§ EU AI Act · Article 59
AI Act Article 59: Obligations, Deadlines & Penalties
At a glance
Article 59 of the AI Act imposes 11 obligations on law enforcement authorities, provider. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 59
Obligation 1
AI systems must be developed for safeguarding substantial public interest in specified areas such as public safety, health, environment, energy, transport, or public administration.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Sector scope
- public safety, public health, environment, energy sustainability, transport, public administration
- Action required
-
develop
- Deadline
-
—
- Penalty
-
—
Obligation 2
Personal data processed in the sandbox must be necessary for complying with requirements where anonymised or synthetic data cannot effectively fulfill those requirements.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 3
Effective monitoring mechanisms must be implemented to identify high risks to data subjects' rights and freedoms, along with response mechanisms to mitigate risks or stop processing.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
monitor
- Deadline
-
—
- Penalty
-
—
Obligation 4
Personal data must be kept in a functionally separate, isolated, and protected data processing environment under the control of the prospective provider, with access restricted to authorised persons.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
secure
- Deadline
-
—
- Penalty
-
—
Obligation 5
Originally collected data can only be shared in accordance with Union data protection law, and any personal data created in the sandbox cannot be shared outside the sandbox.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
restrict
- Deadline
-
—
- Penalty
-
—
Obligation 6
Processing of personal data in the sandbox must not lead to measures or decisions affecting data subjects nor affect the application of their rights under Union data protection law.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 7
Personal data processed in the sandbox must be protected by appropriate technical and organisational measures and deleted once sandbox participation terminates or the retention period ends.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
delete
- Deadline
-
once participation terminates or retention period ends
- Penalty
-
—
Obligation 8
Logs of the processing of personal data in the context of the sandbox must be kept for the duration of the participation in the sandbox.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
document
- Deadline
-
duration of participation
- Penalty
-
—
- Exemptions
- unless provided otherwise by Union or national law
Obligation 9
A complete and detailed description of the process and rationale behind training, testing, and validation, along with testing results, must be kept as part of the technical documentation.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
Obligation 10
A short summary of the AI project, its objectives, and expected results must be published on the website of the competent authorities.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
provider
- Action required
-
publish
- Deadline
-
—
- Penalty
-
—
- Exemptions
- sensitive operational data in relation to law enforcement, border control, immigration or asylum authorities
Obligation 11
Processing of personal data in AI regulatory sandboxes for law enforcement purposes must be based on a specific Union or national law and subject to the same cumulative conditions as paragraph 1.
Regulation (EU) 2024/1689, Article 59, Article 59
- Obligated entity
-
law enforcement authorities
- Sector scope
- law enforcement
- Action required
-
comply
- Deadline
-
—
- Penalty
-
—
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 59
Who must comply with Article 59 of the AI Act?
+
law enforcement authorities, provider.
What does Article 59 of the AI Act require?
+
develop assess monitor
What is the compliance deadline for AI Act Article 59?
+
duration of participation; once participation terminates or retention period ends