AI literacy · EU AI Act · UK · Gulf
Your people are already required to be AI-literate. Most companies don't know it yet.
Since 2 February 2025, the EU AI Act has required every company that uses AI to ensure its staff are AI-literate. Enforcement and supervision begin on 2 August 2026, and the UK and the Gulf are moving the same way. The duty is being simplified, not removed, and the people who ask about it loudest now are enterprise buyers running their checks. GRABS builds the programme that satisfies it: a baseline everyone gets, role-based depth where the stakes are higher, and the records to prove it.
What the law actually says.
Article 4 of the EU AI Act (Regulation 2024/1689) requires providers and deployers of AI systems to ensure a "sufficient level of AI literacy" among staff and anyone operating AI on their behalf. It applies to nearly every business that touches AI, including companies that simply use a tool like ChatGPT internally. There is no mandated curriculum, certificate or exam; the duty is to take proportionate, documented measures. A 2026 simplification package (the "Digital Omnibus", politically agreed in May 2026 and expected to be formally adopted around July 2026) reframes the duty as an obligation of effort rather than a guaranteed result, but the duty, the 2 August 2026 enforcement date, and the commercial pressure behind it all remain.
Last reviewed 26 June 2026. This page is general information about AI-related obligations in the EU, the UK and the Gulf, not legal advice. These frameworks are evolving (notably the EU Digital Omnibus, expected to be adopted around July 2026), and dates and obligations may change. Check your specific obligations with a qualified adviser.
Where this applies: the EU, the UK and the Gulf.
One programme, three regulatory realities. The duty looks different in each market, but trained, documented staff is the answer in all three.
EU — a duty already in force.
Article 4 has required AI literacy since 2 February 2025; enforcement supervision begins 2 August 2026. It reaches you even from outside the EU if your AI's output is used there.
UK — principles, not a single law (yet).
No UK AI Act; instead five cross-sector principles applied by the ICO, FCA and others, plus UK data-protection duties on automated decisions, and the EU Act on top if you serve EU users. Regulators increasingly expect a named AI owner, governance and trained staff.
The Gulf — government-led, moving fast.
Binding data-protection laws (the UAE and Saudi PDPLs) cover automated decisions, alongside national AI ethics frameworks (the UAE AI Charter, Saudi SDAIA principles), sector guidance such as the UAE central bank's AI note, and procurement that increasingly demands governance, oversight and a capable workforce. Saudi Arabia has named 2026 its "Year of AI"; ISO 42001 is fast becoming the badge tenders look for.
Wherever you operate, the common denominators are the same: people who understand the AI they use, oversight where decisions matter, and a record that proves it. That is what the programme delivers.
Built for the Gulf
In the Gulf, AI governance is government-led and moving fast, and the programme is built to the badges that matter there: aligned with ISO/IEC 42001, the international AI-management standard SDAIA itself holds and that Gulf tenders increasingly look for, and with the SDAIA AI Ethics Principles and the UAE AI Charter. Training your people pass, governance your regulators recognise, and a record your procurement teams can show.
Why this is a buying decision, not just a compliance one.
- → Your customers are already asking. Procurement and security questionnaires, and Gulf tenders, now ask whether your staff are trained on AI. A missing programme is a visible gap that slows or stops a deal.
- → Untrained AI is a liability. When an untrained employee causes harm with an AI system, the absence of a documented programme makes any defence harder. A record is cheap insurance.
- → Training is how AI actually lands. Without role-based literacy you get weaker adoption, more data leaking into the wrong tools, and more decisions taken on autopilot. The programme pays for itself in use, not just in compliance.
The programme.
Four levels. Everyone gets the baseline; depth is added where the stakes rise. Proportionate to the role and the risk, exactly what the law asks for, and what makes AI safe to use.
