Davide Rauhe
Photo credit: Chief Photographer, MoD
Executive Summary
This blog post
explores the emergence of experimental regulations and policies with focus on
its gained prominence within the European Union in the recent years.
As emerging
technologies, especially in the field of artificial intelligence (AI), continue
to shape our societies, there is a growing need for flexible regulatory
approaches that can adapt to rapidly evolving technological landscapes. Experimental
regulation and Regulatory sandboxes have gained popularity as a potential
solution to foster innovation while ensuring the maintenance of minimum
standards in fundamental rights and ethical questions.
Therefore, special
focus shall be laid upon the significance of regulatory sandboxes and their
implementation in the new AI Act on EU-level. This post analyzes the
significance of these new law-making methods and answers the question whether
or not lawmakers can benefit from them.
Regulation and
legislation can have strong impacts on the economy and society of a country.
However, both are still regarded as a merely bureaucratic action, despite its
influence on economic and social development. Indeed, legislation is by some
even considered a major force in enabling capitalistic structures, assuming
that law itself can create capital by allocating resources either by allowing,
shaping or even prohibiting certain economic behaviors.[1] This
is particularly the case when sudden and impactful technological improvements are
made as with them usually a shift in political and economic power is recorded
as well – its design and scope is therefore of even greater importance.[2]
This applies especially to the European Union as legislator, because the EU as
a regulative body influences other jurisdictions all over the world – a process
often describes as the so-called Brussels-effect.[3]
With the emergence
of increasingly complex technological and innovative economic models in various
economic sectors such as finance, commerce and others, there has been a greater
demand for more diverse and innovative regulatory approaches in various sectors.
However, the protection of fundamental rights standards takes a key role in
this discussion as well as the age of “information” or “surveillance”
capitalism comes with an increased danger for fundamental rights. Furthermore,
new technologies often tend to change the distribution of wealth within
societies and therefore possibly lead to either the reduction or the growth of
inequality depending on how they are regulated.[4] The
misalignment of innovation and regulation can therefore be extremely
problematic for societies.[5]
Major reasons for a misalignment have been localized in information gaps of
regulators, the inability of regulators to fully grasp the innovational model
itself and the invisibility of certain innovational flaws only until they
become critical and therefore unmissable.[6]
Experimental
regulations and regulatory Sandboxes may provide a fitting and promising remedy
to these conditions. Both concepts promise to handle innovative business models
more effectively through the implementation of different adaptability and
adjustment measures while also securing a sophisticated human rights standard. The
discourse over these specific forms of regulation gained more prominence with
the recent improvements of artificial intelligence (AI), a generic term that encompasses
various technologies that are considered to have some form of intelligent
behavior, and its spreading usage in various economic and scientific sectors. Especially
with the public roll out of ChatGPT and other artificial intelligence powered
Large Language Models (LLM), the potential of Artificial intelligence became
more apparent to a greater circle of persons, including policymakers.[7]
With the next
technological milestones in artificial intelligence development already on the
horizon, generally referred to as superintelligence, a dedicated and consistent
approach is essential here.[8]
The goal in this regard is to reach so-called superalignment, which translates
to agile and adaptive regulation combined with state of the art monitoring and
reactional measures for any form of super-intelligent machines.[9]
But there is still a long way to go. Until then, however, the goal must remain
to reach an alignment as far as possible.
Due to the rapid
evolution of this technology and its improvements and changes, experimental
regulation and sandboxes seem to serve here as the right method to effectively
regulate this technology while not preventing economic and/or scientific growth
using it. As seen in the recent implementation of the AI Act and its use of
experimental legislation and sandboxes these lawmaking forms found their way
into one of the most discussed and anticipated EU regulations in the recent
years. The EU’s AI Act represents therefore a significant milestone, using the
concept of regulatory sandboxes on the EU-Level for probably the technology of
the 21st century.
This blogpost tries
to assess whether this legislative approach is the right measure to tackle artificial
intelligence by analyzing its historical background and the legal implications
of it. After that, the case of experimental regulations and legislative
sandboxes and their effective provision in the AI act will be addressed through
a case study on the AI act.
