COMMISSION IMPLEMENTING REGULATION (EU) …/...
of XXX
laying down rules for the application of Regulation (EU) 2024/1689 of the European Parliament and of the Council as regards the establishment, development, implementation, operation and supervision of AI regulatory sandboxes
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (), and in particular Article 58(1) thereof,
Whereas:
(1)In accordance with Regulation (EU) 2024/1689, AI regulatory sandboxes are intended to provide a controlled framework established by competent authorities to enable the development, training, validation and testing, including in real-world conditions, of innovative AI systems under regulatory supervision for a limited time before their placement on the market.
(2)To avoid fragmentation across the Union, maximise the benefits of AI regulatory sandboxes for all, and guarantee the consistent implementation of Regulation (EU) 2024/1689, it is important to adopt common rules setting out the detailed arrangements regarding the establishment, development, implementation, operation and supervision of the AI regulatory sandboxes. Such rules should be in line with the objectives of the AI regulatory sandboxes and the other relevant provisions set out in Regulation (EU) 2024/1689. These rules should also ensure coherence and complementarity with Union initiatives supporting data-driven innovation and with relevant Union sectoral frameworks governing the development and placing on the market of regulated products and systems.
(3)AI regulatory sandboxes aim to enhance legal certainty for innovators and support them in achieving regulatory compliance with Regulation 2024/1689 and, as appropriate, other Union law, such as Regulation (EU) 2016/679 (‘General Data Protection Regulation’), and Union product safety legislation. They should also promote responsible innovation and competitiveness and accelerate access of innovative AI systems to the Union market by removing barriers for SMEs, including start-ups. AI regulatory sandboxes play a key role in connecting innovators with competent authorities through a collaborative approach and in enhancing the competent authorities’ oversight and understanding of the opportunities, emerging risks and the impacts of AI use. Participation in AI regulatory sandboxes should focus on issues that may raise legal uncertainty for providers and prospective providers to innovate and experiment with AI in the Union.
(4)This Regulation lays down detailed rules as regards the establishment, development, implementation, operation and supervision of AI regulatory sandboxes by competent authorities pursuant to Article 57(1), (2) and (3) of Regulation (EU) 2024/1689. For reasons of uniform application and common interpretation concerning regulatory questions examined in the AI regulatory sandbox, as well as mutual recognition of the results, this Regulation should apply to all AI regulatory sandboxes under Regulation (EU) 2024/1689.
(5)AI regulatory sandboxes should be widely available across the Union and enable broad and equal access to prospective providers. Member States should have at least one AI regulatory sandbox with a national coverage as required by Regulation (EU) 2024/1689. To that end, any provider or prospective provider within the scope of Regulation (EU) 2024/1689 should be able to apply and participate in the AI regulatory sandbox as long as the relevant conditions and procedures established in this Regulation are met. Such AI regulatory sandboxes should be established in the Member States by 2 August 2026. Piloting projects are also encouraged before competent authorities under Regulation (EU) 2024/1689 have been formally designated by the Member States. Other AI regulatory sandboxes may also be established in specific sectors or at regional or local level, as well as jointly with the competent authorities of other Member States (‘joint AI regulatory sandboxes’), or at Union level. Sector specific AI regulatory sandboxes may be established at different levels (regional or local, national or jointly) and can be particularly useful in industrial or public areas of particular strategic importance and in areas of notable regulatory implementation challenges that are in need of support, including in the public sector.
(6)The European Data Protection Supervisor may establish an AI regulatory sandbox to support the responsible development, testing and use of AI systems provided by the EU institutions, bodies, offices and agencies.
(7)Member States are encouraged to establish joint AI regulatory sandboxes facilitating cross-border collaboration, streamlining coordination, optimising resources and strengthen consistency in the implementation of Regulation (EU) 2024/1689. Such joint AI regulatory sandboxes will in particular allow Member States to meet the obligation of establishing an AI regulatory sandbox with national coverage. Joint AI regulatory sandboxes should be established through appropriate framework agreements, for example a memorandum of understanding.
(8)It is important that the terms and conditions of the participation in an AI regulatory sandbox are made clear to the provider or prospective provider as early as possible and agreed upon before entering the sandbox. These can be accepted with an electronic signature.
(9)Participation by SMEs, including start-ups, shall be free of charge unless exceptional costs are incurred in the AI regulatory sandboxes. For other participants the costs of participation must be fair, transparent and proportionate. The competent authority should therefore communicate the applicable fees to the provider or prospective provider in an AI regulatory sandbox as early as possible.
