Brief № 015 · Regulation
AI Act sandboxes move to 2027. SMEs should still watch
The Omnibus deal gives Member States one more year to open AI Act sandboxes. For SMEs, the useful work starts before the doors open.
On this page
The most practical AI Act deadline for small builders just moved, but the work it implies did not disappear. Regulatory sandboxes are no longer an August 2026 promise in the political calendar. Under the May 2026 provisional Omnibus deal, national authorities get until 2 August 2027 to establish them.
That one-year shift matters because sandboxes were supposed to be the place where hard cases could be tested before the market had to live with them. It also matters because many SMEs have quietly misunderstood the tool. A sandbox is not a permission slip. It is a supervised test environment, and the firms that get value from it will be the firms that arrive with a specific system, a specific uncertainty and a record that can be read by a regulator.
What changed in May
Art. 57 of Regulation (EU) 2024/1689 requires Member States to ensure that competent authorities establish at least one AI regulatory sandbox at national level. The original operational date was 2 August 2026. The Council of the European Union’s 7 May 2026 statement on the AI Omnibus says the provisional agreement postpones that deadline until 2 August 2027.
The distinction is important. This is a delay for the public infrastructure around experimentation, not the deletion of the infrastructure. The Article 57 logic remains: sandboxes can be established nationally or jointly with other Member States, the Commission may provide support, and the environments are meant to let innovative AI systems be developed, trained, tested and validated under supervision before being put on the market or into service.
The broader AI Act calendar is now uneven. Prohibited practices and AI literacy duties are already in force. General-purpose AI model rules entered application in 2025. Transparency duties under Art. 50 still sit on the 2026 horizon, with limited Omnibus adjustments. High-risk obligations have a different, longer track. Sandboxes are now part of that staggered implementation picture.
What a sandbox is for
The phrase is misleadingly soft. A regulatory sandbox is not a casual pilot. In the AI Act, it is a structured environment where competent authorities provide guidance, supervision and support so providers and prospective providers can identify risks, test mitigation measures and understand how legal obligations apply to a concrete system.
For an SME, that means the value is in the legal uncertainty that can be made specific. “We use AI” is not a sandbox question. “We are building a tool that supports worker scheduling, may affect task allocation, and uses model outputs in a decision workflow” is closer. So is “we are adapting a medical-device-adjacent triage assistant and need to understand which regime controls the test.”
The sandbox can help with classification, evidence and regulator dialogue. It cannot turn a weak product into a compliant one by ceremony. It also cannot absorb every ordinary AI deployment in Europe. National authorities will have capacity limits, and the better candidates will be the ones where supervision produces learning for both sides.
The SME advantage is preparation
The 2027 delay creates a planning window. Most SMEs should not spend it waiting for a national web form. They should spend it preparing the smallest file that would let an authority understand the system without a discovery meeting.
| File element | Why it matters |
|---|---|
| System purpose | Shows whether the AI is assistive, advisory or decision-impacting |
| Provider or deployer role | Decides which AI Act obligations may attach to the firm |
| Sector and use case | Flags employment, education, finance, health, infrastructure or public-sector sensitivity |
| Affected persons | Identifies whether workers, customers, applicants or vulnerable groups are exposed |
| Data processed | Frames privacy, confidentiality and data-governance questions |
| Model and vendors | Shows whether a GPAI model, wrapper or sector system sits underneath |
| Main uncertainty | Gives the sandbox a legal and technical question to answer |
| Proposed safeguards | Lets the authority see oversight, logging, fallback and stop conditions |
Source: Regulation (EU) 2024/1689, Article 57; AI Act Service Desk Article 57 summary. Last verified 2026-06-15.
This does not need to be a long dossier. It does need to be concrete. If the file cannot name the affected persons, the vendor layer or the risk question, the business probably does not yet know what it wants the sandbox to test.
The liability line stays outside the fence
The AI Act is explicit on one point that vendors may prefer to blur. Participants in a sandbox remain liable under applicable Union and national liability law for any damage inflicted on third parties as a result of experimentation. The fence is regulatory supervision, not legal immunity.
That matters for SMEs because a sandbox can create confidence in evidence and interpretation, but not remove the need for ordinary controls. Human oversight still has to be real. Personal data still has to be lawful. A test involving workers, applicants, patients or customers still needs boundaries before it begins. If a system is unsafe outside the sandbox, it is not made safe merely by calling the trial supervised.
The better reading is practical: a sandbox is a place to make uncertainty legible. It can help a company discover whether it is a provider, whether its system is plausibly high-risk, what documentation will be expected, and what mitigation looks credible. It is not a place to outsource governance.
Who should watch first
Not every SME needs a sandbox strategy. A small firm using an off-the-shelf meeting transcription tool, document assistant or image generator usually needs procurement evidence, a use register and Article 50 transparency checks. It does not need a regulator-supervised test bed.
The stronger candidates are SMEs building or materially adapting systems in sensitive workflows: recruitment ranking, staff allocation, credit assessment, education support, access to essential services, safety-adjacent industrial tools, or regulated-product contexts. Firms sitting between a general-purpose model and a sector-specific product should also pay attention, because role analysis can become the whole problem.
There is a second group: suppliers who want to sell into larger customers. Even if the SME is not formally high-risk, a buyer may ask whether the system has been tested with an authority, whether the risk classification was discussed, or whether the evidence pack is ready. In procurement, sandbox readiness may become a trust signal before sandbox participation becomes common.
The useful next step
The immediate task is not to apply. In most Member States, there may be nowhere to apply yet. The task is to identify whether one system in the company would benefit from supervised regulatory testing and to write down the question that makes it worth public authority time.
For a buyer, that question may be “which vendor evidence should we require before deploying this system in a worker-facing process?” For a builder, it may be “are we a provider of a high-risk AI system, or a deployer adapting a general-purpose tool?” For a sector supplier, it may be “what real-world testing conditions would make this pilot defensible?”
The Omnibus delay gives authorities breathing room. It gives SMEs a different gift: time to arrive precise. When the sandboxes open, “we have an AI project” will not be enough. “Here is the system, here is the role, here is the risk, here is the question” is the file that can use the room.
Frequently asked questions
Does the Omnibus deal remove AI Act sandboxes?
No. The Council and Parliament provisional agreement postpones the deadline for national competent authorities to establish AI regulatory sandboxes until 2 August 2027. It does not remove the Article 57 mechanism.
Can an SME wait until 2027 before documenting its AI systems?
No. A sandbox application will need a concrete system description, role analysis and risk question. Firms that start only when the portal opens will be behind firms that already know what they want tested.
Is a sandbox the same as permission to ignore the AI Act?
No. Article 57 says participants remain liable under Union and national law for damage caused during experimentation. A sandbox can guide, supervise and de-risk; it does not erase legal duties.
Which SMEs are likely to benefit most?
SMEs building or adapting systems near high-risk categories, sector regulation or real-world testing questions are better candidates than ordinary deployers of off-the-shelf tools.
Sources
- Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
- Official Article 57: AI regulatory sandboxes AI Act Service Desk accessed
- Official Artificial Intelligence: Council and Parliament agree to simplify and streamline rules Council of the European Union accessed
- Official Timeline for the Implementation of the EU AI Act AI Act Service Desk accessed
- Official AI Act European Commission accessed
Image credit: Photo: Laboratory interior by Polina Tankilevitch, Pexels License (Pexels)
Eleanor Whitcombe covers EU AI regulation for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).