2026-04-16·12 min read·

EU AI Act Art.63 Sandbox Reporting Obligations — Developer Guide (2026)

Chapter VI of the EU AI Act (Articles 57–63) closes with Article 63 — the transparency and accountability mechanism for the entire innovation support infrastructure. Where Articles 57–62 create the mechanisms (sandboxes, real-world testing, personal data processing, SME support, cross-border coordination), Art.63 establishes what gets measured, what gets reported, and what becomes public.

For developers, Art.63 operates on two levels: it creates obligations on you (reporting requirements during sandbox participation) and it creates obligations on national competent authorities (annual reporting to the Commission that becomes a source of competitive intelligence for everyone). Understanding both levels is essential for sandbox strategy in 2026 and beyond.

Art.63 became applicable on 2 August 2025 as part of Chapter VI of the EU AI Act (Regulation (EU) 2024/1689).

Art.63 in the Chapter VI Framework

Article	Mechanism	Primary Beneficiary
Art.57	AI Regulatory Sandbox	All providers testing high-risk AI
Art.58	Real-World Testing Outside Sandbox	Providers needing production-scale validation
Art.59	Personal Data Further Processing	Sandbox participants using production data
Art.60	SME/Startup Support Measures	Small enterprises, startups
Art.61	Further Support Measures	TEFs, DIHs, AI-on-Demand Platform
Art.62	AI Office and Board Coordination	Multi-jurisdiction providers, regulatory bodies
Art.63	Sandbox Reporting Obligations	Regulatory transparency, ecosystem intelligence

Art.63 closes the feedback loop for Chapter VI. National authorities must report what happened in their sandboxes — how many providers participated, what types of AI systems were tested, what regulatory obstacles were encountered, what guidance the Commission should issue. This creates a system-level intelligence function: the Commission can identify where sandbox schemes are working, where they are failing, and what legislative or guidance interventions are needed.

What Art.63 Establishes

Art.63 creates a structured reporting regime with obligations on both sides of the regulatory relationship:

NCA obligations (to the Commission and the public):

Annual reporting on sandbox operations to the European Commission
Aggregated statistics on participants, AI system types, and outcomes
Analysis of regulatory obstacles encountered by sandbox participants
Assessment of whether sandbox participation improved participant compliance readiness
Recommendations for Commission guidance or legislative clarification

Developer obligations (to the NCA):

Progress reporting during sandbox participation (typically quarterly or milestone-based)
Exit reporting — what was tested, what was learned, what regulatory questions were resolved
Documentation of incidents, deviations from the approved sandbox plan, and corrective actions
Final conformity assessment readiness report at sandbox exit

Public disclosure obligations (what the Commission publishes):

Aggregated Union-wide overview compiled from NCA reports
Key statistics: participation rates, AI application domains, outcome distributions
Identified systemic regulatory obstacles (anonymised)
Guidance documents issued as a result of sandbox findings

NCA Annual Reporting Obligations

What NCAs Must Report to the Commission

Art.63 requires national competent authorities to submit annual reports covering the following:

1. Participation Statistics

Number of applications received (by AI system risk tier)
Number of applications admitted (and rejection rate with reasons)
Number of applications admitted under SME/startup priority (Art.60(1)(a))
Number of multi-jurisdiction applications processed (Art.58(7))
Average processing time from application to admission decision
Average sandbox duration (planned vs. actual)

2. AI System Profile Data

Distribution of AI system domains (healthcare, employment, education, critical infrastructure, law enforcement, etc.)
Risk tier distribution: high-risk Annex III systems vs. GPAI models vs. other systems
Deployment modality: embedded systems, SaaS, APIs, on-premise installations
Participant profile: percentage SMEs, startups, research organisations, large enterprises

3. Regulatory Outcome Data

Number of AI systems that completed sandbox and achieved conformity assessment readiness
Number of systems withdrawn from sandbox (and primary reasons)
Number of systems that failed conformity assessment post-sandbox (critical feedback metric)
Regulatory questions identified that required new guidance or legislative clarification

4. Personal Data Processing Statistics

Number of sandbox applications involving Art.59 further processing of personal data
Categories of personal data involved (special categories under Art.9 GDPR vs. standard)
Data protection officer consultation rates
GDPR compatibility issues identified and resolved

