How is a regulatory sandbox different from an innovation hub?

An innovation hub offers guidance and informal advice to firms navigating existing rules, while a sandbox grants actual regulatory relief and permits live testing with real customers under monitored conditions.

Are regulatory sandboxes limited to financial services?

No. While they originated in fintech, sandboxes now exist for data protection, artificial intelligence, energy, mobility, and health technology. The EU AI Act requires Member States to operate AI sandboxes.

Do firms in a sandbox get a permanent license?

Not automatically. Sandbox participation is time-limited; firms must apply for full authorisation to continue operating after the testing period, though regulators may use insights to streamline that process.

Regulatory Sandbox | Model Diplomat

A regulatory sandbox is a supervised environment in which firms—typically fintech, healthtech, or other emerging-technology companies—can test innovative products, services, or business models with real customers while temporarily exempted from, or granted relief against, certain regulatory requirements. The regulator imposes safeguards such as customer caps, disclosure obligations, capital requirements, and time limits, and monitors outcomes to inform future rulemaking.

The concept was pioneered by the UK Financial Conduct Authority (FCA), which launched its Regulatory Sandbox in 2016 as part of Project Innovate. The model spread rapidly: the Monetary Authority of Singapore introduced its sandbox guidelines in 2016, the Australian Securities and Investments Commission (ASIC) followed the same year, and Abu Dhabi Global Market, Hong Kong Monetary Authority, and the Bank of Thailand established variants shortly after. By the early 2020s, the World Bank and UNSGSA had documented sandboxes in over 50 jurisdictions.

Sandboxes typically share several features:

Eligibility screening — applicants must show genuine innovation, consumer benefit, and a need for regulatory relief.
Cohort-based or rolling admission — firms enter for a defined testing window, often 6–12 months.
Tailored safeguards — bespoke conditions replace standard licensing rules.
Exit pathways — successful firms graduate into full authorisation; unsuccessful tests are wound down with consumer protections intact.

Beyond finance, the model has been extended to data protection (e.g., the UK Information Commissioner's Office sandbox launched in 2019), AI governance (Spain's AI regulatory sandbox under the EU AI Act, announced in 2022), and energy markets. The EU AI Act, adopted in 2024, requires Member States to establish at least one AI regulatory sandbox at national level.

Critics note that sandboxes can create competitive distortions, favour well-resourced applicants, and risk regulatory capture. Proponents argue they let regulators learn about emerging technologies without prematurely freezing rules, and give innovators legal certainty in an otherwise ambiguous environment.

Regulatory Sandbox

Frequently asked questions