(10)A competent data protection authority should be associated to the operation of the AI regulatory sandbox and supervise when personal data is processed for the development, training or testing of the AI system in the context of the AI regulatory sandbox.
(11)While aiming to ensure the objective of regulatory learning through the sharing of results of participation in AI regulatory sandboxes, competent authorities should respect the confidentiality of information and data obtained in carrying out tasks connected to the AI regulatory sandbox, in accordance with Article 78 of Regulation (EU) 2024/1689.
(12)It is important to ensure that the necessary procedures, processes, and administrative requirements are clearly described, accessible, and easy to understand. Uniform and common criteria must be defined for participating in all AI regulatory sandboxes.
(13)When selecting participants, the competent authority should review the eligibility of the candidates and the selection criteria laid down in this Regulation, including the specific regulatory and practical challenges in the proposed sandbox project, the maturity and competitiveness of the AI system and the potential for and scalability of regulatory learning for the specific sector and more broadly. There may be different levels of maturity in the AI systems for which providers or prospective providers apply for participation in the AI regulatory sandbox. When assessing the innovative character of an AI system in a proposal for an AI regulatory sandbox project, competent authorities should take into account the novelty of the AI system’s technology or its novel application.
(14)Due to their limited administrative resources to navigate the legal landscape and ensure compliance with Regulation (EU) 2024/1689, SMEs, including start-ups, should have priority access to AI regulatory sandboxes, if they meet the eligibility and selection criteria, and have a registered office or a branch in the Union.
(15)While respecting the aim of achieving national coverage in the AI regulatory sandbox, competent authorities may, in the selection of participants, choose to annually focus on multiple, specific sectors that are in industrial or public areas of particular strategic importance and in areas of notable regulatory implementation challenges that are in need of support, depending on their capacities, especially in the early implementation phases of the AI regulatory sandbox.
(16)In order to adequately leverage available resources and infrastructure at the Union and national level and promote synergies with the AI regulatory sandboxes, competent authorities should ensure cooperation with and facilitate the involvement of relevant AI ecosystem actors, such as the Testing and Experimentation Facilities, the European Digital Innovation Hubs, AI Factories, and other AI innovation initiatives. Competent authorities should, where appropriate, facilitate involvement of actors such as national or European standardisation organisations, notified bodies, research and experimentation labs and relevant stakeholder and civil society organisations. Where appropriate, there should be supervision by the competent authority of specific projects within the AI regulatory sandboxes that may be carried out in existing Union and national AI ecosystem initiatives and infrastructure. Member States are encouraged to establish joint AI regulatory sandboxes leveraging these infrastructures and facilitating cross-border collaboration and testing.
(17)In order to frame a specific set of actions for developing, training, testing or validating concrete projects of innovative AI systems in the controlled environment of an AI regulatory sandbox and to allocate the necessary resources, the sandbox plan should address the needs of the participants, specifying their objectives, as well as the relevant risk management safeguards and the support to be provided by the competent authorities, and other entities involved.
(18)In order to avoid fragmentation and to streamline participation and procedures in AI regulatory sandboxes, and ensure mutual recognition of the results, competent authorities should take into account templates and guidance material adopted by the European Artificial Intelligence Board (‘the Board’) in accordance with its powers under Article 66(d) of Regulation (EU) 2024/1689 in the establishment and operation of AI regulatory sandboxes.
(19)Participation in an AI regulatory sandbox should support a path towards conformity with Regulation (EU) 2024/1689. Parallel dialogue with a notified body is encouraged, while exiting an AI regulatory sandbox does not grant presumption of conformity. Participation in and exiting from an AI regulatory sandbox shall not be considered an approval by the competent authorities to the provider or prospective provider to place on the market or put into service the AI system supervised in the AI regulatory sandbox under Regulation (EU) 2024/1689.
(20)In order to facilitate and accelerate the placing of AI systems onto the Union internal market, testing in real-world conditions may be conducted within the framework of an AI regulatory sandbox. Such testing should not affect other Union and national law on the testing in real-world conditions. With the involvement of the sectoral competent authority under the Union harmonisation legislation listed in Annex I to Regulation (EU) 2024/1689, testing of high-risk AI systems embedded in regulated products or systems that constitute products themselves subject to specific requirements set out in the relevant Union harmonisation law could also be conducted, as appropriate.
(21)Exit reports are useful for regulatory learning and contribute to the dissemination of lessons learned. It is necessary to lay down rules regarding the content of the exit report referred to in Article 57(7) of Regulation (EU) 2024/1689. Publication and dissemination of the results of a specific sandbox project for the benefit of everyone should encourage dialogue among and between competent authorities, participants and non-participants, such as relevant stakeholders.
