Europe has built one of the world’s most ambitious digital regulatory frameworks. This pursuit responds to legitimate aims, such as protecting the rights of its citizens, building trust, and reducing the risks associated with technologies that evolve rapidly. Yet, after several years during which the central question has been how much to regulate, we find ourselves at a moment where we must determine how to craft a regulation capable of learning as technology evolves. The difficulty lies with institutions that must apply broad legal concepts to technical systems whose evolution outpaces traditional legislative cycles.
Regulatory sandboxes (controlled testing environments) offer a particularly useful answer to this challenge, as they allow a company to experiment with an innovative solution for a limited period, within defined boundaries and under the supervision of authorities. On the one hand, the organization gains a clearer understanding of how obligations apply to its system and, on the other, the regulator obtains direct knowledge about the technologies that, otherwise, would be analyzed mainly through documents, consultations or post-market procedures.
“After years in which the central question has been how much to regulate, we must determine how to build a regulation capable of learning as technology evolves”
The value of sandboxes is especially evident in AI. A norm may require risk management, transparency, traceability, robustness or human oversight. Turning these obligations into effective processes requires metrics, testing, records, responsibilities, design decisions and a great deal of internal coordination. The sandbox makes that translation between the rule and practice possible by allowing checks of whether safeguards work, whether the required documentation reflects the system’s actual behavior, and whether the planned controls are appropriate for the use context.
Nevertheless, a purely regulatory approach to sandboxes, aimed at clarifying the application of the rule through dialogue and documentary review, is no longer sufficient. Conducting a proper analysis requires that the regulator be able to observe how the system actually operates under controlled conditions. It requires incorporating evaluation tools, real testing environments, shared methodologies and traceability mechanisms. In short, it calls for adding a technological dimension. This shift toward a technoregulatory sandbox allows supervision to rely on technical evidence rather than mere formal statements, which is highly useful for both authorities and the organization that owns the evaluated system.
“Conducting proper analysis requires the regulator to observe how the system actually operates under controlled conditions”
Similarly, for the participating organization, the real usefulness of a sandbox is also determined by its outcomes. If a company spends months reviewing its system, tightening controls, and generating documentation, and then must restart from scratch all authorization or conformity procedures, the incentive to participate decreases. The evidence gathered within the controlled environment should be transferable to later stages through recognized documentation, usable validations or expedited procedures for components already evaluated. In this way, the sandbox becomes a launchpad to the market and does not remain a standalone experience with negligible legal or commercial consequences.
This continuity is particularly important for small and medium-sized enterprises (SMEs) and startups and scaleups, which face proportionally higher compliance costs.
Finally, there is an even more ambitious opportunity. Each new sandbox typically rebuilds entry criteria, protocols, safeguards, templates and exit mechanisms. Europe must move toward a common and modular architecture that enables the creation of new controlled environments with greater speed and coherence. This is what Adigital has termed the “generators of sandbox creation.” Our proposal includes shared definitions, testing cycles, risk typologies, documentary formats and interoperability criteria, while preserving each authority’s adaptability.
“Sandboxes stop being isolated projects and become part of a stable infrastructure of technological governance that does not relax the rules, but enhances the support”
In this way, sandboxes cease to be isolated projects and become part of a stable infrastructure of technological governance that does not loosen the rules, but improves the support. Authorities accumulate knowledge, improve their supervisory capabilities and compare results across different experiences. Companies find more predictable procedures and reusable compliance artifacts. The entire European market gains coherence.
In this context, Spain starts from a position of advantage. We carry the accumulated experience of the financial sandbox and have developed the first regulatory sandbox pilot for artificial intelligence. But that initial edge will only consolidate if we are able to turn the experience gained into reusable methodologies, institutional capacity and procedures that facilitate innovation and strengthen the confidence of both companies and authorities.
With a digital economy that already accounts for 27% of GDP, future growth will depend on our ability to deploy complex technologies with safety, speed and predictability. If Spain can consolidate the accumulated experience and turn it into an institutional practice, it will not only improve its own technological governance but also contribute to defining how Europe regulates innovation in the coming decades.