Chapter VI — Measures in Support of InnovationArticle 58

Article 58: Detailed Arrangements for and Functioning of AI Regulatory Sandboxes

Applies from 2 Aug 20265 min readEUR-Lex verified Apr 2026

Article 58 sets out the operational rules for AI regulatory sandboxes established under Article 57. Participants must agree to terms including an agreed plan with objectives, fundamental rights safeguards, confidentiality protections, and procedures for exiting the sandbox and transitioning to the market. Supervising authorities monitor testing and may suspend participation if serious risks materialise. The Commission may adopt implementing acts further specifying sandbox procedures.

Start free assessment All articles

Who does this apply to?

-Sandbox participants — providers and prospective providers who have been admitted to an AI regulatory sandbox and must comply with its terms and conditions
-Supervising authorities — national competent authorities or the AI Office operating the sandbox, responsible for oversight and risk monitoring
-The European Commission — which may adopt implementing acts on detailed sandbox procedures and reporting templates

Scenarios

A fintech company enters a sandbox to test a credit-scoring AI. The agreed plan specifies: 6-month testing period, performance metrics for fairness and accuracy, exit criteria requiring a conformity-ready risk file, and a data-processing agreement for the test datasets.

The sandbox plan structures the testing and ensures the company builds its conformity evidence incrementally. The authority can halt testing if discriminatory outcomes exceed agreed thresholds.

Ref. Art. 58(1)

During sandbox testing, an AI system for public transport routing begins producing results that disproportionately disadvantage disabled users. The supervising authority invokes its suspension power and requires the provider to redesign the system before testing can resume.

The authority's ability to suspend protects fundamental rights without terminating the sandbox relationship entirely — the provider can return with a redesigned system.

Ref. Art. 58(2)

What Article 58 requires (in plain terms)

Article 58 translates the sandbox concept from Article 57 into concrete operational requirements. Every sandbox must have:

1. An agreed plan — participants and the supervising authority agree upfront on the sandbox's objectives, testing scope, duration, data to be used, and success/failure criteria. 2. Fundamental rights safeguards — the plan must include appropriate measures to protect fundamental rights of persons affected by the AI system during testing. 3. Confidentiality protections — trade secrets and proprietary information shared during sandbox participation must be protected by the authority. 4. Exit and transition procedures — clear rules on how a participant exits the sandbox (voluntarily or by suspension) and what happens to the testing outputs, especially how they feed into conformity assessment for market placement.

The supervising authority retains power to suspend or terminate participation if risks to health, safety, or fundamental rights materialise during testing that cannot be adequately mitigated.

Commission implementing acts

Article 58 empowers the Commission to adopt implementing acts further detailing sandbox procedures. These may cover:

Templates for sandbox applications and agreed plans
Reporting formats for sandbox outcomes
Common criteria for admission and exit
Procedures for cross-border sandbox cooperation

Monitor the Commission's AI Act implementation page for updates on these implementing acts. Until they are adopted, national competent authorities set their own detailed procedures within the Article 58 framework.

How Article 58 connects to the rest of the Act

Article 57 — establishes the sandbox obligation; Article 58 operationalises it.
Article 59 — special data-processing rules inside sandboxes (the sandbox plan must reference Article 59 where personal data is involved).
Article 60 — real-world testing outside sandboxes (alternative pathway with its own conditions).
Article 76 — confidentiality obligations applicable to sandbox supervisors.
Article 113 — application dates and staged enforcement timeline.

Compliance checklist

Negotiate and document an agreed sandbox plan with the supervising authority before commencing any testing — cover objectives, scope, data, duration, and success criteria.
Include explicit fundamental rights safeguards in the sandbox plan, especially if the AI system affects vulnerable groups or processes biometric or sensitive data.
Establish confidentiality agreements with the supervising authority to protect trade secrets and proprietary model details shared during sandbox participation.
Define clear exit criteria and a transition plan: what documentation must be ready, what test results feed into conformity assessment, and what happens to test data upon exit.
Prepare for possible suspension — build your testing plan so that intermediate results are documented and the system can be safely halted at any point.
Monitor for Commission implementing acts that may standardise sandbox procedures and reporting formats across Member States.
Maintain detailed records of all sandbox interactions, authority guidance, and test outcomes for your conformity file.

Read the official text on EUR-Lex

Preparing for a sandbox? Assess your AI system's compliance readiness first.

Start Free Assessment

Article 57: AI Regulatory Sandboxes

Article 59: Further Processing of Personal Data for Developing Certain AI Systems in the Public Interest in the AI Regulatory Sandbox

Article 60: Testing of High-Risk AI Systems in Real-World Conditions Outside AI Regulatory Sandboxes

Article 113: Entry into Force and Application Dates

Frequently asked questions

What happens to my test data and results if the sandbox is suspended?

Article 58 requires exit procedures to be part of the agreed plan. If participation is suspended, the plan should specify whether data must be deleted, returned, or retained under specific conditions. Personal data processing is also subject to Article 59 and GDPR requirements.

Can sandbox outcomes serve as evidence for conformity assessment?

Yes. Testing results, authority feedback, and risk assessments developed during sandbox participation can form part of your technical documentation under Article 11 and Annex IV. This is one of the key practical benefits of sandbox participation.

Are sandbox terms the same across all Member States?

Not necessarily. Until the Commission adopts implementing acts harmonising procedures, each Member State may set its own detailed terms within the Article 58 framework. Cross-border coordination is encouraged but not yet standardised.

On this page

Key terms

Agreed plan: The documented agreement between a sandbox participant and the supervising authority that specifies the objectives, scope, duration, data usage, safeguards, and exit criteria for sandbox participation.
Exit criteria: Pre-defined conditions under which a participant leaves the sandbox — either successfully (with outputs feeding into conformity assessment) or by suspension (if risks materialise that cannot be mitigated).
Implementing acts: Legally binding measures adopted by the Commission to specify uniform conditions for the implementation of EU legislation — here, potentially standardising sandbox procedures across Member States.

At a glance

Article: 58
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now