Monday, 18 May 2026
AI Daily
Front Page
EU AIFriday, 08 May 2026 · 4 min read

EU AI Act Sandbox Deadline Pushed to 2027 as States Fall Behind

The May 7 omnibus deal extended the EU AI Act's sandbox deadline to August 2027, exposing a stark implementation gap: as of mid-2025, only Spain had a functioning national sandbox among all 27 member states.

Abstract visualization of EU regulatory framework with national member state nodes connected to a central European network
Placeholder (picsum)

Buried deep inside the 7 May 2026 EU AI Act omnibus deal is a provision that attracted far less attention than the headline delays to high-risk AI obligations — but which may be equally consequential for how the regulation actually lands in practice: the deadline for EU member states to establish functioning national AI regulatory sandboxes has been pushed back by a full year, from 2 August 2026 to 2 August 2027.

The extension was not a precaution. It was a recognition of reality.

A Deadline That Most Countries Were Going to Miss

Article 57 of the EU AI Act requires every member state to establish at least one national AI regulatory sandbox — a supervised testing environment where developers can build and validate AI systems with regulatory guidance before bringing them to market. The original deadline was 2 August 2026. As of August 2025, a full year before that date, only one of the 27 member states — Spain — had a functioning sandbox operational.

A European Parliament Think Tank analysis published in April 2026 mapped the implementation landscape more precisely. Five member states were actively building sandboxes; four had declared an intention to do so. The remaining sixteen had not communicated any implementation plans whatsoever. Spain's agency AESIA opened its sandbox in 2025 and published detailed implementation guidelines in December of that year; it currently hosts twelve high-risk AI systems under supervised development. That track record stands largely alone.

The implementation gap reflects structural problems that a deadline extension does not resolve. National competent authorities must hire staff with specialised AI expertise, design eligibility frameworks, build pre-testing and post-testing procedures, and coordinate with existing sectoral regulators — all simultaneously, without finalised Commission guidance. The implementing acts that would have standardised sandbox procedures were not yet adopted as of the April 2026 Think Tank report, leaving member states to design independently under time pressure.

Fragmentation is a specific risk that analysts have flagged since the sandbox architecture was first proposed. Because member states retain discretion over how their sandboxes operate, the oversight environments they create will inevitably vary in stringency. A developer seeking sandbox certification could, in principle, select the least demanding jurisdiction — a dynamic that critics argue could produce inconsistencies in how the AI Act is enforced across the single market, precisely the outcome the regulation was designed to prevent.

A New EU-Level Sandbox, but Not Until 2028

The omnibus deal also creates something that did not exist in the original AI Act: a centralised, EU-level regulatory sandbox operated directly by the AI Office, with priority access reserved for SMEs, start-ups, and small mid-cap enterprises. This is a meaningful structural addition — it provides a pathway for smaller innovators who lack the resources to engage with the patchwork of national systems, and it gives the AI Office a direct operational role in compliance facilitation rather than purely supervisory functions.

The catch is timing. The legislative financial statement accompanying the omnibus sets the EU-level sandbox's operational target at 2028 — two years after the original national deadline, and one year after the newly extended one. Any company hoping to use the centralised route for high-risk AI systems that fall under the December 2027 compliance deadline will be navigating a gap period in which neither the national landscape nor the EU-level infrastructure is complete.

The omnibus also expanded sandbox access to a newly defined "small mid-cap" category: companies with fewer than 750 employees and annual turnover under €150 million. That expansion responds to legitimate concerns that the original SME threshold was too narrow to capture the segment of European AI companies that are past start-up stage but still lack the compliance infrastructure of large enterprises.

What the Extension Buys — and What It Doesn't

For the sixteen member states that have not yet communicated implementation plans, the extra twelve months provide genuine relief. Sandbox design is not a trivial administrative task; it requires recruiting regulators who understand machine learning systems, drafting legal frameworks for experimental AI deployment, and building the institutional capacity to issue the exit reports that give tested companies a head-start on conformity assessment.

What the extension cannot fix is the underlying resourcing question. The AI Act explicitly requires national competent authorities to "allocate sufficient resources to comply with this Article effectively." Several smaller member states have raised concerns in Council working groups that the regulatory burden the AI Act imposes on national administrations is disproportionate to their available budgets. A year more time does not change that arithmetic unless accompanied by EU-level financial support.

The broader implication is that the AI Act's enforcement architecture will be uneven for several years. High-risk AI systems reaching the December 2027 compliance deadline may enter markets where the intended supervised development pathway either does not exist, exists in an immature form, or varies materially from the equivalent pathway in a neighbouring country. For compliance officers and legal advisers preparing clients for the new timeline, the sandbox gap is not a technicality — it is a significant variable in how much practical certainty the AI Act will deliver in its first enforcement cycle.

What to Watch

Spain's AESIA model is likely to attract increasing attention as other member states look for implementation blueprints. The Commission's still-pending implementing acts, which are expected to standardise sandbox design before the end of 2026, will be the clearest indicator of whether the extension year produces convergence or continued fragmentation. And the AI Office's preparations for its own centralised sandbox — whose full timeline runs to 2028 — will signal how seriously the EU-level architecture is being resourced in parallel with national efforts.

#EU AI Act#regulatory sandbox#implementation#member states#compliance#omnibus

Sources

More from EU AI

See all