AI Governance Library

Regulatory Sandboxes for AI and Cybersecurity – Questions and Answers for Stakeholders

Regulatory sandboxes aren’t just buzzwords; they’re fast becoming one of the EU’s go-to tools for managing fast-moving AI and cybersecurity risks. This edited volume brings together legal, technical, and policy perspectives to offer a grounded roadmap for building and using sandboxes the right way.

What’s Covered?

The 225-page volume breaks down the concept and use of regulatory sandboxes for AI and cybersecurity across legal, operational, and ethical dimensions. It was published under the SERICS program with support from the CINI Cybersecurity National Lab and draws from both academic research and real-world sandbox experiences.

Chapters are structured into three broad pillars:

  • Conceptual foundations – The first few chapters (e.g., Longo, Mobilio & Giannelli) walk through how the EU defines regulatory sandboxes, their legal basis, and the conditions under which they make sense. These sections frame sandboxes as temporary, supervised experimental spaces for testing innovative tech—especially where standard rules might stifle early experimentation.
  • Legislative interplay – Several contributions (e.g., Bagni, Baldini, Bonel) explore how sandboxes could act as a “bridge” between different regulations, such as the AI Act, GDPR, Cyber Resilience Act, and Interoperable Europe Act. These sections are valuable for understanding how fragmented compliance regimes might be simplified through sandboxing—without lowering fundamental rights protections.
  • Practical insights – The final stretch of the book looks at sandbox participation incentives (Zarra), technical standards (Tartaro & Panai), cybersecurity risk assessment (Brinker), and comparative case studies (Seferi, von Thiessen). Francis closes the volume with a discussion on the ethical boundaries of sandboxing: who gets to participate, under what terms, and what kinds of risk trade-offs are justifiable.

Throughout, the authors underline the need for good regulation, not just more of it. This includes space for testing, mechanisms to learn from implementation, and safeguards that adapt to evolving technologies.

💡 Why it matters?

The AI Act and Cyber Resilience Act both provide for regulatory sandboxes but offer little guidance on how to design them. This volume fills that gap. It’s the most comprehensive attempt so far to spell out how EU regulators, companies, and researchers might actually operationalize sandboxes without compromising on rights, security, or accountability. For countries and institutions now scrambling to set up their own AI sandboxes, this is essential reading.

What’s Missing?

There’s a lot of ambition, but less focus on the mechanics of enforcement. What kind of oversight do sandbox authorities need to run safe experiments? What happens when a sandbox project goes wrong? The book acknowledges these issues, especially in Riccio’s chapter on liability, but doesn’t fully address enforcement models or cross-border cooperation.

Another gap: while the ethical section is thoughtful, the volume doesn’t engage much with marginalized users or digital divides. Most examples focus on companies, researchers, and public entities—but very little is said about inclusion or participation of civil society watchdogs in sandbox processes.

Also, there’s no template or practical toolkit yet. For regulators who want to launch a sandbox next quarter, a supplementary “how-to” companion would make this volume even more useful.

Best For:

  • EU regulators designing or supervising sandboxes
  • Lawmakers working on AI, cybersecurity, or tech governance legislation
  • Startups and SMEs interested in early access pathways under the AI Act
  • Compliance officers exploring pre-market testing environments
  • Legal researchers and digital rights groups tracking how regulation evolves in practice

Source Details:

Regulatory Sandboxes for AI and Cybersecurity: Questions and Answers for Stakeholders, edited by Filippo Bagni & Fabio Seferi. Published February 2025 under the SERICS–Eraclito and CybeRights programs. ISBN 9788894137378.

Funded by the European Union’s NextGenerationEU initiative under Italy’s National Recovery and Resilience Plan.

👥 Contributors include:

  • Alessandro Armando (CINI Cybersecurity National Lab)
  • Andrea Simoncini (University of Florence, CybeRights PI)
  • Davide Baldini, Giuseppe Mobilio, Nils Brinker, Kate Francis, and others from across law, cybersecurity, and ethics

🧩 Context: The volume supports the EU’s broader “Better Regulation” strategy and connects directly to the sandbox provisions of the AI Act (Article 57 of the adopted text; Article 53 in the Commission’s original proposal), the CRA, and the GDPR. It positions sandboxes as a regulatory instrument to simplify early compliance while preserving high standards in fundamental rights and security.

🛠️ Key Frameworks Referenced:

  • Better Regulation Toolbox (July 2023)
  • Draghi Report on EU Competitiveness (Sept 2024)
  • AI Act & GDPR interaction zones
  • National sandbox pilots (incl. Zurich)
About the author
Jakub Szarmach