We use cookies to improve your experience and analyse site traffic.
We use cookies to improve your experience and analyse site traffic.
Market surveillance authorities have broad investigative powers under Article 74. Organisations must maintain an inspection-ready posture at all times, with current documentation, accessible evidence, and personnel trained in their inspection roles. Annual rehearsal exercises, pre-configured regulatory access profiles, and proactive authority engagement reduce the risk of inspection failure.
Article 57 requires each member state to establish at least one AI regulatory sandbox by August 2026, providing a controlled environment in which providers can develop, train, validate, and test AI systems under regulatory supervision before placing them on the market.
Article 57 requires each member state to establish at least one AI regulatory sandbox by August 2026, providing a controlled environment in which providers can develop, train, validate, and test AI systems under regulatory supervision before placing them on the market. Participation is voluntary but offers significant advantages for organisations developing novel or high-risk systems.
Sandbox participation provides direct regulatory feedback on the system's compliance approach before the conformity assessment, reducing the risk of a failed assessment or post-market enforcement action. It creates a documented track record of regulatory cooperation that strengthens the organisation's credibility with market surveillance authorities. Article 57(8) permits the competent authority to agree on conditions that facilitate innovation. For systems in novel domains where the application of the AI Act's requirements is unclear, sandbox participation can help establish precedent that benefits both the provider and the broader regulatory ecosystem.
Sandbox participation requires dedicated effort and should not be undertaken as a lightweight exercise.
Sandbox participation requires dedicated effort and should not be undertaken as a lightweight exercise. The organisation must prepare an application demonstrating the system's intended purpose, risk profile, and development stage. Once admitted, regular reporting to the sandbox supervising authority is expected, including progress updates, test results, and any issues encountered. The time commitment is significant: sandbox programmes typically run for six to twelve months.
Organisations should consider sandbox participation for their highest-risk or most novel systems, where the regulatory uncertainty is greatest and the benefit of direct supervisory feedback is most valuable. Lower-risk systems with well-understood compliance pathways are better served by the standard internal conformity assessment process. The AI Governance Lead should assess the cost-benefit of sandbox participation against the system's risk profile, novelty, and the maturity of the relevant national competent authority.
The AI System Assessor integrates sandbox findings and supervisory feedback into the aisdp. Where the competent authority has reviewed and accepted specific aspects of the system's design or compliance approach, the Legal and Regulatory Advisor documents the acceptance as supporting evidence. Sandbox exit reports, where the supervising authority provides a formal summary of the programme's outcomes, are valuable evidence artefacts for the AISDP.
The EU database is intended as a digital-first platform that is machine-readable, navigable, and publicly accessible.
The EU database is intended as a digital-first platform that is machine-readable, navigable, and publicly accessible. However, the broader digital interaction landscape between providers and national authorities remains uneven across several operational areas.
Registration through the EU database is expected to be an online submission through the Commission's platform. The technical format for electronic instructions for use under Annex VIII has not been fully standardised, and organisations should prepare these in commonly accessible digital formats such as PDF or HTML pending further guidance.
No standardised digital reporting format has been mandated across all member states for post-market monitoring data. Some member states may accept structured digital submissions while others may initially require document-based reporting. Organisations should design their monitoring systems to export data in multiple formats to accommodate this variation.
For serious incident reporting, the European Commission published a draft incident reporting template in September 2025 providing a structured format for Article 73 notifications. Organisations should adopt this template as their baseline, adapting it to any national variations that emerge. For regulatory inspections, market surveillance authorities have the power under Article 74 to request documentation and access logging infrastructure. Organisations should ensure their documentation repositories, monitoring dashboards, and logging systems can be made available on reasonable notice, with a regulatory access profile providing read-only access to required artefacts without exposing commercially sensitive information beyond the regulatory scope.
At least annually, ideally led by an external party unfamiliar with the system's specifics. Results are documented and gaps tracked in the Non-Conformity Register.
The Legal and Regulatory Advisor can engage with inspectors to agree confidentiality protections for information beyond the regulatory scope, but everything within scope must be provided promptly.
Yes. Early proactive engagement builds a constructive relationship and is particularly valuable where authorities are newly established and still developing procedures.