EU Regulatory Sandboxes: An Opportunity for Coordinating AI Innovation
Burden & Stenberg (2025)
1. Core Purpose of Regulatory Sandboxes
- Not a loophole
  - Sandboxes are NOT exemptions from regulation
  - Regulation still applies — but with supervisory flexibility
  - Primary goal: regulatory learning, not deregulation
- True purpose
  - Enable controlled testing of innovative technologies
  - Provide legal certainty for innovators
  - Allow authorities to learn how regulation should adapt
  - Facilitate knowledge sharing between regulators and firms
2. Four Shared Features
- Legal basis
  - Formal regulatory framework authorizing the sandbox
  - Clear rules of engagement for participants
- Supervised environment
  - Authority oversight throughout the testing period
  - Monitoring and reporting requirements
- Time-limited testing
  - Fixed duration for sandbox participation
  - Clear entry and exit criteria
- Safeguards & transparency
  - Measures to protect consumers and markets
  - Openness about what is being tested and learned
3. Three Responsibilities of Authorities
- Enable innovation
  - Provide guidance and support to sandbox participants
  - Facilitate experimentation within legal boundaries
  - Reduce regulatory uncertainty for innovators
- Safeguard public interest
  - Protect consumers, data privacy, and fundamental rights
  - Ensure risks are identified and mitigated
- Generate regulatory learning
  - Document insights from sandbox experiments
  - Feed learnings back into policy-making
  - Update regulatory frameworks based on evidence
4. Avoiding Silo Management
- The problem
  - Each regulation creates its own sandbox (AI Act, GDPR, EHDS, NZIA, etc.)
  - Separate authorities run sandboxes without coordination
  - Risk of inconsistent outcomes and missed synergies
- Why coordination matters
  - AI cuts across multiple regulatory domains
  - Fragmented sandboxes create confusion for innovators
  - Shared learnings improve all sandboxes
  - Prevent conflicting regulatory interpretations
5. Transparency & Openness
- Why transparency is critical
  - Builds trust in the sandbox process
  - Enables knowledge sharing across sandboxes
  - Prevents regulatory capture by powerful firms
- Risks of opacity
  - Secret agreements undermine public accountability
  - Lessons learned stay hidden and cannot inform policy
  - Risk of companies using sandboxes as "black boxes"
- Recommendation
  - Publish outcomes and insights (with appropriate confidentiality)
6. Governance Recommendations
- Key governance advice
  - Establish cross-sandbox coordination mechanisms
  - Create common reporting standards
  - Share data and insights between authorities
- Starting point
  - Begin with sandboxes from related regulations
  - Test coordination on Cyber Resilience Act, Data Act, etc.
  - Use these learnings to inform AI Act sandboxes
- Long-term vision
  - Integrated regulatory sandbox ecosystem across EU
7. Risks & Misconceptions
- Common misconceptions
  - Sandboxes are loopholes for less regulation — FALSE
  - Sandboxes only benefit large companies — they help SMEs too
  - Sandboxes mean no oversight — authorities are actively involved
- Real risks
  - Opaque governance undermines legitimacy
  - Fragmented silos create inconsistent outcomes
  - Authorities may lack resources or expertise
  - Risk of regulatory capture by well-funded participants