(Draft) Commission Implementing Regulation (EU) …/… laying down rules for the application of Regulation (EU) 2024/903 of the European Parliament and of the Council, as regards the establishment and operation of interoperability regulatory sandboxes
EU framework for interoperability between digital public services in Europe (Interoperable Europe Act): implementing provisions on regulatory sandboxes
Draft Commission regulation approved by committee (representatives of the Member States) and published in the EU comitology register on 26.5.2025
Previously
- Draft regulation presented by the Commission on 13.2.2025 with a feedback deadline of 13.3.2025
Background
(from the Commission regulation)
(1) Regulation (EU) 2024/903 introduced the interoperability regulatory sandboxes as an innovation support measure to enhance the development of innovative interoperability solutions and the cross-border interoperability of trans-European digital public services.
(2) In order to address the specific cross-border innovation and interoperability-related needs of public sector authorities, public sector bodies or Union entities may establish an interoperability regulatory sandbox pursuant to Article 11 of Regulation (EU) 2024/903. Interoperability regulatory sandboxes are fora to create regulatory learnings that are informed by data coming from targeted projects aiming to develop, train, test or validate innovative interoperability solutions. For interoperability solutions this innovation can concern all interoperability layers (legal, organisational, semantic or technical), where this innovative element can be seen as the introduction of something new or significantly improved. To assess, if something is new or improved, the context is relevant: what is innovative in one sector or Member State may be commonplace in another. The interoperability regulatory sandboxes can give room to experiment with a broad range of innovative interoperability solutions that can support better cross-border interoperability of public services. An interoperability regulatory sandbox evolves around open regulatory questions, especially in cross-border contexts that are discussed with the relevant regulators that can come from different sectors, administrative levels and Member States. In the case that only technical experimentation is needed, such experimentation can happen in other forms, such as testbeds or innovation labs, and no interoperability regulatory sandbox is needed. In accordance with Article 11 (4) of Regulation (EU) 2024/903, interoperability regulatory sandboxes are by default joint endeavours of several Union entities and/or public sector bodies that work together towards more legal certainty in the frame of an interoperability regulatory sandbox. In that sense, interoperability regulatory sandboxes are established through specific agreements between the different collaborating entities (such as a Memorandum of Understanding).
Cooperation within the interoperability regulatory sandboxes can build on existing cross-border cooperation mechanisms. For this reason, public sector bodies or Union entities forming a consortium (e.g. a European Digital Infrastructure Consortium or European Grouping Territorial Cooperation) can establish an interoperability regulatory sandbox as well.
(3) To foster innovation, several national and Union wide regulatory sandboxes have been established or are in the process of being established under various Union legislative instruments, such as, but not limited to, the EU Blockchain Regulatory Sandbox, the setting up of AI regulatory sandboxes under Regulation (EU) 2024/1689, and the Net-zero regulatory sandboxes to promote innovation in the field of net zero technologies under Regulation (EU) 2024/1735. While some regulatory sandboxes may be sectorial, the interoperability regulatory sandboxes established under Regulation (EU) 2024/903 specifically focus on innovative solutions for Trans-European digital public services. To ensure alignment with the objectives of Regulation (EU) 2024/903, these sandboxes must adhere to specific criteria. Such criteria serve to determine which regulatory sandboxes will be featured on the Interoperable Europe Portal and monitored by the Interoperable Europe Board, established in accordance with Article 15 of Regulation (EU) 2024/1735. The checklists provided in the Annex to this Regulation and the guidelines and clarifications that the Commission may issue in accordance with Article 11(3) of Regulation (EU) 2024/903 support public sector bodies and Union entities in assessing their compliance with these criteria. This enables the Commission to fulfil its task under Article 12(9) of Regulation (EU) 2024/903 of ensuring that information on the interoperability regulatory sandboxes is available on the Interoperable Europe portal. The check and authorisation of interoperability regulatory sandboxes by the Commission does not constitute an assessment of the legality of activities of the participants within such sandboxes. All participants remain fully liable for their activities as set out in Article 12(5) of Regulation (EU) 2024/903.
The supervisory and corrective powers of competent authorities over these sandboxes remain unaffected, in accordance with Article 12(4) of Regulation (EU) 2024/903.