5. Systemic Obstacles Report

Recurrent legal uncertainties that blocked sandbox progress (anonymised)
Technical certification requirements that created disproportionate burden for SMEs
Coordination failures between the sandbox authority and sector-specific regulators
Recommendations for Commission guidance notes or legislative amendment

When NCAs Must Report

The timing structure under Art.63:

Report Type	Deadline	Recipient	Public?
Annual NCA report	31 March each year (for preceding calendar year)	European Commission + AI Office	Partially (aggregate)
Commission Union overview	30 June each year	European Parliament + Council	Yes (published)
Ad-hoc significant findings	Within 30 days of identification	AI Office	No (regulatory channel)
Multi-jurisdiction sandbox report	Upon sandbox completion	Lead authority + AI Board (Art.62)	Partially

The Commission's Union-wide annual overview (published by 30 June) is the primary public intelligence document. It aggregates NCA reports across all 27 member states and provides the system-level view that developers can use for strategy.

Developer Reporting During Sandbox Participation

During your sandbox period, you are not a passive participant — Art.63 creates a reporting relationship between you and the NCA.

Typical Developer Reporting Schedule

Entry report (within 30 days of sandbox admission):

Baseline system description: architecture, training data, intended purpose, risk assessment
Testing plan: milestones, success criteria, timelines
Data processing map: what personal data will be processed under Art.59 authorization
Incident response plan: how you will handle unexpected AI behaviour during testing

Progress reports (quarterly or milestone-based, as agreed with NCA):

Testing progress against plan
Regulatory questions that have arisen
Any deviations from approved plan (mandatory disclosure)
Incidents and corrective actions taken

Incident reports (within 72 hours of occurrence):

Description of what happened
AI system behaviour that triggered the incident
Affected users or data subjects (if any)
Immediate mitigation measures
Root cause analysis timeline

Exit report (at sandbox completion):

Summary of what was tested and outcomes
Regulatory questions resolved (and how)
Regulatory questions remaining unresolved
Conformity assessment readiness assessment
Technical documentation status (Annex IV compliance)
Recommendations for the NCA to include in their Art.63 annual report

What NCAs Do With Developer Reports

NCAs use developer reports for:

Monitoring sandbox compliance (are participants following their approved plan?)
Identifying systemic issues to escalate to the AI Board via Art.62
Generating the anonymised obstacles analysis in their Art.63 annual report
Assessing whether their sandbox scheme is achieving its policy objective
Calibrating admission criteria for future applicants

Developer reports are not published — they are confidential regulatory submissions. However, the systemic patterns they reveal (without identifying individual companies) do appear in annual reports.

What Becomes Public Under Art.63

Commission Annual Overview (High-Value Intelligence)

The Commission's annual overview published by 30 June each year contains:

Participation trends: Is sandbox uptake increasing? Which domains have the most activity? Are SME-specific measures (Art.60) driving more startup participation?

Outcome patterns: What percentage of sandbox participants achieve conformity assessment readiness? Are certain AI domains having higher failure rates?

Regulatory obstacle taxonomy: What are the most common legal uncertainties? This is directly actionable — if a question appears in three member states' reports, it signals a genuine legal gap that the Commission is likely to address.

Guidance issued: What guidance documents or FAQ updates were triggered by sandbox findings? This is a direct signal of where the regulatory framework is still being interpreted.

Member state variation: Are some member states processing sandbox applications faster? Are some sectors over-represented in certain member states' sandboxes?

What Is NOT Public

The following are explicitly protected from public disclosure:

Individual company sandbox participation (unless the company discloses it)
Proprietary technical details of AI systems tested
Commercially sensitive business plans submitted with sandbox applications
Personal data involved in Art.59 authorisations
Specific regulatory obstacles identified by individual companies
NCA-company correspondence during the sandbox period

Developer Strategy: Extracting Intelligence from Reports

The Commission's annual overview is an underutilised intelligence resource. Here is how to use it strategically:

1. Identify Your Risk Profile Early

If the report shows that AI systems in your domain (e.g., healthcare AI under Annex III point 5) have a 40% sandbox exit failure rate, this tells you that conformity assessment for healthcare AI is genuinely difficult — budget accordingly, and consider whether sandbox participation is essential before attempting commercial deployment.

2. Benchmark Processing Times

If the average sandbox admission time in your target member state is 90 days (vs. 30 days for SMI priority), and you qualify for SME priority under Art.60(1)(a), make sure your application correctly invokes that priority. The data shows whether member states are actually delivering the fast-track.

