Table of contents

Chapter 1: Classification of AI Systems as High-Risk

Article 6: Classification Rules for High-Risk AI Systems

Article 7: Amendments to Annex III

Chapter 2: Requirements for High-Risk AI Systems

Article 8: Compliance with the Requirements

Article 9: Risk Management System

Article 10: Data and Data Governance

Article 11: Technical Documentation

Article 12: Record-Keeping

Article 13: Transparency and Provision of Information to Deployers

Article 14: Human Oversight

Article 15: Accuracy, Robustness and Cybersecurity

Chapter 3: Obligations of Providers and Deployers of High-Risk AI Systems and Other Parties

Article 16: Obligations of Providers of High-Risk AI Systems

Article 17: Quality Management System

Article 18: Documentation Keeping

Article 20: Automatically Generated Logs

Article 21: Corrective Actions and Duty of Information

Article 23: Cooperation with Competent Authorities

Article 25: Authorised Representatives

Article 26: Obligations of Importers

Article 27: Obligations of Distributors

Article 28: Responsibilities Along the AI Value Chain

Article 29: Obligations of Deployers of High-Risk AI Systems

Chapter 4: Notifying Authorities and Notified Bodies

Article 30: Notifying Authorities

Article 31: Application of a Conformity Assessment Body for Notification

Article 32: Notification Procedure

Article 33: Requirements Relating to Notified Bodies

Article 33a: Presumption of Conformity with Requirements Relating to Notified Bodies

Article 34: Subsidiaries of and Subcontracting by Notified Bodies

Article 34a: Operational Obligations of Notified Bodies

Article 35: Identification Numbers and Lists of Notified Bodies Designated Under this Regulation

Article 36: Changes to Notifications

Article 37: Challenge to the Competence of Notified Bodies

Article 38: Coordination of Notified Bodies

Article 39: Conformity Assessment Bodies of Third Countries

Chapter 5: Standards, Conformity Assessment, Certificates, Registration

Article 40: Harmonised Standards and Standardisation Deliverables

Article 41: Common Specifications

Article 42: Presumption of Conformity with Certain Requirements

Article 43: Conformity Assessment

Article 44: Certificates

Article 46: Information Obligations of Notified Bodies

Article 47: Derogation from Conformity Assessment Procedure

Article 48: EU Declaration of Conformity

Article 49: CE Marking of Conformity

Article 51: Registration

Chapter 1: Post-Market Monitoring

Article 61: Post-Market Monitoring by Providers and Post-Market Monitoring Plan for High-Risk AI Systems

Chapter 2: Sharing of Information on Serious Incidents

Article 62: Reporting of Serious Incidents

Chapter 3: Enforcement

Article 63: Market Surveillance and Control of AI Systems in the Union Market

Article 63a: Mutual Assistance, Market Surveillance and Control of General Purpose AI Systems

Article 63b: Supervision of Testing in Real World Conditions by Market Surveillance Authorities

Article 64: Powers of Authorities Protecting Fundamental Rights

Article 65: Procedure for Dealing with AI Systems Presenting a Risk at National Level

Article 65a: Procedure for Dealing with AI Systems Classified by the Provider as a Not High-Risk in Application of Annex III

Article 66: Union Safeguard Procedure

Article 67: Compliant AI Systems Which Present a Risk

Article 68: Formal Non-Compliance

Article 68a: EU AI Testing Support Structures in the Area of Artificial Intelligence

Chapter 3b: Remedies

Article 68a(1): Right to Lodge a Complaint with a Market Surveillance Authority

Article 68c: A Right to Explanation of Individual Decision-Making

Article 68d: Amendment to Directive (EU) 2020/1828

Article 68e: Reporting of Breaches and Protection of Reporting Persons

Chapter 3c: Supervision, Investigation, Enforcement and Monitoring in Respect of Providers of General Purpose AI Models

Article 68f: Enforcement of Obligations on Providers of General Purpose AI Models

Article 68g : Monitoring Actions

Article 68h: Alerts of Systemic Risks by the Scientific Panel

Article 68i: Power to Request Documentation and Information

Article 68j: Power to Conduct Evaluations

Article 68k: Power to Request Measures

Article 68m: Procedural Rights of Economic Operators of the General Purpose AI Model

Article 53: AI Regulatory Sandboxes

1. Member States shall ensure that their competent authorities establish at least one AI regulatory sandbox at national level, which shall be operational 24 months after entry into force. This sandbox may also be established jointly with one or several other Member States’ competent authorities. The Commission may provide technical support, advice and tools for the establishment and operation of AI regulatory sandboxes. The obligation established in previous paragraph can also be fulfilled by participation in an existing sandbox insofar as this participation provides equivalent level of national coverage for the participating Member States.