| Level | Who it's for | Objective | What it covers | You leave with |
|---|---|---|---|---|
| Foundation AI literacy baseline | Every employee who uses any AI tool | Meet the baseline duty: understand what AI is, how the tools you use behave, where they fail, and how to use them safely | What AI is and isn't · the AI already in your business · capability and limits (hallucination, bias, drift) · safe prompting and the data you must never paste · spotting AI-generated content · when to stop and ask a human | Confident, responsible everyday use · completion recorded |
| Practitioner working with AI in your role | Heavy AI users by function (sales, marketing, finance, ops, HR, support) | Use AI well and safely in a specific function, with quality control and confidentiality discipline | Function-specific use cases and guardrails · checking and correcting AI output · client- and personal-data rules for your function · prompt patterns that work for the role | Role-competence · recorded |
| Oversight supervising AI decisions | Managers, and anyone overseeing consequential AI (recruitment, performance, credit, pricing) | Provide meaningful human oversight: supervise AI in high-stakes decisions, catch automation bias, know the override and escalation paths | Meaningful human oversight in practice · bias and discrimination · recognising "high-risk" and consequential use · documenting oversight and decisions | Oversight-ready · recorded |
| Governance owning your AI posture | Leadership, founders, compliance and risk owners | Own the organisation's AI posture across the regimes that apply to you (EU / UK / Gulf) and hold the evidence | The AI-use policy · provider vs deployer duties · the obligation map for your markets (EU AI Act · UK principles + ICO/FCA · Gulf PDPLs + SDAIA/UAE Charter + ISO 42001) · building the evidence and attestation file · what to do when enforcement or procurement asks | A named owner and a documented programme · attestation issued |
What every level ships with.
- ● A written, plain-English AI-use policy your team can actually follow.
- ● An attestation record: who was trained, on what, to what level, and when.
- ● Sector-tailored examples and scenarios that match the work your people do.
- ● Refreshes as the law and the tools change: literacy is not a one-time tick-box.
How it's delivered.
The GRABS way: short, scenario-based modules, not lectures. Days, not months. Tailored to your stack and your sector, and aligned with ISO/IEC 42001 and, for the Gulf, the SDAIA AI Ethics Principles where you need it. Measured and recorded, and finished with an attestation you can hand to a regulator or a buyer.
The record is the point
Every regime expects you to show what you did: the EU asks for proportionate, documented measures; Gulf regulators and tenders expect governance records; enterprise buyers ask for proof in procurement. So we don't just train your people, we attest it: a clear record of who learned what, to what level, and when, the artefact you hand over without scrambling.
Already running a GRABS team? Literacy is part of the engagement.
The moment you deploy a GRABS team, you are a deployer of AI, and the literacy duty is yours. We build it into the engagement: your people learn to work with the team safely, and your obligation is covered with a record at handover. Not yet ready for a team? Start here. Literacy is the cheapest, fastest first step toward AI Act readiness, and the worst outcome is a trained team and a documented programme.
Questions buyers ask.
Is this actually the law, or hype? +
In the EU it's law: Article 4 of the EU AI Act has applied since 2 February 2025, with enforcement supervision from 2 August 2026. The 2026 Digital Omnibus reframes the duty as an obligation of effort rather than result, but the duty, and the commercial pressure behind it, remain.
We're outside the EU — does this still matter? +
Yes. The EU Act reaches you if your AI's output is used in the EU. In the UK, sector regulators and data-protection law already expect trained staff and a named AI owner. In the Gulf, data-protection laws, national AI ethics frameworks and procurement increasingly demand governance and a capable workforce. The destination is the same; we get you there once.
Does this align with ISO 42001 or SDAIA? +
Yes. The programme is built to align with ISO/IEC 42001, the international AI-management standard, and, for Gulf engagements, the SDAIA AI Ethics Principles and the UAE AI Charter. We map the training and the records to the governance and procurement expectations buyers and regulators in the region actually check.
We only use ChatGPT internally. Does this apply to us? +
Yes. Using any AI system makes you a "deployer," and the literacy duty applies regardless of risk tier. It is one of the broadest obligations in the Act, and one of the easiest for a buyer or regulator to ask about.
Is there a required course or exam? +
No. The law prescribes no curriculum, certificate or exam, only proportionate, documented measures. We give you a baseline, role-based depth, a written policy and the records, sized to your business.
What are the penalties? +
In the EU there is no standalone fine for the literacy duty; it sits under the general tier, up to €15M or 3% of worldwide annual turnover, the lower figure for SMEs, and counts as an aggravating factor in any wider breach. The more immediate cost is commercial: a missing programme that a buyer's questionnaire or a Gulf tender exposes.
Get your team AI-literate before the deadline.
Register your interest and we'll line up a programme sized to your business, or book a scoping call now. The worst outcome is a trained team and a documented record.