3. Identify Which Member States Are Sandbox-Ready

Report data on participation rates and admission processing times reveals which member states have built capable sandbox infrastructure vs. which are still standing up their programmes. Filing in an experienced sandbox jurisdiction (likely Germany, Netherlands, France, or Sweden in the first cohort) may yield faster and more expert guidance.

4. Track Regulatory Obstacle Patterns

If the same obstacle appears in multiple member states' reports (e.g., "uncertainty about whether clinical validation studies constitute real-world testing under Art.58 or require a different authorisation"), this is a signal to proactively document your position on that issue before applying. You may be able to get a clarification from the AI Office rather than waiting for guidance.

5. Monitor Guidance Documents Triggered by Sandbox Findings

Art.63 reports trigger Commission guidance notes. Subscribe to EU AI Office publications and map new guidance to your technical documentation. Guidance notes can change what Annex IV documentation needs to say.

Confidentiality Protections for Developers

Art.63 includes explicit protections for developer information:

Commercial secrets: NCAs cannot disclose proprietary technical information, business plans, or competitive strategies submitted as part of sandbox applications or participation. This is protected under both Art.63 and general EU administrative law.

Aggregation requirement: NCAs can only use developer information in aggregate form in their annual reports. No individual company can be identified from NCA reporting.

Scope limitation: Information collected for sandbox purposes cannot be used for enforcement purposes against the same company (important protection against using sandbox admission to trigger market surveillance).

GDPR compatibility: Personal data processed under Art.59 authorisation is subject to all GDPR protections — including the purpose limitation principle. Data used in sandbox testing cannot be repurposed by the NCA for unrelated regulatory surveillance.

Practical recommendation: Include a confidentiality marking on all sandbox submissions (cover page + page headers). This creates an administrative record that you invoked your confidentiality rights, which matters if there is ever a dispute about disclosure.

CLOUD Act Implications for Sandbox Reports

Where Are Art.63 Reports Stored?

NCA reports to the Commission: Submitted via Commission administrative systems, stored in EU-located infrastructure. EU Sovereign territory — CLOUD Act extraterritorial reach does not apply to documents held by EU government bodies.

Commission annual overview: Published as a PDF on the EU AI Office website, hosted on EU Commission servers. EU sovereign. No CLOUD Act exposure.

Developer submissions to NCAs: Typically stored in national government document management systems. EU sovereign.

The risk arises when developers store their own copies: If you submit your sandbox participation reports from a US cloud provider's system (e.g., drafting on US-hosted collaboration tools, storing in S3 buckets on US servers), your copies are potentially subject to CLOUD Act demands — even though the NCA's copy is EU-sovereign.

Practical CLOUD Act Mitigation for Sandbox Participants

# Sandbox document jurisdiction checklist
SANDBOX_DOCUMENT_TYPES = {
    "entry_report": {
        "sensitivity": "HIGH",
        "contains": ["Technical architecture", "Risk assessment", "Business plan"],
        "eu_sovereign_required": True,
        "rationale": "Contains technical trade secrets and business strategy"
    },
    "progress_reports": {
        "sensitivity": "MEDIUM-HIGH",
        "contains": ["Testing results", "Incident data", "Regulatory questions"],
        "eu_sovereign_required": True,
        "rationale": "Testing outcomes are competitively sensitive"
    },
    "incident_reports": {
        "sensitivity": "HIGH",
        "contains": ["AI behaviour anomalies", "Affected users", "Mitigation actions"],
        "eu_sovereign_required": True,
        "rationale": "Incident details could create legal liability if disclosed"
    },
    "exit_report": {
        "sensitivity": "VERY HIGH",
        "contains": ["Conformity readiness", "Unresolved legal questions", "Future roadmap"],
        "eu_sovereign_required": True,
        "rationale": "Summarises all findings — most strategically sensitive document"
    },
    "nca_correspondence": {
        "sensitivity": "HIGH",
        "contains": ["Regulatory guidance", "Authority interpretations", "Informal positions"],
        "eu_sovereign_required": True,
        "rationale": "Authority interpretations are privileged regulatory communications"
    }
}

Recommendation: Store all sandbox participation documents on EU-sovereign infrastructure (EUCS certified, or at minimum EU-only cloud regions with GDPR DPA). Treat sandbox documents as equivalent to legal privilege — US cloud exposure creates a risk that these documents could be compelled without EU court oversight.

