This document is an excerpt from the EUR-Lex website
Document 32025R1420
Commission Implementing Regulation (EU) 2025/1420 of 17 July 2025 laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and the operation of the interoperability regulatory sandboxes
Commission Implementing Regulation (EU) 2025/1420 of 17 July 2025 laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and the operation of the interoperability regulatory sandboxes
Commission Implementing Regulation (EU) 2025/1420 of 17 July 2025 laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and the operation of the interoperability regulatory sandboxes
C/2025/4756
OJ L, 2025/1420, 18.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1420/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
|
Official Journal |
EN L series |
|
2025/1420 |
18.7.2025 |
COMMISSION IMPLEMENTING REGULATION (EU) 2025/1420
of 17 July 2025
laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and the operation of the interoperability regulatory sandboxes
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2024/903 of the European Parliament and of the Council of 13 March 2024 laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act) (1), and in particular Article 12(10) thereof,
Whereas:
|
(1) |
Regulation (EU) 2024/903 introduced the interoperability regulatory sandboxes as an innovation support measure to enhance the development of innovative interoperability solutions and the cross-border interoperability of trans-European digital public services. |
|
(2) |
In order to address the specific cross-border innovation and interoperability-related needs of public sector authorities, public sector bodies or Union entities may establish an interoperability regulatory sandbox pursuant to Article 11 of Regulation (EU) 2024/903. Interoperability regulatory sandboxes are fora to create regulatory learnings that are informed by data coming from targeted projects aiming to develop, train, test or validate innovative interoperability solutions. For interoperability solutions this innovation can concern all interoperability layers (legal, organisational, semantic or technical), where this innovative element can be seen as the introduction of something new or significantly improved. To assess, if something is new or improved, the context is relevant what is innovative in one sector or Member State may be commonplace in another. The interoperability regulatory sandboxes can give room to experiment with a broad range of innovative interoperability solutions that can support better cross-border interoperability of public services. An interoperability regulatory sandbox evolves around open regulatory questions, especially in cross-border contexts, that are discussed with the relevant regulators that can come from different sectors, administrative levels and Member States. In the case that only technical experimentation is needed, such experimentation can happen in other forms, such as testbeds or innovation labs, and no interoperability regulatory sandbox is needed. In accordance with Article 11(4) of Regulation (EU) 2024/903, interoperability regulatory sandboxes are by default joint endeavours of several Union entities and/or public sector bodies that work together towards more legal certainty in the frame of an interoperability regulatory sandbox. In that sense, interoperability regulatory sandboxes are established through specific agreements between the different collaborating entities (such as a Memorandum of Understanding). Cooperation within the interoperability regulatory sandboxes can build on existing cross-border cooperation mechanisms. For this reason, public sector bodies or Union entities forming a consortium (e.g. a European Digital Infrastructure Consortium or European Grouping Territorial Cooperation) can establish an interoperability regulatory sandbox as well. |
|
(3) |
To foster innovation, several national and Union wide regulatory sandboxes have been established or are in the process of being established under various Union legislative instruments, such as, but not limited to, the EU Blockchain Regulatory Sandbox, the setting up of AI regulatory sandboxes under Regulation (EU) 2024/1689 of the European Parliament and of the Council (2), and the Net-zero regulatory sandboxes to promote innovation in the field of net zero technologies under Regulation (EU) 2024/1735 of the European Parliament and of the Council (3). While some regulatory sandboxes may be sectorial, the interoperability regulatory sandboxes established under Regulation (EU) 2024/903 specifically focus on innovative solutions for Trans-European digital public services. To ensure alignment with the objectives of Regulation (EU) 2024/903, these sandboxes must adhere to specific criteria. Such criteria serve to determine which regulatory sandboxes will be featured on the Interoperable Europe Portal and monitored by the Interoperable Europe Board, established in accordance with Article 15 of Regulation (EU) 2024/903. The checklists provided in the Annex to this Regulation and the guidelines and clarifications that the Commission may issue in accordance with Article 11(3) of Regulation (EU) 2024/903 support public sector bodies and Union entities in assessing their compliance with these criteria. This enables the Commission to fulfil its task under Article 12(9) of Regulation (EU) 2024/903 of ensuring that information on the interoperability regulatory sandboxes is available on the Interoperable Europe portal. The check and authorisation of interoperability regulatory sandboxes by the Commission does not constitute an assessment of the legality of activities of the participants within such sandboxes. All participants remain fully liable for their activities as set out in Article 12(5) of Regulation (EU) 2024/903. The supervisory and corrective powers of competent authorities over these sandboxes remain unaffected, in accordance with Article 12(4) of Regulation (EU) 2024/903. |
