What is a regulatory sandbox?
A regulatory sandbox , although there is no clear definition, is a regulatory approach which is generally described as a controlled testing environment for new technologies, under the supervision and in close contact with regulators. This environment is usually characterised by a degree of legal lenience while aiming to maintain appropriate safeguards – managing this delicate equilibrium is crucial towards a successful deployment of any sandbox. Such an environment gives place to a mutually beneficial relationship: innovators work within a laxer legal framework while having a direct channel to the regulator, boosting legal certainty; meanwhile, regulators can closely monitor new technologies and their impact on the affected sectors, gathering data for future measures, such as changes in regulation.
Regulatory sandboxes are most appealing when regulators need to deal with fast‑paced industries and even faster technological developments, allowing them to have a pulse on the industry without stifling innovation. This is especially important in sectors deemed particularly competitive and of high public interest. Regulators are often more lenient, overlooking some missteps when dealing with technologies whose development is considered public interest. However, as it will be shown below, this is not always the case nor a necessary part of a sandbox. In essence, a regulatory sandbox is a direct line of communication between companies and the regulator, and the commitment to dialogue from both parties.
Past examples
The first case of an official regulatory sandbox was an initiative from British Financial Conduct Authority (FCA), which is still active. The FCA Sandbox was launched in 2016, following a 2015 study on the feasibility of establishing a first-of-its-kind regulatory sandbox for financial services. In this study, the FCA explores the potential benefits and challenges of a sandbox (such as reducing the time of getting innovative ideas to market and reducing regulatory uncertainty for new products), as well as going into detail on how this sandbox should operate on a practical level. Due to its long running nature, the FCA Sandbox constitutes an excellent case study for anyone interested in sandboxes. Furthermore, the FCA has provided several quality publications and studies regarding the implementation of the sandbox and its effects, such as this lessons learned report, a 2017 review of the sandboxes’ first year of activity.
Recently, the EU has proposed the creation of a European AI Sandbox, by means of the
Artificial Intelligence Act (AI Act), whose original version was proposed in 2021, with a revised version appearing in 2022, still under discussion.
One important detail to retain from the AI Act vision for the implementation of sandboxes is that it does not create a single European sandbox, but instead provides a framework for each Member State or group of Member States to create their own sandboxes (Article 53(1) of the AI Act). By choosing this approach, the Commission risks differing implementations of sandbox regimes by the different Member States, which can lead to a patchwork of AI rules throughout the EU, contrary to the much-desired goal of harmonisation at a European level (more information on the AI Act can be found on the following European Parliament Briefing).
Another key takeaway from the AI Act is how it deals with the question of liability, which is unavoidable when dealing with AI matters. The regulators’ concern with AI liability has materialised in several proposals, which combined aim to tackle this complex issue: the AI Act, the AI Liability Directive and a proposal for amending the Product Liability Directive (PLD). The changes to the PLD make it so that its no-fault liability provisions can be applied to instances of damages caused by defective software – in this particular case, AI systems (more on AI and liability can be found in a recent insight here).
Regarding the European AI Sandbox, the regulator explicitly states that there will not be a derogation of existing regulation, including liability – as per Article 53(4) of the AI Act. It remains to be seen how this choice will affect the willingness of companies to join this initiative, but it is, undoubtedly, a point of major importance for private actors. It should not be surprising if this line has deterrent effects on AI innovation.
Advantages and Risks
Based on these and other examples of sandbox implementation, several advantages and risks should be highlighted:
Advantages
From the companies’ perspective, the major advantages of this kind of regulation stem from having quick and reliable access to a source of legal information from within the regulatory body. This added information enhances legal certainty and helps companies avoid legal roadblocks to the deployment of their products. A especially relevant consequence of this, highlighted by the FCA Sandbox and other studies, is that the legal certainty from participating in an initiative such as this can be very attractive for investors, acting like an approval stamp from the regulator, signalling that there won’t be major legal concerns in getting the new product to the market.
The advantages for the regulator are tied with the knowledge gained from closely following the implementation and development of new products and dialogue with companies. The live stream of data provided by this environment can aid the regulator in deploying policies in a timely manner. Moreover, by simply establishing a sandbox, the regulator signals that it is an attractive option for innovative companies, by being willing to dialogue and support innovation.
Risks
One of the main risks inherent to any regulatory sandbox is that of being too lenient and not setting the appropriate safeguards. The consequences, however, vary drastically depending on the specific industry targeted by the sandbox.