Python Tooling for Art.63 Compliance

Class 1: SandboxReportingSchedule

Tracks all reporting obligations during sandbox participation.

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
from enum import Enum

class ReportStatus(Enum):
    UPCOMING = "upcoming"
    DUE = "due"
    SUBMITTED = "submitted"
    OVERDUE = "overdue"

@dataclass
class SandboxReport:
    report_type: str
    due_date: date
    submitted_date: Optional[date] = None
    nca_reference: Optional[str] = None
    notes: str = ""

    @property
    def status(self) -> ReportStatus:
        today = date.today()
        if self.submitted_date:
            return ReportStatus.SUBMITTED
        if today > self.due_date:
            return ReportStatus.OVERDUE
        if (self.due_date - today).days <= 14:
            return ReportStatus.DUE
        return ReportStatus.UPCOMING

    def days_until_due(self) -> int:
        return (self.due_date - date.today()).days

@dataclass
class SandboxReportingSchedule:
    company_name: str
    sandbox_id: str
    member_state: str
    sandbox_start: date
    sandbox_end: date
    reports: list[SandboxReport] = field(default_factory=list)

    def generate_standard_schedule(self) -> None:
        """Generate standard Art.63 reporting schedule from sandbox dates."""
        # Entry report: 30 days after sandbox start
        self.reports.append(SandboxReport(
            report_type="Entry Report",
            due_date=self.sandbox_start + timedelta(days=30)
        ))
        # Quarterly progress reports
        current = self.sandbox_start + timedelta(days=90)
        quarter = 1
        while current < self.sandbox_end:
            self.reports.append(SandboxReport(
                report_type=f"Progress Report Q{quarter}",
                due_date=current
            ))
            current += timedelta(days=90)
            quarter += 1
        # Exit report: 30 days after sandbox end
        self.reports.append(SandboxReport(
            report_type="Exit Report",
            due_date=self.sandbox_end + timedelta(days=30)
        ))

    def overdue_reports(self) -> list[SandboxReport]:
        return [r for r in self.reports if r.status == ReportStatus.OVERDUE]

    def upcoming_reports(self, days_ahead: int = 30) -> list[SandboxReport]:
        return [r for r in self.reports
                if r.status in (ReportStatus.UPCOMING, ReportStatus.DUE)
                and r.days_until_due() <= days_ahead]

    def compliance_rate(self) -> float:
        if not self.reports:
            return 0.0
        submitted = sum(1 for r in self.reports if r.status == ReportStatus.SUBMITTED)
        past_due = sum(1 for r in self.reports
                      if r.due_date <= date.today())
        return (submitted / past_due * 100) if past_due > 0 else 100.0

Class 2: NCAReportIntelligenceExtractor

Parses and tracks intelligence from published Commission annual overviews.

@dataclass
class SandboxIntelligenceItem:
    source_year: int
    member_state: str
    category: str  # "obstacle", "outcome", "guidance", "statistic"
    finding: str
    relevance_domains: list[str]
    action_required: Optional[str] = None

@dataclass
class NCAReportIntelligenceExtractor:
    """Track and analyse patterns from Art.63 annual reports."""
    your_ai_domain: str
    your_member_state: str
    intelligence_items: list[SandboxIntelligenceItem] = field(default_factory=list)

    def add_finding(self, item: SandboxIntelligenceItem) -> None:
        self.intelligence_items.append(item)

    def domain_relevant_obstacles(self) -> list[SandboxIntelligenceItem]:
        """Return obstacles relevant to your AI domain."""
        return [i for i in self.intelligence_items
                if i.category == "obstacle"
                and self.your_ai_domain in i.relevance_domains]

    def cross_jurisdiction_patterns(self) -> dict[str, list[SandboxIntelligenceItem]]:
        """Find obstacles appearing in multiple member states (= systemic gaps)."""
        by_finding: dict[str, list] = {}
        for item in self.intelligence_items:
            key = item.finding[:50]  # Use first 50 chars as grouping key
            by_finding.setdefault(key, []).append(item)
        return {k: v for k, v in by_finding.items() if len(v) >= 2}

    def best_sandbox_jurisdiction(self) -> str:
        """Identify member state with fastest processing and most domain experience."""
        # Simplified: in practice, weight by domain match + processing time statistics
        domain_counts: dict[str, int] = {}
        for item in self.intelligence_items:
            if self.your_ai_domain in item.relevance_domains and item.category == "statistic":
                domain_counts[item.member_state] = domain_counts.get(item.member_state, 0) + 1
        return max(domain_counts, key=domain_counts.get) if domain_counts else self.your_member_state