II. Experimental Regulation and Regulatory Sandboxes
To comprehensively
analyze the concept of experimental regulation and regulatory sandboxes,
particularly in the realm of AI, it is essential to clarify its specific
meaning.
Experimental
Regulation is inherently designed to serve as a more adaptive and collaborative
approach to regulatory compliance in comparison to more conventional regulation
methods, offering a framework that fosters innovation while ensuring
accountability. Generally speaking, experimental regulation can be seen as
legislation which authorizes, monitors and executes legal experiments.[10]
In its core, experimental
regulation serves as an evidence-based form of law making in opposition to the
conventional “trial & error” approach.[11] Experimental
regulation tries to limit the unpredictability of that approach to an
acceptable amount.
The most notable
features of experimental regulation are its temporal nature, its derogation
from current, already existing statutes and finally the evaluation of the
results stemming from the execution of the experiment.[12] It
can be therefore defined as a form of legislation that includes legislative
measures on trial that serve the sole purpose of evaluating its effectiveness
and practicability before its widespread and definitive implementation.
Experimental
regulations are therefore a method for piloting fresh rules on a limited scale
to assess their practical efficacy, tailor them to evolving conditions, and
empower regulatory authorities to gain insights from the outcomes acquired in
real-world scenarios.[13]
In this regard experimental regulation serves as a form of anticipatory and
flexible regulation which encompasses preventive citizen protection while
promoting innovation at the same time; its experimental framework and limited
scale allows private actors and state authorities to analyze possible outcomes
of technologies as well as of the regulation itself in a more detailed, safe
and overall sophisticated way.[14]
Due to real-time feedback and constant evaluating of outcoming results, it is
specially feasible for subjects and industries that require a fast and reactive
regulative response to practical issues.
Furthermore, experimental
regulation can easily adapt to cultural changes in economic behavior as itself
is changing and adapting constantly as well.[15]
While it does not make sense to apply old regulation, which for instance was
made for regulating taxi and cab services to more innovative transport
companies like Uber, experimental regulation could adapt and adjust its rules
to the seemingly similar, but essentially different business models of new
market players more easily.[16]
The case-by-case approach of experimental regulation promises here a coherent
and up to date regulation even in times with increasingly faster changing
industries and economic realities.[17] Moreover,
it can even lead to a better cost-effectiveness of state spending as potential
negative monetary impacts can be detected faster and the regulation can be
adjusted before its widespread establishment.
Another and more
recent form of experimental regulation is Regulatory Sandboxes. As has been the
case with experimental regulation, one reason why sandboxes are being promoted
is that traditional legislation is no longer regarded as adequately fitting to regulate
innovative business models. These frequently outpace regulatory development,
which can stifle innovation or lead to unregulated deployments, which could be
seen in the case of Big Tech. Here, traditional legal measures like competition
law weren’t capable of regulating these companies effectively during their
rise-ups.[18]
In fact it could be even argued that their entire business-model cannot be
monitored with previous existing measures.[19]
The alternative to the
mere adjustments of already existing regulatory frameworks could be the
introduction of regulatory sandboxes. Introduced for the first time in 2016
within the UK for the enhancement of innovation within the fintech sector,
regulatory sandboxes can serve as a method to effectively promote innovation
while mitigating compliance with regulation.[20]
Sandboxes
facilitate close cooperation between public and private entities and provide
secure environments for fostering innovation by either temporarily applying an
alternate regulatory framework to a (pre-)selected group of companies or by
providing guidance on compliance through public actors.[21] Usually,
but not necessarily, both is the case. It therefore is a safe space for (often)
start-ups and established companies to test new technologies, products, or
services that are usually not compliant with current legislations within a
limited, well-defined scope and under public supervision.[22]
These controlled,
yet real-world environments allow for a sophisticated testing of services,
products and/or market approaches while minimizing the risks associated with
unchecked and new technologies as they affect here only a limited circle of
individuals and/or companies with proper safeguards provided.[23]
The sandboxes‘ duration depends on the decision-making authority, but they
usually last up to 12 months.[24]
While the private
parties involved in the sandbox regime gain important information on client
impressions, lawmakers can learn from emerging technologies and refine already
existing regulations, ensuring this way the maintenance of an ethical but also
efficient regulation.[25]
In contrast to experimental regulation in the narrow sense, regulative
sandboxes do not always foresee the derogation of existing legislature within
the laboratory-like framework.[26]
Here, the focus lies more on the collaborative factor between companies and the
regulator and sometimes even only between companies and other private actors.[27]
By offering a safe
space for experimentation, sandboxes shall promote ideally innovation and
learning on both sides, facilitating a two-way dialogue between innovators and
regulators. This dialogue is instrumental in fine-tuning the regulatory
framework as technologies advance since the knowledge necessary for effectively
regulating increasingly more complex economic models becomes more and more
complex itself.
