Are EU member states required to establish AI sandboxes?

Yes. Article 57 of the EU AI Act requires each member state to establish at least one AI regulatory sandbox at national level, operational by August 2, 2026. Member states may also establish sandboxes at regional or local level.

Can sandbox participants process personal data for AI testing?

Yes, under specific conditions set out in Article 59. Personal data collected for other purposes may be used in the sandbox for AI development and testing, subject to safeguards including pseudonymization, access controls, and deletion after the sandbox period ends.

Do SMEs get priority access to AI sandboxes?

Yes. Article 57(6) requires that the conditions for sandbox participation take into account the specific needs of SMEs, including startups, providing them with priority access to the sandbox environment.

Does sandbox participation exempt companies from the AI Act?

No. Sandbox participants must comply with applicable legislation including the AI Act. The sandbox provides guidance, regulatory engagement, and a controlled testing environment, but does not grant exemptions from legal obligations.

How long does a sandbox period last?

The duration is agreed between the participant and the supervising authority based on the testing plan. There is no fixed period in the AI Act. Comparable programs in financial regulation typically run 6-12 months, but AI system complexity may require longer periods.

Quick answer

The EU AI Act (Articles 57-62) requires each member state to establish at least one AI regulatory sandbox by August 2026. Sandboxes provide a controlled environment where AI providers can develop, test, and validate innovative AI systems under regulatory supervision, with specific provisions for processing personal data, liability protections for good-faith participants, and priority access for SMEs and startups.

Updated June 2026 · MmowW AI Compliance

AI Regulatory Sandboxes: Purpose, Structure, and Participation Guide

What Are AI Regulatory Sandboxes

AI regulatory sandboxes are controlled environments established by national competent authorities where AI providers can develop, train, test, and validate AI systems before placing them on the market, under the direct supervision of the regulatory authority. The EU AI Act Article 57 mandates that each member state establish at least one sandbox, operational by August 2, 2026. The sandbox concept is borrowed from financial regulation (FCA sandbox, 2016) and adapted for AI's specific technical and regulatory challenges. Sandboxes are not exemptions from the law; participants must still comply with applicable legislation, but they receive guidance, regulatory certainty, and structured engagement with the authority.

Structure and Governance

Under Article 57(4), sandboxes must be designed to facilitate: (a) development and testing of innovative AI systems before placement on the market; (b) understanding of opportunities, emerging risks, and appropriateness of regulatory responses; (c) cooperation between AI providers and competent authorities; and (d) learning about applicable rules and compliance pathways. Each sandbox operates under terms and conditions agreed between the participant and the supervising authority, including the scope of AI systems covered, the testing period, applicable safeguards, and exit conditions. The European AI Office coordinates sandbox experiences across member states to ensure consistency.

Eligibility and Application

Article 57(6) prioritizes access for SMEs, including startups. Providers of high-risk AI systems seeking to test novel approaches to conformity assessment are natural sandbox candidates. The European Commission is empowered to adopt implementing acts specifying detailed sandbox rules (Article 58). Practical eligibility criteria typically include: a genuinely innovative AI system (not merely a variant of existing technology), a clear testing plan with defined objectives, willingness to share findings with the regulatory authority, and adequate resources to implement required safeguards.

Feature	EU AI Act Sandbox	UK AI Sandbox (DSIT)	Singapore AI Verify Sandbox
Legal basis	AI Act Articles 57-62	Pro-Innovation White Paper	IMDA AI Verify Foundation
Mandatory?	Yes (1 per member state)	Voluntary, regulator-led	Voluntary
Scope	All AI system types	Sector-specific (per regulator)	AI governance testing
Data processing rules	Specific GDPR carve-outs (Art. 59)	No specific carve-outs	National data law applies
SME priority	Yes (Art. 57(6))	Varies by regulator	Open to all
Duration	Agreed per participant	Typically 6-12 months	Ongoing program

Personal Data Processing in Sandboxes

Article 59 establishes specific rules for processing personal data within sandboxes. Personal data lawfully collected for other purposes may be processed in the sandbox for developing, testing, and training AI systems, subject to conditions: the data processing serves a substantial public interest; the data is necessary for detecting and correcting bias; appropriate safeguards are applied (pseudonymization, access controls, logging); data is deleted after the sandbox period ends; and processing complies with GDPR except as specifically provided. This provision addresses a critical barrier to responsible AI development: the difficulty of testing AI systems against real-world data without violating data protection rules.

Benefits for Participants

Sandbox participation offers several advantages: regulatory guidance during development reduces compliance uncertainty and costly late-stage modifications; documented sandbox testing can support conformity assessment for high-risk AI systems; the supervising authority may issue compliance opinions that carry evidential weight; participants gain early understanding of regulatory expectations and enforcement priorities; and sandbox exit reports provide a structured record of compliance efforts. Article 62 requires the European AI Office to publish annual reports on sandbox outcomes, creating transparency about the regulatory approach across the EU.

Practical Steps to Participate

Organizations interested in sandbox participation should: (1) identify the national competent authority in their member state responsible for AI sandbox administration; (2) prepare a detailed testing plan specifying the AI system, its intended purpose, the regulatory questions to be explored, and proposed safeguards; (3) assess whether personal data processing under Article 59 conditions is needed and prepare appropriate data governance measures; (4) allocate personnel to engage directly with the supervising authority throughout the sandbox period; (5) document all findings, decisions, and regulatory interactions for future conformity assessment use; and (6) plan the post-sandbox transition to full market deployment with lessons learned integrated into the compliance framework.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.