Class 3: SandboxIncidentReport

Manages the 72-hour incident reporting obligation.

from datetime import datetime

class IncidentSeverity(Enum):
    LOW = "low"          # Minor deviation, no external impact
    MEDIUM = "medium"    # Unexpected AI behaviour, contained
    HIGH = "high"        # External impact, data subjects affected
    CRITICAL = "critical"  # Major harm, regulatory mandatory report

@dataclass
class SandboxIncidentReport:
    incident_id: str
    sandbox_id: str
    detected_at: datetime
    severity: IncidentSeverity
    description: str
    affected_users: int = 0
    personal_data_involved: bool = False
    immediate_mitigation: str = ""
    root_cause: Optional[str] = None
    nca_notified: Optional[datetime] = None
    nca_reference: Optional[str] = None

    @property
    def reporting_deadline(self) -> datetime:
        """72-hour reporting deadline from incident detection."""
        return self.detected_at + timedelta(hours=72)

    @property
    def is_overdue(self) -> bool:
        if self.nca_notified:
            return False
        return datetime.now() > self.reporting_deadline

    @property
    def hours_remaining(self) -> float:
        if self.nca_notified:
            return 0.0
        remaining = (self.reporting_deadline - datetime.now()).total_seconds() / 3600
        return max(0.0, remaining)

    def requires_mandatory_report(self) -> bool:
        """Check if incident triggers mandatory NCA notification."""
        return (
            self.severity in (IncidentSeverity.HIGH, IncidentSeverity.CRITICAL)
            or self.affected_users > 0
            or self.personal_data_involved
        )

    def to_nca_report_text(self) -> str:
        return f"""
SANDBOX INCIDENT REPORT
Sandbox ID: {self.sandbox_id}
Incident ID: {self.incident_id}
Detected: {self.detected_at.isoformat()}
Severity: {self.severity.value.upper()}
Affected Users: {self.affected_users}
Personal Data: {'Yes' if self.personal_data_involved else 'No'}

Description:
{self.description}

Immediate Mitigation:
{self.immediate_mitigation}

Root Cause (if known):
{self.root_cause or 'Under investigation'}
""".strip()

Class 4: Art63ConfidentialityProtector

Manages confidentiality markings and CLOUD Act jurisdiction for sandbox documents.

class DocumentSensitivity(Enum):
    PUBLIC = "public"
    INTERNAL = "internal"
    CONFIDENTIAL = "confidential"
    TRADE_SECRET = "trade_secret"

@dataclass
class SandboxDocument:
    doc_type: str
    created_date: date
    sensitivity: DocumentSensitivity
    storage_location: str  # "eu_sovereign" | "us_cloud" | "local"
    contains_personal_data: bool = False
    contains_trade_secrets: bool = False
    cloud_act_exposure: bool = False

    def __post_init__(self):
        if self.storage_location in ("us_cloud",) and self.sensitivity in (
            DocumentSensitivity.CONFIDENTIAL, DocumentSensitivity.TRADE_SECRET
        ):
            self.cloud_act_exposure = True

    def cloud_act_risk_level(self) -> str:
        if not self.cloud_act_exposure:
            return "NONE"
        if self.sensitivity == DocumentSensitivity.TRADE_SECRET:
            return "CRITICAL — migrate to EU sovereign storage immediately"
        if self.contains_personal_data:
            return "HIGH — GDPR violation if US authority accesses"
        return "MEDIUM — review storage jurisdiction"

@dataclass
class Art63ConfidentialityProtector:
    sandbox_id: str
    documents: list[SandboxDocument] = field(default_factory=list)

    def add_document(self, doc: SandboxDocument) -> None:
        self.documents.append(doc)

    def cloud_act_exposed_docs(self) -> list[SandboxDocument]:
        return [d for d in self.documents if d.cloud_act_exposure]

    def confidentiality_summary(self) -> dict:
        exposed = self.cloud_act_exposed_docs()
        return {
            "total_documents": len(self.documents),
            "cloud_act_exposed": len(exposed),
            "exposure_rate_pct": round(len(exposed) / max(len(self.documents), 1) * 100, 1),
            "critical_items": [d.doc_type for d in exposed
                               if "CRITICAL" in d.cloud_act_risk_level()],
            "recommended_action": "Migrate all CONFIDENTIAL and TRADE_SECRET docs to EU sovereign storage"
                                  if exposed else "No immediate action required"
        }

Class 5: Art63ExitReportBuilder

Generates the final exit report for sandbox completion.