|
(4) |
While interoperability regulatory sandboxes can provide a forum for different forms of collaboration between the interoperability regulatory sandbox coordinators, the respective regulators and other actors, the specific agreement establishing the interoperability regulatory sandbox serves the purpose to clearly set out which working methods between the interoperability regulatory sandbox coordinators and other actors are envisioned. The specific agreement should make transparent which type of other actors are eligible to join the interoperability regulatory sandbox, specify at which point in the lifespan of the interoperability regulatory sandbox and under which conditions they can participate. This is necessary to prevent any detrimental factors to the objectives of the interoperability regulatory sandbox. The specific agreement establishing the interoperability regulatory sandbox should also create transparency vis-à-vis the planned interactions with actors that have to be involved in the process pursuant to applicable law, such as Article 11(1) of Regulation (EU) 2024/903, which provides that interoperability regulatory sandboxes entailing the processing of personal data are to be operated under the supervision of the national data protection authorities or the European Data Protection Supervisor. The necessary engagement of the data protection supervisory authorities depends on different factors such as the complexity of the data processing operations in the envisioned projects in the interoperability regulatory sandbox, the categories and amount of data concerned as well as the risks associated with the processing. The operation of the interoperability regulatory sandboxes under the supervision of data protection authorities, where the interoperability regulatory sandboxes entail personal data processing, should be understood as an additional task for the data protection authorities, conferred on them by Regulation (EU) 2024/903, and a condition for the proper operation of the interoperability regulatory sandboxes. Following the application of Union data protection law to any personal data processing in the context of the implementation of Regulation (EU) 2024/903, data protection authorities should be provided the necessary resources for the performance of their new tasks. In the case that data protection authorities from different Member States and from EU level are involved in the interoperability regulatory sandbox, the cooperation of these authorities can also build on the respective mechanisms, referred to in Article 61 of Regulation (EU) 2016/679 of the European Parliament and of the Council (4), in Article 61 and Article 62 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5). |
|
(5) |
To ensure that participation in the interoperability regulatory sandboxes is based on a specific plan in accordance with Article 12(3) of Regulation (EU) 2024/903, the regulatory sandbox coordinators ought to select one or more suitable projects and ensure the establishment of a specific plan for each of them, containing all elements outlined in Article 12(3) of Regulation (EU) 2024/903.Whether the specific plan on the projects running in the interoperability regulatory sandboxes is developed by the regulatory sandbox coordinators or by other actors invited by them will depend on the governance structure employed for the interoperability regulatory sandbox. What ought to be clearly established by the regulatory sandbox coordinators throughout the lifespan of the interoperability regulatory sandbox, is how the specific deliverables will feed into the regulatory learning objectives of the interoperability regulatory sandbox. |
|
(6) |
To support such objectives, Article 11(3) of Regulation (EU) 2024/903 foresees that the Commission may issue guidelines and clarifications. The Commission shall create a dedicated interface for information on the interoperability regulatory sandboxes, that will make public relevant details regarding the established interoperability regulatory sandboxes and the projects running within the interoperability regulatory sandbox. To promote broad and equitable access to the interoperability regulatory sandboxes, information on how to establish an interoperability regulatory sandbox should be made readily and easily accessible to the potential regulatory sandbox coordinators on the Interoperable Europe Portal in accordance with Article 12(9) of Regulation (EU) 2024/903. The Interoperable Europe Portal can also facilitate the networking of stakeholders interested in establishing or joining an interoperability regulatory sandbox. The Portal will also serve as a critical tool for ensuring effective regulatory learning outcomes. Final reports and related regulatory insights will be published here, as well as the related recommendations from the Interoperable Europe Board. |
|
(7) |