The
micro-optimizing and technology-specific approach promises to lead to
satisfactory results, that can then be applied to a greater scale or other
sectors/technologies.[28]
It also minimizes knowledge gaps between regulators and innovators as the
constant exchange of information lets the legislator gain a wider understanding
of new products, which makes it in turn easier to adjust regulation to the
specifics of the product.[29]
Here, it is crucial to adjust regulation in the early stages of the development
process as later changes may be already outdated or even harmful to the new
standard, which the innovation usually gains more quickly after a certain
period of time.[30]
Overall Sandboxes can therefore lead to better informed and tested regulation,
making it likely to prevent flaws in legal regimes like the before-mentioned
competition law.
Furthermore, sandboxes
can accelerate efficient, coherent, and ‘bullet-proof’ regulation, thus also
improving legal certainty for businesses.[31] On
top of that they also make it easier for companies to comply with upcoming
regulation, as the experiences from the sandbox can already be used to amend or
adjust the companies’ respective services, products and mechanisms while the
legislative process is still running. Therefore, the time for these products
and services to be deployed onto the respective markets can be significantly
shortened. An established and well-planed learning and knowledge sharing
mechanism could then foster the achieved results and make them useful for
future sandboxes and thus amplify the gained knowledge. Sandboxes therefore
promise to serve as a framework for nurturing innovation, but also compliance.
Regulation thus often turns here into some sort of Governance based on enhanced
communication.[32]
III. The ‘smart’ legal framework in practice: The AI Act
The most recent and
significant use of sandboxes can be found in the new AI Act of the EU, which came
into effect in August 2024, trying to regulate Artificial Intelligence and its
usage.[33] In general, the EU
chose to follow a horizontal regulating approach with implementing the AI Act.[34]
In this regard many artificial intelligence tools already fall under current
legislation regarding several different sectors, like data protection law or
competition law.[35]
This is usually not due to the peculiarities of the artificial intelligence
used, but rather of varying reasons connected to other issues regarding the
product or the company.
However, the EU legislator
attempted to at least minimize negative consequences of artificial intelligence
in particular before the implementation of the AI Act in a non-centralized and
somewhat chaotic approach, enshrining some regulative measures in different
legal initiatives like the GDPR, cf. Art. 22 or 35.[36] Most
of these regulations were of vertical nature, mostly born out of pressure to
quickly react to fast-changing technologies and the legal vacuum they nurtured
from.[37]
The amendments were necessary due to the lack of a general law constraining and
defining the powers and limits of this technology.[38]
With the AI Act such a law now exists, crossing the threshold of regulation
being predominantly reactive to being increasingly more structural and
therefore preventive.[39]
Through its implementation the EU now seeks to create a comprehensive framework
and ecosystem to enable citizens to nurture the benefits of artificial
intelligence while simultaneously minimize its risks EU-wide.[40]
The EU followed in
this regard a mostly risk-based approach, meaning that it categorizes artificial
intelligence systems and foundation models into different risk categories with
different compliance standards according to the specific risk level the
respective artificial intelligence systems falls under.[41]
Providers as well as deployers of such systems will then be obliged to perform
certain duties and comply with the regulation in order to mitigate risks
stemming from risky artificial intelligence.[42] This
approach does justice to the different types and areas of application of
artificial intelligence, some of which have very different potential risks for
society.
