AI Regulation Tracker / Guidance
Denmark's Data Protection Authority Publishes AI Sandbox Final Reports Setting Concrete Compliance Expectations for Developers
Regulatory summary: On June 30, 2026, Denmark's data protection authority, Datatilsynet, together with the Danish Agency for Digital Government (Digitaliseringsstyrelsen), published two final reports from the regulatory AI sandbox they run jointly. The reports document guidance given to two projects, BrainCapture ApS building an AI system for automated interpretation of EEG signals.
Datatilsynet and the Danish Agency for Digital Government released final reports from their regulatory AI sandbox on June 30, 2026, covering a medical EEG interpretation system and a child conversation simulator. The reports show how controllers must handle legal basis, controller and processor roles, AI Act risk classification, and prohibited practice screening from the development phase.
Key takeaways
- The Danish sandbox expanded its guidance in this round beyond data protection to include risk classification under the EU AI Act. The two reports give worked examples of how developers should reason about legal basis for development and operation, controller and processor allocation, AI Act high-risk scenarios, and prohibited AI practices, and they emphasise doing this work in the startup and development phase before a system is fully built.
- AI product and engineering leads building systems that touch personal data; data protection officers and privacy counsel advising on legal basis and role allocation; healthcare technology developers building diagnostic support tools; child-welfare and education technology teams; and compliance officers mapping systems against AI Act risk tiers.
- Status: Published June 30, 2026.
- Take one AI project currently in development and run it through the same four questions the reports address: is there personal data, what is the legal basis, who is controller and who is processor, and what is the AI Act classification including prohibited-practice screening. Record the answers now, while the design can still change.
| Date | Jurisdiction | Rule | Affected professionals | Status or effective date |
|---|---|---|---|---|
| 2026-07-09 | Denmark / EU | The Danish sandbox expanded its guidance in this round beyond data protection to include risk classification under the EU AI Act. The two reports give worked examples of how developers should reason about legal basis for development and operation, controller and processor allocation, AI Act high-risk scenarios, and prohibited AI practices, and they emphasise doing this work in the startup and development phase before a system is fully built. | AI product and engineering leads building systems that touch personal data; data protection officers and privacy counsel advising on legal basis and role allocation; healthcare technology developers building diagnostic support tools; child-welfare and education technology teams; and compliance officers mapping systems against AI Act risk tiers. | Published June 30, 2026. Final reports available through Datatilsynet and the Agency for Digital Government. This is closed guidance from completed sandbox projects, not an open consultation. |
Frequently Asked Questions
Are the Danish AI sandbox reports legally binding?
No. They are guidance and regulatory precedent from completed sandbox projects, published June 30, 2026. They show how Datatilsynet reads existing data protection law and the EU AI Act, but they do not create new obligations on their own.
Which two projects do the reports cover?
BrainCapture ApS, building an AI system for automated interpretation of EEG signals, and Børns Vilkår, building an AI conversation simulator for training professionals in difficult conversations with children.
What is new compared with the first sandbox round?
This round added guidance on risk classification under the EU AI Act, on top of the data protection guidance that was the focus of the first round.
What prohibited AI practice did the reports flag?
The Børns Vilkår project raised AI systems that infer a person's emotions in workplaces and educational institutions, which the AI Act treats as a prohibited practice, along with high-risk scenarios in education and work-related contractual settings.
What is the main practical takeaway?
Resolve legal basis, controller and processor roles, AI Act risk classification, and prohibited-practice screening during the development phase, before a system's design is fixed, because both reports show these questions are cheaper and cleaner to answer early.
Internal links
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.