In order to accommodate the specific needs for the development, training, testing and validation of innovative interoperability solutions, in the interoperability regulatory sandbox, regulatory sandbox coordinators may include other natural or legal persons, such as other public sector actors, Union entities, research institutions, GovTech actors including SMEs and Startups, actors from the AI innovation ecosystem, provided they meet the criteria specified in Article 12(1) of Regulation (EU) 2024/903. This does not entail changes on the responsibilities of the interoperability regulatory sandbox coordinators, nor of the participants who ought to uphold the specific agreement conditions upon entering an interoperability regulatory sandbox. The purpose of including the GovTech actors specified in Article 12(1) is to enable a richer regulatory dialogue within the interoperability regulatory sandbox, facilitating the sharing of lessons learned, identifying learnings from innovation experimentation, risks, and best practices on standardisation. The involvement of said other actors in the interoperability regulatory sandbox could also help to gain sector-specific insight and access support from testing and experimentation facilities and from the European Digital Innovation Hubs. Innovative procurement approaches can work in synergy with and support interoperability regulatory sandboxes by enabling timely access to resources, expertise, and technologies for controlled experimentation. This ensures the flexibility needed to test innovative solutions while remaining aligned with regulatory goals. |
|
(8) |
To ensure that all projects running in the interoperability regulatory sandboxes respect data privacy, the regulatory sandbox coordinators and the other actors have to set out a well-defined approach towards further processing of personal data in the interoperability regulatory sandbox, that is to say, personal data initially lawfully collected for other purposes. This approach should be compliant with all requirements set out in Regulation (EU) 2024/903 and all other obligations pursuant to Union data protection law. The specific agreement on the establishment of the interoperability regulatory sandbox should already specify, where appropriate, the elements set out in Article 11(4) of Regulation (EU) 2024/903. The approach should give specific attention to following a hierarchical approach to the use of personal data, ensuring that the data processed is limited to what is necessary for the functioning of the interoperability solution to be developed or tested in the interoperability regulatory sandbox, and that functioning cannot be effectively achieved by processing anonymised, synthetic or other non-personal data, as set out in Article 12(6)(b) of Regulation (EU) 2024/903. Where personal data processing may lead to new inferences about data subjects, regulatory sandbox coordinators and also the other actors involved in the interoperability regulatory sandbox must demonstrate a valid legal basis for the operational use of sandbox results. This legal basis shall be included in the specific plan pursuant to Article 12(3)(g) of Regulation (EU) 2024/903, and all conditions under Article 12(6) must be met. Without such legal basis, operational personal data from the sandbox cannot be further processed. This limitation prevents the use of interoperability regulatory sandboxes primarily for data exchange or comparison between authorities without proper legal grounds. |
|
(9) |
A structured approach to evaluation and monitoring is essential for fostering a safe and productive environment for innovation, while maintaining accountability and regulatory integrity within the interoperability regulatory sandbox. For this purpose, pursuant to Article 12(8) of Regulation (EU) 2024/903, regulatory sandbox coordinators are to provide regular reports to the Commission and the Interoperable Europe Board summarising progress, outcomes, and challenges. The reporting should also cover the evaluation of data quality aspects, such as the accuracy and fairness of assessments, data, or inferences generated during the sandbox’s operation. This evaluation is crucial to ensure the reliability and trustworthiness of the sandbox’s outputs to be used operationally (e.g. for fraud detection, subsidy allocation, or civil status registration). Experimentation in interoperability regulatory sandboxes can also serve as an opportunity to evaluate the sustainability, energy and resource efficiency of the innovative interoperability solutions developed, trained, tested or validated in the context of the interoperability regulatory sandbox. To ensure continuous oversight, the process should require establishing a mechanism for ongoing data collection from individual projects, allowing for regular tracking of progress, risk management, and adherence to the sandbox’s standards. Templates and examples provided by the Commission and available on the Interoperable Europe Portal can in the future support the streamlining of reporting, to make it easier for all parties to fill out and comprehend the results of the interoperability regulatory sandboxes. |
|
(10) |
The specific agreement on the interoperability regulatory sandboxes may need to be renewed in cases of substantial changes to the original specific agreement. Such changes may include, among others, modifications regarding the number and the identity of the regulatory sandbox coordinators, or the extension of the initially agreed timeframe necessary to achieve the sandbox objectives. |
