Less than a year after the EU AI Act[1] entered into force on 1 August 2024, its provisions on AI literacy and prohibited AI practices started to apply from 2 February 2025.[2]
AI Literacy
Article 4 of the EU AI Act requires providers and deployers of AI systems to introduce measures to ensure, “to their best extent”, that their personnel have a sufficient level of AI literacy.[3] Notably, this obligation applies in respect of all AI systems, irrespective of their risk categorisation. AI literacy entails equipping providers, deployers and other relevant persons with “the necessary notions to make informed decisions regarding AI systems.”[4] Indeed, ‘AI literacy’ is defined under the EU AI Act as the skills, knowledge and understanding to enable the informed use and development of AI systems, and to gain awareness about the risks and opportunities created by AI.
Although there is currently limited guidance on how to meet the AI literacy principle, it is clear that persons actively involved in the development of an AI model, or who are responsible for human oversight on the use of AI within an organisation, must achieve a comparatively higher level of AI literacy than individuals who are only occasionally exposed to AI.
As a matter of good practice, organisations should look to implement dedicated training programmes and curricula, and to maintain records of such training, including (subject to applicable privacy laws) details of the training provider, records of attendance and results of post-training surveys.
Providers and deployers should also consider whether bespoke training is required for specific roles or functions (including to account for the manner in which those roles or functions interact with, use or operate AI systems), as the EU AI Act is clear that AI literacy measures should be tailored to: (i) the technical knowledge, experience, education and training of relevant persons; and (ii) the context in which the AI system will be used (including the persons that the AI system will be used by).
The EU AI Office is running a webinar later this month on initiatives to facilitate implementation of the AI literacy principle.[5] It is anticipated that these initiatives will eventually form the basis of a public repository of practices used among members of the AI Pact for compliance with the AI literacy obligation.[6]
The EU AI Act does not contain a specific penalty for non-compliance with AI literacy measures, but the Act notes that all relevant circumstances should be taken into account when determining penalties for other infringements. A failure to adequately implement or evidence AI literacy measures could therefore impact the severity of any other enforcement action.
Prohibited AI Practices
The EU AI Act prohibits certain uses of AI systems outright.[7] These prohibited AI practices are set out in Article 5 and include, among others:
- AI systems that manipulate people’s decisions or exploit their vulnerabilities in a manner that causes or is likely to cause significant harm (note that the prohibited practice here is the effect, not the intention);
- AI systems that create or expand facial recognition databases through untargeted scraping of facial images from the internet or CCTV;
- AI systems that infer an individual’s emotions in the workplace or in educational settings (except where used for medical or safety reasons); and
- biometric categorisation systems that categorise individuals based on their biometric data to infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.[8]
Non-compliance with the prohibition of the AI practices set out in Article 5 may result in a fine of up to €35 million or 7% of worldwide annual turnover for the preceding financial year (whichever is higher).[9]
In the coming months, the European Commission is also expected to publish further guidelines on how prohibited AI practices will be identified for inclusion within the scope of the EU AI Act (which will take into account the input received during a 4-week stakeholder consultation process that the EU AI Office concluded last December).[10] [Post-publication update: the European Commission published its guidelines on prohibited AI practices on 4 February 2025.]
Key Upcoming Dates
The EU AI Act’s remaining provisions will begin to apply in a phased manner. The key dates to mark on your calendar are:
- 2 August 2025: The rules on general-purpose AI (GPAI) models will apply to any new GPAI models placed on the market after this date.[11]
- 2 August 2026: The remaining provisions of the EU AI Act start to apply, including the obligations on high-risk AI systems listed in Annex III (except for Article 6(1)).[12]
- 2 August 2027: Article 6(1) starts to apply, and pre-existing GPAI models (i.e., those placed on the market before 2 August 2025) must now also comply.[13]
- 31 December 2030: End of the separate transition period for large-scale IT systems.[14]
For more detail on how companies should prepare for the application of the EU AI Act, see our recent publication: Effective Board Oversight as AI Evolves.
[1] See Regulation No. 1689/2024 laying down harmonised rules on Artificial Intelligence.
[2] For more detail on the EU AI Act generally, see The AI Act has been published in the EU Official Journal | Cleary AI and Technology Insights.
[3] See Regulation – EU – 2024/1689 – EN – EUR-Lex, Article 4 and Recital 20. Note that this obligation applies not only to staff but also to other persons dealing with the operation and use of AI systems on their behalf.
[4] Ibid Recital 20.
[5] See https://digital-strategy.ec.europa.eu/en/events/third-ai-pact-webinar-ai-literacy.
[6] The AI Pact supports voluntary commitments to start applying the principles of the AI Act; it encourages organisations to proactively share best practices for compliance. Note, following these practices will not result in a presumption of compliance but may promote industry consensus on relevant measures. For further information, see https://digital-strategy.ec.europa.eu/en/policies/ai-pact.
[7] AI systems used for military, defence or national security purposes are excluded from the scope of the EU AI Act and thus Article 5 on prohibited practices does not apply to such AI systems. See https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng, Recital 24.
[8] See Regulation – EU – 2024/1689 – EN – EUR-Lex, Article 5(1).
[9] Ibid, Article 99(3).
[10] See Commission launches consultation on AI Act prohibitions and AI system definition | Shaping Europe’s digital future.
[11] See Regulation – EU – 2024/1689 – EN – EUR-Lex, Chapter V Article 113.
[12] Ibid. Article 6(1) concerns high-risk AI systems that are not prescribed in Annex III but are intended to be used as a safety component of a product, or where the AI is itself a product, and the product is required to undergo a third-party conformity assessment under existing specific EU laws (e.g., radio equipment, medical devices, vehicles, aviation, …).
[13] See Regulation – EU – 2024/1689 – EN – EUR-Lex, Article 113.
[14] Ibid, Article 111(1).