EU AI Act Art.77: Supervision of Scientific Research Testing Outside AI Regulatory Sandboxes — Developer Guide (2026)
EU AI Act Article 77 addresses a gap in the testing supervision framework that sits between Art.57 (AI regulatory sandboxes) and Art.76 (commercial real-world testing under Art.58). Where Art.76 establishes how national market surveillance authorities supervise AI systems undergoing commercial testing in real market conditions, Art.77 establishes the supervisory regime for AI testing conducted exclusively for scientific research purposes — and it does so with a fundamentally different regulatory posture.
The scientific research exception matters for developers working inside universities, public research institutions, and research-focused organisations. The EU AI Act does not exempt scientific research testing from all oversight — Art.77 makes that clear — but it does calibrate the supervisory intensity to the nature of the activity. Research testing that genuinely serves scientific objectives, operates under ethics committee oversight, and commits to publication of results faces a lighter-touch regulatory burden than commercial testing. Understanding exactly what Art.77 requires — and what it does not require — is essential for research teams deploying high-risk AI systems in real-world research contexts.
The Art.77 supervisory framework was designed to avoid chilling legitimate AI research while maintaining the fundamental safeguards that protect human participants in AI testing. The balance it strikes: research teams do not need Art.57 sandbox approval or Art.58/Art.76 commercial testing authorisation, but they do need to register with the competent MSA, operate under ethics oversight, and accept ex-post supervisory access.
Art.77 became applicable on 2 August 2026 as part of the Chapter VIII market surveillance framework. Research testing initiated before that date under national research governance frameworks should confirm Art.77 compliance alignment from 2 August 2026 forward.
Art.77 in the Testing Supervision Framework
Art.77 sits in Chapter VIII alongside the market surveillance authorities' general powers (Art.74), GPAI supervision (Art.75), and commercial real-world testing supervision (Art.76). Understanding Art.77's positioning requires mapping all testing pathways:
| Testing Pathway | Applicable Article | Regulatory Relationship | Approval Required? |
|---|---|---|---|
| AI regulatory sandbox (NCA-controlled) | Art.57 | NCA as cooperative supervisor | Yes — sandbox application |
| Commercial real-world testing outside sandbox | Art.58 + Art.76 | MSA in surveillance mode | Testing plan + Art.76(2) notification |
| Scientific research testing outside sandbox | Art.77 | MSA ex-post supervisory access | No — registration only |
| Post-market monitoring of deployed systems | Art.72 + Art.74 | MSA market surveillance | No — ongoing obligation |
The critical distinction: Art.77 does not require pre-approval of research testing the way Art.57 requires sandbox approval. It requires registration — putting the MSA on notice that testing is occurring so ex-post supervisory access is possible. This is significantly lighter than the Art.76(2) notification requirement for commercial testing, which requires a full testing plan, risk assessment, and monitoring protocol.
Art.77(1): Scope — What Constitutes Scientific Research Testing
Art.77(1) defines the boundaries of the scientific research exception. For Art.77 to apply rather than Art.76, the testing must satisfy all of the following conditions:
- The primary purpose of the testing is generation of new scientific knowledge — not validation of a commercial product before market entry
- The testing is conducted by or under the supervision of a recognised research institution: a university, public research centre, or research organisation operating under national or EU research governance frameworks
- The research is subject to independent ethics oversight — a recognised research ethics committee (REC), institutional review board (IRB), or equivalent body appropriate to the sector
- The research outputs are intended for publication or public dissemination — results will enter the scientific literature, not remain proprietary
- The AI system undergoing testing is being evaluated as a subject of scientific investigation, not deployed to provide operational services to users during the testing period
The Commercial Testing Boundary
Art.77(1) explicitly prevents providers from characterising commercial testing as scientific research to avoid the more demanding Art.76 regime. The following combinations raise Art.77 eligibility questions:
| Testing Scenario | Art.77 Applies? | Notes |
|---|---|---|
| University lab testing AI diagnostic tool in hospital trial | Yes | Genuine research institution, ethics approved, publication intended |
| AI company funding academic research with proprietary data | Partial | Research institution involvement alone does not qualify — commercial beneficiary analysis required |
| Public health authority testing AI screening tool for policy assessment | Yes | Public institution, policy research purpose, publication requirement met |
| Startup using "pilot study" framing for beta testing | No | Commercial testing in Art.77 framing — Art.76 applies |
| Research institute testing AI on behalf of commercial client | No | Contracted testing for commercial benefit — Art.76 applies regardless of who conducts it |
| Academic collaboration testing AI system co-developed with industry | Yes if research primary | Requires primary research purpose; industrial co-development alone does not disqualify |
| Research testing AI that also incidentally provides useful outputs to participants | Yes if incidental | Useful outputs to participants do not convert research to commercial deployment if research remains primary purpose |
Art.77(1) Scientific Research Indicators
When evaluating whether testing satisfies Art.77(1), regulators will examine:
- Is the testing funded through research grants (Horizon Europe, national research councils) rather than commercial development budgets?
- Does the research protocol pre-register the hypotheses being tested in a public registry (ClinicalTrials.gov equivalent, PROSPERO, Open Science Framework)?
- Has an independent ethics committee reviewed and approved the research protocol before testing begins?
- Is there a publication commitment — either contractual or through funding conditions — that prevents indefinite confidential withholding of results?
- Is the AI system being tested on (as a research subject) rather than being deployed for (to provide services)?
Art.77(2): Research Institution Registration Obligations
Art.77(2) establishes the registration obligation that replaces the full Art.76(2) notification for scientific research testing. Registration is lighter than notification: it puts the MSA on record that testing is occurring without requiring pre-approval or detailed ex-ante risk assessment.
Required Registration Content
An Art.77(2) registration must contain:
1. Institutional Identification
- Research institution name, address, and legal entity registration number
- Research ethics committee or IRB name and registration/accreditation
- Principal investigator name and contact
- Data controller identification under GDPR
2. AI System Description
- System name, version, and technical description (at a level proportionate to the research context — not the full Annex IV technical file)
- Annex III risk classification, if applicable
- Whether the system being tested is: (a) already CE-marked / conformity-assessed and deployed but evaluated in research context; (b) a research prototype; or (c) a commercial system in pre-market research evaluation
3. Research Purpose and Design
- Research question(s) being investigated
- Methodology: how the AI system will be tested, with what participants, in what conditions
- Expected duration: start date and anticipated end date
- Pre-registration reference (if applicable): link to hypothesis pre-registration
4. Ethics Oversight Reference
- Ethics committee/IRB name, the decision reference number, and date of approval
- Whether additional sector-specific ethical oversight applies (clinical ethics, data ethics, etc.)
- Summary of conditions attached by the ethics committee to the research approval
5. Publication Commitment
- Intended publication outlet or dissemination pathway
- Embargo period (if any) — Art.77 does not prohibit reasonable embargo, but indefinite non-publication voids the research exception
- Whether pre-results protocol will be published (recommended)
6. Data Processing Summary
- Categories of personal data processed
- GDPR Art.89 safeguards in place (pseudonymisation, data minimisation, access controls)
- Whether a full GDPR Art.35 DPIA has been conducted
Registration Timing
Art.77(2) requires registration before testing commences — it is not a retrospective requirement. Testing that begins without prior registration loses Art.77 protection retroactively and may be treated by the MSA as unregistered Art.58 testing subject to full Art.76 oversight.
The MSA does not issue an approval, acknowledgement, or denial in response to an Art.77(2) registration. The registration is a record-keeping mechanism that enables ex-post oversight. If the MSA has concerns about eligibility under Art.77(1), it may contact the research institution after receiving the registration, but absence of MSA response does not constitute approval.
Art.77(3): Ethics Committee Integration
Art.77(3) formalises the relationship between Art.77 supervisory oversight and independent ethics committee review. The EU AI Act does not create a new AI-specific ethics committee structure — it integrates with existing national and sectoral research ethics governance.
Recognised Ethics Oversight Bodies Under Art.77(3)
| Sector | Ethics Body | Relevant for |
|---|---|---|
| Clinical/biomedical AI | National ethics committee + institutional IRB | AI in healthcare, diagnostics, treatment |
| Social sciences | Institutional review board or ethics committee | Behavioural AI, social scoring research |
| Public sector AI | Data ethics board or government ethics committee | AI used by public authorities in research |
| Technology research | University research ethics committee | General-purpose AI research in academic settings |
| Cross-border EU research | European Research Council ethics review (Horizon-funded) | Multi-member state research programs |
Ethics Committee Role Under Art.77(3)
The ethics committee performs functions that would otherwise fall to the MSA under Art.76:
- Pre-testing risk assessment: Ethics committees evaluate participant protection, data minimisation, consent procedures, and benefit-risk ratio before research begins — this assessment covers much of what Art.76(2) MSA notification would otherwise achieve
- Ongoing monitoring: Many ethics committees require progress reports and may suspend research if concerns arise — this mirrors Art.76(3) suspension powers but through the research governance channel
- Documentation: Ethics committee decisions, conditions, and monitoring reports form part of the Art.77 compliance record available to the MSA on request
When Ethics Oversight is Insufficient
Art.77(3) specifies circumstances where ethics committee oversight alone does not satisfy Art.77 requirements and MSA engagement is required:
- The AI system being tested poses risk to physical safety beyond what a research ethics committee is equipped to assess (e.g., autonomous system testing in physical environments)
- The research involves Annex III high-risk AI in a safety-critical context not typically covered by academic IRBs (aviation, critical infrastructure, law enforcement)
- The ethics committee itself identifies risks that exceed its competence and refers the matter to regulatory oversight
In these cases, Art.77(3) creates a pathway for the research team to seek informal pre-registration guidance from the MSA — essentially a voluntary pre-clearance mechanism that Art.76 does not offer for commercial testing.
Art.77(4): GDPR Art.89 Scientific Research Interaction
Art.77(4) specifically addresses the interaction between Art.77's scientific research testing framework and the GDPR's scientific research exception under Art.89 GDPR. This intersection is significant because most AI research testing involves personal data processing.
GDPR Art.89 Safeguards Required Under Art.77(4)
For Art.77(4) to permit the data processing associated with scientific research testing, the following Art.89 GDPR safeguards must be in place:
| Safeguard | Implementation Requirement |
|---|---|
| Pseudonymisation | Participant data pseudonymised as early as technically feasible in the processing pipeline |
| Data minimisation | Only data strictly necessary for the research purpose is collected |
| Access controls | Strict access controls prevent researcher access to identified data unless scientifically necessary |
| Subject rights management | Research exemption from Art.15–22 GDPR individual rights must be documented and applied proportionately |
| Retention limitation | Research data not retained longer than necessary for the published research |
| Ethics committee review | Data processing reviewed as part of ethics committee approval |
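
One way to apply the pseudonymisation and data-minimisation safeguards from the table at the ingestion step, as an added example (not code from this guide or from any regulator). The field names, the `DEMO_KEY` value and the sample events are constructed assumptions; the comparison with an unkeyed hash shows why the pseudonymisation key has to be held apart from the research dataset.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed demo key. In a real study the key is generated once
# (e.g. secrets.token_bytes(32)) and held by the data custodian,
# not by the researchers who analyse the dataset (access-control safeguard).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Assumption: the only fields this hypothetical protocol needs for analysis.
# Anything not listed here (name, IP address, ...) is dropped at ingestion.
RESEARCH_FIELDS = ("age_band", "model_output", "participant_rating")


def _normalise(identifier: str) -> bytes:
    """Canonical form so the same participant always maps to the same value."""
    return identifier.strip().lower().encode("utf-8")


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: stable per participant, not computable without the key."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier, shown only for comparison."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def pseudonymise_record(raw: dict, key: bytes) -> dict:
    """Replace the identifier with a pseudonym and keep allow-listed fields only."""
    if not raw.get("email"):
        raise ValueError("record has no participant identifier")
    record = {"pid": keyed_pseudonym(raw["email"], key)}
    for name in RESEARCH_FIELDS:
        if name in raw:
            # model_output is an inference about the participant: still personal data.
            record[name] = raw[name]
    return record


def match_by_enumeration(target: str, candidates: list,
                         hash_fn: Callable[[str], str]) -> Optional[str]:
    """Linkability check: can a known identifier list be matched to a stored value?"""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


# Constructed sample input: two sessions from one participant, one from another.
RAW_EVENTS = [
    {"email": "Alice@example.org", "name": "Alice A.", "ip_address": "192.0.2.10",
     "age_band": "30-39", "model_output": "low risk", "participant_rating": 4},
    {"email": "alice@example.org ", "name": "Alice A.", "ip_address": "192.0.2.11",
     "age_band": "30-39", "model_output": "medium risk", "participant_rating": 2},
    {"email": "bob@example.org", "name": "Bob B.", "ip_address": "192.0.2.12",
     "age_band": "50-59", "model_output": "low risk", "participant_rating": 5},
]


def demo() -> dict:
    dataset = [pseudonymise_record(event, DEMO_KEY) for event in RAW_EVENTS]
    known_identifiers = ["bob@example.org", "alice@example.org"]
    return {
        "dataset": dataset,
        # An unkeyed hash of a guessable identifier is matched by simple enumeration.
        "unkeyed_match": match_by_enumeration(
            unkeyed_hash("alice@example.org"), known_identifiers, unkeyed_hash),
        # Without the key, the same enumeration finds nothing in the keyed dataset.
        "keyed_match": match_by_enumeration(
            dataset[0]["pid"], known_identifiers, unkeyed_hash),
    }


if __name__ == "__main__":
    for row in demo()["dataset"]:
        print(row)
```

The keyed dataset is still pseudonymised rather than anonymised: whoever holds the key can re-link it, so the key's storage and access log belong in the DPIA alongside the dataset itself.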
Art.89 Exceptions That Apply in Research Context
Under GDPR Art.89(2), member states may provide exemptions from certain GDPR data subject rights when data is processed for scientific research purposes. These exemptions, where implemented in national law, can reduce the compliance burden for Art.77 research testing:
| GDPR Right | Art.89(2) Exemption Possible? | Condition |
|---|---|---|
| Art.15 — Access right | Yes | Only if exercising the right would seriously impair research objectives |
| Art.16 — Rectification | Yes | Only if processing correct data is necessary for research validity |
| Art.17 — Erasure | Yes | Cannot erase data that would invalidate completed research |
| Art.18 — Restriction | Yes | Restriction would prevent completion of legitimate research |
| Art.21 — Objection | Yes | Object to processing for compelling legitimate research grounds |
Art.77(4) Limits on the Research Exception
Art.77(4) does not permit unlimited data collection under a research justification:
- Purpose limitation still applies: Data collected for research testing cannot be repurposed for commercial development without a new legal basis
- Special categories remain restricted: Art.9 GDPR special categories (biometric, health, political opinion) require explicit consent or applicable national law derogation even for research
- Consent remains the cleanest basis: For most participant-involving research, explicit informed consent remains the preferred GDPR legal basis — the Art.89 exemptions address specific GDPR obligations, not the lawfulness of processing itself
- AI-generated inferences about participants: Inferences generated by the AI system being tested about research participants are themselves personal data — they cannot be retained or used commercially after the research concludes
Art.77(5): Publication and Transparency Requirements
Art.77(5) makes publication and transparency conditions necessary for the scientific research exception to remain valid. A research team that begins testing under Art.77 but subsequently withholds or commercialises all results without publication falls outside the Art.77 exception retroactively.
Publication Timeline Requirements
Art.77(5) does not mandate immediate publication — it recognises that academic publication timelines, peer review, and reasonable commercial embargoes are inherent to research practice. The requirements are:
- Research protocol publication (recommended, not mandatory): Publishing the study protocol before results are available prevents outcome-reporting bias and signals genuine research intent to the MSA
- Results publication or public dissemination: The research outputs must enter the public record — whether through peer-reviewed publication, conference proceedings, technical reports, or equivalent channels
- No indefinite embargo: Embargoes are permissible for patent protection or commercial partner coordination, but embargoes that prevent any public dissemination indefinitely convert the testing from scientific research to proprietary commercial activity
- Open data commitment where feasible: Art.77(5) encourages (but does not mandate) publication of anonymised research datasets consistent with GDPR and ethics committee conditions
What Counts as "Publication" Under Art.77(5)
| Dissemination Type | Counts as Publication? | Notes |
|---|---|---|
| Peer-reviewed journal article | Yes | Standard academic publication channel |
| Conference paper or proceedings | Yes | Peer-reviewed conference sufficient |
| Preprint (arXiv, SSRN, medRxiv) | Yes | Counts even before formal peer review |
| Technical report (public) | Yes | Must be publicly accessible without restriction |
| Internal report (confidential) | No | Confidential reports do not satisfy Art.77(5) |
| Patent filing (without publication) | No | Patent protects commercial exploitation, not scientific dissemination |
| Press release without underlying data | No | Media coverage without scientific content insufficient |
| EC/Horizon project public deliverable | Yes | Public research deliverables satisfy Art.77(5) |
Publication Commitment Documentation
To satisfy Art.77(5) at registration time (before publication is possible), research teams should document:
- The intended publication venue or type (pre-identified journal, conference, or report channel)
- The funding conditions (e.g., Horizon Europe Open Access mandate) that create a legal obligation to publish
- The timeline from testing completion to anticipated publication
- Any embargo period and its justification
Art.77(6): MSA Supervisory Powers for Research Testing
Art.77(6) preserves the MSA's ability to exercise supervisory oversight over scientific research testing, despite the lighter Art.77 registration framework. The MSA retains all Art.74 investigative powers — it simply applies them with an ex-post, proportionate approach rather than the ex-ante surveillance posture of Art.76.
When MSAs Use Art.77(6) Powers
| Trigger | MSA Response |
|---|---|
| Registration review raises eligibility concerns (not genuine research) | MSA contacts research institution for Art.77(1) evidence |
| Third-party complaint about research testing harms | MSA may conduct investigation under Art.74 |
| Ethics committee refers matter to regulatory oversight | MSA assumes Art.76-equivalent oversight for affected testing phase |
| Serious incident involving research participant | MSA may suspend testing under Art.74(9) emergency powers |
| Post-testing review shows commercial rather than research use of results | MSA retroactive enforcement — Art.77 exception withdrawn, Art.76 obligations applied |
| Research institution fails to publish within reasonable timeframe | MSA may investigate whether Art.77(5) conditions are satisfied |
Art.77(6) vs Art.76(3): Suspension Comparison
The MSA's suspension powers exist under both Art.77 and Art.76, but the triggering threshold differs:
| Dimension | Art.76(3) — Commercial Testing | Art.77(6) — Research Testing |
|---|---|---|
| Suspension trigger | MSA determines methodology poses risk to participants | MSA determines testing poses risk AND/OR Art.77 eligibility is in doubt |
| Prior notice | Standard: notice with response period; emergency: immediate | As Art.76, but research context typically supports standard procedure |
| Ethics committee role | Not relevant | MSA will typically consult ethics committee before suspending approved research |
| Publication status | Not relevant | Suspension after publication may not be proportionate unless ongoing risk |
| Retroactive enforcement | N/A — Art.76 applies from start | MSA may impose Art.76 obligations retroactively if Art.77 conditions were never met |
Art.77 vs Art.76 vs Art.57: Testing Pathway Comparison
| Dimension | Art.57 — Regulatory Sandbox | Art.58 + Art.76 — Real-World Testing | Art.77 — Scientific Research |
|---|---|---|---|
| Who governs? | NCA (cooperative partner) | MSA (surveillance mode) | MSA (ex-post access) |
| Approval required? | Yes — sandbox application | Testing plan (Art.58) + Art.76(2) notification | No — registration only |
| Ethics oversight? | NCA guidance included | Developer-managed | Independent ethics committee required |
| Commercial purpose permitted? | Yes — innovation support | Yes — product validation | No — primary purpose must be research |
| GDPR exception? | Art.59 specific sandbox exception | Standard GDPR + Art.76(5) coordination | Art.89 scientific research exception |
| Publication required? | No | No | Yes — Art.77(5) |
| MSA can suspend? | NCA (not MSA) | Yes — Art.76(3) | Yes — Art.77(6), but proportionate |
| Applies to GPAI? | Yes (with AI Office coordination) | Yes — Art.76(6) AI Office coordination | Yes — same coordination applies |
| Applicable from? | 2 August 2026 | 2 August 2026 | 2 August 2026 |
CLOUD Act Risk Analysis for Research Testing Under Art.77
Scientific research involving AI systems frequently relies on cloud infrastructure — for compute, data storage, or the AI models being evaluated. When that infrastructure is US-headquartered, CLOUD Act jurisdiction creates a specific risk for research datasets that is often overlooked in academic risk management.
Three-Layer Research Data Jurisdiction Analysis
| Data Category | CLOUD Act Risk | Art.77 Mitigation |
|---|---|---|
| Participant personal data (raw responses, interactions) | HIGH — directly personal, US cloud provider with EU operations = US subpoena possible | EU-sovereign storage required before testing commences |
| AI model weights being evaluated | MEDIUM — proprietary IP, may contain training data inferences | EU-based model hosting or controlled access protocol |
| Research infrastructure and logging | LOW–MEDIUM | Acceptable on standard cloud if no personal data in logs |
| Pseudonymised research dataset (post-collection) | LOW — pseudonymisation reduces but does not eliminate risk | EU storage sufficient with pseudonymisation |
| Ethics committee documentation | LOW | Standard encrypted storage acceptable |
| Published research data (anonymised) | NONE — public data has no CLOUD Act risk | N/A |
Research Data Sovereignty Checklist
Before commencing Art.77 testing on cloud infrastructure:
- Personal data of research participants stored exclusively on EU-sovereign infrastructure (EU datacenter + EU legal entity operator + no US-parent compellability)
- Data processing agreement with cloud provider covers scientific research context
- CLOUD Act exposure assessment documented as part of DPIA
- Ethics committee informed of cloud provider jurisdiction if US-headquartered provider is used
- Alternative: EU-native cloud provider (eliminates CLOUD Act risk entirely — see sota.io EU PaaS guide)
Python: ScientificResearchTestingRecord
```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from enum import Enum


class ResearchInstitutionType(str, Enum):
    UNIVERSITY = "university"
    PUBLIC_RESEARCH_CENTRE = "public_research_centre"
    RESEARCH_ORGANISATION = "research_organisation"
    HOSPITAL_RESEARCH_UNIT = "hospital_research_unit"
    GOVERNMENT_RESEARCH = "government_research"


class EthicsCommitteeType(str, Enum):
    IRB = "institutional_review_board"
    NATIONAL_REC = "national_research_ethics_committee"
    CLINICAL_ETHICS = "clinical_ethics_committee"
    DATA_ETHICS = "data_ethics_board"
    EU_RESEARCH_ETHICS = "eu_research_ethics_horizon"


@dataclass
class EthicsOversight:
    """Art.77(3): Ethics committee oversight record."""
    committee_name: str
    committee_type: EthicsCommitteeType
    approval_reference: str
    approval_date: date
    conditions_attached: list[str]
    monitoring_frequency: str  # e.g., "annual", "per-phase", "on-incident"

    def is_sufficient_for_art77(self, ai_risk_level: str) -> tuple[bool, list[str]]:
        """
        Check if ethics oversight is sufficient for Art.77 or if MSA engagement needed.
        Returns (sufficient, gaps).
        """
        gaps = []
        if ai_risk_level == "high_risk_physical_safety" and self.committee_type == EthicsCommitteeType.IRB:
            gaps.append(
                "Physical safety high-risk system: academic IRB may be insufficient — "
                "consider seeking informal MSA guidance under Art.77(3)"
            )
        if not self.approval_reference:
            gaps.append("Ethics committee approval reference number required for Art.77(2) registration")
        if not self.conditions_attached:
            # Not necessarily a gap — some approvals have no conditions
            pass
        return len(gaps) == 0, gaps


@dataclass
class Art77PublicationCommitment:
    """Art.77(5): Publication and transparency commitment."""
    intended_publication_type: str  # journal, conference, report, preprint
    intended_venue: str  # journal name, conference, or "open access repository"
    embargo_period_days: Optional[int] = None  # None = no embargo
    pre_registration_url: Optional[str] = None  # hypotheses pre-registered
    open_access_mandate: bool = False  # Horizon Europe or national mandate

    def validate(self) -> list[str]:
        issues = []
        if self.embargo_period_days is not None and self.embargo_period_days > 730:
            issues.append(
                f"Embargo period {self.embargo_period_days} days (>2 years) may void Art.77(5) "
                "publication condition — MSA may classify as indefinite embargo"
            )
        if self.intended_publication_type == "internal_report":
            issues.append(
                "Internal reports do not satisfy Art.77(5) publication requirement — "
                "must be publicly accessible"
            )
        return issues


@dataclass
class Art77Registration:
    """
    EU AI Act Art.77(2): MSA registration for scientific research testing.
    Must be submitted before testing commences.
    """
    # Institution
    institution_name: str
    institution_type: ResearchInstitutionType
    institution_registration_number: str
    principal_investigator: str
    principal_investigator_contact: str
    # Research
    research_title: str
    research_question: str
    annex_iii_category: Optional[str]  # None if tested system is not high-risk
    system_name: str
    system_description: str
    testing_start_date: date
    testing_end_date: date
    participant_count: int
    member_states_involved: list[str]
    # Ethics
    ethics_oversight: EthicsOversight
    # Data
    personal_data_categories: list[str]
    art89_gdpr_safeguards: list[str]
    eu_sovereign_storage_confirmed: bool
    gdpr_legal_basis: str  # typically "Art.6(1)(e) public interest research" or "Art.6(1)(a) consent"
    dpia_conducted: bool
    # Publication
    publication_commitment: Art77PublicationCommitment
    # Tracking
    registration_date: date = field(default_factory=date.today)
    msa_registration_reference: Optional[str] = None

    def validate_art77_eligibility(self) -> tuple[bool, list[str]]:
        """
        Validate that this testing genuinely qualifies for Art.77 scientific research exception.
        Returns (eligible, issues).
        """
        issues = []
        # Institution check
        if self.institution_type == ResearchInstitutionType.UNIVERSITY or \
                self.institution_type == ResearchInstitutionType.PUBLIC_RESEARCH_CENTRE:
            pass  # Clear research institution
        else:
            issues.append(
                f"Institution type '{self.institution_type.value}' — verify that commercial benefit "
                "is not the primary purpose; document why testing qualifies as scientific research"
            )
        # Ethics oversight
        risk_level = "high_risk_physical_safety" if self.annex_iii_category else "standard"
        sufficient, ethics_gaps = self.ethics_oversight.is_sufficient_for_art77(risk_level)
        issues.extend(ethics_gaps)
        # GDPR data sovereignty
        if not self.eu_sovereign_storage_confirmed and self.personal_data_categories:
            issues.append(
                "Personal data involved but EU-sovereign storage not confirmed — "
                "CLOUD Act risk for participant data; confirm EU-only infrastructure"
            )
        # Publication
        pub_issues = self.publication_commitment.validate()
        issues.extend(pub_issues)
        # DPIA
        if self.personal_data_categories and not self.dpia_conducted:
            issues.append(
                "Personal data processing in research context: GDPR Art.35 DPIA strongly "
                "recommended — document decision if DPIA is not required"
            )
        return len(issues) == 0, issues

    def to_registration_summary(self) -> dict:
        """Generate summary for Art.77(2) MSA registration submission."""
        eligible, issues = self.validate_art77_eligibility()
        return {
            "art77_eligible": eligible,
            "eligibility_issues": issues,
            "institution": self.institution_name,
            "pi": self.principal_investigator,
            "system": self.system_name,
            "testing_period": f"{self.testing_start_date} to {self.testing_end_date}",
            "ethics_reference": self.ethics_oversight.approval_reference,
            "publication_commitment": self.publication_commitment.intended_venue,
            "eu_sovereign_storage": self.eu_sovereign_storage_confirmed,
            "registration_date": str(self.registration_date),
        }


class Art77ComplianceChecker:
    """
    Check ongoing Art.77 compliance during and after research testing.
    """

    def __init__(self, registration: Art77Registration):
        self.registration = registration

    def check_post_testing_publication_status(
        self,
        testing_end_date: date,
        publication_submitted: bool,
        current_date: date
    ) -> tuple[str, str]:
        """
        Assess whether publication timeline satisfies Art.77(5).
        Returns (status, recommendation).
        """
        days_since_end = (current_date - testing_end_date).days
        embargo = self.registration.publication_commitment.embargo_period_days or 0
        if publication_submitted:
            return "COMPLIANT", "Publication submitted — Art.77(5) satisfied."
        if days_since_end <= embargo:
            return "COMPLIANT", f"Within embargo period ({days_since_end}/{embargo} days)."
        if days_since_end < 365:
            return "MONITORING", (
                f"{days_since_end} days post-testing without publication. "
                "Typical academic timelines are 6-18 months — document progress."
            )
        if days_since_end < 730:
            return "AT_RISK", (
                f"{days_since_end} days (>{days_since_end//365}y) post-testing without publication. "
                "Art.77(5) publication condition at risk — MSA may question research classification."
            )
        return "NON_COMPLIANT", (
            f"{days_since_end} days (>{days_since_end//365}y) without publication. "
            "Art.77 scientific research exception likely void — review with legal counsel."
        )

    def check_data_usage_boundary(
        self,
        data_use_purpose: str,
        commercial_use: bool
    ) -> tuple[bool, str]:
        """
        Verify research data is not repurposed commercially — Art.77 purpose limitation.
        """
        if commercial_use:
            return False, (
                "Research data cannot be repurposed for commercial AI development without "
                "a new GDPR legal basis. Art.77 exception covers research purpose only — "
                "commercial use converts this to standard processing obligations."
            )
        return True, f"Data use '{data_use_purpose}' consistent with research purpose."
```
Art.77 Compliance Checklist (35 Items)
Phase 1 — Research Design (Before Registration)
- 1. Confirmed testing institution qualifies as recognised research organisation under Art.77(1)
- 2. Primary purpose documented as scientific knowledge generation — not commercial product validation
- 3. Ethics committee identified and application prepared before testing design finalised
- 4. Research hypothesis pre-registered in public registry (OSF, PROSPERO, ClinicalTrials.gov, or equivalent)
- 5. Publication commitment identified: target journal, conference, or open-access repository
- 6. Commercial benefit analysis completed — confirm no third party is the primary commercial beneficiary of the testing
Phase 2 — Ethics Committee Approval
- 7. Ethics committee application submitted with full research protocol
- 8. Ethics committee approval received — reference number documented
- 9. All ethics committee conditions reviewed and implementation plan prepared
- 10. If Annex III high-risk physical-safety system: assessed whether ethics oversight is sufficient or MSA pre-guidance needed (Art.77(3))
- 11. Sector-specific ethics requirements checked (clinical, social science, data ethics)
Phase 3 — Data Protection
- 12. GDPR Art.89 safeguards implemented: pseudonymisation, data minimisation, access controls
- 13. GDPR legal basis for personal data processing identified and documented
- 14. GDPR Art.35 DPIA assessment completed (documented if concluded not required)
- 15. EU-sovereign storage confirmed for all participant personal data
- 16. CLOUD Act exposure assessed for cloud infrastructure used in testing
- 17. Data retention schedule defined: research data retained only as long as scientifically necessary
- 18. Participant informed consent obtained (or Art.89 exemption documented)
Phase 4 — Art.77(2) Registration
- 19. MSA identified for the member state(s) where testing will occur
- 20. Art.77(2) registration prepared with all required content elements
- 21. Ethics committee approval reference included in registration
- 22. Publication commitment documented in registration
- 23. Registration submitted before testing commences
- 24. Registration date and submission evidence recorded
Phase 5 — Testing Execution
- 25. Testing conducted within scope approved by ethics committee
- 26. Any protocol deviations documented and ethics committee notified per their requirements
- 27. Serious incidents involving participants reported per ethics committee requirements
- 28. If MSA contacts research institution regarding Art.77(1) eligibility: respond promptly with supporting documentation
- 29. AI system outputs generated about participants treated as personal data — not retained or used beyond research scope
Phase 6 — Post-Testing and Publication
- 30. Testing conclusion documented: actual end date, participant count, any early termination
- 31. Research data pseudonymisation / deletion per protocol and ethics conditions
- 32. Research results submitted for publication or dissemination within committed timeline
- 33. If embargo applies: document embargo period and expiry date
- 34. Verify research data has not been repurposed for commercial AI development
- 35. Post-publication: confirm publication URL recorded in registration documentation (for MSA reference if queried)
See Also
- EU AI Act Art.76: Market Surveillance of Real-World Testing — Commercial testing under Art.58: full MSA notification, surveillance-mode oversight
- EU AI Act Art.57: AI Regulatory Sandboxes — NCA-supervised cooperative sandbox framework; alternative to Art.77 for organisations wanting active regulatory support
- EU AI Act Art.59: Personal Data Processing in Sandboxes — GDPR Art.89 interaction specifically in sandbox context
- EU AI Act Art.74: Market Surveillance Authority Powers — Full MSA Art.74 powers that Art.77(6) preserves for research testing oversight
- EU AI Act Art.78: Confidentiality in MSA Investigations — Protecting research data and trade secrets if MSA exercises Art.77(6) investigation powers
- EU Hosting Compliance: GDPR, CLOUD Act and Data Sovereignty — Infrastructure choices that eliminate CLOUD Act risk for research participant data