A health insurer switches on Microsoft 365 Copilot for 1,200 employees this month. Licences are arranged, tenant settings are configured, IT is ready. Then the compliance officer asks the question that halts the project: have we actually arranged what the AI Act requires from us now that everyone starts working with AI?
The direct answer: yes, a Copilot rollout falls under the EU AI Act, and the first obligation you hit is Article 4 on AI literacy. It has applied since 2 February 2025 and requires that everyone working with Copilot has a sufficient level of AI literacy, appropriate to their role, context and risk. No certificate requirement, but demonstrable measures: role-based training plus an evidence file showing who learned what and when.
Copilot and Article 4 in four sentences
An organization deploying Copilot is a deployer under the AI Act; Microsoft is the provider of the system and of the underlying model. Article 4 has applied since 2 February 2025 and requires an appropriate level of AI literacy for everyone working with Copilot. The level is role-dependent: a recruiter using Copilot for candidate texts needs different knowledge than a controller or a communications advisor. You build evidence with an AI inventory, a role matrix, training records and periodic management reporting.
Does Microsoft Copilot fall under the EU AI Act?
Yes. Microsoft 365 Copilot is an AI system within the meaning of Article 3(1) of the AI Act: it infers from input how to generate output and thereby influences the user's working environment. It also runs on a general-purpose AI model, for which the GPAI obligations sit with the model provider.
For the division of roles this means: Microsoft is the provider of the system and carries the obligations at system and model level. Your organization becomes the deployer when rolling it out, with obligations of its own. The most important one right now is Article 4: ensuring AI literacy among the staff operating and using the system. And because a broad Copilot rollout puts the tool in nearly everyone's hands, the target group of that obligation immediately becomes the entire organization.
Copilot itself is not a high-risk system in normal office use. That changes when you use its output for tasks listed in Annex III, for example when HR structurally uses Copilot in assessing or shortlisting candidates. For such standalone Annex III applications the high-risk obligations apply from 2 December 2027 under the Digital Omnibus. The task determines the classification, not the tool.
What does Article 4 mean for organizations rolling out Copilot?
Since 2 February 2025, Article 4 requires organizations to take measures "to their best extent" to ensure a sufficient level of AI literacy among their staff and other persons using AI systems on their behalf. Sufficient is explicitly relative: the level must match technical knowledge, experience, education and the context in which the system is used.
For a Copilot rollout this means three things in practice. First: everyone using Copilot must understand the basics, such as what the system can and cannot do, that output can be convincing yet wrong (hallucinations), and which data does and does not belong in a prompt. Second: the level must differ per role, because the risks differ per role. Third: you must be able to show that you organized this. Not because Article 4 carries its own fine (it does not), but because "how did you arrange this" is the first question a supervisor, auditor, works council or major client will ask.
The full explanation of the obligation, including the direction given by the Dutch Data Protection Authority, is in our complete AI literacy guide.
Which roles need Copilot training?
All Copilot users need a baseline level, and on top of that specific roles require depth. A workable role matrix for a Copilot rollout looks like this:
All employees (baseline). What Copilot is and how it works, responsible prompting, recognizing hallucinations, verifying output before use, and data hygiene: no special categories of personal data or confidential documents in prompts where that is not permitted.
HR and recruitment. Copilot output for vacancy texts, candidate communication or assessment drafts quickly touches bias and the boundary with Annex III. These roles must know where assistance ends and automated assessment begins.
Finance and control. Numerical Copilot output looks precise but can contain calculation errors and invented source data. Verification against source systems belongs explicitly in this training.
Legal and compliance. These roles assess not only their own use but everyone else's. They need the deepest level: the AI Act division of roles, the GDPR side of prompts, and the internal rules for acceptable use.
Communications and marketing. Anyone creating externally published content with Copilot must know the Article 50 transparency obligations that apply from 2 August 2026, including recognizably marking AI-generated content in specific cases.
Managers and system administrators. Managers must be able to oversee AI-assisted work in their teams; IT administrators must understand Copilot's tenant settings, data access and logging.
Platforms such as LearnWize are built exactly for this: role-based learning paths for AI literacy and Copilot use, with assessment, certificates and training records that together form an Article 4 evidence file.
How do you record evidence of AI literacy during a Copilot rollout?
With Article 4, evidence is the difference between "we offered an e-learning" and "we can show per role that measures are appropriate and were carried out". Four building blocks make up the file.
The first is the AI inventory: Copilot is in your AI register, with purpose, user groups, data access and the division of roles towards Microsoft. The second is the role matrix above: which role needs which level and why. The third consists of training records per employee: who completed which learning path when, with what result, and what the follow-up is for those not yet done. The fourth is periodic management reporting, so AI literacy is anchored at governance level and does not remain a one-time rollout project.
For a manual start you can use our editable AI training records template. What the full file looks like is set out in the Article 4 evidence dossier. Once hundreds of employees need to be tracked, a platform with automatic records such as LearnWize is the practical route.
Does the Digital Omnibus change this obligation?
The Digital Omnibus softens the wording of Article 4: the direct duty for providers and deployers shifts towards an institutional mandate in which the Commission and member states promote and encourage AI literacy, alongside proportionate training measures. The package has been formally approved by the European Parliament and the Council, but as of mid-July 2026 it had not yet been published in the Official Journal. Until that publication, the original text applies in law.
For a Copilot rollout little changes in practice. The reason to make employees AI literate was never the threat of a fine, because a standalone Article 4 fine does not exist. The reason is that an organization handing 1,200 people a powerful AI assistant without teaching them what it can and cannot do organizes predictable failures: leaked data in prompts, unverified output in client communication and decisions based on invented figures. AI literacy also remains part of human oversight for high-risk AI (Article 14) and a growing expectation from supervisors, clients and works councils.
Which other AI Act obligations affect a Copilot rollout?
Three adjacent obligations deserve a place in the same project. Article 50 applies from 2 August 2026 and has not been postponed: AI-generated content must in specific cases be recognizably and machine-readably marked, which is relevant for teams publishing externally with Copilot. The GDPR fully applies to everything employees put into prompts and to the documents Copilot can access via the tenant. And anyone planning to use Copilot output for Annex III tasks, such as recruitment and selection, should schedule the high-risk preparation towards 2 December 2027.
This is where AI literacy turns into AI governance: an AI register, risk classification per use case, an acceptable-use policy and an evidence rhythm. For that broader foundation, Embed AI runs an AI governance scan and a 30-day Readiness Sprint in which Copilot is taken along as the first use case.
How do you tackle this within a month?
Do not start with a generic e-learning for everyone, but with insight into where your organization stands. Put Copilot in the AI register, draw up the role matrix, and then measure the current level of AI literacy per team. Based on that, you determine which role-based learning paths are needed and where the biggest risks sit.
That first measurement takes five minutes: start the LearnWize AI literacy scan and see immediately where your team stands against what Article 4 requires.
Frequently asked questions about Copilot and AI literacy
Sources
Newsletter
Every Tuesday, the AI Act week ahead in 5 minutes
A practical briefing on deadlines, new guidance and enforcement, so you know what matters this week. No spam and you can unsubscribe in one click.
Practical and short · No spam · One-click unsubscribe