@dataclass
class ConformityAssessmentReadiness:
    technical_documentation_complete: bool  # Annex IV
    eu_declaration_of_conformity_drafted: bool
    ce_marking_preparation_status: str
    outstanding_issues: list[str] = field(default_factory=list)
    estimated_completion_date: Optional[date] = None

@dataclass
class Art63ExitReportBuilder:
    sandbox_id: str
    company_name: str
    ai_system_description: str
    sandbox_start: date
    sandbox_end: date
    member_state: str
    nca_contact: str
    testing_outcomes: list[str] = field(default_factory=list)
    resolved_regulatory_questions: list[str] = field(default_factory=list)
    unresolved_regulatory_questions: list[str] = field(default_factory=list)
    conformity_readiness: Optional[ConformityAssessmentReadiness] = None
    recommendations_for_nca: list[str] = field(default_factory=list)

    def sandbox_duration_days(self) -> int:
        return (self.sandbox_end - self.sandbox_start).days

    def is_conformity_ready(self) -> bool:
        if not self.conformity_readiness:
            return False
        return (
            self.conformity_readiness.technical_documentation_complete
            and self.conformity_readiness.eu_declaration_of_conformity_drafted
            and len(self.conformity_readiness.outstanding_issues) == 0
        )

    def generate_executive_summary(self) -> str:
        status = "CONFORMITY ASSESSMENT READY" if self.is_conformity_ready() else "ADDITIONAL WORK REQUIRED"
        unresolved_count = len(self.unresolved_regulatory_questions)
        return f"""
SANDBOX EXIT REPORT — EXECUTIVE SUMMARY
Sandbox: {self.sandbox_id} | {self.member_state}
Company: {self.company_name}
Duration: {self.sandbox_duration_days()} days ({self.sandbox_start} — {self.sandbox_end})
Status: {status}
Resolved Regulatory Questions: {len(self.resolved_regulatory_questions)}
Unresolved Regulatory Questions: {unresolved_count}
Recommendations for NCA Annual Report: {len(self.recommendations_for_nca)}
""".strip()

    def unresolved_to_nca_format(self) -> list[dict]:
        """Format unresolved questions for NCA inclusion in Art.63 annual report."""
        return [
            {
                "question_text": q,
                "domain": self.ai_system_description[:50],
                "suggested_action": "Commission guidance note or FAQ update",
                "blocking_commercialisation": True
            }
            for q in self.unresolved_regulatory_questions
        ]

30-Item Art.63 Sandbox Reporting Checklist

Phase 1: Before Sandbox Entry (Items 1–8)

Understand your reporting obligations: Review the NCA's sandbox scheme documentation — identify all required reports, formats, timelines, and submission channels.
Appoint a sandbox reporting lead: Designate one person responsible for all Art.63 compliance. This person owns the reporting schedule.
Set up EU-sovereign document storage: All sandbox participation documents must be stored outside US cloud jurisdiction (see CLOUD Act section above).
Prepare your entry report template: Draft the entry report structure before sandbox start — it is due 30 days after admission.
Map your Art.59 personal data authorisation: If you will process personal data under Art.59, include the specific data categories, retention limits, and GDPR compatibility analysis in your entry report.
Define your incident classification matrix: Agree internally what constitutes LOW/MEDIUM/HIGH/CRITICAL incidents — this determines whether you trigger the 72-hour NCA notification obligation.
Identify your unresolved regulatory questions: List all legal uncertainties you are entering the sandbox with — these should appear in your entry report and be tracked to resolution.
Verify confidentiality markings on all documents: All submissions should bear your company name, sandbox ID, and a confidentiality notice invoking Art.63 protections.