|
(11) |
In the case that regulatory dialogue and the experimentation in the interoperability regulatory sandboxes has provided enough evidence on the safe use of an interoperability solution, those interoperability solutions should be shared through the Interoperable Europe portal, where applicable, with non-restrictive licensing terms, such as the European Union Public Licence (EUPL), in compliance with Article 4 Regulation (EU) 2024/903). |
|
(12) |
Any significant risks identified during the development and testing of interoperability solutions in an interoperability regulatory sandbox should result in adequate mitigation and, failing that, in the suspension of the development and testing process. The requested multi-level risk management approach, balancing the role of risk managers and the oversight by the regulatory sandbox coordinators and competent authorities, should ensure a safe environment for the testing, training, development or validation of interoperability solutions in the interoperability regulatory sandbox. Regulatory sandbox coordinators should decide on the risk management process, managing communication between competent authorities and risk managers, and ensure that each project within the interoperability regulatory sandbox complies with the established risk management plan. The risk management should build on and ensure full compliance with other applicable risk management procedures, e.g. in the field of cyber security or personal data protection. Guidelines and clarifications on the Interoperable Europe Portal can in the future help regulatory sandbox coordinators to find the appropriate set-up. |
|
(13) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 25 March 2025. |
|
(14) |
The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 22(1) of Regulation (EU) 2024/903, |
HAS ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISIONS
Article 1
Definitions
For the purpose of this Regulation, the following definitions shall apply:
|
(1) |
‘project’ means a specific set of actions aiming to develop, train, test and validate innovative interoperability solutions, running in the controlled environment of an interoperability regulatory sandbox according to a specific plan and involving participants as referred to in Article 12(3) of Regulation (EU) 2024/903; |
|
(2) |
‘regulatory sandbox coordinators’ means Union entities or public sector bodies that jointly establish and manage an interoperability regulatory sandbox, including overseeing their setup, coordinating participation, monitoring progress, reporting on the activities and termination; |
|
(3) |
‘specific agreement’ means a formal instrument concluded between at least three Union entities or public sector bodies that outlines the terms, roles, responsibilities, and working methods for the creation, governance, and operation of an interoperability regulatory sandbox; |
|
(4) |
‘regulator’ means regulatory bodies or authorities that oversee and enforce compliance within specific sectors at Union, Member States, regional or local level relevant for the projects in an interoperability regulatory sandbox; |
|
(5) |
‘specific plan’ means a specific plan on the development, training, testing and validation of innovative interoperability solutions in an interoperability regulatory sandbox, as referred to in Article 12(3) of Regulation (EU) 2024/903. |
CHAPTER II
ESTABLISHMENT OF AN INTEROPERABILITY REGULATORY SANDBOX
Article 2
General provisions
1. An interoperability regulatory sandbox shall be established through a specific agreement between at least three Union entities or public sector bodies. Legal entities forming a consortium may establish an interoperability regulatory sandbox, provided that the consortium involves at least three Union entities or public sector bodies and complies with the conditions set out in this Regulation.
2. Before formalising the specific agreement, the Union entities or public sector bodies establishing the interoperability regulatory sandbox shall ensure that:
|
(a) |
the interoperability regulatory sandbox meets the criteria set out in Article 3 and specified in the checklist set out in the Annex to this Regulation; |
|
(b) |
the interoperability regulatory sandbox was notified to the Commission and, where applicable, authorised by the Commission pursuant to Article 11(4) of Regulation (EU) 2024/903 and Article 5 of this Regulation. |
3. An interoperability regulatory sandbox shall be established for an initial period that should not exceed three years. An interoperability regulatory sandbox may be renewed, following the procedure set out in Article 7. Participation in the interoperability regulatory sandbox has to be started and terminated within the lifespan of the interoperability regulatory sandbox, not exceeding the maximum duration of participation in an interoperability regulatory sandbox set out in Article 12(2) of Regulation (EU) 2024/903.
Article 3
Criteria for the establishment of interoperability regulatory sandboxes
1. Any public sector body or Union entity may take part in establishing an interoperability regulatory sandbox, subject to the conditions laid down in this Regulation.
2. The goal of an interoperability regulatory sandbox should contribute to the objectives set out in Article 11(2) of Regulation (EU) 2024/903.
