Will AI Regulatory Sandboxes Work?

The EU’s AI sandboxes create room to experiment, but critics express concern about their efficacy.

Testing a new artificial intelligence (AI) system on real people can carry real risks. The European Union wants to let companies experiment anyway—just under supervision.

When the EU’s AI Act entered into force in August 2024, it brought an unusual regulatory experiment with it: controlled environments in which companies could develop and test AI systems under regulatory supervision before releasing them to the market. These so-called AI regulatory sandboxes are designed to foster innovation while identifying and mitigating risks to fundamental rights, health, and safety. With the deadline approaching for member states to establish their sandboxes, the European Commission is still working out the details of the new regulatory initiative. In December 2025, the Commission launched a stakeholder consultation on a draft implementing law setting out common rules for the establishment and operation of AI regulatory sandboxes.

Whether sandboxes can deliver on both their innovation and promises of safety, however, remains an open and contested question.

At their core, AI regulatory sandboxes reflect a recognition that traditional regulation struggles to keep pace with fast-moving technology. The AI Act permits prospective providers to develop, train, validate, and test innovative AI systems for a limited time under regulatory supervision within a controlled environment. Participants may use documentation from their sandbox experience to demonstrate compliance with the AI Act, and they are protected from administrative fines for violations during the sandbox period as long as they follow the guidance of their national authority in good faith.

Sandbox proponents point to the UK’s Financial Conduct Authority fintech sandbox as evidence that the model works. One major study found that participants in the UK sandbox raised significantly more capital after entry into the sandbox than did comparable non-participants. Advocates contend that this iterative, evidence-based approach to rulemaking may be better suited to fast-moving technology than traditional forms of regulation.

Supporters also argue that sandboxes generate something equally valuable: regulatory knowledge. Rather than issuing rules abstractly, regulators can observe AI systems in operation, learn where risks materialize, and calibrate requirements accordingly. National authorities are required to submit annual reports to the AI Office documenting progress and results—including best practices, incidents, and lessons learned—with the aim of informing the possible revision of AI regulations. For an area of technology evolving as rapidly as AI, this feedback loop between regulator and regulated may prove as significant as any individual sandbox outcome.

But critics raise a different set of concerns. The empirical record on whether sandboxes achieve their stated goals is thinner than what their proponents suggest. Although participants in the UK fintech sandbox did raise more capital, critics argue that the sandbox model creates a façade of regulatory legitimacy without adequately addressing systemic risk—a concern that translates directly to the AI context.

Critics also express structural concerns about who will gain access to AI sandboxes. Although access to the sandboxes is free of charge for small and medium-sized enterprises (SMEs) and startups, skeptics question whether smaller firms will have the compliance infrastructure and legal expertise needed to navigate the application and ongoing oversight processes. SMEs may face a proportionally greater burden of compliance than do multinational firms, exacerbating inequalities in innovation capacity.

Critics also point out that sandbox participation does not suspend a participant’s exposure to legal harm. Sandbox participants remain fully liable, under applicable EU and national liability law, for damages caused to third parties during testing. This provision has been criticized for potentially deterring developers from joining sandboxes. For high-risk applications in areas like healthcare or employment—where the stakes of a failed test are borne by individuals—this raises difficult questions about the appropriate limits of supervised testing.

The draft implementing law itself reflects just how many of these tensions remain unresolved. The proposal sets out the operational framework for the creation, management, and supervision of sandboxes, including eligibility limited to AI systems that have not yet been placed on the market, and requires authorities to agree on a detailed sandbox plan with each participant covering objectives, timelines, methodologies, and safeguards. Yet the Commission has also created uncertainty by succumbing to industry pressure and agreeing to pause part of the AI law.

In addition, the EU’s broader drive toward regulatory simplification reflects persistent concerns that EU digital regulations deter uptake, delay time to market, and introduce compliance asymmetries across member states. However, these criticisms preceded the proposal of the Digital Omnibus, which would amend the EU AI Act to reduce regulatory burdens. One of the amendments would allow the EU AI Office to establish an EU-level sandbox alongside existing national ones, creating a dual-layer structure. Currently in the trilogue negotiation phase, the amendment is likely to be adopted in 2027.

As an August 2026 implementation deadline for the member states’ sandboxes draws closer, how these design choices are ultimately resolved will determine whether the EU’s AI sandboxes become a genuine model for innovation-compatible regulation, or instead will turn out to be just a well-intentioned mechanism that falls short of its ambitions on both innovation and regulation.