1a. Additional AI regulatory sandboxes at regional or local levels or jointly with other Member States’ competent authorities may also be established.

1b. The European Data Protection Supervisor may also establish an AI regulatory sandbox for the EU institutions, bodies and agencies and exercise the roles and the tasks of national competent authorities in accordance with this chapter.

1c. Member States shall ensure that competent authorities referred to in paragraphs 1 and 1a allocate sufficient resources to comply with this Article effectively and in a timely manner. Where appropriate, national competent authorities shall cooperate with other relevant authorities and may allow for the involvement of other actors within the AI ecosystem. This Article shall not affect other regulatory sandboxes established under national or Union law. Member States shall ensure an appropriate level of cooperation between the authorities supervising those other sandboxes and the national competent authorities.

1d. AI regulatory sandboxes established under Article 53(1) of this Regulation shall, in accordance with Articles 53 and 53a, provide for a controlled environment that fosters innovation and facilitates the development, training, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific sandbox plan agreed between the prospective providers and the competent authority. Such regulatory sandboxes may include testing in real world conditions supervised in the sandbox.

1e. Competent authorities shall provide, as appropriate, guidance, supervision and support within the sandbox with a view to identifying risks, in particular to fundamental rights, health and safety, testing, mitigation measures, and their effectiveness in relation to the obligations and requirements of this Regulation and, where relevant, other Union and Member States legislation supervised within the sandbox.

1f. Competent authorities shall provide providers and prospective providers with guidance on regulatory expectations and how to fulfil the requirements and obligations set out in this Regulation. Upon request of the provider or prospective provider of the AI system, the competent authority shall provide a written proof of the activities successfully carried out in the sandbox. The competent authority shall also provide an exit report detailing the activities carried out in the sandbox and the related results and learning outcomes. Providers may use such documentation to demonstrate the compliance with this Regulation through the conformity assessment process or relevant market surveillance activities. In this regard, the exit reports and the written proof provided by the national competent authority shall be taken positively into account by market surveillance authorities and notified bodies, with a view to accelerate conformity assessment procedures to a reasonable extent. 1fa Subject to the confidentiality provisions in Article 70 and with the agreement of the sandbox provider/prospective provider, the European Commission and the Board shall be authorised to access the exit reports and shall take them into account, as appropriate, when exercising their tasks under this Regulation. If both provider and prospective provider and the national competent authority explicitly agree to this, the exit report can be made publicly available through the single information platform referred to in this article.

1g. The establishment of AI regulatory sandboxes shall aim to contribute to the following objectives:

a) improve legal certainty to achieve regulatory compliance with this Regulation or, where relevant, other applicable Union and Member States legislation;

b) support the sharing of best practices through cooperation with the authorities involved in the AI regulatory sandbox;

c) foster innovation and competitiveness and facilitate the development of an AI ecosystem;

d) contribute to evidence-based regulatory learning;

e) facilitate and accelerate access to the Union market for AI systems, in particular when provided by small and medium-sized enterprises (SMEs), including start-ups.

2. National competent authorities shall ensure that, to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities, and those other national authorities are associated to the operation of the AI regulatory sandbox and involved in the supervision of those aspects to the extent of their respective tasks and powers, as applicable.

3. The AI regulatory sandboxes shall not affect the supervisory and corrective powers of the competent authorities supervising the sandboxes, including at regional or local level. Any significant risks to health and safety and fundamental rights identified during the development and testing of such AI systems shall result in an adequate mitigation. National competent authorities shall have the power to temporarily or permanently suspend the testing process, or participation in the sandbox if no effective mitigation is possible and inform the AI Office of such decision. National competent authorities shall exercise their supervisory powers within the limits of the relevant legislation, using their discretionary powers when implementing legal provisions to a specific AI sandbox project, with the objective of supporting innovation in AI in the Union.

4. Providers and prospective providers in the AI regulatory sandbox shall remain liable under applicable Union and Member States liability legislation for any damage inflicted on third parties as a result of the experimentation taking place in the sandbox. However, provided that the prospective provider(s) respect the specific plan and the terms and conditions for their participation and follow in good faith the guidance given by the national competent authority, no administrative fines shall be imposed by the authorities for infringements of this Regulation. To the extent that other competent authorities responsible for other Union and Member States’ legislation have been actively involved in the supervision of the AI system in the sandbox and have provided guidance for compliance, no administrative fines shall be imposed regarding that legislation.

4b. The AI regulatory sandboxes shall be designed and implemented in such a way that, where relevant, they facilitate cross-border cooperation between national competent authorities.