(22)The Board and Commission should collaborate on the evaluation of the AI regulatory sandboxes established in the Member States or at Union level. This should be done by taking into account the impact an AI regulatory sandbox has had, including the lessons learned, and in terms of evaluating the processes and governance. Such an evaluation may be done independently.
(23)AI regulatory sandboxes established under this Regulation are without prejudice to other legislation allowing for the establishment of other sandboxes aiming to ensure compliance with law other than Regulation (EU) 2024/1689.
(24)The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) and (2) of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on XX/XX/XX.
(25)The measures provided for in this Regulation are in accordance with the opinion of the [Artificial Intelligence] Committee,
HAS ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISION
Article 1
Scope
1.This Regulation sets common rules and detailed arrangements for the establishment, development, implementation, operation and supervision of all AI regulatory sandboxes established pursuant to Article 57 of Regulation (EU) 2024/1689.
2.The rules set out in this Regulation shall fully apply to AI regulatory sandboxes established in accordance with Article 57(1), (2) and (3) of Regulation (EU) 2024/1689 and to the competent authorities referred therein.
CHAPTER II
PARTICIPATION IN AN AI REGULATORY SANDBOX
Article 2
General terms and conditions for participation in an AI regulatory sandbox
1.The terms and conditions set out in paragraphs 2 to 5 shall apply to the participation in an AI regulatory sandbox.
2.Participation by SMEs, including start-ups, in an AI regulatory sandbox shall be prioritised and free of charge.
Competent authorities may still recover costs that exceed what the competent authority can reasonably expect from the sandbox plan associated with the specific sandbox project. The recovery of exceptional costs shall be carried out in a fair, transparent and proportionate manner. When charging the participant a fee for exceptional costs, the invoice should be sufficiently detailed in order for the participant to understand which exceptional costs have occurred and how they have been calculated. Prospective participants should be informed about the possibility that exceptional costs might be incurred, as early as possible and at least before the participation starts.
3.Competent authorities may charge companies larger than SMEs, including start-ups, a fee proportionate to the costs incurred. In such case, they shall define and publish the list of fees that apply for participation when the application phase pursuant to Article 3 is open.
4.Providers or prospective providers who do not have a registered office or a branch in the Union, but who want to participate in an AI regulatory sandbox, shall pay a participation fee to the competent authority and have an authorised representative who can be held responsible and liable for the participation in the AI regulatory sandbox.
5. Participants in the AI regulatory sandbox remain responsible for ensuring compliance with applicable Union legislation that is not supervised in the AI regulatory sandbox.
Article 3
Application and selection
1.Any interested provider or prospective provider can apply to participate in an AI regulatory sandbox. Competent authorities shall facilitate the application procedure with a form to be filled in with information on the applicant and the project proposed for participation in the AI regulatory sandbox.
2.A proposal for a sandbox project shall be eligible for participation in the AI regulatory sandbox if it meets the following cumulative criteria:
(a)the application is made by a public or private provider or prospective provider, or by an authorised representative for providers or prospective providers who do not have a registered office or a branch in the Union;
(b)the application relates to an AI system which is not placed on the market or put into service or, if so, the system will be subject to substantial modification.
(c)For the purposes of the first subparagraph, point (a), providers and prospective providers may also submit applications in partnerships with deployers or other relevant third parties.
3.When evaluating a proposal for a sandbox project, the competent authority shall take into consideration at least the following selection criteria:
(a)the need to participate in the AI regulatory sandbox, due to specific regulatory and other practical challenges;
(b)the potential for and scalability of regulatory learning, including the expected impact and benefits for the specific sector;
(c)the extent to which the project will contribute to objectives of public interest or societal benefit and Union policy;
(d)the maturity and economic viability of the proposal;
(e)the innovative character of the AI system.
4.Competent authorities may annually decide to give more priority to specific sectors in industrial or public areas of particular strategic importance and in areas of notable regulatory implementation challenges that are in need of support, for reasons of available resources and capacity of the competent authority, while still respecting the objectives of broad and equal access to the AI regulatory sandbox.
5.When complying with their obligations under this Article, competent authorities shall take into account templates and guidance material adopted by the Board in accordance with its powers under Article 66(d) of Regulation (EU) 2024/1689.
6.The selection procedures shall be fair and equal while allowing priority access for SMEs, including start-ups, pursuant to Article 62(1), point (a), of Regulation (EU) 2024/1689.
