Market surveillance authorities have broad investigative powers under Article 74. Organisations must maintain an inspection-ready posture at all times, with current documentation, accessible evidence, and personnel trained in their inspection roles. Annual rehearsal exercises, pre-configured regulatory access profiles, and proactive authority engagement reduce the risk of inspection failure.
EU AI Act regulatory inspections require organisations to produce documentation, demonstrate system functionality, and provide access to monitoring infrastructure on reasonable notice. Maintaining inspection readiness means keeping the AISDP and evidence pack current, training key personnel in their inspection roles, and pre-configuring regulatory access profiles with read-only access to compliance-relevant systems. Annual rehearsal exercises test the team's ability to respond under realistic conditions, with a 30-minute drill benchmark for producing requested artefacts. During inspections, full cooperation is mandatory with penalties under Article 99 for obstruction. Post-inspection findings enter the Non-Conformity Register for remediation. Proactive engagement with competent authorities before they are needed in a crisis builds a constructive relationship that benefits both parties.
Article 57 requires each member state to establish at least one AI regulatory sandbox by August 2026, providing a controlled environment in which providers can develop, train, validate, and test AI systems under regulatory supervision before placing them on the market. Participation is voluntary but offers significant advantages for organisations developing novel or high-risk systems.
Sandbox participation provides direct regulatory feedback on the system's compliance approach before the , reducing the risk of a failed assessment or post-market enforcement action. It creates a documented track record of regulatory cooperation that strengthens the organisation's credibility with market surveillance authorities. Article 57(8) permits the competent authority to agree on conditions that facilitate innovation. For systems in novel domains where the application of the AI Act's requirements is unclear, sandbox participation can help establish precedent that benefits both the provider and the broader regulatory ecosystem.
Sandbox participation requires dedicated effort and should not be undertaken as a lightweight exercise. The organisation must prepare an application demonstrating the system's intended purpose, risk profile, and development stage. Once admitted, regular reporting to the sandbox supervising authority is expected, including progress updates, test results, and any issues encountered. The time commitment is significant: sandbox programmes typically run for six to twelve months.
Organisations should consider sandbox participation for their highest-risk or most novel systems, where the regulatory uncertainty is greatest and the benefit of direct supervisory feedback is most valuable. Lower-risk systems with well-understood compliance pathways are better served by the standard internal conformity assessment process. The AI Governance Lead should assess the cost-benefit of sandbox participation against the system's risk profile, novelty, and the maturity of the relevant national competent authority.
The EU database is intended as a digital-first platform that is machine-readable, navigable, and publicly accessible. However, the broader digital interaction landscape between providers and national authorities remains uneven across several operational areas.
Registration through the EU database is expected to be an online submission through the Commission's platform. The technical format for electronic instructions for use under Annex VIII has not been fully standardised, and organisations should prepare these in commonly accessible digital formats such as PDF or HTML pending further guidance.
At least annually, ideally led by an external party unfamiliar with the system's specifics. Results are documented and gaps tracked in the Non-Conformity Register.
The Legal and Regulatory Advisor can engage with inspectors to agree confidentiality protections for information beyond the regulatory scope, but everything within scope must be provided promptly.
Yes. Early proactive engagement builds a constructive relationship and is particularly valuable where authorities are newly established and still developing procedures.
Maintain an inspection-ready posture with current documentation, accessible evidence, trained personnel, and pre-configured regulatory access profiles.
Mock inspectors arrive with limited notice, request specific records using regulatory language, ask probing questions, and observe the system in use. The 30-minute drill tests response speed.
Read-only access to the evidence repository, monitoring dashboards, logging infrastructure, model registry, and AISDP documentation, excluding proprietary source code and employee data.
Findings enter the Non-Conformity Register with assigned owners and remediation timelines. Systemic weaknesses are assessed for portfolio-wide impact.
The AI System Assessor integrates sandbox findings and supervisory feedback into the AISDP. Where the competent authority has reviewed and accepted specific aspects of the system's design or compliance approach, the Legal and Regulatory Advisor documents the acceptance as supporting evidence. Sandbox exit reports, where the supervising authority provides a formal summary of the programme's outcomes, are valuable evidence artefacts for the AISDP.
No standardised digital reporting format has been mandated across all member states for post-market monitoring data. Some member states may accept structured digital submissions while others may initially require document-based reporting. Organisations should design their monitoring systems to export data in multiple formats to accommodate this variation.
For serious incident reporting, the European Commission published a draft incident reporting template in September 2025 providing a structured format for Article 73 notifications. Organisations should adopt this template as their baseline, adapting it to any national variations that emerge. For regulatory inspections, market surveillance authorities have the power under Article 74 to request documentation and access logging infrastructure. Organisations should ensure their documentation repositories, monitoring dashboards, and logging systems can be made available on reasonable notice, with a regulatory access profile providing read-only access to required artefacts without exposing commercially sensitive information beyond the regulatory scope.
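The regulatory access profile described above can be checked mechanically before an inspection or rehearsal. The following is an added example, not part of the original article: the profile schema, the resource labels and the `audit_profile` function are assumptions made for illustration, and both sample profiles are constructed.

```python
# Added example: audit a regulatory access profile against the scope the text
# describes (read-only access to five compliance systems, with proprietary
# source code and employee data excluded). Schema and labels are assumptions.

REQUIRED = {"evidence_repository", "monitoring_dashboards",
            "logging_infrastructure", "model_registry", "aisdp_documentation"}
EXCLUDED = {"proprietary_source_code", "employee_data"}
READ_ONLY = {"read", "list"}  # any other action (write, delete, "*") is a finding


def audit_profile(profile):
    """Return sorted findings; an empty list means the profile matches the scope."""
    findings = []
    grants = profile.get("grants", {})
    for resource, actions in grants.items():
        if resource in EXCLUDED:
            findings.append(f"out-of-scope: {resource} is granted")
        elif resource not in REQUIRED:
            findings.append(f"unexpected: {resource} is not in the regulatory scope")
        extra = set(actions) - READ_ONLY
        if extra:
            findings.append(f"not-read-only: {resource} allows {sorted(extra)}")
    # An inspector locked out of a required system is also an inspection failure.
    for resource in sorted(REQUIRED):
        if "read" not in grants.get(resource, []):
            findings.append(f"missing: {resource} has no read access")
    return sorted(findings)


# Constructed sample profiles.
GOOD_PROFILE = {"name": "regulator-readonly",
                "grants": {r: ["read", "list"] for r in REQUIRED}}
BAD_PROFILE = {"name": "regulator-draft", "grants": {
    "evidence_repository": ["read", "write"],   # over-privileged
    "monitoring_dashboards": ["read"],
    "logging_infrastructure": ["list"],         # can list but not read
    "aisdp_documentation": ["read"],
    "employee_data": ["read"],                  # outside the regulatory scope
}}                                              # model_registry is absent

if __name__ == "__main__":
    for p in (GOOD_PROFILE, BAD_PROFILE):
        print(p["name"], audit_profile(p) or "OK")
```

Running the same audit as part of the annual rehearsal catches drift in both directions: permissions that have grown beyond read-only, and required systems the profile can no longer reach.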
CTO of Standard Intelligence. Leads platform engineering and contributes to the PIG series technical content.