5. National competent authorities shall coordinate their activities and cooperate within the framework of the Board.

5a. National competent authorities shall inform the AI Office and the Board of the establishment of a sandbox and may ask for support and guidance. A list of planned and existing AI sandboxes shall be made publicly available by the AI Office and kept up to date in order to encourage more interaction in the regulatory sandboxes and cross-border cooperation.

5b. National competent authorities shall submit to the AI Office and to the Board, annual reports, starting one year after the establishment of the AI regulatory sandbox and then every year until its termination and a final report. Those reports shall provide information on the progress and results of the implementation of those sandboxes, including best practices, incidents, lessons learnt and recommendations on their setup and, where relevant, on the application and possible revision of this Regulation, including its delegated and implementing acts, and other Union law supervised within the sandbox. Those annual reports or abstracts thereof shall be made available to the public, online. The Commission shall, where appropriate, take the annual reports into account when exercising their tasks under this Regulation.

6. The Commission shall develop a single and dedicated interface containing all relevant information related to sandboxes to allow stakeholders to interact with regulatory sandboxes and to raise enquiries with competent authorities, and to seek non-binding guidance on the conformity of innovative products, services, business models embedding AI technologies, in accordance with Article 55(1)(c). The Commission shall proactively coordinate with national competent authorities, where relevant. Article 53A Modalities and functioning of AI regulatory sandboxes In order to avoid fragmentation across the Union, the Commission shall adopt a an implementing act detailing the modalities for the establishment, development, implementation, operation and supervision of the AI regulatory sandboxes. The implementing act shall include common principles on the following issues:

a) eligibility and selection for participation in the AI regulatory sandbox;

b) procedure for the application, participation, monitoring, exiting from and termination of the AI regulatory sandbox, including the sandbox plan and the exit report;

c) the terms and conditions applicable to the participants. The implementing acts shall ensure that:

a) regulatory sandboxes are open to any applying prospective provider of an AI system who fulfils eligibility and selection criteria. The criteria for accessing to the regulatory sandbox are transparent and fair and establishing authorities inform applicants of their decision within 3 months of the application;

b) regulatory sandboxes allow broad and equal access and keep up with demand for participation; prospective providers may also submit applications in partnerships with users and other relevant third parties;

c) the modalities and conditions concerning regulatory sandboxes shall to the best extent possible support flexibility for national competent authorities to establish and operate their AI regulatory sandboxes;

d) access to the AI regulatory sandboxes is free of charge for SMEs and start-ups without prejudice to exceptional costs that national competent authorities may recover in a fair and proportionate manner;

e) they facilitate prospective providers, by means of the learning outcomes of the sandboxes, to conduct the conformity assessment obligations of this Regulation or the voluntary application of the codes of conduct referred to in Article 69;

f) regulatory sandboxes facilitate the involvement of other relevant actors within the AI ecosystem, such as notified bodies and standardisation organisations (SMEs, start-ups, enterprises, innovators, testing and experimentation facilities, research and experimentation labs and digital innovation hubs, centers of excellence, individual researchers), in order to allow and facilitate cooperation with the public and private sector;

g) procedures, processes and administrative requirements for application, selection, participation and exiting the sandbox are simple, easily intelligible, clearly communicated in order to facilitate the participation of SMEs and start-ups with limited legal and administrative capacities and are streamlined across the Union, in order to avoid fragmentation and that participation in a regulatory sandbox established by a Member State, or by the EDPS is mutually and uniformly recognised and carries the same legal effects across the Union;

h) participation in the AI regulatory sandbox is limited to a period that is appropriate to the complexity and scale of the project. This period may be extended by the national competent authority;

i) the sandboxes shall facilitate the development of tools and infrastructure for testing, benchmarking, assessing and explaining dimensions of AI systems relevant for regulatory learning , such as accuracy, robustness and cybersecurity as well as measures to mitigate risks to fundamental rights,[environment] and the society at large.

3. Prospective providers in the sandboxes, in particular SMEs and start-ups, shall be directed, where relevant, to pre-deployment services such as guidance on the implementation of this Regulation, to other value-adding services such as help with standardisation documents and certification, Testing & Experimentation Facilities, Digital Hubs, Centres of Excellence, and [EU benchmarking capabilities].

4. When national competent authorities consider authorising testing in real world conditions supervised within the framework of an AI regulatory sandbox established under this Article, they shall specifically agree with the participants on the terms and conditions of such testing and in particular on the appropriate safeguards with the view to protect fundamental rights, health and safety. Where appropriate, they shall cooperate with other national competent authorities with a view to ensure consistent practices across the Union.