7.Competent authorities shall inform the applicant about the outcome of the selection procedure no later than three months. The applicant has the right to appeal such decisions made by competent authorities, taking into account relevant national legislation and procedures for appeal of administrative decisions.
Article 4
Participation
1.The competent authorities shall record in a secure manner the activities and the updates related to participation in an AI regulatory sandbox, and maintain records related to AI systems developed or tested in that sandbox. Where necessary for their monitoring and supervisory tasks, competent authorities shall also be entitled to request additional information from the participants.
2.Competent authorities shall publish on the single information platform, as referred to in Article 57(17) of Regulation (EU) 2024/1689, tools for compliance with Regulation (EU) 2024/1689, such as technical specifications, benchmarks and testing tools developed in AI regulatory sandboxes, provided those means demonstrate proven relevance for compliance with Regulation (EU) 2024/1689 and do not infringe intellectual property rights.
3.The duration of the participation in the AI regulatory sandbox shall be proportionate to the set-up and operation of the sandbox, taking into account, in particular, the following elements:
(a)the available capacity, resources and priority defined by the competent authority;
(b)whether the sandbox project will cover several or all aspects of the conformity assessment referred to in Article 43 of Regulation (EU) 2024/1689 or other obligations set out in that Regulation;
(c)the complexity, scale and specific needs of the selected sandbox project.
4. When the AI system is tested in real world conditions and supervised in the AI regulatory sandbox, the real-world testing plan shall be part of the sandbox plan.
5. Competent authorities shall cooperate with and facilitate the involvement of the relevant actors within the AI ecosystem referred to in Article 58(2)(f) of Regulation 2024/1689, such as the Testing and Experimentation Facilities, the European Digital Innovation Hubs, centres of excellences, and AI Factories. In the implementation of the AI regulatory sandboxes, competent authorities shall leverage the existing Union and national AI ecosystem initiatives and infrastructure, including through regulatory supervision of specific projects within the AI regulatory sandboxes that may be carried out in those facilities, where appropriate.
CHAPTER III
OPERATION OF AN AI REGULATORY SANDBOX PROJECT
Article 5
Sandbox plan
1.Following the selection of applications in accordance with Article 3, the sandbox plan shall be agreed upon between the provider or prospective provider and the competent authorities without undue delay following the selection.
2.The sandbox plan shall specify at least the following elements concerning the participation in the AI regulatory sandbox:
(a)information about the applicant and the AI system specified in the selected application;
(b)the estimated timeline of the sandbox project, including an end date;
(c)the objectives of the participation and scope of the activities to be carried out in the AI regulatory sandbox;
(d)a description of the requirements and obligations laid down in Regulation (EU) 2024/1689 and, where relevant, in other Union legislation, that fall within the scope of the participation in the AI regulatory sandbox;
(e)an indication whether the AI system specified in the selected application involves the processing of personal data and the need for involving the competent data protection authority;
(f)risk management safeguards and a procedure for monitoring, managing and reporting serious incidents that could occur during the participation in the AI regulatory sandbox, when considered necessary and appropriate given the risks that are likely to arise;
(g)where applicable, a plan on testing in real world conditions as referred to in Article 4(4) of this Regulation, supervised within the framework of the AI regulatory sandbox.
3.The provider or prospective provider shall, to the best of their ability, identify which information or data included in the sandbox plan, might be confidential pursuant to Article 78 of Regulation (EU) 2024/1689.
4.The sandbox plan may be updated during the participation in the AI regulatory sandbox if both the competent authority and the provider or prospective provider agree.
5.When complying with their obligations under this Article, competent authorities shall take into account templates and guidance material adopted by the AI Board in accordance with its powers under Article 66(d) of Regulation (EU) 2024/1689.
6. Subject to Article 2(2) of Regulation (EU) 2024/1689, and as regards testing in real world conditions of AI systems covered by Union harmonisation legislation listed in Section B of Annex I to Regulation (EU) 2024/1689, the design and implementation of sandbox projects and sandbox plans shall take into account the specificities of the AI systems and product tested. Member States shall enable the testing in real world conditions of those products, including by providing, as necessary, access to physical public infrastructure, where testing is essential to ensure compliance of AI systems covered by Union harmonisation legislation listed in Section B of Annex I to Regulation (EU) 2024/1689 with the requirements set out in Chapter III, Section 2, of that Regulation.
Article 6
Written proof and exit report
1.After completion of a provider’s or a prospective provider’s participation in the AI regulatory sandbox, the relevant competent authority shall evaluate the admitted project with respect to the activities carried out and the progress in their implementation, in accordance with the objectives in the sandbox plan.
