Regulatory Sandbox Notification is the formal administrative procedure by which a provider or prospective provider informs a National Competent Authority that a specific AI system will undergo development, testing, and validation within a supervised regulatory sandbox environment. This notification serves as a prerequisite for accessing the sandbox's controlled conditions, where certain standard registration and conformity assessment requirements may be temporarily modified or waived under the direct supervision of the competent authority.
Glossary
Regulatory Sandbox Notification

What is Regulatory Sandbox Notification?
The formal process of informing a National Competent Authority that an AI system is being tested under a controlled regulatory sandbox, often with modified registration requirements.
The notification dossier typically includes a detailed Intended Purpose Declaration, a description of the testing plan, and a preliminary risk assessment. Unlike a full EU AI Act Database registration, the sandbox notification establishes a temporary legal safe harbor, allowing innovators to validate high-risk systems under real-world conditions without immediate full compliance. The competent authority uses this notification to define the sandbox plan's specific parameters, exit criteria, and the applicable supervisory modalities.
Key Features of a Sandbox Notification
A formal declaration to a National Competent Authority enabling supervised testing of an AI system under a modified legal framework. The notification triggers specific derogations from standard registration requirements while maintaining a controlled environment for innovation.
Modified Registration Requirements
The sandbox notification activates a derogation from full pre-market registration. Instead of submitting the complete Technical Documentation File, providers file a sandbox-specific plan outlining:
- The testing scope and duration
- The specific regulatory provisions being derogated
- The risk mitigation measures in place
This allows for iterative development without triggering the full conformity assessment process under the EU AI Act.
Competent Authority Oversight
The notification is submitted to the National Competent Authority (NCA) of the member state where the sandbox operates. The NCA:
- Reviews the sandbox plan for completeness
- Issues written guidance on regulatory expectations
- Monitors testing activities for compliance with the agreed scope
This creates a supervised learning loop where regulators provide real-time feedback before market entry.
Time-Bound Authorization
A sandbox notification is not an indefinite license. It specifies a fixed duration aligned with the testing phase. Key temporal constraints include:
- A defined start and end date for the sandbox period
- An exit plan detailing transition to full registration
- A requirement to notify the NCA of any substantial modification during testing
Upon expiration, the provider must either pursue full registration or cease operations.
Liability and Safeguard Provisions
The notification does not exempt providers from liability. The sandbox framework requires:
- Mandatory safeguards to protect fundamental rights
- Clear informed consent from sandbox participants
- A residual risk disclosure specific to the testing environment
Any serious incident occurring during the sandbox phase must be reported through the incident reporting linkage tied to the provisional registration ID.
Cross-Border Recognition
A sandbox notification approved in one EU member state can facilitate cross-border testing under mutual recognition principles. This requires:
- Coordination between the home NCA and host member states
- Adherence to the harmonized standard for sandbox operations
- A unified Unique Registration ID for traceability across jurisdictions
This mechanism prevents regulatory fragmentation while allowing localized supervision.
Transition to Full Registration
The sandbox notification serves as a precursor to formal registration. The exit process mandates:
- Compilation of a complete Technical Documentation File incorporating sandbox learnings
- A finalized Declaration of Conformity based on validated performance data
- Submission to the EU AI Act Database for a permanent Unique Registration ID
The sandbox phase effectively acts as a pre-market authorization proving ground.
Frequently Asked Questions
Clarifying the formal process and legal implications of notifying National Competent Authorities when testing high-risk AI systems under controlled regulatory sandbox conditions.
A Regulatory Sandbox Notification is the formal legal process by which a prospective AI provider or authorized representative informs a National Competent Authority (NCA) of their intent to develop, test, and validate an innovative AI system within a controlled regulatory environment. This notification serves as a structured entry point that temporarily modifies standard Conformity Assessment and registration requirements, allowing supervised experimentation under a specific sandbox plan. The notification must include a detailed description of the planned testing activities, the expected duration, and the specific regulatory flexibilities being requested. Crucially, this process does not exempt the provider from liability for harm caused to third parties; it merely provides a supervised space to gather evidence for future compliance under the EU AI Act.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the interconnected legal and technical concepts that govern how AI systems are tested, registered, and monitored under the EU AI Act.
EU AI Act Database
The centralized European Commission repository where providers and deployers must register high-risk AI systems before market placement. This database serves as the single source of truth for regulatory oversight, linking each system to its Unique Registration ID, conformity documentation, and incident reports. Registration is a legal prerequisite, not an optional step.
Substantial Modification
A change to an AI system's intended purpose or performance that triggers a new conformity assessment. This is not a minor update; it fundamentally alters the system's risk profile. Key triggers include:
- Expanding the target user base to vulnerable populations
- Modifying the core algorithmic logic
- Changing the operational context in ways that introduce new hazards Such a modification legally resets the registration clock.
Post-Market Monitoring
The continuous, systematic process by which providers collect and analyze real-world performance data after registration. This is a dynamic obligation, requiring providers to feed operational insights back into their risk management files. The documented plan must be included in the Technical Documentation File and is critical for detecting emergent biases or safety issues that were not visible during sandbox testing.
National Competent Authority
The designated public authority within an EU member state responsible for supervising AI registration and enforcement. This is the primary entity to which a Regulatory Sandbox Notification is submitted. The NCA acts as the gatekeeper for sandbox participation, granting supervised testing privileges and providing regulatory guidance before formal market entry procedures begin.
Incident Reporting Linkage
The technical mechanism connecting a registered AI system's Unique Registration ID to a mandatory incident portal. If a serious incident or malfunction occurs—whether during sandbox testing or post-market operation—providers must file a report. This linkage ensures that the system's compliance history is dynamically updated, allowing regulators to correlate sandbox findings with real-world safety events.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us