Article 57 of Regulation (EU) 2024/1689 — AI regulatory sandboxes. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 57 of Regulation (EU) 2024/1689 requires Member States to establish at least one AI regulatory sandbox at national level, operational no later than 2 August 2026. These sandboxes must be established by the relevant national competent authority or, where appropriate, jointly with the competent authorities of other Member States, under the coordination of the European AI Office. The sandbox framework allows providers and prospective providers of AI systems to develop, train, validate, and test innovative AI systems in a real-world or simulated environment under the direct supervision of competent authorities, before placing those systems on the market or putting them into service.
Participation does not constitute an exemption from the obligations set out in the Regulation or from applicable Union or Member State law. Competent authorities may, however, apply existing legal requirements in a flexible or adapted manner within the sandbox where doing so does not undermine the objectives of those provisions or risk harm to health, safety, or fundamental rights.
Participating organisations must submit a sandbox plan and operate pursuant to specific terms and conditions set by the authority. The sandbox runs for an initial twelve-month period, extendable by a further twelve months. Member States must report annually to the Commission on the results of their sandboxes. The Commission, in cooperation with the AI Office and Member States, shall issue guidance on the practical implementation of this Article, including selection criteria and detailed procedures for participation.
What This Means in Practice
Article 57 creates a formal, supervised pathway for organisations to innovate responsibly without waiting for the full compliance apparatus to be established. In practice, the sandbox is most relevant for startups and SMEs that are developing AI systems that may fall under high-risk classifications or that operate in legally uncertain territory, such as systems touching health, education, employment, critical infrastructure, or law enforcement.
For a company seeking to use a sandbox, the process involves identifying the competent authority in its Member State, submitting an application with a sandbox plan describing the AI system, the innovation objectives, the proposed testing methodology, and the safeguards in place. If accepted, the authority assigns a dedicated point of contact and may allow the organisation to test the system with real data or in real-world conditions that would otherwise trigger stricter pre-market obligations.
A concrete example: a startup developing an AI-based medical triage tool that would normally qualify as a high-risk AI system under Annex III could enter a sandbox to run clinically supervised pilots. During the sandbox, the authority may allow a phased application of conformity assessment requirements while monitoring the system's behaviour and the startup's compliance maturity. At the end of the sandbox period, the startup must either complete full conformity assessment and register the system in the EU database, or withdraw it.
Importantly, sandbox participation does not create regulatory immunity. Any harm caused to individuals during testing remains the provider's liability, and fundamental rights protections apply throughout. The sandbox is a testing and learning environment, not a waiver of obligations.
Key Obligations
- Establishment deadline: Each Member State must have at least one functional AI regulatory sandbox operational by 2 August 2026, under the oversight of its national competent authority or via a joint cross-border sandbox arrangement.
- Sandbox plan requirement: Participants must submit and operate under an approved sandbox plan that defines the AI system under development, the testing scope, safeguards, and intended market application.
- Continued legal liability: Participating organisations remain fully liable for any damage, harm, or rights violation caused during sandbox activities; participation confers no immunity under civil, criminal, or data protection law.
- Duration limits: Sandboxes are capped at twelve months, extendable once for a further twelve months, after which the system must achieve full compliance or be withdrawn.
- Priority access for SMEs and startups: Competent authorities must ensure that SMEs and startups have prioritised or facilitated access to sandbox programmes, including through simplified application procedures and dedicated support.
- Reporting and transparency: Competent authorities must produce reports at the conclusion of each sandbox cycle summarising activities, outcomes, and lessons learned; Member States must report annually to the Commission on the overall functioning of their sandbox programmes.
Relationship to Other Articles
Article 57 sits within Title VI (Measures in Support of Innovation) alongside Articles 58 through 63, which address sandbox-specific data processing rules, real-world testing outside sandboxes, and measures for SMEs. It is closely connected to Article 58, which establishes the data protection conditions under which personal data may be processed within a sandbox for the purpose of developing AI in the public interest.
The article also connects directly to the high-risk AI system obligations in Title III (Articles 8 to 51), since sandboxes are primarily intended to assist providers in meeting those requirements before market placement. Article 74 on market surveillance is relevant because the competent authority overseeing a sandbox may be the same body responsible for post-market supervision.
Article 57 should further be read alongside Article 3 (definitions, in particular the definitions of "provider", "prospective provider", and "AI system") and Article 96, which governs the role of the AI Office in coordinating cross-border sandbox activities and issuing implementation guidance.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, with obligations phased in over a multi-year period. Article 57 falls under the general application date of 2 August 2026, meaning Member States are required to have their AI regulatory sandboxes operational by that date.
The broader compliance calendar provides context for sandbox relevance: prohibitions on unacceptable-risk AI practices became enforceable from 2 February 2025; obligations relating to general-purpose AI models (Title VIII) applied from 2 August 2025; and obligations for high-risk AI systems listed in Annex III apply from 2 August 2026, with a further extension to 2 August 2027 for high-risk systems covered by existing Union harmonisation legislation.
This phasing means that the sandbox mechanism under Article 57 becomes available precisely as high-risk AI obligations become enforceable, giving innovative providers a structured pathway to test and refine their systems under supervision before facing the full weight of conformity assessment, registration in the EU database under Article 71, and ongoing post-market monitoring obligations under Article 72.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
An AI regulatory sandbox is a controlled framework established by one or more national competent authorities that allows AI providers and prospective providers to develop, train, validate, and test innovative AI systems under regulatory supervision, for a limited time and with reduced compliance burdens, before placing those systems on the market or putting them into service.
Access is primarily intended for SMEs, including startups, and may be extended to other participants. Providers and prospective providers of AI systems must apply to the competent authority of the Member State where they are established. Selection is based on criteria including the innovative nature of the AI system, the potential societal, health, safety, fundamental rights, or environmental benefit, and the applicant's inability to test the system in conditions that adequately simulate a real-world environment.
No. Sandbox participation does not exempt participants from applicable EU and Member State law. However, certain provisions may be applied flexibly by supervisory authorities within the sandbox. Participants remain fully liable for any harm caused during testing and must adhere to a sandbox plan agreed with the authority.
Sandboxes operate for an initial period of twelve months, which may be extended by an additional twelve months. The total duration therefore cannot exceed twenty-four months, after which the participant must either bring the system into full compliance or withdraw it from the market.
At the end of the sandbox period, participants must either demonstrate full compliance with the EU AI Act and relevant EU law before placing their system on the market, or cease deployment. The competent authority issues a report summarising the activities carried out and lessons learned, which may be made available to other authorities or the public to inform future policy.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.