GovCompass

Regulatory sandboxes: innovation under EU AI Act supervision

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Regulatory sandboxes under Art. 57–63 are controlled environments, supervised by the national authority, in which organisations can develop and test innovative AI systems with guidance and temporary relief from certain administrative requirements, without suspending the material safeguards or incident-reporting duties.

Updated: June 2026

Introduction: the sandbox as innovation policy tool

The EU AI Act's regulatory sandbox framework (Art. 57–63) acknowledges a tension inherent in technology regulation: rules designed to address today's risks can inadvertently prevent tomorrow's innovation. Regulatory sandboxes are the legislative response, a structured environment in which AI systems can be developed, tested, and validated under regulatory supervision, with reduced compliance obligations during the development phase.

What is a regulatory sandbox?

A regulatory sandbox under the EU AI Act is a controlled testing environment established by national competent authorities. Within the sandbox, participants may develop and test AI systems, including potentially high-risk systems, without the full compliance obligations that would normally apply to market deployment. The sandbox is time-limited and operates under a supervised framework: the authority monitors the testing and participants must comply with the terms of their sandbox agreement.

Who can apply?

Art. 57 provides that national authorities shall establish at least one regulatory sandbox within each member state. Priority access is given to:

  • Startups and SMEs
  • Micro-enterprises
  • Innovative organisations developing novel AI approaches

Larger organisations may access sandboxes, but the selection criteria explicitly prioritise smaller innovators with limited resources to navigate full compliance frameworks.

Benefits of sandbox participation

  • Reduced compliance burden during testing: Sandbox participants are not required to meet all Art. 9–27 obligations during the testing phase
  • Regulatory guidance: Direct access to supervisory authority expertise, invaluable for navigating grey areas in the regulation
  • Liability protection: Art. 62 provides that market surveillance authorities shall not impose fines for violations that occur in good faith during sandbox testing, subject to conditions
  • Regulatory certainty post-sandbox: Testing under supervisory oversight builds the evidentiary record that supports full market deployment approval

The Dutch sandbox

In the Netherlands, the Autoriteit Persoonsgegevens (AP) is the designated authority for EU AI Act regulatory sandboxes. The AP has announced its sandbox programme structure and is accepting expressions of interest. Dutch organisations interested in sandbox participation should contact the AP's AI regulatory team directly.

Sandbox vs market deployment

The sandbox does not provide a permanent exemption. Once testing concludes, organisations must achieve full compliance before market deployment. The sandbox is best understood as a fast-track pathway to compliance, with regulatory guidance that accelerates the journey, rather than an alternative to compliance.

Compliance checklist

  1. Are any of your AI development projects at a stage where sandbox participation would be beneficial?
  2. Have you assessed whether your organisation qualifies for priority sandbox access (SME/startup)?
  3. Have you reviewed the AP's sandbox programme terms?
  4. Is there an internal process for evaluating sandbox applications?

Legal references: Art. 57, Art. 58, Art. 73

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI


Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI


Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs


Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer


Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Safety & reliability

Art. 14 EU AI Act: designing high-risk AI for human oversight


Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.4 EU AI Act: input data quality for deployers


Art. 26.4 requires deployers of high-risk AI to ensure that input data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the specifications under Art. 10.

Art. 26.5 EU AI Act: post-market monitoring for deployers


Art. 26.5 requires deployers of high-risk AI to monitor the system's operation against the provider's instructions and to report risks and serious incidents. Monitoring is the early-warning mechanism that connects to incident reporting under Art. 73.

Art. 5 EU AI Act: all 8 prohibited AI practices explained


Art. 5 lists the eight prohibited AI practices, including subliminal manipulation, exploitation of vulnerable groups, social scoring, and untargeted facial-recognition scraping. These prohibitions are absolute, apply to every organisation regardless of size, and have been in force since 2 February 2025.