The AI Obligation Almost Every Mid-Market Company Overlooks
Since February 2025, the EU AI Act requires every company using AI to ensure adequate AI competence among employees. What the obligation means, what it does not, and why waiting is the wrong reflex.

Most mid-market executives I speak with assume the EU AI Act does not concern them. That it is a matter for big tech companies and AI developers. This is a mistake, and it can become expensive.
Since February 2025, Article 4 of the AI Regulation imposes an obligation that affects virtually every company that uses AI. Not only those that develop AI, but also those that merely use it. And by now, nearly all of them do — often without having consciously decided to.
What Article 4 actually requires
The core is straightforward: anyone who deploys AI systems in their company must ensure that the people working with them have adequate AI competence. This applies to your own employees and to people working with AI on your behalf. It applies regardless of how risky the AI being used is. A chatbot for drafting texts falls under it just as much as an AI that informs personnel decisions.
What the obligation does not require is equally important. It prescribes no specific training format, no certificate, no minimum number of hours. The legislator deliberately leaves open how you establish the competence. This creates both freedom and uncertainty.
What happens if you breach it — and what does not
Here it gets interesting, because the common picture is wrong. There is no direct fine specifically for a breach of Article 4. Failing to take AI competence measures does not automatically result in a penalty.
The costs arise indirectly, which does not make them any smaller. If a lack of AI competence causes damage — say a data-protection incident or a flawed automated decision — the missing training can be construed as a breach of duty of care. In a liability case, a company that demonstrably trained and documented stands significantly better than one that did nothing. On top of that, uncontrolled AI use creates its own GDPR risks with their own fines. The enforcement mechanism of the AI Act ramps up gradually and will tighten over the coming years.
Why waiting is the wrong reflex
Many executives hear no direct fine and set the topic aside. That is understandable and short-sighted.
The real reason to act is not the law. It is the fact that the competence genuinely is lacking. Those who do not train their people do not just have a compliance problem — they are leaving productivity on the table and producing risk. The law merely describes a gap that already exists. The obligation is more an occasion to do something overdue than an additional burden.
What to do in concrete terms
Three steps suffice to start:
Take stock. Who in the company uses which AI for what, and how competently? This is the same stocktake that also makes the shadow AI problem visible. One effort, two insights.
Tiered training. Not everyone needs the same thing. A managing director must understand strategic and legal aspects. An administrator needs safe daily operation. A developer needs technical depth. Training by role, not by watering can.
Documentation. Record what you have done. In a liability case, what counts is proof that you took appropriate measures. A brief record suffices — it just needs to exist.
The bottom line
The EU AI Act is neither a bureaucratic monster to be feared nor a paper tiger to be ignored. Article 4 compels you to do something that pays off in its own right: letting your people work with AI competently and safely. Those who treat it as a pure compliance tick-box miss the actual benefit. Those who use it as an occasion to finally bring order to AI in the business fulfil the obligation along the way.