3. Public sector bodies or Union entities shall assess the possibility to join an existing interoperability regulatory sandbox with the same scope or to link to existing regulatory sandboxes with an overlapping scope before establishing a new interoperability regulatory sandbox.
4. The regulatory sandbox coordinators shall conclude a specific agreement on the establishment of an Interoperability regulatory sandbox that shall, at least, contain the following elements:
|
(a) |
a description of the interoperability regulatory sandbox objective, scope and deliverables, in particular how the interoperability regulatory sandbox, effectively contributes to the objectives set out in Article 11(2) of Regulation (EU) 2024/903, the innovative interoperability solutions that may be developed, trained, tested or validated in the interoperability regulatory sandbox and the open regulatory issues covered in the interoperability regulatory sandbox, as well as its planned duration; |
|
(b) |
a governance plan outlining how the interoperability regulatory sandbox will operate, including the management of projects in the interoperability regulatory sandbox, setting out clear and transparent arrangements for collaboration between the participants, regulatory authorities, and any other actor involved in the interoperability regulatory sandbox, and outlining roles and responsibilities of the participants entering or exiting the interoperability regulatory sandbox; the regulatory sandbox coordinators may agree on the division of the tasks set out in Article 9 of this Regulation among them; |
|
(c) |
description of a risk management mechanism to supervise, monitor, and mitigate risks, ensuring the protection of fundamental rights, health, safety and personal data protection supported by clear policies and procedures to address potential violations of these fundamental rights, health and safety standards and personal data protection; |
|
(d) |
description of a framework for evaluation and reporting across the interoperability regulatory sandbox and on the projects running within the interoperability regulatory sandbox, including mechanisms for monitoring progress, addressing challenges, documenting lessons learned and potential follow-up, and ensuring alignment with regulatory objectives; |
|
(e) |
where the processing of personal data in the projects running in the interoperability regulatory sandbox is envisioned, specifying the information referred to in in Article 11(4) of Regulation (EU) 2024/903. |
5. The regulatory sandbox coordinators shall agree on initiating at least one project subject to the conditions set out in the specific agreement, and Chapter III of this Regulation by establishing a draft specific plan.
Article 4
Single point of contact
The regulatory sandbox coordinators shall designate among themselves, a single point of contact for the purposes of communication with the Commission throughout the entire lifespan of the interoperability regulatory sandbox.
Article 5
Notification and authorisation of an interoperability regulatory sandbox
1. In the case that public sector bodies or Union entities want to establish an interoperability regulatory sandbox, they shall send a joint request through the Interoperable Europe Portal.
2. The joint request shall include all information necessary for the Commission to assess the compliance of requests by only public sector bodies with the criteria set out in Article 3 of this Regulation.
3. The Commission shall notify the single point of contact of its decision on the request referred to in paragraph 1. In case of a negative decision, the regulatory sandbox coordinators may submit a reasoned review request within 30 days of receiving the Commission’s decision. The Commission shall examine the review request within 30 days and shall notify the single contact point of its decision on that review request.
4. The start date of an interoperability regulatory sandbox set out in the specific agreement shall not be before receiving the notification referred to in paragraph 3.
Article 6
Transparency
1. The Commission shall create a single, dedicated interface for information and exchange on interoperability regulatory sandboxes within the Interoperable Europe Portal, including:
|
(a) |
general information and guidelines for Union entities and public sector bodies interested in establishing an interoperability regulatory sandbox, including features that help interested stakeholders to exchange information, requests and best practices; |
|
(b) |
dedicated information on each of the established interoperability regulatory sandboxes, including eligibility and selection criteria for participation in the interoperability regulatory sandboxes and information on running and closed projects in the interoperability regulatory sandbox. |
2. The single contact point shall collect any missing information, specified in paragraph (1)(b), at least 10 days before the starting of the operations of the interoperability regulatory sandbox and share it with the Commission. The single point of contact shall regularly update the information on projects within the interoperability regulatory sandbox.
Article 7
Renewal of the interoperability regulatory sandbox
1. Regulatory sandbox coordinators may decide to renew the interoperability regulatory sandbox under the following conditions:
|
(a) |
the objectives of the interoperability regulatory sandbox have not yet been achieved; |
|
(b) |
the interoperability regulatory sandbox is not closed pursuant to Article 8. |
2. In the case that the regulatory sandbox coordinators decide to renew the interoperability regulatory sandbox, they shall follow the procedure set out in Article 5.
