What should you train employees on regarding the AI Act?
Since we get asked this question time and again, we have put together an overview.
With the EU AI Act, companies are for the first time facing a clearly defined AI literacy requirement. But what exactly do employees need to learn in order to meet the requirements of Article 4? The AI Act demands a "sufficient level of AI literacy" in the use of AI – but without specifying any concrete content. We show how companies can implement this EU AI Act AI literacy requirement in a way that is practical, legally sound and tailored to each target group.
The AI Regulation does not specify any concrete content. We do – developed in collaboration with specialist departments, learning experts, AI experts and lawyers.
Article 4 of the EU AI Act initially only states that
"Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf […]"
(See Article 4 of the EU AI Act)
That is quite broadly worded. So what should you actually train employees on?
As experts in security, regulation and learning, we asked ourselves the same question – and so we brought together AI experts, specialist departments from our clients, lawyers and learning experts to jointly define the content of an "AI literacy training".
This one's a no-brainer. Anyone using AI should understand the mechanics behind it:
The key messages here: AI produces probabilities, not truths. With public systems, your input data may be used for training purposes. And you should never adopt AI output without reviewing it. The "human in the loop" remains essential.
All experts quickly agreed that AI literacy training should also explain the essence of the EU AI Regulation:
For everyday users, this chapter is primarily informational. They should be familiar with the risk categories and the transparency obligations – and understand that they are always personally responsible for the outcome and must stand by it.
"The AI did it" is not an excuse.
Topics such as ethics, fairness, bias mitigation, data protection and data security are, in our view, so important that we address them in dedicated chapters.
We have divided this chapter into two main sections.
The first covers how attackers use AI (phishing, social engineering, deepfakes): AI is a superpower – for attackers and defenders alike. Phishing emails are becoming more sophisticated and deepfakes are virtually undetectable. But protection is still relatively straightforward: verify, verify, and verify again.
The second section addresses the incidents that AI can cause – even unintentionally – when the wrong AI system is fed sensitive information. This covers both cyber security and data protection, since personal data is, at its core, simply sensitive information. The key messages: do not upload sensitive data to public AI systems; if necessary, pseudonymise it first.
A common requirement from our clients was:
"We need our specific use cases and tools to be reflected in the training."
That is why this chapter was created:
The key messages: use AI – it is already becoming an integral part of working life. But always engage your critical thinking. AI is a tool, not a decision-maker. You are, and remain, the responsible party.
Finally, we equip participants with practical tips for their day-to-day work – for example, trying out different AI systems, including in different languages. Or how to avoid the "garbage in, garbage out" problem. Ultimately, the right prompt is fundamental to the quality of the output: role, task, format and, above all, context.
We also explain the correct approach to copyright. Can AI-generated content be protected by copyright? Can it infringe copyright? Is it permissible to use AI-generated images freely?
And we reinforce once more the importance of the "human in the loop" – that AI output should never be adopted without review.
We are confident that these 5 chapters, delivered in approximately 30–40 minutes, not only fully address Article 4 of the EU AI Regulation, but cover all relevant topics for the target group of AI system users – concise, easy to understand, with videos and plenty of practical tips.
The training is also available for use in your organisation's own LMS (the magic word being "SCORM"), or via our GDPR-compliant training platform – complete with assessment and certificate.
IS-FOX recommendation on content for AI literacy training: how AI works, what the EU AI Regulation requires, cyber security and data protection in the context of AI, and practical, actionable tips for everyday use.
Under the EU AI Regulation, training should be tailored to the relevant role (e.g. HR, IT or management). As the topic is still relatively new for most people, the majority of organisations start with a broad, general approach.
Larger organisations in particular often have no way of assigning different training content to different target groups. We do. We can integrate conditional logic into our training – for example, "do you work in HR?" – and deliver role-specific content accordingly.
The EU AI Regulation also states that the learner's existing level of knowledge should be taken into account. That is not straightforward with a one-size-fits-all e-learning – but it is achievable.
We offer refresher pathways that revisit existing knowledge, right through to test-out options for more experienced learners: "Already up to speed? Prove it with a pre-assessment. Pass the questions for a chapter and you can skip it entirely. Don't pass, and you've just shown yourself that the chapter is worth your time."
Participants love refresher pathways and test-out options – particularly when they already covered the content the previous year.
And organisations love them too, because no valuable productivity is wasted needlessly; the training takes only as much time as is actually needed.
For anyone who wants to explore the requirements of the EU AI Act in more depth – particularly the AI literacy obligations under Article 4 – we recommend our webinar recording from March 2025 with lawyer Matthias Orthwein. It covers the regulatory background, practical implementation for organisations, and common pitfalls in detail.
👉 Watch the webinar recording (German)
Frank von Stetten
Co-founder of HvS-Consulting, expert in AI governance, security awareness and regulatory training
Frank von Stetten is a co-founder of HvS-Consulting in Munich and a recognised expert in security awareness and corporate training programmes. For more than 20 years, he and his team have delivered training on cyber security, data protection, compliance, and occupational health and safety, both as live events and as e-learning courses.
He is the author of numerous IS-FOX courses, a frequent speaker on "learning in organisations", and currently supports many organisations in implementing new regulatory requirements – including NIS-2 and the AI literacy obligations under the EU AI Act.