Bodo Tech

EU AI Act and Dental Practices: What Applies in 2026


The AI Literacy Obligation Is Now Reality

On 2 February 2025, Article 4 of Regulation (EU) 2024/1689, commonly known as the EU AI Act, entered into force. It established a binding obligation across all EU member states: anyone who provides or deploys AI systems must possess sufficient AI literacy (Source: European Parliament, Regulation (EU) 2024/1689, Art. 4, published in the Official Journal of the EU on 12 July 2024).

This applies to dental practices too. If you use AI-assisted digital radiograph diagnostics, deploy an AI-powered appointment scheduling system, or operate automated billing software, your practice falls within the scope of this regulation. EU Internal Market Commissioner Thierry Breton emphasised at the regulation's adoption: "The AI Act creates a clear framework that enables innovation while protecting citizens' fundamental rights -- particularly in the sensitive area of healthcare" (EU Commission, Press Release, July 2024).

What Art. 4 Specifically Requires

Art. 4 of the EU AI Act requires that providers and deployers of AI systems take measures to ensure a sufficient level of AI literacy among their staff. The regulation defines AI literacy as the ability to use AI systems competently and to be aware of both the opportunities and risks involved (Source: EU AI Act, Art. 4(1) and Recital 20).

In practical terms, this means the following for practice owners:

  • Training obligation: Staff members who work with AI systems must receive appropriate training
  • Documentation: Completed training measures should be documented
  • Proportionality: The scope of training depends on the risk level of the AI system in use and the person's role
  • Ongoing updates: AI literacy is not a one-off exercise but must be refreshed whenever systems change

Risk Categories: Where Does Dentistry Stand?

The EU AI Act classifies AI systems into four risk categories: prohibited, high-risk, limited risk, and minimal risk. Two categories are particularly relevant for dental practices.

High-Risk (Annex III)

AI systems used in medical diagnostics may qualify as a medical device and fall under the high-risk category. This applies, for example, to AI-assisted radiograph analysis classified as Software as a Medical Device (SaMD) under the EU Medical Devices Regulation (MDR 2017/745) (Source: EU AI Act, Art. 6(1) in conjunction with Annex I, Section A).

These systems are subject to additional requirements:

  • Conformity assessment by the manufacturer or a notified body
  • Risk management system in accordance with Art. 9 EU AI Act
  • Technical documentation and record-keeping obligations
  • Human oversight during use (Art. 14)

The good news: these obligations primarily fall on the manufacturer of the AI system, not on the dental practice. However, practices must ensure they only deploy certified systems and follow the manufacturer's instructions.

Limited or Minimal Risk

AI reception systems, chatbots, and automated appointment scheduling typically fall under limited risk (Art. 50, transparency obligations). The key requirement here is disclosure: patients must be informed that they are interacting with an AI system (Source: EU AI Act, Art. 50(1)).

GDPR Meets the EU AI Act: Dual Compliance

Dental practices in Germany are subject to both the GDPR (DSGVO) and the EU AI Act simultaneously. The two frameworks complement each other but also create additional requirements.

Health data is classified under Art. 9 GDPR as a special category of personal data. Processing such data through AI systems requires explicit consent or another legal basis under Art. 9(2) GDPR. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) stated in its position on the EU AI Act that the GDPR applies in full alongside the AI Act and does not lose precedence (Source: BfDI, Position Paper on the AI Act, 2024).

For practices, this means the following in day-to-day operations:

  • Data Protection Impact Assessment (DPIA): Generally required when deploying AI that processes health data (Art. 35 GDPR)
  • Data processing agreement: If an AI service provider processes patient data, a data processing agreement under Art. 28 GDPR is required
  • Data minimisation: AI systems may only process data that is necessary for the specific purpose
  • Transparency: Patients must be informed about the use of AI and the processing of their data

What Practice Owners Should Do Now

1. Take Stock of AI Systems in Use

Which systems in your practice use AI? Common examples include:

  • Radiograph diagnostics with automated findings support (e.g. caries detection, periodontal analysis)
  • Appointment scheduling and reception via digital assistants
  • Billing software with automated suggestions
  • Practice management systems with AI-assisted documentation

2. Determine the Risk Category

For each identified system: which risk category does it fall into? Medical devices with an AI component are potentially high-risk. Communication systems such as chatbots or reception assistants fall under limited risk.

3. Organise Training

Art. 4 requires demonstrable AI literacy. This means: training measures for all staff members who work with AI systems. The scope depends on the risk category and the person's role in interacting with the system.

According to a survey by the Hartmannbund, 73 percent of practising physicians say they do not feel sufficiently informed about AI regulation (Source: Hartmannbund, Survey on Digitalisation in Healthcare, 2024). In dentistry, the figure is likely similarly high. The DGZMK recommends: "Dentists should proactively familiarise themselves with the requirements of the EU AI Act before supervisory authorities begin enforcement" (DGZMK, Statement on the EU AI Act, 2024).

4. Build Up Documentation

Keep written records of which AI systems are in use, what training has been completed, and how transparency obligations are being met. This documentation is relevant in the event of an inspection by supervisory authorities.

5. Vet Your Vendors

When selecting AI systems, ensure the manufacturer meets the requirements of the EU AI Act. Ask for declarations of conformity, CE markings for medical devices, and details about the data processing architecture. Prefer vendors that process data locally and do not transfer patient data to the cloud.

Bodo Tech and Compliance

Paira, our AI reception system for dental practices, was built from the ground up with regulatory compliance as a core principle. All patient data is processed exclusively on dedicated hardware within the practice, with no cloud transfers to third countries. The GDPR-compliant architecture is described in detail in our post on GDPR-compliant AI and patient data.

To fulfil the transparency obligation under Art. 50 EU AI Act, Paira actively informs patients that they are communicating with an AI system. The technical details of our solution can be found in our post on the technology behind Paira.

For a look at how traditional practice reception compares to an AI-powered solution, see our fact-based comparison.

Frequently Asked Questions

Does the EU AI Act apply to small dental practices?

Yes. Art. 4 of the EU AI Act makes no distinction based on practice size. Any natural or legal person that deploys an AI system falls under the regulation. What matters is not the size of the practice but whether AI systems are being used. That said, the scope of obligations depends on the risk category of the system and the role of the deployer.

What penalties apply for violations of the EU AI Act?

The EU AI Act provides for fines of up to 35 million euros or 7 percent of global annual turnover, whichever is higher (Art. 99). Penalties for breaches of Art. 4 (AI literacy obligation) are lower but can still be substantial. National supervisory authorities will begin enforcement on a phased basis.

Do I need a Data Protection Impact Assessment for AI in my practice?

In most cases, yes, if the AI system processes health data. Art. 35 GDPR requires a DPIA for systematic and extensive profiling of personal aspects, for large-scale processing of special categories of data, or for systematic monitoring of publicly accessible areas. AI-assisted diagnostics and patient communication frequently fall under at least one of these criteria.

Do I have to inform patients when I use AI in the practice?

Yes. Art. 50 of the EU AI Act requires that individuals interacting with an AI system be informed accordingly. This applies in particular to AI chatbots, reception assistants, and automated communication systems. In addition, the GDPR (Art. 13 and 14) requires information about the processing of personal data. In practice, this means: a clearly visible notice at reception and in digital communication channels.

Where can I find approved AI literacy training for dental practices?

Training programmes are currently still being developed. The regional dental chambers (Zahnärztekammern) are expected to offer certified continuing education courses. Private providers are also developing courses specifically for dental practices. Make sure any training meets the requirements of Art. 4 and is ideally CME-certified. Bodo Tech provides updates on available training for Paira customers on the homepage.