[00]

Resource 02 · AI Act · Regulation (EU) 2024/1689

_

Article 4: how to build the mandatory training plan before August 2

Article 4: how to build the mandatory training plan before August 2

By Alejandro Rios Calera, CTO

Alejandro Rios Calera is CTO and co-founder of The AI Business, where he leads the technical implementation of EU AI Act compliance in real-world AI projects.

Reading time: 9 min · The AI Business · July 2026

August 2, 2026 isn't the date the obligation begins. It's the date the inspections begin. The obligation to train your team has been in force since February 2025 — and almost no one has met it.

What Article 4 requires exactly

What Article 4 requires exactly

Article 4 of the European Artificial Intelligence Regulation has been in force since February 2, 2025. Since that day, any company that uses AI systems — and that includes tools as widespread as ChatGPT, Copilot, or any software with automated decision-making features — has the legal obligation to ensure that its employees have an adequate level of AI literacy. What changes on August 2, 2026 is that AESIA gains full powers of inspection and enforcement.

If you run a company that uses AI, there are only weeks left to have the plan documented. This guide explains exactly what the law requires, how to structure the plan, and what documentation you need to have ready.

The text is deliberately broad: providers and users of AI systems must take measures to ensure "a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf." Three key points:

· There's no size threshold. It affects sole proprietors, SMEs, and multinationals alike. It doesn't matter whether you have 5 employees or 5,000.

· The training must be proportional to the context. It doesn't require specific hours or formats — it requires that it be adapted to the employee's technical level, the sector, and the systems they use in their role.

· Documenting isn't optional. A generic course with no attendance records, assessment, or evidence doesn't comply. You have to be able to prove it in an inspection.

What isn't enough: knowing how to use ChatGPT, an employee having taken a course on their own, or posting a policy PDF on the intranet.

The 7 competencies your plan must cover

The 7 competencies your plan must cover

The guidance published by the European Commission and AESIA identifies seven reference areas. The depth in each one depends on how AI is actually used at your company:

#

Competency

What it means in practice

1

General understanding of AI

What it is, how it works, which systems your company uses, opportunities and risks

2

Organizational role

Whether your company develops or deploys AI, and what each position implies legally

3

Risk assessment

Risks of the systems each employee uses: hallucinations, biases, leaks

4

Contextual technical training

Adapted to the employee's level, sector, and specific tools

5

Responsible use

Data protection, what not to share with public tools, human oversight

6

Interpreting outputs

Human review of AI recommendations, verification of results

7

Basic legal framework

AI Act, GDPR in the AI context, the company's obligations

Not everyone needs the same depth: an operator using predictive maintenance needs to master blocks 5 and 6; a legal or HR director also needs 2, 3, and 7. Hence the importance of structuring by levels.

The 3-level model

The 3-level model

The most practical approach — the one reflected in the European guidance and in the implementations we're seeing in Spain — is to divide the plan according to each role's exposure to AI:

Level

Audience

Main content

Duration

Basic

Entire workforce

What AI is, ethical and safe use, when not to trust the output, personal data and privacy

2–4 h

Intermediate

Heavy users (marketing, HR, customer service, operations)

Role-applied prompts, bias detection, critical evaluation of outputs, tools for the job

6–10 h

Advanced

Managers, legal, IT, strategic HR

Risk management, in-depth AI Act, internal audit, governance, documentation

10–20 h

The basic level applies to 100% of the workforce. The intermediate and advanced levels are assigned by role, not by choice. What counts as a "sufficient level" for each profile is defined by each organization based on its systems and risks — there's no universal table.

The 4 documents an inspection will ask for

The 4 documents an inspection will ask for

Having the training done isn't enough if you can't prove it. In an inspection, AESIA can request evidence. These are the four documents that must exist:

1. Inventory of AI systems in use. Every tool with AI features the company uses, classified by department and risk level. Includes third-party software with embedded AI.

2. AI usage policy by role. Which systems each type of employee can use, for what tasks, and with what restrictions (for example, what data cannot be entered into public tools). It doesn't have to be lengthy — it has to exist and be accessible.

3. Training records. Who received what training, when, and with what result. At a minimum: attendance, dates, content, and some assessment of learning.

4. Risk assessment of high-impact systems. For Annex III systems (HR, access to essential services, critical infrastructure…), the specific assessment and the mitigation measures adopted.

If you already have documentation processes for GDPR or an ISO standard, these documents are largely extensions of what you already manage. All four come out of our 72-hour diagnosis — it's literally what we deliver.

FUNDAE: fund it with subsidized credit

FUNDAE: fund it with subsidized credit

Training in digital and AI competencies can qualify for subsidy through FUNDAE. To apply it, the training activity must be reported before it starts, delivered through an authorized organizing entity, and meet the documentation requirements. Indicative credits by workforce size:

· Fewer than 10 employees: from ~€430

· 10–49 employees: from ~€1,650

· 50–249 employees: from ~€3,750

· 250+ employees: up to €15,000 or more

Online training is subsidized at around €7.50 per hour and learner. If you haven't yet used your FUNDAE credit this year, the Article 4 plan is a direct use case: compliance can end up costing you almost nothing.

The realistic timeline: 4 weeks

The realistic timeline: 4 weeks

If you're starting from scratch today, this is the schedule we recommend through August 2:

Week

What to do

1

Inventory the AI systems in use · assign each employee to their level · check the available FUNDAE credit

2

Draft the usage policy by role · create the basic-level modules (top priority: it affects the entire workforce)

3

Launch the basic level and log completion · develop the intermediate content

4

Complete intermediate and advanced · consolidate the 4 evidence documents · close out high-risk assessments where applicable

In practice, the bottleneck usually isn't producing the content, but deciding: who approves the policy, who validates the inventory, who drives the process. What matters is being able to show documented progress before August 2: an inventory started, a policy in draft, a first module launched already puts you in a radically better position than having nothing.

Frequently asked questions

Frequently asked questions

What happens if I'm not compliant before August 2?

Article 4 has no directly assigned penalty, but non-compliance aggravates any other infringement of the regulation — whose general fines reach €35 million or 7% of global turnover. And it's reasonable to expect that training will be among the first things AESIA examines when supervising the use of AI.

Does the training have to be in person?

No. The regulation doesn't set a format. Online training is valid — and if it generates automatic completion records, the documentation part takes care of itself.

Does it affect companies that only use third-party AI?

Yes. The obligation applies to providers and to users. If you use Copilot, Gemini, or HR software with embedded AI, you're a "user" under the regulation and it applies to you.

Can I use courses from external platforms?

Yes, as long as the content is adapted to your company's real context and you can document attendance and learning. A generic course with no evidence of completion isn't enough.

Sources: Regulation (EU) 2024/1689 (official text) · artificialintelligenceact.eu · AESIA (aesia.es). This content is informational and does not constitute legal advice.

Weeks left, not months. Start by knowing where you stand.

Weeks left, not months. Start by knowing where you stand.

AI Act exposure diagnosis in 72 hours: inventory, risk classification, your exposure in euros, and the plan to close it. No obligation.

1 vídeo · 3 guías · 20 min de lectura

Miami · Spain · Dubai

GDPR · BY CONTRACT

EU AI ACT · BY CONTRACT

Miami · Spain · Dubai

Miami · Spain · Dubai