2.The written proof provided for under Article 57(7) of Regulation (EU) 2024/1689 may, where appropriate, be prepared in collaboration with other relevant authorities. The written proof shall serve as documentation evidence informing notified bodies and relevant market surveillance authorities, but it shall not have the same status or legal effect as a declaration of conformity within the meaning of Article 47 of Regulation (EU) 2024/1689. The written proof shall include at least the following elements:
(a)types of activities successfully carried out in the sandbox in terms of development, training, validation, and testing of the AI system, as applicable, indicating the sector or sectors in which the sandbox operated;
(b)the legal requirements and obligations evaluated in the context of the AI regulatory sandbox;
(c)proof of whether the admitted sandbox project has been completed.
3.The exit report provided for under Article 57(7) of Regulation (EU) 2024/1689 shall serve for regulatory learning purposes and include the following elements in addition to the elements set out in paragraph 2:
(a)description of the key regulatory issues examined in the AI regulatory sandbox, how those issues were resolved, including specific recommendations, good practices, tools, benchmarks or measures tested that could be replicated;
(b)if applicable, a record of serious incidents within the AI regulatory sandbox;
(c)best practices and lessons learned that can be scaled up in similar cases.
4.The exit report shall not have the same status or legal effect as a declaration of conformity within the meaning of Article 47 of Regulation (EU) 2024/1689. The relevant competent authority shall provide participant of the AI regulatory sandbox with the exit report within a reasonable period, but no later than two months after completing participation.
5.In case the participant agrees, the exit report shall be published on the single and dedicated interface referred in Article 57(17) of Regulation 2024/1689 by the competent authority without undue delay.
6.The competent authority may publish relevant key findings from the exit report, containing only non-confidential information, in order to contribute to legal clarity, regulatory learning and innovation within the internal market. The exchange of information as well as the non-confidential information will not include any sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum territories. Unless stated as confidential in the sandbox plan in accordance with Article 5(3), information shall be presumed to be available for disclosure.
Article 7
Post-participation
1.Competent authorities may undertake voluntary follow up activities for providers or prospective providers having formerly participated in the AI regulatory sandbox as long as these aim to (i) assess the effectiveness of their participation in the AI regulatory sandbox; (ii) gain relevant information to boost AI innovation and uptake after exiting from the AI regulatory sandbox; and (iii) use those results to draft the national annual report.
2.Upon request from market surveillance authorities during ex post market surveillance actions, competent authorities that have supervised the AI system in the AI regulatory sandbox shall provide information in addition to the documents already provided under Article 6 on the AI system developed or tested in the sandbox. Sensitive operational data relating to the activities of law enforcement, border control, immigration or asylum authorities shall not be disclosed.
Article 8
Suspension of an AI regulatory sandbox project
1.Until 30 calendar days before the planned participation end date, the competent authority and the provider or prospective provider may decide to extend the duration of the sandbox project if they both agree, and such an extension is justified.
2.Competent authorities may temporarily or permanently suspend the testing process or the participation in an AI regulatory sandbox if no mitigation is possible. Competent authorities may consider that no mitigation is possible if one or more of the following condition applies:
(i) where the participation conditions and parameters set out in the sandbox plan have been breached;
(ii) when the conditions for temporary or permanent suspension of the testing process or the participation in the AI regulatory sandbox under Article 57(11) of Regulation (EU) 2024/1689 are fulfilled due to significant risks to health, safety and fundamental rights identified during the development and testing of AI systems that cannot be effectively mitigated;
(iii) at the motivated request of the participant in an AI regulatory sandbox project.
The competent authorities shall inform the AI Office without undue delay in case of such a termination and the reasons thereof.
Article 9
Evaluation
1.When drafting the annual report under Article 57(16) of Regulation (EU) 2024/1689, the competent authority shall take into account the elements and template provided by the Board in accordance with its powers under Article 66(d) of Regulation (EU) 2024/1689. These annual reports shall be submitted to the AI Office and the Board. The competent authorities shall publish the reports online on the single and dedicated interface referred in Article 57(17) of Regulation 2024/1689.
2.Both the national annual reports from the competent authorities and the general annual reports from the AI Office shall be made publicly available online by the AI Office on the single and dedicated interface referred in Article 57(17) of Regulation 2024/1689. These reports will not cover any sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.
CHAPTER IV
FINAL PROVISION
Article 10
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels,
For the Commission
The President
Ursula VON DER LEYEN