 2 August 2028 for product-embedded ones. Those dates depend on the Omnibus being formally adopted.
For most UK firms this isn't the immediate concern, but for those in regulated sectors using AI to make or shape decisions about people, it is.
If you have no EU exposure at all
For UK organisations with no EU footprint, the EU AI Act doesn't apply directly. But the idea that training is therefore optional is wishful thinking.
UK GDPR already requires accountability for how personal data is used in AI systems. The Equality Act 2010 catches discriminatory AI outputs in hiring, lending, and service decisions regardless of whether a human or a model produced the bias. Sector regulators including the ICO, FCA, MHRA, and Ofcom all expect organisations using AI to show appropriate oversight and competence. None of these laws use the phrase "AI literacy", but in substance they require something very similar.
The UK government's Regulating for Growth Bill, announced in the May 2026 King's Speech, will coordinate across regulators but won't introduce a single AI literacy duty. The honest position is that the EU has named the obligation explicitly while the UK reaches the same place through several different statutes. Either way, "we trained our people and have records to prove it" is where you want to be.
Client due diligence is increasingly the more immediate pressure. UK firms supplying EU clients, regulated clients, or large enterprise clients are now routinely asked about AI literacy in vendor onboarding. The buying conversation often comes from the firm's clients, not from a regulator.
Where to actually start
For most UK organisations, three steps cover the ground.
First, find out who uses AI at your business, for what, and whether any of that touches the EU or falls into a high-risk category. Most firms haven't done this. The output is a simple inventory, and it's the foundation for everything else.
Second, design training proportionate to what the inventory shows. A team using AI to draft client comms needs something different to a hiring manager using AI to screen CVs. Role-appropriate training is the only kind that holds up.
Third, document what you do. Course content with dates, attendance records, assessments where possible, and a clear answer to the "what did you do?" question. The evidence is half the value of the training, because it's the part the regulator or client will actually see.
At GiantKelp we work with UK professional services firms on exactly this, often starting with the inventory and working out from there. But the broader point matters more than the sales pitch. The firms getting ahead of this aren't doing it because the law requires it. They're doing it because they want to know what their people are doing with these tools, and they want to be confident about the answer. The regulation has just made that question harder to ignore.
This is educational commentary based on public sources as of May 2026, not legal advice. Article 4 references reflect the position before the Digital Omnibus is formally adopted. Specific compliance questions should be checked with a qualified solicitor.

