What is "AI literacy"?
On February 2, 2025, the first set of provisions of the AI Act will enter into application, including the requirement for AI literacy as outlined in Article 4 of the AIA. According to Article 4 AIA, the following obligation applies uniformly across all AI systems, models, and risk categories.
Art. 4 AIA: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.
The term "AI literacy" referenced in the text of Regulation and in the title of Article 4 AIA is further elaborated in Article 3, item 56 AIA. The following sections detail the relationships and distinctions between these two provisions.
Definition of "AI literacy" according to Article 3, Item 56 AIA
According to Article 3, item 56 AIA, "AI literacy" is defined as:
[the] skills, knowledge and understanding that allow providers, deployers and affected persons, taking into account their respective rights and obligations in the context of this Regulation, to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and possible harm it can cause.
The concept of AI literacy encompasses, in an abstract sense, the necessary skills required to navigate and succeed in the digital landscape through the effective use of AI systems.
Provider, deployer und affected persons
AI literacy is applicable to all relevant stakeholders within the AI value chain, depending on their roles throughout the value creation process (see Recital 20). Different competencies are naturally required at various stages of this process. For example, providers of high-risk AI systems must possess a thorough understanding of the technical specifics of AI during the development phase to ensure the creation of AI that is both safe and consistent with European values.
Pursuant to Article 4 of the AIA, deployers and providers are required to implement "measures" to ensure that their staff, as well as any other individuals involved in the operation and use of AI systems on their behalf, possess an adequate level of AI literacy. The nature of these measures depends on the specific AI system or model employed and its associated risk level. It is essential to take into account the technical knowledge, experience, training, and education of the employees, as well as the context in which the AI systems are deployed and the individuals or groups they are intended to serve. AI literacy is inherently interdisciplinary, encompassing not only technical expertise but also legal and ethical considerations (see Recital 20 AIA). For example, providers involved in the development of a chatbot will naturally address different concerns than an operator who merely implements such a system within their organization.
- Illustration using an example on the topic of data protection and security:
A provider of a chatbot must ensure during the development process that user-entered data is stored and processed securely (e.g., data encryption, security updates, etc.). An operator of such a chatbot, who makes this system available to their employees, must ensure that no personal data or trade secrets are unlawfully transferred to the provider as a third party. This may include measures such as the operator using "on-premises" solutions, implementing necessary contractual safeguards, and/or providing appropriate training for employees on using the chatbot to ensure that such data entries are avoided (see also information from the Austrian Data Protection Authority regarding AI and data protection).
Given the varied applications and configurations of AI systems, the measures required under Article 4 AIA can differ significantly. There is no universal approach to determining the specific actions necessary to meet the requirements of Article 4 AIA. This also means that not all companies are equally affected by Article 4 AIA, nor is it necessary for every employee to possess the same level of AI literacy. For instance, if a company allows its entire staff to use chatbots like ChatGPT, it must implement appropriate and recurring training sessions (including for new hires) for the whole workforce. Conversely, if an "AI tool" is limited to use within the HR or communications department, the training can be focused on a smaller group. The depth and frequency of training may vary accordingly, as deploying AI systems with limited risk may require different measures than those needed for high-risk AI systems.
It is important to note that, unlike the GDPR, Article 4 AIA does not mandate the appointment of an "AI officer." The decision to provide training for employees or to hire personnel with AI expertise for the implementation of AI strategies is left to the discretion of each individual company. Suitable approaches should be tailored to each specific case. Given that the process is not rigid, it is advisable to incorporate AI literacy as a continuous component of professional development and training programs.
The definition of the term "AI literacy" explicitly includes the positive requirement to understand the opportunities presented by AI, enabling the identification of potential value-adding applications.
The following groups are subject to the obligation for AI literacy:
- Individuals involved in the development of AI
- Individuals responsible for the operation of AI systems
- Individuals within a company who utilize AI systems.
The AI Act does not specify the nature of the training measures to be implemented. These may include internal training sessions, external consultations, or in-house courses.
Penalties
Although the AI Act itself does not prescribe administrative penalties for non-compliance with Article 4 AIA, non-compliance may lead to consequences. A lack of employee training is generally attributable to the employer under § 1313a of the Austrian Civil Code, even outside the scope of the AI Act. Article 4 of the AI Act serves to clarify the duty of care that businesses must exercise with respect to AI. Thus, if damages occur due to insufficient AI literacy, Article 4 AIA establishes that there was an obligation to provide appropriate training.
Further information
AI literacy is often associated with digital competence, and the two topics are indeed closely related. This is evident in the fact that AI literacy is integrated into various skills areas and sub-competencies. Moreover, AI literacy builds upon the foundation of digital skills. To successfully apply and develop AI systems and models, digital competencies are also required.
National initiatives: https://www.digitalaustria.gv.at/Strategien/DKO-Digitale-Kompetenzoffensive.html
European Commission: DigComp 2.2: The Digital Competence Framework for Citizens
European Commission: Digital skills