GovCompass

Regulatory sandbox explained: innovation space under the EU AI Act

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Joining a national AI regulatory sandbox under Art. 57-63 follows a structured path: prepare a project dossier, apply in one of the submission windows, sign a sandbox agreement with the supervisor, report progress and incidents during testing, and produce a final report that supports full compliance afterwards.

Updated: June 2026

What is a regulatory sandbox?

A regulatory sandbox in the EU AI Act context (Art. 57–63) is a time-limited, supervised testing environment where AI systems can be developed and validated under reduced compliance obligations. The concept originates in financial services regulation (the FCA sandbox in the UK being an early example) and has been adapted for AI governance.

The sandbox is not a loophole or an exemption. It is a structured pathway for organisations developing novel AI to access regulatory guidance and test under supervision, with the goal of transitioning to full compliance at the end of the sandbox period. Think of it as a "compliance incubator."

Legal framework: Art. 57–63

The EU AI Act's sandbox framework creates three key structures:

  1. National sandboxes (Art. 57): Each member state must establish at least one regulatory sandbox. In the Netherlands, the Autoriteit Persoonsgegevens (AP) is the operator.
  2. Cross-border sandboxes (Art. 57.3): Member states may operate joint sandboxes for organisations working across multiple EU jurisdictions.
  3. Simplified participation for SMEs (Art. 62): The AP must design sandbox procedures specifically to accommodate SMEs and startups, including simplified application processes and tailored supervision.

How does sandbox participation work?

Application

Organisations apply to the AP with a detailed description of: the AI system to be developed, the intended use case, the testing plan, the categories of individuals who will be involved in testing, and the anticipated compliance pathway post-sandbox.

Selection

The AP evaluates applications against published criteria: innovation potential, regulatory questions requiring sandbox guidance, organisation capacity to achieve post-sandbox compliance, and risk level of the proposed AI system. Priority is given to SMEs and startups.

Sandbox agreement

Accepted participants sign a sandbox agreement that specifies: the scope of reduced compliance obligations during testing, reporting requirements to the AP, the duration of the sandbox period, and the conditions under which the sandbox can be terminated early.

Testing and supervision

During the sandbox, the AP provides regulatory guidance and oversight. Participants may test their AI systems with reduced documentation and conformity requirements. Regular check-ins with the AP supervisory team allow real-time regulatory questions to be resolved.

Exit

At the end of the sandbox, participants produce a sandbox closure report documenting: what was tested, what was learned, and how the AI system will achieve full compliance before market deployment. The exit report feeds directly into the conformity assessment process.

What you still cannot do in a sandbox

The sandbox reduces obligations but does not eliminate them:

  • Art. 5 prohibitions apply in full: prohibited AI practices remain prohibited in sandboxes
  • GDPR obligations apply to any personal data processed in sandbox testing
  • Participants must maintain transparency with test subjects about their involvement
  • Serious incidents during sandbox testing must be reported to the AP

Frequently asked questions

Q: Can we use real customer data in sandbox testing?
A: With appropriate consent and under GDPR-compliant conditions, yes. The sandbox does not create a GDPR exemption. The AP will require a detailed data management plan for any testing involving personal data.

Q: How long do sandboxes last?
A: Art. 58 specifies a maximum of 12 months, with one possible extension of 12 months. Longer-term testing must transition to standard compliance.

Q: Does sandbox participation guarantee market approval?
A: No. The sandbox is a testing environment, not a fast-track approval pathway. Systems that complete sandbox testing must still achieve full compliance before market deployment. However, the regulatory guidance received during the sandbox significantly accelerates the compliance process.

Is a sandbox right for your organisation?

The sandbox is most valuable for: organisations developing genuinely novel AI systems where the compliance requirements are unclear, startups and SMEs who would benefit from direct regulatory access, and organisations operating in multiple EU jurisdictions who need regulatory coordination. It is less valuable for organisations deploying off-the-shelf AI systems with well-established compliance pathways.

Legal references: Art. 57, Art. 58, Art. 61

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.