(4) While interoperability regulatory sandboxes can provide a forum for different forms of collaboration between the interoperability regulatory sandbox coordinators, the respective regulators and other actors, the specific agreement establishing the interoperability regulatory sandbox serves the purpose to clearly set out which working methods between the interoperability regulatory sandbox coordinators and other actors are envisioned. The specific agreement should make transparent which type of other actors are eligible to join the interoperability regulatory sandbox, specify at which point in the lifespan of the interoperability regulatory sandbox and under which conditions they can participate. This is necessary to prevent any detrimental factors to the objectives of the interoperability regulatory sandbox. The specific agreement establishing the interoperability regulatory sandbox should also create transparency vis-à-vis the planned interactions with actors that have to be involved in the process pursuant to applicable law, such as Article 11(1) of Regulation (EU) 2024/903, which provides that interoperability regulatory sandboxes entailing the processing of personal data are to be operated under the supervision of the national data protection authorities or the European Data Protection Supervisor. The necessary engagement of the data protection supervisory authorities depends on different factors such as the complexity of the data processing operations in the envisioned projects in the interoperability regulatory sandbox, the categories and amount of data concerned as well as the risks associated with the processing. 
The operation of the interoperability regulatory sandboxes under the supervision of data protection authorities, where the interoperability regulatory sandboxes entail personal data processing, should be understood as an additional task for the data protection authorities, conferred on them by Regulation (EU) 2024/903, and a condition for the proper operation of the interoperability regulatory sandboxes. Following the application of Union data protection law to any personal data processing in the context of the implementation of Regulation (EU) 2024/903, data protection authorities should be provided the necessary resources for the performance of their new tasks. In the case that data protection authorities from different Member States and from EU level are involved in the interoperability regulatory sandbox, the cooperation of these authorities can also build on the respective mechanisms, referred to in Article 61 of Regulation (EU) 2016/679 of the European Parliament and of the Council, in Article 61 and Article 62 of Regulation (EU) 2018/1725 of the European Parliament and of the Council.
(5) To ensure that participation in the interoperability regulatory sandboxes is based on a specific plan in accordance with Article 12 (3) of Regulation (EU) 2024/903, the regulatory sandbox coordinators ought to select one or more suitable projects and ensure the establishment of a specific plan for each of them, containing all elements outlined in Article 12 (3) of Regulation (EU) 2024/903. Whether the specific plan on the projects running in the interoperability regulatory sandboxes is developed by the regulatory sandbox coordinators or by other actors invited by them will depend on the governance structure employed for the interoperability regulatory sandbox. What ought to be clearly established by the regulatory sandbox coordinators throughout the lifespan of the interoperability regulatory sandbox, is how the specific deliverables will feed into the regulatory learning objectives of the interoperability regulatory sandbox.
(6) To support such objectives, Article 11(3) of Regulation (EU) 2024/903 foresees that the Commission may issue guidelines and clarifications. The Commission shall create a dedicated interface for information on the interoperability regulatory sandboxes, that will make public relevant details regarding the established interoperability regulatory sandboxes and the projects running within the interoperability regulatory sandbox. To promote broad and equitable access to the interoperability regulatory sandboxes, information on how to establish an interoperability regulatory sandbox should be made readily and easily accessible to the potential regulatory sandbox coordinators on the Interoperable Europe Portal in accordance with Article 12(9) of Regulation (EU) 2024/903. The Interoperable Europe Portal can also facilitate the networking of stakeholders interested in establishing or joining an interoperability regulatory sandbox. The Portal will also serve as a critical tool for ensuring effective regulatory learning outcomes: final reports and related regulatory insights will be published here, as well as the related recommendations from the Interoperable Europe Board.
(7) In order to accommodate the specific needs for the development, training, testing and validation of innovative interoperability solutions, in the interoperability regulatory sandbox, regulatory sandbox coordinators may include other natural or legal persons, such as other public sector actors, Union entities, research institutions, GovTech actors including SMEs and Startups, actors from the AI innovation ecosystem, provided they meet the criteria specified in Article 12(1) of Regulation (EU) 2024/903. This does not entail changes on the responsibilities of the interoperability regulatory sandbox coordinators, nor of the participants who ought to uphold the specific agreement conditions upon entering an interoperability regulatory sandbox. The purpose of including the GovTech actors specified in Article 12(1) is to enable a richer regulatory dialogue within the interoperability regulatory sandbox, facilitating the sharing of lessons learned, identifying learnings from innovation experimentation, risks, and best practices on standardisation. The involvement of said other actors in the interoperability regulatory sandbox could also help to gain sector-specific insight and access support from testing and experimentation facilities and from the European Digital Innovation Hubs. Innovative procurement approaches can work in synergy with and support interoperability regulatory sandboxes by enabling timely access to resources, expertise, and technologies for controlled experimentation. This ensures the flexibility needed to test innovative solutions while remaining aligned with regulatory goals.
