k0nsult.cloud / ai-truth / piaskownica / en

AI Act regulatory sandbox

What a regulatory sandbox is under EU Regulation 2024/1689, the stage of preparation for an application we have reached, and the evidence we have gathered. Overriding status: IN PREPARATION / COMING SOON.

⚠ Factual status (claim ≤ proof): K0NSULT is not currently a participant in any AI regulatory sandbox. This page describes solely (a) what a sandbox is under EU law, (b) our state of preparation for an application, and (c) the evidence gathered. No wording on this page should be understood as a declaration of participation, acceptance, accreditation or supervision exercised by an authority. The status will change only after a formal application is accepted by the competent authority.

Status legend: LIVE confirmed by evidence · DATA based on a documented dataset · COMING SOON in preparation / planned. Principle: no proof = GAP, not a fact. We apply claim ≤ proof — we do not claim more than we can demonstrate.

1. What an AI regulatory sandbox is (EU 2024/1689)

Regulation (EU) 2024/1689 of the European Parliament and of the Council (the AI Act) introduces the institution of AI regulatory sandboxes. Within the measures supporting innovation, the Regulation provides that each Member State establishes at least one national AI regulatory sandbox.

Purpose: a controlled environment in which a provider or prospective provider of an AI system may develop, train, test and validate an innovative system before placing it on the market — under the supervision of the competent authority, for a limited time, according to an agreed plan.
Authority supervision: a sandbox operates under the control of a designated national authority; it does not exempt from obligations arising from the law, but allows them to be fulfilled in conditions of dialogue with the regulator.
Trace and reporting: participation involves documenting the course of activities, reporting and final conclusions (the exit report), which may support further compliance.
Voluntary and limited in nature: admission to a sandbox requires an application and the authority's acceptance; it is not automatic and does not constitute a certification of the system.

The above is a general description of the legal institution. References to specific articles (the provisions on AI regulatory sandboxes) should be verified in each case against the current text of EU Regulation 2024/1689 and against national implementing provisions.

2. Our state of preparation for an application

K0NSULT is carrying out preparatory work directed towards a future application to a national AI regulatory sandbox. The current stage is the building of an application package and an evidence base, not participation in a sandbox.

Stage 1 — Reconnaissance DATA

Contact with the public administration and mapping of competent authorities. Documented correspondence (section 3).

Stage 2 — Application package IN PREPARATION

Compiling the documentation required for the application (section 4). Steps:

AI system description (purpose / functions / architecture / boundaries) — DRAFT
DPIA — scope / data categories / protection measures — IN PROGRESS
Model provider registry (model cards: Claude/Groq/Gemini) — IN PROGRESS
Test plan — methodology / hypotheses / KPIs — IN PROGRESS
Declaration of Conformity (DoC) — skeleton ready, no signature yet
Collection of evidence of dialogue with the administration — DONE (section 3)

Stage 3 — Application BLOCKED (Stage 2)

Submission of the application to the competent national authority. Has not taken place. Order after completing the package:

Submission of application + package to the designated authority
Preliminary assessment by the authority — statutory deadline 30 days
Agreement of the test plan with the authority
Sandbox testing — up to 12 months (Art. 60 AI Act)
Final report (exit report) + conclusions for the DoC

Participant status will be updated only after formal acceptance by the authority.

3. Evidence of contact with the administration

The foundation of readiness to apply is a documented, genuine dialogue with the public administration on matters related to the AI Act. The figures below come from the programme's correspondence dataset.

16letters sent

11institutional responses

7e-Delivery UPO

Institutions that responded (11): CERT.PL, Ministry of Digital Affairs, Ministry of Finance, Ministry of National Education (MEN), Ministry of Family, Labour and Social Policy (MRiPS), Ministry of Justice (MS), Ministry of the Interior and Administration (MSWiA), Ministry of Foreign Affairs (MSpr), Ministry of Health (MZ), RCL/DPNT, Comarch.

Evidence item	Count	Status
Letters sent to the administration	16	DATA
Substantive responses from institutions	11	DATA
UPO — official delivery acknowledgements (e-Delivery)	7	DATA

These figures form the foundation of readiness to apply. Full evidence index for the programme: /evidence-index.

4. Application package (under construction)

A checklist of the documentation being prepared for a future application. Most items have the status COMING SOON — this is a declaration of the scope of work, not a completed package.

Package element	Description	Status
System description	UNIONAI: orchestration of LLM models (Claude/Groq/Gemini) in a controlled research environment. Scope: AI agent federation, continuous audit, human-in-loop (Art. 26). Boundary: research, not commercial deployment. → /ai-act	DRAFT
Roles	Provider: K0NSULT Sp. z o.o. · Operator: Tomasz Obara · Users: researchers and UNIONAI programme partners. Grassroots Lobbing: supporting partner (not an AI provider).	DATA
Risk assessment	Preliminary classification: GPAI + Art. 50 (transparency). Research systems — exemption Art. 2(6). Self-classification tool: /ai-truth/ocena	DRAFT
Human oversight	Human-in-the-loop: operator approves each agent action outside the sandbox. OPERATOR_KEY gated endpoints. Audit logs per session. Kill-switch mechanism via flyctl.	DRAFT
Test plan	Environment: Fly.io (fra), isolated from prod. Methodology: (1) compliance hypotheses per component SYS-1..SYS-7, (2) regression tests after each commit (tsc+smoke), (3) smoke anon→401 (auth gate), (4) /production-gate — 3 operator signatures. KPI: claim_proven/claim_total ≥ 95%, zero autonomous deliveries, zero CRIT open. Timeline: after package completion → authority → max. 12 months. → procedures	IN PREPARATION
DPIA	Data protection impact assessment (Art. 35 GDPR + Art. 59 AI Act) — in progress. Scope: session logs (hash, not content), agent scoring (pseudonymous DID), correspondence with the administration (sender data). Data categories: no sensitive data Art. 9 GDPR in the research phase. Measures: TLS encryption, gated operator access (OPERATOR_KEY), 90-day retention. GDPR controller: K0NSULT Sp. z o.o. DPIA skeleton: → procedures.	IN PREPARATION
Entity data	K0NSULT Sp. z o.o. — KRS, NIP, representation, e-Delivery channel.	DATA
Evidence of dialogue with the administration	Correspondence, responses, UPO (section 3).	DATA

5. Related

› AI Truth & Governance Portal — main page of the transparency portal
› Processes and procedures — how we verify evidence (claim ≤ proof)
› Evidence index — full base of proof-packs

Disclaimer. This page is informational and research in nature and describes a state of preparation, not participation. It does not constitute a certification, it is not an opinion of a notified body, nor a legal conclusion (not a certification · not a notified body · not a legal conclusion). The status and figures reflect the state of knowledge as at the date of publication and are subject to update.