3. In the case that the regulatory sandbox coordinators want to make substantial changes to the specific agreement, referred to in Article 2(1), including, among others, modifications regarding the number and the identity of the regulatory sandbox coordinators, or the extension of the initially agreed timeframe necessary to achieve the sandbox objectives, then the regulatory sandbox coordinators shall start the renewal procedure as set out in paragraph 2.
Article 8
Closing of an interoperability regulatory sandbox
1. Regulatory sandbox coordinators shall close the interoperability regulatory sandbox in one of the following cases:
|
(a) |
the interoperability regulatory sandbox has fulfilled its objectives; |
|
(b) |
the interoperability regulatory sandbox has reached its determined end date pursuant to Article 2(3) and the regulatory sandbox coordinators have not reached an agreement on its renewal; |
|
(c) |
the Commission has not authorised the renewal pursuant to Article 7; |
|
(d) |
the necessary funding to continue the activities of the interoperability regulatory sandbox is not available. |
2. Upon closing of the interoperability regulatory sandbox, the regulatory sandbox coordinators shall ensure that all projects in the interoperability regulatory sandbox are properly terminated, as set out in Article 15.
3. Regulatory sandbox coordinators shall submit the final report referred to in Article 12(8) of Regulation (EU) 2024/903 within three months following the closing of the interoperability regulatory sandbox.
CHAPTER III
OPERATION OF INTEROPERABILITY REGULATORY SANDBOXES
Article 9
General rights and obligations of the regulatory sandbox coordinators
1. Regulatory sandbox coordinators shall manage the operations in the interoperability regulatory sandbox and its related projects throughout the lifespan of the interoperability regulatory sandbox.
2. Regulatory sandbox coordinators are specifically responsible for the following tasks:
|
(a) |
to invite regulators to the interoperability regulatory sandbox; |
|
(b) |
to steer the regulatory dialogue with the regulators involved around the set-up of and the learnings from the projects; |
|
(c) |
to decide on the number of projects running sequential or in parallel during the lifespan of the interoperability regulatory sandbox; |
|
(d) |
to publish calls for participation in the interoperability regulatory sandbox on the Interoperable Europe Portal and admit participants to the interoperability regulatory sandbox, as referred to in Article 10; |
|
(e) |
to select projects to run in the interoperability regulatory sandbox, while verifying that each projects remains in the scope of the interoperability regulatory sandbox with particular attention to the following aspects:
|
|
(f) |
to ensure that participation is based on a specific plan; |
|
(g) |
to determine a time-limit for participation in a project; |
|
(h) |
to decide on extension of a project, as referred to in Article 12(2) of Regulation (EU) 2024/903; |
|
(i) |
to end a project, as referred to in Article 15; |
|
(j) |
to ensure periodic and final reporting to the Commission and the Interoperable Europe Board; |
|
(k) |
to set up a risk management framework, as referred to in Article 12. |
3. In case it is necessary to process personal data in the context of projects running in the interoperability regulatory sandbox, regulatory sandbox coordinators shall take the necessary measures to allow for the competent data protection authorities to effectively carry out their supervision tasks, as provided for in Article 11(1) of Regulation (EU) 2024/903.
Article 10
Admission of participants and other actors
1. Regulatory sandbox coordinators shall publish on the Interoperable Europe Portal information on the eligibility and selection criteria for participation in the interoperability regulatory sandbox. Those criteria shall include the provision of information on the possibility for GovTech actors, including national or European standardisation organisations, notified bodies, research and experimentation labs, innovation hubs and companies wishing to test innovative interoperability solutions, in particular SMEs and start-ups, to be involved in the interoperability regulatory sandbox, as provided for in Article 12(1) of Regulation (EU) 2024/903.
2. Regulatory sandbox coordinators shall decide on requests from other Union entities, public sector bodies or GovTech actors seeking to join the interoperability regulatory sandbox as participants or other actors, based on the rules for the respective interoperability regulatory sandbox, published on the Interoperable Europe Portal according to paragraph 1.
