Compliance, Governance & Risk

EU AI Act Article 4 for SMBs: What You Actually Need (2026)

Last verified against primary/authoritative sources: 2026-06-16. This is general information and self-assessment guidance, not legal advice — see the note at the end. The AI Act's staged schedule is being…

Last verified against primary/authoritative sources: 2026-06-16. This is general information and self-assessment guidance, not legal advice — see the note at the end. The AI Act's staged schedule is being amended; re-verify every date against the official text and a qualified adviser before relying on it.

If you run or operate a small business that uses AI tools — ChatGPT, Copilot, Claude, or the AI features baked into software you already pay for — you've probably been told you have a hard EU AI Act deadline bearing down on you. A lot of that messaging is out of date, and some of it is scaremongering.

This guide gives you the honest version: what Article 4 actually requires, what changed in May 2026, what an SMB realistically needs to do, and the one artifact that proves you did it. We'd rather you act for the right reason than panic-buy on a deadline that moved.

What Article 4 is (in one paragraph)

Article 4 of the EU AI Act is the AI-literacy duty. In plain terms, organisations that provide or use AI systems are expected to take measures to ensure the people operating those systems on their behalf have a sufficient level of AI literacy — appropriate to their role, their technical background, and the context the AI is used in. It deliberately does not prescribe a curriculum. It expects you to tailor literacy to your people and your tools.

Crucially for SMBs: you are almost certainly a deployer (you use third-party AI tools) rather than a provider (you build and sell an AI system). Deployer obligations are materially lighter than provider obligations — but they aren't zero, and Article 4 is the one most SMBs can act on directly.

The honest timeline (and what the Digital Omnibus changed)

Here's where most "act now or face fines!" content is stale. As verified on 2026-06-16:

  • 2 February 2025 — Article 4 (AI literacy) entered application, to providers and deployers, with no grace period. This part is live today. The prohibited-practice rules also began applying on this date.
  • 2 August 2025 — EU-level governance bodies (the AI Office, the AI Board) became operational and the rules for general-purpose AI (GPAI) models began to apply. This mostly affects model providers, not SMB deployers.
  • 2 August 2026 — enforcement powers and supervision under the wider regime are generally framed as taking effect around this date.
  • The Digital Omnibus (political agreement, 7 May 2026) — the Council and Parliament agreed to simplify and streamline the rules. The agreement proposes to soften Article 4 from an outcome-based "ensure a sufficient level" duty into a "take measures to support the development of" literacy duty, shifting more responsibility to the Commission and Member States; and it deferred the high-risk obligations to 2 December 2027 (Annex III / stand-alone systems) and 2 August 2028 (Annex I / embedded systems). This amendment still requires formal adoption and publication before it is law — it is not yet in force.

So what does that mean for you? Two honest takeaways:

  1. There is no hard SMB "compliance deadline" in 2026 in the way the panic posts suggest. Article 4 applies today, but the heavier obligations moved out to 2027/2028, and Article 4 itself is being softened, not hardened.
  2. The duty hasn't disappeared. Article 4 is not repealed. Demonstrating that your people understand the AI they use remains both legally prudent and commercially sensible — and the law in this area is visibly in flux, which is its own reason to keep your references current.

We won't print a scary fine figure here. The headline penalty numbers are easy to misquote, the SME-adjusted exposure depends on your turnover and the breach, and — bluntly — the genuine, immediate commercial driver for most SMBs isn't a hypothetical regulatory fine at all. It's the next item.

The real reason most SMBs need this now: your customers

Set the regulation aside for a moment, because it isn't the thing actually costing SMBs money this quarter.

Enterprise buyers have added an AI section to their vendor security questionnaires. Do you have an AI policy? Are staff trained? Can you evidence your AI risk assessment? If you can't answer, the deal stalls in procurement. This demand is bottom-up, market-driven, and intensifying through 2026 — and it doesn't care how the Digital Omnibus lands.

This is the durable "why now." A stalled enterprise deal is real money, this quarter, regardless of any statute. If you build your AI governance file for that reason, you'll also be in good shape on Article 4 as a free side effect.

(Want a quick, honest read on where you stand? The free AI Governance Readiness Check scores you against Article 4, ISO/IEC 42001 and NIST AI RMF themes in a few minutes, no email, entirely in your browser.)