Inversely, the other major risk associated with sandboxes is that of too much regulation: if the regulator is too stringent, he might have a negative effect on innovation, slowing it down or even halting it altogether.
The European Blockchain Regulatory Sandbox
After briefly analysing sandboxes in general, it is time to review the initiative that brought on this insight: the European Blockchain Regulatory Sandbox (EBRS). The EU blockchain regulatory sandbox is part of the European Blockchain Services Infrastructure (EBSI), which was created along with the European Blockchain Partnership (EBP) in 2018. On a surface level, there are two essential documents that shed some light on the inner workings of the EBRS: the EBRS launch announcement and the EBRS FAQ section.
The EBRS aims to accept and accompany 20 projects per year. These projects should come from EU companies – although non-EU companies can participate through consortiums with EU based companies – and have a validated proof of concept for a blockchain application (this validation being done through case studies, financial information, etc.)
Regarding the EBRS structure and operations, one should note that, while being an initiative of the Commission, the EU sandbox will be set up and managed by a consortium of legal experts between the law firm Bird & Bird and blockchain experts WBNoDE. Furthermore, participants will be screened by a panel of independent academics.
Both the EBRS launch announcement and FAQ section are rather vague regarding concrete details on the operation of the sandbox. However, one thing is certain until now: sandbox participants will not be exempt from existing regulatory requirements.
A deeper dive into the EBRS documentation is needed for further clarification. To this effect, one can look into the tender CNECT/2021/OP/0019, through which the legal experts responsible for the sandbox were procured – more precisely into the tender specifications document.
According to the tender, the EBRS aims to foment dialogue and cooperation between national and EU regulators with companies and remove legal uncertainties for blockchain based projects (mentioning the potential combination with other new technologies such as AI or the Internet of Things) and guide these companies through the existing regulatory requirements. With this aim in mind, the two main concrete goals of the sandbox are:
-At the individual use level – provide legal certainty regarding innovative solutions and help companies navigate the relevant legal framework and successfully deploy their projects in accordance with those rules.
-At a broader level – summarise all the individual experiences into a general report, highlighting key issues found in the current regulation.
The tender also provides valuable information regarding the minimum requirements that are expected of the contractor – in this case, the law firm Bird & Bird:
-Set up the sandbox and operate it under the Commission’s control.
-Organise calls for both companies and regulators interested in participating in the sandbox, as well as screening and selecting candidates to participate in the sandbox.
-Provide selected projects with tailored legal advice regarding each specific business case, which includes summarising relevant EU and national laws and identifying areas in which regulatory questions are likely to arise. The contractor is also expected to identify relevant regulators, as well as establishing a bridge between the companies and those regulators.
These requirements provide much needed clarification regarding what kind of sandbox can be expected, with three major takeaways: the sandbox will operate at a national level, guidance will be very tailored, considering the national law applicable to each specific project, and there is no major regulatory act accompanying the sandbox – this initiative is simply a tool to help companies navigate existing regulation.
Furthermore, the tender explains the power structure between the Commission and the contractor:
-The European Commission’s Directorate-General for Communications Networks, Content and Technology is responsible for operating the sandbox.
-The contractor will conduct the day-to-day management of the sandbox while receiving instructions from the European Commission.
Finally, according to the tender, upon the end of the project, we can expect a legal memorandum summarising the legal advice provided and proposed solutions to all relevant legal questions and challenges that arose during the duration of the sandbox.
Final remarks
Sandboxes, as a regulatory tool, can be an answer to the shortcomings of traditional lawmaking regarding the constant fast paced innovation that characterises the technological sector. Rooted on dialogue between companies and regulators, sandboxes are an easy way to provide legal certainty and guidance to the first, while providing critical data for political and regulatory decision making for the latter. Finally, sandboxes are very malleable by nature, and thus their risks and advantages can vary wildly in a case-by-case scenario. As it is shown by the European sandboxes mentioned in this insight, the regulator can choose to implement a sandbox without giving any leeway regarding existing legal provisions, thus mitigating one of the major concerns regarding this topic – that of the regulator being too lenient with companies. As for the converse risk, that this approach might be too restraining, while it may be true, the advantages of participating in a sandbox and having an open line to the regulator will hopefully outweigh this concern. The sui generis nature of sandboxes makes it difficult to predict how the deployment of the EBRS and AI Sandbox will play out but, based on previous examples, a positive outlook on this experiment can be justified.