The AI Act
introduces different forms of governance and regulation including complete
prohibitions, the possibility of substantive fines, reporting, record keeping,
documentation, transparency and human oversight obligations, but also providing
among others the option to establish regulatory artificial intelligence sandboxes.[43]
Proponents of regulatory sandboxes saw this as a great opportunity for the
successful implementation of this legal measure on a large scale. Thus, the EU
followed other legislators who already established AI-Sandboxes in their own
respective jurisdictions, for example Russia,[44] Brazil,
Norway, United Kingdom or Spain.[45]
But how and how
well did the EU design these sandboxes? As outlined above the specific
operationalization and the actual design of a sandbox are extremely influential
on its success.
IV. The AI Act as a Case Study
If regulatory
sandboxes are regarded as a sub-category of experimental regulation, both forms
of legislation have found their place in the AI Act in the form of a regulatory
AI sandbox, which can be found in Art. 57 ff. AI Act. According to these
Articles each Member State shall establish at least one AI regulatory sandbox
alone or jointly with other Member States and their competent authorities, cf.
Art. 57(1) AI-Act. Accordingly, Member States must either introduce such an AI
regulatory sandbox themselves or participate in a sandbox established by
another Member State. This applies to the extent and only if participation in
the sandbox of the other Member State is comparable to the establishment of its
own. In this respect, this should be of particular interest and advantage to smaller
member states if their own AI sector is too small to introduce an AI regulatory
sandbox. Larger member states are likely to regularly fail this restrictive
condition, unless the scale of the desired sandbox is correspondingly large.
To prevent segmentation
and fragmentation of regulatory sandbox regimes across the EU, the Commission
is obliged under Art. 58(1) of the AI Act to adopt an implementing act in which
the modalities for the establishment, development, implementation, operation
and monitoring of the AI sandboxes. Art. 58 of the Act lists numerous points
that must be observed by the national authorities when establishing and
operating sandboxes. It is to be welcomed that the national authorities are
given an appropriate amount of leeway to shape the concrete form of the
sandboxes without it being too extensive. For example, the authorities can
determine the length of the respective sandbox themselves, which makes sense in
line with the concept of sandboxes based on individual projects, cf. Art. 58(2)(h)
AI-Act.
As outlined above,
the success of regulatory sandboxes and experimental regulation is also highly
dependent on the evaluation process as it is a crucial part of conducting the
sandbox and gaining important information for future regulation attempts. Here,
the national competent authorities responsible for the establishment and
operation of the sandboxes must send annual reports to the AI Office and the European
artificial intelligence Board – two organs introduced by the AI Act in order to
monitor and guarantee the success of the regulation – in accordance with Art.
57(16) AI Act, in which they report on the progress and results of the
implementation of these sandboxes, including best practices, incidents, lessons
learned and recommendations on their establishment and, where appropriate,
application and possible revision of this Regulation. Depending on whether the
expected and previously mentioned implementing act of the Commission further
specifies these evaluation obligations, the standard of the respective
assessments could even be increased accordingly.
Furthermore the
AI-Act provides several organizational points that should guarantee the
successful implementation of European Union AI sandboxes. Pursuant to Art. 57(1)
AI-Act the Commission may provide assistance in the form of technical support,
advice or the providing of tools for the establishment as well as the operation
of such AI regulatory sandboxes. Depending on whether – and if yes on how – the
support is actually given, the sandbox framework in the AI Act may turn out as
a success or a failure. This of course also depends on whether the support of
the Commission is needed in the first place. Since the sandboxes will probably
remain national to the greatest extent and according to Art. 57(1) AI-Act might
be even conducted on a regional or local level, the centralized expertise of
the Commission might turn out to be unnecessary. However, when two or more
member states establish and/or operate an AI sandbox together according to Art.