3. The participants or other actors shall submit a declaration of commitment to the regulatory sandbox coordinators that provides for the assumption of obligations and the commitment for the candidate to meet financial, organizational, human resources and any other conditions that are relevant for this purpose.
Article 11
General rights and obligation of participants
1. Participants that have been admitted to an interoperability regulatory sandbox according to Article 10 shall have the following obligations:
|
(a) |
to contribute to the specific plan; |
|
(b) |
to assume full responsibility, as set out in Article 12(5) Regulation (EU) 2024/903, for the legality of the development, training, testing and validation of the interoperability solution; |
|
(c) |
to ensure that the interoperability solutions tested within the interoperability regulatory sandboxes comply with all applicable legal requirements and have obtained any necessary authorisations or approvals from competent authorities before they start the projects or that the competent authorities are involved in the interoperability regulatory sandbox; |
|
(d) |
to ensure, if personal data is processed within an interoperability regulatory sandbox, that such processing is in full compliance with applicable data protection law and to agree with the relevant data protection authorities, referred to in in Article 12(1) of Regulation (EU) 2024/903, on their expected involvement in the interoperability regulatory sandbox and its projects; |
|
(e) |
to adhere to the risk management framework, as set out in Article 12; |
|
(f) |
to regularly report on learnings in the interoperability regulatory sandbox, as specified in Article 13; |
|
(g) |
to ensure lawful handling of personal data processed in the projects as specified in Article 15(3). |
2. Participants may exit the interoperability regulatory sandbox under the conditions set out in Article 14.
Article 12
Risk management
1. Regulatory sandbox coordinators shall establish the risk management process for the interoperability regulatory sandbox covering the risk management process referred to in Article 12(3), point (d), of Regulation (EU) 2024/903. Regulatory sandbox coordinators shall define, implement, and monitor overarching risk management objectives for the interoperability regulatory sandbox, including specific risk management standards applicable to all projects therein, with due consideration of any mandatory risk management requirements pursuant to other applicable law. Regulatory sandbox coordinators shall ensure effective communication on risk management between participants, competent authorities, and other stakeholders.
2. Regulatory sandbox coordinators shall develop a specific risk management plan for each project that follows the risk management process referred to in paragraph 1.
3. Regulatory sandbox coordinators shall appoint one among them as risk manager for each project. The risk manager shall ensure that the project complies with the specific risk management plan referred to in paragraph 2 of this Article. Where risks are identified, the risk manager shall ensure that appropriate mitigation measures are taken.
4. In the case where appropriate risk mitigation is not feasible, the risk manager may temporarily suspend any project or participant’s involvement within the interoperability regulatory sandbox as an immediate safeguard. The risk manager shall promptly inform the regulatory sandbox coordinators and the relevant authorities. The single point of contact shall report this temporary suspension to the Commission.
5. The risk manager shall maintain records of risk management activities for the respective projects and make those records available for review by all regulatory sandbox coordinators and the Commission.
Article 13
Reporting obligations
1. Regulatory sandbox coordinators shall establish a mechanism for periodic reporting that covers at least the topics referred to in Article 12(8) of Regulation (EU) 2024/903. In the case of processing of personal data in the projects, the reporting shall include metrics assessing the effectiveness of the innovative interoperability solution in qualifying personal data, along with the accuracy and fairness of the output and usability of the results produced by the solution for the relevant authorities.
2. The mechanism shall include collecting data from all projects on an ongoing basis that ensures that progress is tracked, risks are managed, and compliance with the interoperability regulatory sandboxes’ objectives and legal requirements is maintained. The mechanism shall cover reporting on the learnings from the dialogue with the regulators.
3. Regulatory sandbox coordinators shall submit the periodic reports to the Commission and the Interoperable Europe Board referred to in Article 12(8) of Regulation (EU) 2024/903 at least once every six months from the date of establishment of the interoperability regulatory sandbox.
4. All reports shall be published on the Interoperable Europe Portal. The reports shall not contain confidential information.
Article 14
Exiting of participants
1. If a participant wants to exit the interoperability regulatory sandbox before the termination of the project that the participant is involved in, as referred to in Article 15, or the termination of the assigned task in the specific plan, the participant shall provide a detailed explanation to the regulatory sandbox coordinators and to the Commission of the reasons for exiting.
