GovCompass
Knowledge base
Guide

Regulatory Sandbox Explained: Innovation Space Under the EU AI Act

Updated: June 2026 — full revision to Validai quality standard

What Is a Regulatory Sandbox?

A regulatory sandbox in the EU AI Act context (Art. 57–63) is a time-limited, supervised testing environment where AI systems can be developed and validated under reduced compliance obligations. The concept originates in financial services regulation (the FCA sandbox in the UK being an early example) and has been adapted for AI governance.

The sandbox is not a loophole or an exemption. It is a structured pathway for organisations developing novel AI to access regulatory guidance and test under supervision — with the goal of transitioning to full compliance at the end of the sandbox period. Think of it as a "compliance incubator."

Legal Framework: Art. 57–63

The EU AI Act's sandbox framework creates three key structures:

  1. National sandboxes (Art. 57): Each member state must establish at least one regulatory sandbox. In the Netherlands, the Autoriteit Persoonsgegevens (AP) is the operator.
  2. Cross-border sandboxes (Art. 57.3): Member states may operate joint sandboxes for organisations working across multiple EU jurisdictions.
  3. Simplified participation for SMEs (Art. 62): The AP must design sandbox procedures specifically to accommodate SMEs and startups, including simplified application processes and tailored supervision.

How Does Sandbox Participation Work?

Application

Organisations apply to the AP with a detailed description of: the AI system to be developed, the intended use case, the testing plan, the categories of individuals who will be involved in testing, and the anticipated compliance pathway post-sandbox.

Selection

The AP evaluates applications against published criteria: innovation potential, regulatory questions requiring sandbox guidance, organisation capacity to achieve post-sandbox compliance, and risk level of the proposed AI system. Priority is given to SMEs and startups.

Sandbox Agreement

Accepted participants sign a sandbox agreement that specifies: the scope of reduced compliance obligations during testing, reporting requirements to the AP, the duration of the sandbox period, and the conditions under which the sandbox can be terminated early.

Testing and Supervision

During the sandbox, the AP provides regulatory guidance and oversight. Participants may test their AI systems with reduced documentation and conformity requirements. Regular check-ins with the AP supervisory team allow real-time regulatory questions to be resolved.

Exit

At the end of the sandbox, participants produce a sandbox closure report documenting: what was tested, what was learned, and how the AI system will achieve full compliance before market deployment. The exit report feeds directly into the conformity assessment process.

What You Still Cannot Do in a Sandbox

The sandbox reduces but does not eliminate all obligations:

  • Art. 5 prohibitions apply in full — prohibited AI practices remain prohibited in sandboxes
  • GDPR obligations apply to any personal data processed in sandbox testing
  • Participants must maintain transparency with test subjects about their involvement
  • Serious incidents during sandbox testing must be reported to the AP

Frequently Asked Questions

Q: Can we use real customer data in sandbox testing?
A: With appropriate consent and under GDPR-compliant conditions, yes. The sandbox does not create a GDPR exemption. The AP will require a detailed data management plan for any testing involving personal data.

Q: How long do sandboxes last?
A: Art. 58 specifies a maximum of 12 months, with one possible extension of 12 months. Longer-term testing must transition to standard compliance.

Q: Does sandbox participation guarantee market approval?
A: No. The sandbox is a testing environment, not a fast-track approval pathway. Systems that complete sandbox testing must still achieve full compliance before market deployment. However, the regulatory guidance received during the sandbox significantly accelerates the compliance process.

Is a Sandbox Right for Your Organisation?

The sandbox is most valuable for: organisations developing genuinely novel AI systems where the compliance requirements are unclear, startups and SMEs who would benefit from direct regulatory access, and organisations operating in multiple EU jurisdictions who need regulatory coordination. It is less valuable for organisations deploying off-the-shelf AI systems with well-established compliance pathways.