Phase 2: During Sandbox Participation (Items 9–20)

Submit entry report within 30 days of admission: Missing this deadline creates compliance risk and may trigger NCA escalation.
Maintain a testing log: Daily/weekly entries documenting AI system behaviour, test cases run, outcomes observed — this feeds directly into progress reports.
Track regulatory questions as they arise: When an unexpected legal question emerges during testing, document it immediately with date, context, and the question formulation.
Notify the NCA of any deviation from your approved plan: Any change to your testing plan (scope, data, methodology) requires NCA notification — do not wait for the next progress report.
File incident reports within 72 hours: For HIGH/CRITICAL incidents or any incident involving users or personal data, the 72-hour window starts from detection — not from root cause analysis completion.
Submit progress reports on schedule: Quarterly or milestone-based (as agreed in your sandbox admission decision). Late progress reports are the most common compliance failure in sandbox participation.
Engage with NCA guidance proactively: If the NCA issues guidance or informal interpretation during your sandbox, document how you have incorporated it. This demonstrates good faith and feeds your exit report.
Track Art.60 SME priority metrics: If you were admitted under Art.60(1)(a) SME priority, document evidence of your SME status for the full sandbox period — it may be queried in your exit report.
Monitor Commission annual reports: If a new Commission annual overview is published during your sandbox, review the obstacle taxonomy for your domain. New guidance triggered by last year's reports may affect your testing approach.
Conduct a mid-sandbox legal review: At the halfway point, assess whether your unresolved regulatory questions from the entry report have been addressed, and whether new questions have emerged.
Prepare your Annex IV technical documentation progressively: Do not wait until exit — build technical documentation (Annex IV) incrementally during the sandbox so the exit report reflects genuine conformity readiness.
Maintain GDPR records of processing activities: Art.59 personal data processing requires Article 30 GDPR records. These must be accurate and current throughout the sandbox period.

Phase 3: Sandbox Exit and Post-Exit (Items 21–30)

Submit exit report within 30 days of sandbox end: The exit report is your most important Art.63 submission — it determines your conformity assessment readiness classification in the NCA's annual report.
Include all unresolved regulatory questions in the exit report: Frame them as recommendations for NCA inclusion in the Art.63 annual report — this is the mechanism by which sandbox findings improve the regulatory framework.
Document what changed in your technical architecture: Compare entry report architecture with final architecture. Changes triggered by regulatory guidance should be explicitly noted.
Confirm personal data deletion or pseudonymisation at exit: Art.59 authorisations expire at sandbox end. Document the data destruction/pseudonymisation actions taken.
Assess conformity assessment readiness honestly: NCAs track exit-to-market success rates. An optimistic exit report followed by a failed conformity assessment damages your regulatory relationship.
Request an exit meeting with the NCA: Many NCAs offer an exit meeting to discuss findings — use this to clarify any remaining interpretive questions and confirm the NCA's assessment of your compliance readiness.
Archive all sandbox participation documents for 10 years: Market surveillance authorities may request sandbox documentation during post-market monitoring. EU-sovereign storage, access-controlled, 10-year retention minimum.
Monitor the next Commission annual report: Your sandbox period will appear (aggregated) in the next Art.63 annual report. Review the published overview to understand how your domain was represented.
Track Commission guidance triggered by your sandbox period: If a guidance note is issued addressing a question you raised during your sandbox, update your technical documentation accordingly.
Brief your conformity assessment body on sandbox findings: When engaging a notified body for post-sandbox conformity assessment, provide the sandbox exit report — it demonstrates regulatory engagement and may accelerate the assessment process.

Art.57–63 Block Complete: Chapter VI Developer Intelligence Summary

With Art.63, the Chapter VI (Articles 57–63) block of the EU AI Act is fully covered in this series. Here is the complete framework intelligence summary for developers:

Article	Developer Action	Key Tool
Art.57	Apply for sandbox admission	Sandbox application with legal uncertainty focus
Art.58	Plan real-world testing outside sandbox	Testing plan + liability protocol
Art.59	Authorise personal data processing	GDPR compatibility memo + DPO consultation
Art.60	Invoke SME/startup priority measures	Commission Rec 2003/361/EC verification
Art.61	Access TEFs, DIHs, AIOD compute	TEF expression of interest, DIH registration
Art.62	Use AI Board templates, multi-jurisdiction coordination	Cross-border coordination protocol
Art.63	Comply with reporting, extract intelligence from reports	Reporting schedule + intelligence tracker

The Chapter VI framework rewards developers who engage systematically. Each article creates specific mechanisms; understanding how they interconnect — sandbox to real-world testing to personal data processing to SME support to institutional coordination to transparent reporting — allows you to navigate the EU AI Act innovation pathway as a coherent journey rather than a series of disconnected regulatory hurdles.