Article 58 of Regulation (EU) 2024/1689 — Conditions for the establishment and operation of AI regulatory sandboxes. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 58 of Regulation (EU) 2024/1689 establishes the conditions under which AI regulatory sandboxes must be created and operated. It places a direct obligation on Member States to ensure that at least one sandbox is established at national level no later than 2 August 2026. The European Data Protection Supervisor must establish a sandbox for Union institutions, bodies, offices, and agencies falling within the scope of the Regulation.

The article sets out that sandboxes must operate on the basis of a specific plan agreed between the participant and the competent authority. Participation is time-limited, as a general rule to twelve months, extendable by a further twelve months. Selection of participants must follow transparent and fair criteria; SMEs and startups are to be given priority where they meet the eligibility conditions.

Competent authorities must provide guidance, supervision, and appropriate support to participants throughout the sandbox period. Participants remain subject to all applicable Union and national law during sandbox activities, including obligations regarding safety, fundamental rights, and data protection. Personal data processed during sandbox activities must be handled in accordance with Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2018/1725, and Directive (EU) 2016/680, and must not be used for any purpose other than those set out in the sandbox plan without explicit authorisation.

At the conclusion of the sandbox, participants must submit a final report. Competent authorities may publish a summary of results, contributing to the broader evidence base for AI regulation across the Union.

What This Means in Practice

Article 58 has practical consequences for a wide range of stakeholders — national regulators, innovators, and legal teams alike.

For national competent authorities, the article creates a binding obligation: at least one functional sandbox must exist in each Member State by 2 August 2026. Regulators that have not yet launched sandbox programmes must accelerate governance design, resource allocation, and inter-agency coordination (particularly with data protection authorities). Cross-border sandboxes, which Article 58 explicitly permits, require bilateral or multilateral coordination protocols between national authorities.

For providers and prospective providers, the sandbox offers a structured path to test high-risk or novel AI systems under regulatory supervision before full market deployment. Concretely, a startup developing a predictive risk-scoring system for credit decisions — a likely high-risk system under Annex III — could apply to participate in a national sandbox to assess conformity and refine technical documentation before the high-risk rules become fully applicable.

For legal and compliance teams, Article 58 does not create a compliance holiday. All substantive obligations under other applicable law remain in force during sandbox participation. Data protection impact assessments are still required where relevant; fundamental rights safeguards cannot be waived. What the sandbox provides is structured regulatory dialogue, early supervisory feedback, and a degree of procedural flexibility — not a derogation from substantive rules.

Organisations considering sandbox participation should engage early with their national competent authority, prepare a detailed sandbox plan covering objectives, methodology, data governance, and exit criteria, and document all decisions and outcomes thoroughly in anticipation of the final report obligation.

Key Obligations

Relationship to Other Articles

Article 58 sits within Title VI (Measures in Support of Innovation) and must be read alongside the surrounding provisions of that title. Article 57 defines what an AI regulatory sandbox is and establishes the general framework obligation, forming the foundation on which Article 58 builds its operational conditions. Article 59 addresses the specific regime applicable to processing of personal data within sandboxes, providing the data protection interface that Article 58 requires but does not itself detail. Article 60 extends analogous testing provisions to real-world conditions outside sandboxes for certain high-risk AI systems.

Beyond Title VI, Article 58 connects to the obligations of high-risk AI system providers under Title III, since sandbox participation is most relevant precisely for systems that may fall under Annex III classifications. It also interacts with Article 74 (market surveillance) and Article 70 (confidentiality), as competent authorities exercise supervisory powers within the sandbox and handle commercially sensitive information shared by participants.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, triggering a phased application schedule. The key dates relevant to Article 58 are:

Organisations and national authorities should treat 2 August 2026 as a hard deadline for sandbox readiness, not a target to plan toward at the last moment.

Official AI Act Compliance Deadline Calendar

Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

Obligation Applies to Original date New date Status Countdown Legal basis
Prohibited Practices (Art. 5) All providers and deployers active AI Act Art. 5
GPAI Rules (Chapter 5) GPAI model providers active AI Act Art. 51-56
High-risk AI — Annex III (standalone) Providers of standalone Annex III systems deferred AI Omnibus 2026 Art. 6(2)
High-risk AI — Annex I (embedded) AI embedded in Annex I regulated products deferred AI Omnibus 2026 Art. 6(1)
AI-Generated Content Marking Providers of generative GPAI systems active AI Act Art. 50(2)
Regulatory Sandboxes National competent authorities active AI Act Art. 57

Download JSON · CC BY 4.0

AI Act meets DORA and NIS2

Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.

Explore regulation-dora.eu ↗

Frequently Asked Questions

An AI regulatory sandbox is a controlled environment established by one or more national competent authorities that allows providers and prospective providers to develop, train, test, and validate innovative AI systems under regulatory supervision before placing them on the market or putting them into service.

Participation is open to providers and prospective providers of AI systems, including SMEs and startups. Selection criteria must be transparent, and national competent authorities must prioritise applicants that are SMEs or startups, provided they meet the eligibility conditions laid down in Article 58.

No. Participation in a sandbox does not exempt providers from their liability obligations under the AI Act or other applicable Union or national law. However, competent authorities may exercise their supervisory powers with a degree of flexibility during the sandbox period, provided public safety and fundamental rights protections are maintained.

The sandbox period is limited in time. As a general rule, participation lasts twelve months and may be extended once for an additional twelve months, giving a maximum total duration of twenty-four months.

Yes. Article 58 explicitly provides for the possibility of joint sandboxes involving the competent authorities of two or more Member States, supporting cross-border innovation and consistent application of the rules across the single market.

At the end of the sandbox, participants must submit a report to the competent authority describing the results of the activities carried out, the lessons learned, and, where relevant, the measures taken to ensure compliance before market placement. The competent authority may publish a summary of those results.

Stay ahead of AI Act changes

Get compliance alerts when deadlines or obligations change.

No spam. One-click unsubscribe.