EU AI Act Art.77: Supervision of Scientific Research AI Testing Outside Sandboxes — Ethics Committees, GDPR Art.89, and CLOUD Act Risk (2026)
EU AI Act Article 77 completes the Chapter VIII testing supervision framework by addressing the one testing pathway that Art.76 deliberately excludes: AI testing conducted for genuine scientific research purposes. Where Art.76 governs commercial real-world testing under Art.58, Art.77 calibrates supervisory intensity to the specific characteristics of scientific research — ethics committee oversight, publication obligations, and the GDPR Art.89 research exception — without eliminating market surveillance authority engagement entirely.
The distinction between Art.77 and Art.76 is not merely procedural — it reflects a deliberate policy choice to avoid chilling legitimate AI research. Research institutions, universities, public research centres, and research organisations operating under recognised governance frameworks face a lighter-touch regulatory burden than commercial providers conducting pre-market validation testing. The trade-off is explicit: Art.77 protection is conditional on bona fide research intent, independent ethics oversight, and a genuine commitment to public dissemination of results.
For developers and compliance teams in research-adjacent organisations, Art.77 presents both an opportunity and a trap. The registration-not-approval model is genuinely lighter than Art.76. But the conditions that must be satisfied — and the consequences of failing to satisfy them retroactively — mean that treating Art.77 as a blanket exemption from AI Act supervision is a compliance risk.
Art.77 in the Post-Deployment Enforcement Architecture
Art.77 sits in Chapter VIII alongside Art.72-76, closing the testing pathway matrix for all real-world AI testing that occurs outside AI regulatory sandboxes:
| Article | Role | Art.77 Interface |
|---|---|---|
| Art.57 | AI regulatory sandboxes | Art.57 sandbox testing operates under NCA cooperative oversight — Art.77 is irrelevant for sandbox-internal testing |
| Art.58 | Real-world testing rights | Art.58 grants testing rights; Art.76 governs MSA supervision of Art.58 commercial testing; Art.77 governs MSA supervision of scientific research conducted without Art.58 commercial testing plan |
| Art.72 | Post-market monitoring | Art.77 research results may contribute to Art.72 PMM datasets when the tested system is later deployed commercially |
| Art.74 | Market surveillance powers | Art.74 investigative powers remain fully available to MSAs for Art.77 research testing — Art.77 affects when and how they are exercised, not whether they exist |
| Art.76 | Commercial real-world testing | The boundary between Art.76 and Art.77 is the primary compliance determination — research institutions that fail the Art.77(1) conditions are subject to Art.76 obligations |
| Art.77 | Scientific research testing | This guide |
| Art.79 | Penalties | Art.77 notification failures and misuse of the research exception are sanctionable under Art.79 |
Art.77(1): Scope — What Constitutes Scientific Research Testing
Art.77(1) defines the boundary of the scientific research exception with five cumulative conditions. All five must be satisfied simultaneously for Art.77 to apply:
Condition 1: Primary purpose is scientific knowledge generation
The testing must primarily generate new scientific knowledge — not validate a commercial product before market entry. This is the central condition and the most frequently contested. Indicators that the primary purpose is commercial:
- The tested system is a product in development by a for-profit entity
- The testing methodology is designed to demonstrate performance claims rather than investigate research questions
- Results are shared exclusively with a commercial partner rather than published
- The research timeline tracks commercial release dates rather than academic publication cycles
Condition 2: Conducted by or under a recognised research institution
Art.77(1) requires institutional affiliation — individual researchers acting outside recognised institutions do not qualify. Recognised research institutions include:
- Universities and university hospitals
- Public research centres operating under national or EU research mandates
- Research organisations formally recognised under national R&D policy frameworks
- Research institutes within international organisations (CERN, EMBL, etc.)
Private research labs affiliated with commercial entities may qualify only where their research governance is structurally independent of commercial operations.
Condition 3: Independent ethics oversight
The research must be subject to independent ethics committee (EC) or institutional review board (IRB) review that is appropriate to the sector and jurisdiction. Art.77(1) does not create a new AI-specific ethics structure — it integrates with existing research ethics governance:
| Sector | Ethics Body |
|---|---|
| Clinical and biomedical AI | National ethics committee + institutional IRB |
| Social science AI | Institutional review board or equivalent |
| Public sector AI research | Data ethics board or government ethics committee |
| General academic AI research | University research ethics committee |
| EU Horizon-funded research | European Research Council ethics review |
Condition 4: Results intended for publication or public dissemination
The research outputs must be committed to entering the scientific public record. Internal reports, confidential deliverables, and results shared exclusively with commercial sponsors do not satisfy this condition. See Art.77(5) for the full publication requirement framework.
Condition 5: AI system tested as a subject of investigation, not as an operational service
The AI system must be the object of scientific investigation during the testing period — not deployed to provide live operational services to users. A research team that evaluates how an AI decision-support system performs under controlled research conditions satisfies this condition. A research team that deploys a system to provide actual medical diagnoses or credit decisions to participants during the "research" does not.
Art.77(2): MSA Registration Obligation
Art.77(2) requires research institutions to notify the competent market surveillance authority before commencing testing. The critical legal distinction from Art.76(2) commercial notification: Art.77(2) is a registration requirement, not an approval mechanism.
What "registration" means in practice. The MSA:
- Does not issue an approval, clearance, or authorisation in response to an Art.77(2) registration
- Does not need to respond at all before testing commences (absence of response ≠ denial)
- Uses the registration as a record that enables ex-post oversight if concerns arise
- May contact the institution after receiving the registration if eligibility questions arise under Art.77(1)
What the Art.77(2) registration must contain:
- Institution name, registration number, and contact details (principal investigator)
- Research title and primary scientific question
- Description of the AI system under investigation (including Annex III high-risk category, if applicable)
- Testing scope: locations, duration, and number and description of participants
- Ethics committee name, approval reference number, and date of approval
- GDPR legal basis for data processing and applicable Art.89 safeguards
- Publication commitment: intended venue, type, and anticipated timeline
Timing. Registration must be submitted before testing commences. Retrospective registration after testing begins loses Art.77 protection — the MSA may treat unregistered testing as Art.76 commercial testing and apply full Art.76(2) obligations retroactively.
Multi-Member-State research. Where scientific research testing spans multiple EU member states, Art.77(2) registration must be filed with the competent MSA in each member state where testing occurs. There is no "lead MSA" consolidation mechanism for research testing equivalent to Art.76(4) commercial testing. However, research institutions may coordinate with all relevant MSAs simultaneously using the same registration documentation package.
Art.77(3): Ethics Committee Integration
Art.77(3) makes independent ethics committee oversight a formal element of the Art.77 supervisory framework — not merely good research practice but a condition for maintaining Art.77 protection.
The delegation of pre-testing oversight. For commercial testing under Art.76, pre-testing oversight falls primarily on the MSA: it receives the Art.76(2) notification, may impose conditions, and can trigger Art.76(3) suspension before testing starts. Under Art.77, this pre-testing oversight function is effectively delegated to the ethics committee. The ethics committee:
- Assesses participant protection before testing commences — covering participant consent procedures, data minimisation, benefit-risk ratio, and vulnerable group protections (mirroring what Art.76(5) requires the provider to document for MSA review)
- Provides ongoing monitoring during testing — many ethics committees require progress reports and may suspend research if concerns arise, mirroring Art.76(3) suspension powers through the research governance channel
- Generates compliance documentation — ethics committee decisions, conditions, and monitoring correspondence form part of the Art.77 compliance record available to the MSA on request
When ethics oversight is insufficient for Art.77 compliance:
- The AI system poses risks to physical safety beyond what a research ethics committee is equipped to assess (e.g., autonomous system testing in physical environments)
- The research involves Annex III high-risk AI in a safety-critical sector not typically within academic IRB competence (aviation, critical infrastructure, law enforcement)
- The ethics committee itself identifies risks beyond its competence and refers the matter to regulatory oversight
In these circumstances, Art.77(3) provides a pathway for research teams to seek informal pre-registration guidance from the MSA — a voluntary pre-clearance mechanism that Art.76 does not offer for commercial testing.
Art.77(4): GDPR Art.89 Scientific Research Interaction
Art.77(4) specifically addresses the intersection between Art.77 supervisory oversight and the GDPR's scientific research exception under Art.89 GDPR. Most AI research testing involves personal data processing — Art.77(4) specifies which GDPR Art.89 safeguards must be in place for the data processing to be compliant within the Art.77 framework.
Required Art.89 GDPR safeguards under Art.77(4):
| Safeguard | Implementation |
|---|---|
| Pseudonymisation | Participant data pseudonymised as early as technically feasible |
| Data minimisation | Only data strictly necessary for research purpose collected |
| Access controls | Strict controls prevent access to identified data unless scientifically required |
| Subject rights management | Research exemptions from Art.15–22 GDPR documented and applied proportionately |
| Retention limitation | Data not retained beyond research completion requirements |
| Ethics committee review of data processing | Data handling reviewed as part of ethics committee approval |
Art.89(2) exemptions available to research testing. Member states may exempt certain GDPR data subject rights for scientific research, which can reduce the compliance burden for Art.77 testing:
| GDPR Right | Art.89(2) Exemption? | Condition |
|---|---|---|
| Art.15 — Access | Possible | Only if exercising access right would seriously impair research objectives |
| Art.16 — Rectification | Possible | Only if processing correct data is required for research validity |
| Art.17 — Erasure | Possible | Cannot erase data that would invalidate completed research |
| Art.18 — Restriction | Possible | Restriction would prevent legitimate research completion |
| Art.21 — Objection | Possible | Compelling legitimate research grounds override individual objection |
What Art.77(4) does not permit. The research exception has hard limits that cannot be overridden by Art.89:
- Purpose limitation remains: Research testing data cannot be repurposed for commercial development without a new legal basis and fresh consent
- Special categories remain restricted: GDPR Art.9 data (biometric, health, political opinion) requires explicit consent or applicable national law derogation even for scientific research
- AI-generated inferences are personal data: Inferences generated by the tested AI system about participants cannot be retained or used commercially after research concludes
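The Art.89 safeguards table above lists pseudonymisation, data minimisation, access controls and retention limitation as requirements but does not show how a research data pipeline enforces them. The following is an added example, not code from the page or from sota.io: it applies a keyed pseudonym (HMAC, with the key held by a data custodian and never stored with the research copy), strips every field the stated research question does not need, restricts reads to named roles, and purges records, including the AI-generated inferences the page says cannot be retained after the research concludes, once the retention deadline passes. The participant records, the custodian key, the field allowlist and the role names are all constructed for the example.

```python
"""Added example: GDPR Art.89 safeguards applied to an Art.77 research dataset."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data minimisation: only the fields the research question needs survive ingestion.
# (Allowlist is constructed for this example.)
RESEARCH_FIELDS = frozenset({"age_band", "diagnosis_code", "model_output"})

# Direct identifiers that must never reach the research copy.
DIRECT_IDENTIFIERS = frozenset({"participant_id", "name", "email"})


def pseudonymise(participant_id: str, key: bytes) -> str:
    """Keyed hash: without the custodian's key a pseudonym cannot be linked back."""
    digest = hmac.new(key, participant_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def minimise(raw: dict, key: bytes) -> dict:
    """Keep only research fields and replace the identifier with a pseudonym."""
    record = {k: v for k, v in raw.items() if k in RESEARCH_FIELDS}
    record["pseudonym"] = pseudonymise(raw["participant_id"], key)
    # Defensive check: no direct identifier may leak into the research copy.
    assert not (record.keys() & DIRECT_IDENTIFIERS)
    return record


@dataclass
class ResearchDataStore:
    """Holds only pseudonymised, minimised records plus the retention deadline."""
    research_end: date
    retention_days: int
    records: list[dict] = field(default_factory=list)

    def ingest(self, raw: dict, key: bytes) -> dict:
        record = minimise(raw, key)
        self.records.append(record)
        return record

    def retention_deadline(self) -> date:
        return self.research_end + timedelta(days=self.retention_days)

    def read(self, role: str) -> list[dict]:
        """Access control: only research roles see the (pseudonymised) data."""
        if role not in ("researcher", "data_custodian"):
            raise PermissionError(f"role {role!r} has no access to research data")
        return [dict(r) for r in self.records]

    def purge_if_expired(self, today: date) -> int:
        """Retention limitation: drop records (and the AI inferences they carry)
        once the deadline has passed. Returns the number of records purged."""
        if today <= self.retention_deadline():
            return 0
        purged = len(self.records)
        self.records.clear()
        return purged


# Constructed sample input (not real participants). The key is generated per study
# and held by the data custodian, never alongside the research copy.
CUSTODIAN_KEY = b"constructed-demo-key-do-not-reuse"
RAW_RECORDS = [
    {"participant_id": "P-001", "name": "A. Example", "email": "a@example.org",
     "age_band": "40-49", "diagnosis_code": "I10", "free_text_notes": "(dropped)",
     "model_output": "hypertension (0.87)"},
    {"participant_id": "P-002", "name": "B. Example", "email": "b@example.org",
     "age_band": "60-69", "diagnosis_code": "E11", "free_text_notes": "(dropped)",
     "model_output": "type 2 diabetes (0.91)"},
]


def build_store() -> ResearchDataStore:
    """Ingest the constructed records into a store with a 365-day post-research retention."""
    store = ResearchDataStore(research_end=date(2026, 11, 30), retention_days=365)
    for raw in RAW_RECORDS:
        store.ingest(raw, CUSTODIAN_KEY)
    return store


if __name__ == "__main__":
    store = build_store()
    for row in store.read("researcher"):
        print(row)
    print("purged:", store.purge_if_expired(date(2028, 1, 1)))
```

The pseudonym is derived with HMAC rather than a plain hash so that a party holding only the research copy cannot recompute pseudonyms from guessed participant IDs; re-identification, where scientifically required, stays with whoever holds the key, which is the separation the access-controls row of the table asks for.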
Art.77(5): Publication and Transparency Requirements
Art.77(5) makes public dissemination of research results a condition of the Art.77 exception — not merely an aspiration. Research that begins under Art.77 but subsequently withholds or commercialises all results without publication falls outside the Art.77 exception retroactively.
What counts as publication under Art.77(5):
| Dissemination Type | Satisfies Art.77(5)? | Notes |
|---|---|---|
| Peer-reviewed journal article | Yes | Standard academic publication channel |
| Conference paper (peer-reviewed proceedings) | Yes | Peer-reviewed conference proceedings sufficient |
| Preprint (arXiv, SSRN, medRxiv) | Yes | Counts even before formal peer review |
| Technical report (publicly accessible) | Yes | Must be accessible without restriction |
| EU Horizon project public deliverable | Yes | Public research deliverables fully satisfy Art.77(5) |
| Internal confidential report | No | Confidential reports do not satisfy Art.77(5) |
| Patent filing alone | No | Patent protects commercial exploitation, not scientific dissemination |
| Press release without underlying data | No | Media coverage without scientific content insufficient |
Embargo periods. Art.77(5) does not prohibit publication embargoes for patent protection or commercial partner coordination. However:
- Embargoes are permissible only for a defined and reasonable period
- Embargoes that convert to permanent non-disclosure retroactively void the Art.77 exception
- Horizon Europe Open Access mandates typically require publication within 6 months — Art.77(5) and Horizon mandates are compatible
- An embargo period exceeding 24 months is a significant Art.77(5) compliance risk
Pre-registration (recommended). Art.77(5) encourages but does not mandate pre-registration of research hypotheses and protocols. Pre-registration strengthens Art.77(1) bona fide research intent evidence and reduces the risk of outcome-reporting bias challenges during MSA review.
Art.77(6): MSA Supervisory Powers for Research Testing
Art.77(6) preserves full MSA supervisory authority over scientific research testing — it calibrates when and how that authority is exercised, not whether it exists. The MSA retains all Art.74 investigative powers for Art.77 testing; the difference is that it applies them ex-post and proportionately rather than in the ex-ante surveillance posture of Art.76.
MSA Art.77(6) oversight triggers:
| Trigger | MSA Response |
|---|---|
| Registration review reveals Art.77(1) eligibility concerns | MSA contacts institution for evidence of genuine research purpose |
| Third-party complaint about research testing harms | MSA Art.74 investigation — may suspend under emergency powers |
| Ethics committee refers matter to regulatory authority | MSA assumes Art.76-equivalent oversight for affected testing phase |
| Serious incident involving research participant | MSA may suspend under Art.74(9) emergency powers |
| Post-testing review shows commercial use of all results | Retroactive enforcement: Art.77 withdrawn, Art.76 obligations applied from start |
| Failure to publish within reasonable timeframe | MSA may investigate whether Art.77(5) conditions satisfied |
Art.77(6) vs Art.76(3): Suspension comparison:
| Dimension | Art.76(3) — Commercial Testing | Art.77(6) — Research Testing |
|---|---|---|
| Suspension trigger threshold | MSA identifies risk to participants | Risk to participants AND/OR Art.77 eligibility doubt |
| Prior notice | Standard: notice + response period; emergency: immediate | Same, but research context typically supports standard procedure |
| Ethics committee consultation | Not required | MSA will typically consult ethics committee before suspending approved research |
| Retroactive enforcement | N/A | MSA may impose Art.76 obligations retroactively if Art.77 never applied |
Art.77 vs Art.76 vs Art.57: Three Testing Pathways
| Dimension | Art.57 — Regulatory Sandbox | Art.58 + Art.76 — Real-World Testing | Art.77 — Scientific Research |
|---|---|---|---|
| Regulatory posture | NCA as cooperative partner | MSA in surveillance mode | MSA in ex-post oversight mode |
| Approval required? | Yes — sandbox application | Testing plan (Art.58) + Art.76(2) notification | No — registration only |
| Ethics oversight | NCA guidance included | Developer-managed; Art.76(5) for vulnerable groups | Independent ethics committee required |
| Commercial purpose? | Yes — innovation support pathway | Yes — pre-market validation | No — primary purpose must be scientific research |
| GDPR basis | Art.57/Art.59 sandbox exception | Standard GDPR + Art.76(6) DPA coordination | GDPR Art.89 research exception |
| Publication required? | No | No | Yes — Art.77(5) |
| MSA suspension? | NCA oversight | Yes — Art.76(3), immediate powers | Yes — Art.77(6), proportionate approach |
| Lead time | Weeks to months (sandbox application) | 5–15 working days (notification) | Days–weeks (registration) |
| GPAI interface | AI Office coordination | Art.76(7): AI Office for GPAI components | Same AI Office coordination |
| Applicable from | 2 August 2026 | 2 August 2026 | 2 August 2026 |
CLOUD Act Risk Analysis for Scientific Research Testing
Academic and research institutions frequently rely on cloud infrastructure — for compute, data storage, and the AI models being evaluated. When that infrastructure is operated by a US-headquartered provider, CLOUD Act jurisdiction creates a specific risk for research datasets that is frequently overlooked in academic risk management frameworks.
Four-Category Research Data Jurisdiction Analysis
| Data Category | CLOUD Act Risk | Art.77 Mitigation |
|---|---|---|
| Participant personal data (raw interactions, biometrics, health data) | HIGH — directly personal; US cloud provider with EU operations = US compellability possible | EU-sovereign storage required before testing commences |
| AI model weights under evaluation | MEDIUM — may contain training data inferences; model provider's cloud jurisdiction critical | EU-based model hosting or controlled access protocol |
| Research infrastructure, logging, and compute | LOW–MEDIUM — acceptable on standard cloud if no personal data in logs | Standard cloud acceptable with log sanitisation |
| Anonymised / published research dataset | NONE — publicly disclosed data has no meaningful CLOUD Act risk | N/A |
The Research Institution Advantage and Its Limits
Research institutions operating under EU public law status — national universities, public research centres — sometimes assume that their public status provides protection against CLOUD Act compellability. This assumption is incorrect. CLOUD Act exposure arises from the cloud provider's corporate structure and relationship to US law, not from the research institution's legal status. An EU university using AWS or Azure to store participant personal data is subject to CLOUD Act risk on that data regardless of its public university status.
The mitigation is infrastructure, not institutional identity: storing research participant data on EU-sovereign cloud infrastructure (EU-domiciled provider, EU datacenter, no US parent entity with compellability exposure) eliminates CLOUD Act risk at the data storage layer.
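The four-category table and the paragraph above reduce to a placement rule: a storage target is EU-sovereign only when the datacenter, the contracting entity and the corporate parent are all outside US compellability, and the required action depends on the data category. The following is an added example, not code from the page or from sota.io, that turns that rule into a pre-testing check over a constructed asset inventory; the provider labels, country codes and asset names are placeholders, and the EU/EEA list is the standard ISO 3166-1 alpha-2 set.

```python
"""Added example: pre-testing data-placement check from the four-category table."""
from dataclasses import dataclass
from enum import Enum

# EU/EEA member states (ISO 3166-1 alpha-2); anything else is not EU-sovereign.
EU_EEA = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
    "IS", "LI", "NO",
})


class DataCategory(str, Enum):
    PARTICIPANT_PERSONAL = "participant_personal_data"
    MODEL_WEIGHTS = "ai_model_weights"
    INFRASTRUCTURE_LOGS = "research_infrastructure_and_logs"
    ANONYMISED_PUBLISHED = "anonymised_published_dataset"


@dataclass(frozen=True)
class StorageTarget:
    provider: str
    datacenter_country: str          # where the data physically sits
    contracting_entity_country: str  # domicile of the entity the institution contracts with
    us_parent_entity: bool           # a parent/affiliate that can be compelled under US law

    def is_eu_sovereign(self) -> bool:
        """All three conditions must hold; an EU datacenter region alone is not enough."""
        return (self.datacenter_country in EU_EEA
                and self.contracting_entity_country in EU_EEA
                and not self.us_parent_entity)


@dataclass(frozen=True)
class DataAsset:
    name: str
    category: DataCategory
    target: StorageTarget
    logs_contain_personal_data: bool = False  # only relevant for INFRASTRUCTURE_LOGS


def check_placement(asset: DataAsset) -> list[str]:
    """Findings (severity + required action) for one asset; an empty list means acceptable."""
    sovereign = asset.target.is_eu_sovereign()
    where = f"{asset.target.provider} ({asset.target.datacenter_country})"
    findings: list[str] = []
    if asset.category is DataCategory.PARTICIPANT_PERSONAL and not sovereign:
        findings.append(f"HIGH: {asset.name}: participant personal data on {where}; "
                        "EU-sovereign storage required before testing commences")
    elif asset.category is DataCategory.MODEL_WEIGHTS and not sovereign:
        findings.append(f"MEDIUM: {asset.name}: model weights on {where}; "
                        "use EU-based hosting or a controlled access protocol")
    elif (asset.category is DataCategory.INFRASTRUCTURE_LOGS
          and asset.logs_contain_personal_data and not sovereign):
        findings.append(f"MEDIUM: {asset.name}: logs with personal data on {where}; "
                        "sanitise logs or move them to EU-sovereign storage")
    # ANONYMISED_PUBLISHED: publicly disclosed data carries no meaningful CLOUD Act risk.
    return findings


def placement_report(assets: list[DataAsset]) -> dict[str, list[str]]:
    """Findings per asset name."""
    return {a.name: check_placement(a) for a in assets}


def has_blocking_findings(report: dict[str, list[str]]) -> bool:
    """Registration should not proceed while any HIGH finding remains."""
    return any(f.startswith("HIGH") for findings in report.values() for f in findings)


# Constructed sample targets (placeholder labels, not real providers).
US_HYPERSCALER_EU_REGION = StorageTarget("Hyperscaler-US", "DE", "IE", us_parent_entity=True)
EU_SOVEREIGN_CLOUD = StorageTarget("EU-Sovereign-Cloud", "FR", "FR", us_parent_entity=False)

SAMPLE_ASSETS = [
    DataAsset("participant_interactions", DataCategory.PARTICIPANT_PERSONAL, US_HYPERSCALER_EU_REGION),
    DataAsset("model_weights", DataCategory.MODEL_WEIGHTS, EU_SOVEREIGN_CLOUD),
    DataAsset("inference_logs", DataCategory.INFRASTRUCTURE_LOGS, US_HYPERSCALER_EU_REGION,
              logs_contain_personal_data=True),
    DataAsset("published_dataset", DataCategory.ANONYMISED_PUBLISHED, US_HYPERSCALER_EU_REGION),
]

if __name__ == "__main__":
    report = placement_report(SAMPLE_ASSETS)
    for name, findings in report.items():
        print(name, "->", findings or ["OK"])
    print("blocking:", has_blocking_findings(report))
```

The check deliberately classifies the "EU region of a US-parented provider" target as non-sovereign even though its datacenter is in Germany and its contracting entity in Ireland, which is the configuration the paragraph above identifies as still exposed.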
Python: ScientificResearchTestingRecord
```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from enum import Enum


class ResearchInstitutionType(str, Enum):
    UNIVERSITY = "university"
    PUBLIC_RESEARCH_CENTRE = "public_research_centre"
    RESEARCH_ORGANISATION = "research_organisation"
    HOSPITAL_RESEARCH_UNIT = "hospital_research_unit"
    GOVERNMENT_RESEARCH = "government_research"


class EthicsCommitteeType(str, Enum):
    IRB = "institutional_review_board"
    NATIONAL_REC = "national_research_ethics_committee"
    CLINICAL_ETHICS = "clinical_ethics_committee"
    DATA_ETHICS = "data_ethics_board"
    EU_HORIZON_ETHICS = "eu_research_ethics_horizon"


@dataclass
class EthicsOversight:
    """Art.77(3): Ethics committee oversight record."""
    committee_name: str
    committee_type: EthicsCommitteeType
    approval_reference: str
    approval_date: date
    conditions_attached: list[str]
    monitoring_frequency: str  # "annual", "per-phase", "on-incident"

    def sufficient_for_art77(self, ai_risk_context: str) -> tuple[bool, list[str]]:
        """Check if ethics oversight is sufficient or if MSA pre-registration guidance needed."""
        gaps = []
        if ai_risk_context == "physical_safety_high_risk" and self.committee_type in (
            EthicsCommitteeType.IRB, EthicsCommitteeType.DATA_ETHICS
        ):
            gaps.append(
                "Physical safety high-risk AI: academic IRB may be insufficient — "
                "seek informal MSA guidance under Art.77(3)"
            )
        if not self.approval_reference:
            gaps.append("Ethics committee approval reference required for Art.77(2) registration")
        return len(gaps) == 0, gaps


@dataclass
class PublicationCommitment:
    """Art.77(5): Publication and transparency commitment."""
    publication_type: str  # "journal", "conference", "preprint", "technical_report"
    intended_venue: str
    anticipated_publication_date: Optional[date] = None
    embargo_end_date: Optional[date] = None
    pre_registration_url: Optional[str] = None
    open_access_mandate: bool = False  # Horizon Europe or national OA mandate

    def validate(self) -> list[str]:
        issues = []
        if self.publication_type == "internal_report":
            issues.append(
                "Internal reports do not satisfy Art.77(5) — "
                "publication must be publicly accessible"
            )
        if self.embargo_end_date and self.anticipated_publication_date:
            # Embargo length is measured from the anticipated publication date so the
            # result does not change depending on the day the check is run.
            embargo_days = (self.embargo_end_date - self.anticipated_publication_date).days
            if embargo_days > 730:
                issues.append(
                    "Embargo period exceeds 24 months — Art.77(5) compliance risk. "
                    "Indefinite embargo retroactively voids the research exception."
                )
        return issues


@dataclass
class Art77Registration:
    """
    EU AI Act Art.77(2): MSA registration for scientific research testing.
    Must be submitted before testing commences.
    """
    institution_name: str
    institution_type: ResearchInstitutionType
    institution_registration_number: str
    principal_investigator: str
    pi_contact_email: str
    member_states: list[str]  # ISO 3166-1 alpha-2 — one registration per MS
    research_title: str
    research_question: str
    system_name: str
    system_description: str
    annex_iii_category: Optional[str] = None  # None if not high-risk
    ethics_oversight: Optional[EthicsOversight] = None
    publication_commitment: Optional[PublicationCommitment] = None
    gdpr_legal_basis: str = "consent"  # consent, public_task, legitimate_interest
    art89_safeguards: list[str] = field(default_factory=list)
    testing_start_date: Optional[date] = None
    testing_end_date: Optional[date] = None

    def art77_1_conditions_met(self) -> tuple[bool, list[str]]:
        """
        Verify all five Art.77(1) conditions are satisfied.
        Returns (all_met, list_of_gaps). Gaps prefixed "[MANUAL]" need human
        review and do not by themselves block registration.
        """
        gaps = []
        # Condition 1: commercial-purpose check is contextual — flag for manual review
        gaps.append(
            "[MANUAL] Verify primary purpose is scientific knowledge generation, "
            "not commercial product validation"
        )
        # Condition 2: institution type (every current enum member qualifies;
        # narrow this tuple if non-qualifying types are added to the enum)
        if self.institution_type not in (
            ResearchInstitutionType.UNIVERSITY,
            ResearchInstitutionType.PUBLIC_RESEARCH_CENTRE,
            ResearchInstitutionType.RESEARCH_ORGANISATION,
            ResearchInstitutionType.HOSPITAL_RESEARCH_UNIT,
            ResearchInstitutionType.GOVERNMENT_RESEARCH,
        ):
            gaps.append("Institution type not recognised as qualifying research institution")
        # Condition 3: ethics oversight
        if self.ethics_oversight is None:
            gaps.append("Art.77(3): Independent ethics committee approval required")
        # Condition 4: publication commitment
        if self.publication_commitment is None:
            gaps.append("Art.77(5): Publication commitment required before registration")
        else:
            pub_issues = self.publication_commitment.validate()
            gaps.extend(pub_issues)
        # Condition 5: operational service deployment check — manual
        gaps.append(
            "[MANUAL] Confirm AI system is object of investigation, "
            "not deployed as operational service to participants"
        )
        hard_gaps = [g for g in gaps if not g.startswith("[MANUAL]")]
        return len(hard_gaps) == 0, gaps

    def registration_complete(self) -> tuple[bool, list[str]]:
        """Full Art.77(2) registration readiness check."""
        _conditions_met, condition_gaps = self.art77_1_conditions_met()
        required_fields = []
        if not self.testing_start_date:
            required_fields.append("testing_start_date required before registration")
        if not self.member_states:
            required_fields.append("member_states: specify MS where testing occurs")
        if not self.art89_safeguards:
            required_fields.append(
                "art89_safeguards: document GDPR Art.89 safeguards in place"
            )
        all_gaps = condition_gaps + required_fields
        return len([g for g in all_gaps if not g.startswith("[MANUAL]")]) == 0, all_gaps


# --- Example usage ---
reg = Art77Registration(
    institution_name="TU Munich AI Research Lab",
    institution_type=ResearchInstitutionType.UNIVERSITY,
    institution_registration_number="DE-BY-TUM-2026-001",
    principal_investigator="Prof. Dr. Anna Fischer",
    pi_contact_email="a.fischer@tum.de",
    member_states=["DE", "AT"],
    research_title="Explainability of High-Risk AI Systems in Clinical Decision Support",
    research_question=(
        "How do explainability interfaces affect clinician trust calibration "
        "in AI-assisted diagnostic systems?"
    ),
    system_name="DiagExplain-v1",
    system_description="High-risk AI system (Annex III class IIa MDR) for differential diagnosis support",
    annex_iii_category="Annex III, point 5(a) — AI systems intended for use in medical devices",
    ethics_oversight=EthicsOversight(
        committee_name="TUM Ethics Committee for Medical Research",
        committee_type=EthicsCommitteeType.CLINICAL_ETHICS,
        approval_reference="TUM-EC-2026-0142",
        approval_date=date(2026, 3, 15),
        conditions_attached=["Informed consent required from all participants", "Monthly progress reports"],
        monitoring_frequency="monthly",
    ),
    publication_commitment=PublicationCommitment(
        publication_type="journal",
        intended_venue="npj Digital Medicine",
        anticipated_publication_date=date(2027, 3, 1),
        pre_registration_url="https://osf.io/abc123",
        open_access_mandate=True,
    ),
    gdpr_legal_basis="consent",
    art89_safeguards=[
        "Pseudonymisation at point of collection",
        "Data minimisation — only interaction logs retained, no free-text patient notes",
        "Strict role-based access controls",
        "Data retention limited to 5 years post-publication",
    ],
    testing_start_date=date(2026, 6, 1),
    testing_end_date=date(2026, 11, 30),
)

complete, gaps = reg.registration_complete()
print(f"Registration ready: {complete}")
for g in gaps:
    print(f"  - {g}")
```
Series: EU AI Act Market Surveillance Framework (Chapter VIII)
| Article | Title | Focus |
|---|---|---|
| Art.72 | Post-Market Monitoring | PMM obligations for providers |
| Art.73 | Obligations of Deployers | Deployer monitoring cooperation |
| Art.74 | Market Surveillance Powers | MSA investigative authority |
| Art.75 | Mutual Assistance | Cross-border MSA + GPAI supervision |
| Art.76 | Real-World Testing Supervision | Commercial testing outside sandboxes |
| Art.77 | Scientific Research Testing | This guide — research exception conditions |
| Art.78 | Confidentiality of Information | MSA confidentiality obligations |
Art.77 Compliance Checklist (10 Items)
| # | Item | Requirement |
|---|---|---|
| 1 | Art.77(1) condition verification | Document satisfaction of all five conditions: scientific purpose, recognised institution, ethics oversight, publication intent, research-not-operational testing |
| 2 | MSA registration submitted | Art.77(2) registration filed with competent MSA in each Member State before testing starts |
| 3 | Registration completeness | All required elements included: institution details, research question, system description, ethics reference, GDPR basis |
| 4 | Ethics committee approval | Independent ethics committee approval obtained with reference number before testing commences |
| 5 | Ethics sufficiency assessment | For physical-safety high-risk AI: confirm IRB/REC competence or seek MSA pre-registration guidance |
| 6 | GDPR Art.89 safeguards | Pseudonymisation, data minimisation, access controls, retention limits documented and implemented |
| 7 | Publication commitment | Publication type and venue identified; embargo period (if any) is defined and reasonable (≤24 months) |
| 8 | Special category data | GDPR Art.9 special categories require explicit consent or applicable national law derogation — document legal basis separately |
| 9 | Infrastructure sovereignty | Research participant personal data stored on EU-sovereign infrastructure to eliminate CLOUD Act compellability risk |
| 10 | Commercial repurposing prohibition | Internal controls confirm research testing data and AI-generated inferences will not be repurposed for commercial development without fresh consent and new legal basis |
This guide is part of the sota.io EU AI Act developer series. For scientific research AI testing that requires EU-sovereign infrastructure — eliminating CLOUD Act exposure for participant data and model inference logs — see sota.io.