Start with AI literacy, definitions, and oversight.
If you lead technology or strategy in an international school in Europe, the EU AI Act can feel like a lot. Law, commentary, strong opinions. The way through it is not panic, massive consultation fees or paperwork theatre. It is building a shared, practical baseline.
Can you recognize your school in this statement?
“Our Approach to AI”
We use AI tools thoughtfully and appropriately to support learning and school operations, aligned with the EU Charter of Fundamental Rights, the EU AI Act, and data protection standards based on GDPR.
We will be explicit about what AI literacy means in our school and what “competent human oversight” looks like in practice. We will train staff on GDPR risks that show up in everyday AI use, especially where children’s data is involved. We will keep an eye on guidance from the EU AI Office and update our approach as needed.
The EU AI Act is the EU’s framework for governing artificial intelligence in a risk-based way. It is designed to support innovation while protecting health, safety, and fundamental human rights. This isn’t saying all AI is dangerous. It’s saying some uses carry bigger consequences, so the rules scale up with the risk.
If your school is already using tools with adaptive learning, automated feedback, analytics, or generative features, you are already in the world the EU AI Act is trying to regulate.
A quick timeline you can plan around
The EU AI Act became law on 1 August 2024 followed by phased application. Recent changes by the “Digital Omnibus Act” moved some deadlines without changing legal requirements.
Schools should treat 2026 and 2027 as a window to build governance and shared understanding, not a window to wait.
If you want to get oriented fast, focus on these definitions and concepts. They can help your school to drive everything else and ensure your school has a shared understanding of the regulation.
The AI Act is scoped around the concept of an AI system. Vendors will sometimes use language like AI powered, intelligent, adaptive, or analytics, and sometimes try to avoid saying AI at all. That is why the Commission published guidelines on the AI system definition early 2025, explicitly to help organizations apply the AI Act’s rules in practice.
The definition is designed to capture machine-based systems that can operate with some level of autonomy and generate outputs that influence environments. In school terms, many adaptive, analytic, or generative education tools will likely fall in scope even if the feature set looks “simple” on the surface.
Schools are usually deployers (Article 3.(4)), meaning they use an AI system under their authority in a professional context. Vendors are usually providers (Article 3.(3)), meaning they develop, or place the system on the market or put it into service under their name.
This matters because the obligations are not symmetrical. Providers carry the heavier burden across design and documentation. Deployers carry different set of operational responsibilities.
There is also a practical warning for ambitious schools. If a school substantially modifies a system, builds its own system around a model, or puts something into service under its own name, it can start drifting into provider territory. You can do that, but you should do it knowingly, because the obligations and expectations change.
Schools usually only work with a user facing system, like a chat interface or an “AI powered” education app. The real capability often comes from an underlying model. In many modern tools the AI model is general purpose, while the AI system is the wrapper, the interface, and the product logic built around it.
This split matters because you may never contract directly with the model developer. You contract with a vendor who wraps the model into an education product. From a governance perspective your school is still the deployer of the system. That means you need to understand what the system does and what data it touches, even if the model sits behind several layers of vendors.
This is where I think schools should invest their available resources. AI Literacy is an expectation.
AI literacy is defined, and it is not optional as an organizational topic
The EU Commissions and the AI Act defines AI literacy not just as technical knowledge, but also awareness of opportunities, risks, possible harm, and the ability to make informed decisions about AI systems.
The problem for schools is that the law can only go so far. It does not tell you what “sufficient AI literacy” looks like for your classroom, your staff room, or your safeguarding environment.
The school must unpack it, but not as a generic session but as a shared operational and educational definition.
Article 4, the literacy requirement that changes what schools must do
Article 4 is the practical hook. It requires providers and deployers to take measures to ensure, to the best extent, a sufficient level of AI literacy for staff and others operating or using AI systems on their behalf, taking account of context and the persons or groups the system is used on.
In schools, that last part is decisive. Even if the AI Act is not a child protection law, the reality of school deployment is that children are the primary affected persons. Your AI literacy measures must be shaped around that.
This is why I keep coming back to the same governance message. If the school does not define literacy and oversight, teachers and students will interpret it on their own.
Recital 20 and Recital 56, why education is singled out
Recital 20 frames AI literacy as part of equipping providers, deployers, and affected persons to make informed decisions and understand risks. It is one of the clearest policy signals that literacy is not fluff, it is a tool for responsible deployment.
Recital 56 is the education specific signal. It links AI deployment in education to high quality digital education and the development of skills like critical thinking and media literacy. It is the AI Act saying, in plain terms, education is a context where literacy matters and where the impacts can be serious.
For schools, this is permission and pressure at the same time. Permission to treat AI literacy as core to teaching and learning. Pressure to treat AI literacy as an organizational responsibility, not a personal hobby.
Competent human oversight, define it before everyone invents their own version
Schools also need to put “competent human oversight” on the table as early as possible.
People often hear “human oversight” and think it means someone clicks approve of looks over the output. That’s not competent oversight. Real oversight means understanding and seeing what the system is doing well enough to catch failure modes, bias, and misuse, and to intervene when needed. Article 14 is one of the core places where that concept is operationalized for high-risk systems.
Even if you are not yet classifying everything as high risk today, you should still define oversight as a house standard. Otherwise, a teacher will treat oversight as proofreading, a student will treat oversight as trusting the output, and a leader will treat oversight as vendor assurances. You end up with three different meanings inside one organization.
A school level definition could be as direct as this:
· Oversight means staff can explain when the system might be wrong.
· Oversight means staff understand what inputs are risky.
· Oversight means staff know when not to use the tool at all.
· Oversight means staff can override the tool and document why in high impact contexts.
The content and the tools will evolve, but the point is consistency.
GDPR and the AI Act, you cannot separate them in a school
Now the part that is very easy to say and hard to operationalize.
Most AI use in schools is also personal data processing. That means GDPR is always in the room, even when the AI Act is the headline.
The practical risk in schools is not only student names. It is inference and linkage. Here is an example that is happening in your classrooms today.
A teacher thinks they are being careful and writes into an AI assistant:
· “I’m worried about a brown eyed student in my Grade 8 class.”
Two weeks later:
· “Bob in my Grade 8 class is struggling.”
Later:
· “Bob has brown eyes.”
A powerful system can connect the dots. We might have forgotten the lessons from the large social media companies and how they harvested and manipulated user data, but that data is forever there. An AI system might retain chat history, learn user habits, or link sessions in ways staff do not understand. It might infer identity even when the user believes they have kept things anonymous. This is why AI literacy and GDPR literacy belong together. The AI Act is pushing schools to raise competence. Schools should use that push to re-teach what personal data is, what profiling can look like in practice, and why “do not paste names” is not a sufficient safeguard.
This first part has given us the foundation of the shared language, the key definitions, and the organizational commitments we need to make as international schools in the EU. You don’t need to solve everything immediately. You just need to start with a clear understanding.
In the next article, we’ll move from the “why” and “what” into the practical “how”. We’ll look at how to actually shape AI governance in your school, how it should work day-to-day, and how it should connect with your Data Protection Officer. That’s where the real operational impact happens.