(8) To ensure that all projects running in the interoperability regulatory sandboxes respect data privacy, the regulatory sandbox coordinators and the other actors have to set out a well-defined approach towards further processing of personal data in the interoperability regulatory sandbox, that is to say, personal data initially lawfully collected for other purposes. This approach should be compliant with all requirements set out in Regulation (EU) 2024/903 and all other obligations pursuant to Union data protection law. The specific agreement on the establishment of the interoperability regulatory sandbox should already specify, where appropriate, the elements set out in Article 11(4) of Regulation (EU) 2024/903. The approach should give specific attention to following a hierarchical approach to the use of personal data, ensuring that the data processed is limited to what is necessary for the functioning of the interoperability solution to be developed or tested in the interoperability regulatory sandbox, and that functioning cannot be effectively achieved by processing anonymised, synthetic or other non-personal data, as set out in Article 12(6)(b) of Regulation (EU) 2024/903. Where personal data processing may lead to new inferences about data subjects, regulatory sandbox coordinators and also the other actors involved in the interoperability regulatory must demonstrate a valid legal basis for the operational use of sandbox results. This legal basis shall be included in the specific plan pursuant to Article 12(3)(g) of Regulation (EU) 2024/903, and all conditions under Article 12(6) must be met. Without such legal basis, operational personal data from the sandbox cannot be further processed. This limitation prevents the use of interoperability regulatory sandboxes primarily for data exchange or comparison between authorities without proper legal grounds.
(9) A structured approach to evaluation and monitoring is essential for fostering a safe and productive environment for innovation, while maintaining accountability and regulatory integrity within the interoperability regulatory sandbox. For this purpose, pursuant to Article 12(8) of Regulation (EU) 2024/903, regulatory sandbox coordinators are to provide regular reports to the Commission and the Interoperable Europe Board summarising progress, outcomes, and challenges. The reporting should also cover the evaluation of data quality aspects, such as the accuracy and fairness of assessments, data, or inferences generated during the sandbox's operation. This evaluation is crucial to ensure the reliability and trustworthiness of the sandbox's outputs to be used operationally (e.g. for fraud detection, subsidy allocation, or civil status registration). Experimentation in interoperability regulatory sandboxes can also serve as an opportunity to evaluate the sustainability, energy and resource efficiency of the innovative interoperability solutions developed, trained, tested or validated in the context of the interoperability regulatory sandbox. To ensure continuous oversight, the process should require establishing a mechanism for ongoing data collection from individual projects, allowing for regular tracking of progress, risk management, and adherence to the sandbox’s standards. Templates and examples provided by the Commission and available on the Interoperable Europe Portal can in the future support the streamlining of reporting, to make it easier for all parties to fill out and comprehend the results of the interoperability regulatory sandboxes.
(10) The specific agreement on the interoperability regulatory sandboxes may need to be renewed in cases of substantial changes to the original specific agreement. Such changes may include, among others, modifications regarding the number and the identity of the regulatory sandbox coordinators, or the extension of the initially agreed timeframe necessary to achieve the sandbox objectives.
(11) In the case that regulatory dialogue and the experimentation in the interoperability regulatory sandboxes has provided enough evidence on the safe use of an interoperability solution, those interoperability solutions should be shared through the Interoperable Europe portal, where applicable, with non-restrictive licencing terms, such as the European Union Public Licence (EUPL), in compliance with Article 4 of Regulation (EU) 2024/903.
(12) Any significant risks identified during the development and testing of interoperability solutions in an interoperability regulatory sandbox should result in adequate mitigation and, failing that, in the suspension of the development and testing process. The requested multi-level risk management approach, balancing the role of risk managers and the oversight by the regulatory sandbox coordinators and competent authorities, should ensure a safe environment for the testing, training, development or validation of interoperability solutions in the interoperability regulatory sandbox. Regulatory sandbox coordinators should decide on the risk management process, managing communication between competent authorities and risk managers, and ensure that each project within the interoperability regulatory sandbox complies with the established risk management plan. The risk management should build on and ensure full compliance with other applicable risk management procedures, e.g. in the field of cyber security or personal data protection. Guidelines and clarifications on the Interoperable Europe Portal can in the future help regulatory sandbox coordinators to find the appropriate set-up.
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 25/03/2025.
(14) The measures provided for in this Regulation are in accordance with the opinion of the Committee established by Article 22(1) of Regulation (EU) 2024/903,