What an SMB actually needs to do (about half a day)

You don't need a consultant or a £7,500/yr platform. For a typical AI-using SMB deployer, a defensible governance file comes down to seven steps:

  1. Name an owner. One accountable person (founder, COO, ops lead, DPO). Their name goes on every document. Governance with no owner is the first thing flagged.
  2. Inventory your AI tools. Every one — including the embedded AI features in tools you already pay for, and the ones staff signed up for themselves ("shadow AI"). For each: what it's for, what data goes in, whether the vendor trains on your data. You can't govern what you haven't listed.
  3. Run an AI risk register honestly. Use-case-driven, with ratings and controls. Be honest about high-stakes uses; don't manufacture risk you don't have, and don't hide risk you do.
  4. Deliver AI-literacy training and record it. A ~1-hour session covering the essentials (AI predicts rather than verifies, so always check it; never paste personal/special-category/client-confidential data into an unapproved tool; a human reviews and owns anything that leaves the business; high-stakes uses stop and get sign-off). Then log each attendee, role and date. The dated log is the artifact — not the slide deck.
  5. Complete an impact assessment for your most consequential AI use. If it touches people's rights, money, or opportunities, flag it for professional review before you rely on it.
  6. Generate and date the file. Charter, policy, training record, risk register, impact assessment — each dated, versioned, with a next-review date.
  7. Get it reviewed, then keep it current. Have a qualified professional review it (especially for any high-stakes use), then re-verify the regulatory references at least quarterly and re-run training for new joiners and annually.

The artifact that proves it: the dated training record

If you take one thing from this guide, take this: a blank AI policy is worth roughly nothing; a completed, dated AI-literacy training record is the evidence.

Article 4 expects demonstrable measures — and so does the customer security questionnaire. Anyone can download a blank training-acknowledgment form. Almost nobody has a populated record showing who was trained, their role, and the date. That's the artifact an auditor and a procurement team ask to see, and it's exactly what free template bundles leave out.

The fast path

You can do all seven steps by hand. If you'd rather not, the AI Governance Pack turns about 15 minutes of answers into the whole file — a Governance Charter, AI Acceptable Use Policy, a dated AI-Literacy Training Record (with the ~1-hour training brief behind it so the record is honest), a pre-seeded risk register, a Deployer Impact Assessment, and a Security-Questionnaire Answer Kit — each clause-mapped to Article 4, ISO/IEC 42001 and the NIST AI RMF, with free updates as the law settles after the Omnibus. It runs entirely in your browser, is £149 one-time, and carries a 60-day "put-it-in-place" money-back guarantee.

It's self-assessment tooling, not legal advice, and it can't make a high-risk use compliant — what it does is get a real, dated, owned file in place fast and tell you honestly where you need a human expert.

Start free: the AI Governance Readiness Check will show you your gaps in a few minutes.


FAQ

Does Article 4 apply to my small business? If you use AI tools in your work, the AI-literacy duty applies to you as a deployer (it has applied since 2 February 2025). Provider obligations are heavier and apply if you build or brand an AI system you put on the market — most SMEs are deployers.

Is there a hard EU AI Act deadline in 2026 for SMBs? Not in the way much marketing claims. Article 4 applies now, but the Digital Omnibus (7 May 2026) deferred high-risk obligations to December 2027 / August 2028 and proposed softening Article 4 — and that amendment isn't yet law. Treat the regulation as a moving target and verify against the official text.

What does "AI literacy training" need to cover? Article 4 doesn't prescribe a curriculum. In practice, a sufficient session covers how generative AI behaves (it predicts, it can be confidently wrong), data-handling rules, mandatory human review, and which high-stakes uses require sign-off — tailored to your tools and sector.

What's the difference between "aligned to ISO 42001" and "ISO 42001 certified"? Alignment means your governance reflects the standard's structure. Certification is granted only by an accredited certification body after an audit. Never claim certification you don't hold — it's checkable and material.

Do I need a DPIA as well? Possibly. Where you process personal data, you may separately need a UK/EU GDPR Data Protection Impact Assessment. An AI impact assessment is not a substitute — check with a qualified adviser.


This article is general information and self-assessment guidance, not legal advice, and its author is not a regulated law firm. It does not certify compliance with the EU AI Act, ISO/IEC 42001 or the NIST AI RMF. AI-assisted content; regulatory references — including the Article 4 application date (2 Feb 2025) and the Digital Omnibus political agreement (7 May 2026) deferring high-risk obligations to Dec 2027 / Aug 2028 — were verified against primary/authoritative sources (Regulation (EU) 2024/1689, the European Commission, and the Council of the EU) on 2026-06-16. The schedule is being amended and is not yet finalised; re-verify against the official text and obtain qualified review before relying on any date.