2. Participants exiting an interoperability regulatory sandbox shall have the following obligations:
|
(a) |
to complete any outstanding requirements linked to the monitoring and reporting of their activity; |
|
(b) |
to ensure that the data collected and any interoperability solutions developed during the lifespan of the interoperability regulatory sandbox are managed in accordance with the applicable legislation, and with the conditions for admission to the interoperability regulatory sandbox, as defined by the sandbox coordinators; and |
|
(c) |
to take all necessary steps to mitigate potential risks for the success of the interoperability regulatory sandbox project and for public services and their delivery linked to the exiting the interoperability regulatory sandbox and its specific projects. |
3. Upon the exiting of a participant from an interoperability regulatory sandbox, the regulatory sandbox coordinators shall assess the necessary measures with regard to the obligations set out in Article 9.
Article 15
Termination of a project
1. Regulatory sandbox coordinators shall terminate a project in the interoperability regulatory sandbox in any of the following cases:
|
(a) |
the project has fulfilled the objectives before the maximum initial duration is reached; |
|
(b) |
the regulators involved in the interoperability regulatory sandbox or other competent authorities have requested the termination of the project and no mitigation is possible; |
|
(c) |
the necessary funding to continue the activities is not available; |
|
(d) |
the project no longer fulfils the minimum criteria in terms of scope and participation set out in its specific plan and no mitigation is possible. |
2. In case the regulatory sandbox coordinators plan to terminate a project before the initially scheduled ending date, the regulatory sandbox coordinators shall inform all participants in due time.
3. Personal data that was exceptionally processed in order to reach the objectives of a projects shall not be used as operative data outside the projects, unless there is a proper legal basis authorising a change of purpose.
4. Within three months following the termination of the projects, regulatory sandbox coordinators shall:
|
(a) |
publish on the Interoperable Europe portal or a portal, catalogue or repository connected to the Interoperable Europe portal the interoperability solutions and related materials developed during the project, including documentation, version history, documented source code and references to open standards or technical specifications used, if such solutions and material are in line with the applicable quality criteria for the Interoperable Europe Portal; |
|
(b) |
where solutions are issued as open source, use the EUPL or another appropriate open source licence; |
|
(c) |
clearly indicate, if sharing restrictions apply due to:
|
CHAPTER IV
FINAL PROVISIONS
Article 16
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 17 July 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L, 2024/903, 22.3.2024, ELI: http://data.europa.eu/eli/reg/2024/903/oj.
(2) Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj).
(3) Regulation (EU) 2024/1735 of the European Parliament and of the Council of 13 June 2024 on establishing a framework of measures for strengthening Europe’s net-zero technology manufacturing ecosystem and amending Regulation (EU) 2018/1724 (OJ L, 2024/1735, 28.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1735/oj).
(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).
(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).
ANNEX
Checklist for an interoperability regulatory sandbox (referred to in Article 2(2), point (a))
|
No |
Criteria |
Description |
Description |
||||||||||||||||||||
|
1 |
Participants have been adequately specified |
|
Please provide the required information. Keep in mind that the interoperability regulatory sandbox must be established by at least three regulatory sandbox coordinators, either public sector bodies and/or Union entities. |
||||||||||||||||||||
|
2 |
Scope, objectives and deliverables have been adequately specified |
Scope:
Objectives:
Deliverables:
|
Please provide the required information. |
||||||||||||||||||||
|
3 |
Governance has been adequately specified |
|
Please provide the required information. The description should demonstrate that relevant regulators and other stakeholders have been clearly identified and considered, and, where applicable, include evidence of their readiness to participate in the interoperability regulatory sandbox. |
||||||||||||||||||||
|
4 |
Risk management has been adequately specified |
|
Please provide the required information. |
||||||||||||||||||||
|
5 |
Evaluation and reporting requirements have been adequately specified |
|
Please provide the required information. Keep in mind: the mechanism should include collecting data from individual projects on an ongoing basis to ensure that progress is tracked, risks are managed, and compliance with the framework’s objectives and legal requirements is maintained. |
||||||||||||||||||||
|
6 |
Further processing of personal data has been adequately specified |
|
Please provide the required information. |
ELI: http://data.europa.eu/eli/reg_impl/2025/1420/oj
ISSN 1977-0677 (electronic edition)