57(1) Para. 1, 2 AI-Act, it may be useful to obtain information from a
supranational body like the Commission as it might have more supranational
resources in the first place.
According to Art.
53(17) AI-Act the Commission must create a comprehensive interface to give
stakeholders and interested parties an overview of the sandboxes and, if
necessary, contact options, which should make the access to the sandboxes
easier. The attempt to amplify supranational cooperation and cross-border
innovation is reflected several times within the regulation, cf. Art. 57 Para.
1 or 4 AI Act, which stipulate that the sandboxes should be designed in such a
way that competent authorities from other member states can also participate if
needed. Also, there is the possibility of a European Union AI regulatory
sandbox for the EU institutions themselves, which can be established by the
European Data Protection Supervisor.
All the above-mentioned
points promise to guarantee a successful implementation of regulatory
AI-sandboxes on an EU level. However, there are also points in which the EU
only partly succeeds in establishing a coherent and effective sandbox
environment. To effectively attract applicants to participate in a regulatory
sandbox there should be exemptions from the existing regulatory burden. However,
there is no mention of this in the AI Act, at least not explicitly. The reason
for this is not entirely clear. Here too, the legislator could have easily
continued to pursue the risk-based approach and made the derogation from
existing rules and regulation dependent on the respective risk level of the
respective artificial intelligence technology. There should still be incentives
for companies to participate in the sandbox, such as faster distribution of
products to the European Union market. Especially with a complex technology
such as artificial intelligence, it would have made sense to offer incentives
to deviate from the now comprehensive legislation in order to try out new
approaches and ideas.[46]
Rather, a genuine
“experimentation clause” should have been chosen here, which would
have given the supervisory authority a certain amount of leeway to act flexibly
in the application of the existing legal framework and to deviate from it
accordingly if necessary.[47]
Furthermore, applicants could also be attracted by monetary incentives. Here
the providers of artificial intelligence systems that fall under the AI-Act are
spared administrative fines as long as they respect the sandbox plan and the
terms and conditions for their participation and followed the guidance given by
the national competent authority, Art. 57(12) AI-Act.
It also has to be
noted that AI Sandboxes introduced by the AI-Act do not play a too prominent
role in regard to the rest of the regulation. Due to the partly extensively
broad wording and categorization of certain artificial intelligence systems,
there remains the fear of overregulating the technology;[48]
this could have been easily mitigated or even prevented if the sandbox would
have been given a more central role in the legislation as this is exactly one
of the main advantages of regulatory sandboxes: balancing regulating and
innovation.
It can be said that
by establishing AI regulatory sandboxes, the AI Act has taken an important and
necessary step towards the flexible and innovative regulation of artificial
intelligence, perhaps the most important technology of this century. The EU has
indeed successfully fulfilled many of the points that should be considered when
establishing and designing regulatory sandboxes. However, some other points, in
particular the lack of flexibility to deviate from the provisions of the AI Act
within the sandbox, were implemented rather inadequately by the EU. This is
particularly unfortunate because, due to the importance and significance of the
AI Act, a full-fledged regulatory sandbox would have sent an important signal
to stakeholders, companies and citizens: namely that the EU is an innovative
and progressive legislator. After analyzing the sandboxes in the AI Act, this
can only be partially attributed to the EU.
Since artificial
intelligence would have been an excellent application example for effective sandboxes
outside of fintech – both in terms of the concept of the technology itself and
the importance and potential market capitalization of AI-driven business models
– it is particularly unfortunate that the EU has only created a partially promising
sandbox here.
While the two
discussed forms of smart legislation – experimental regulation and regulatory
sandboxes – offer several advantages, they also have flaws that can be
mitigated under the right conditions. These approaches introduce innovation and
empiricism to a traditionally bureaucratic and slow legislative process, with
the aim of rationalizing lawmaking, especially in technocratic fields. However,
politics is not always purely rational and should account for emotions and
ideologies, as long as they avoid extremism. While these legislative models can
be useful in managing disruptive technologies and national emergencies, their
effectiveness depends on careful design by legislators. As seen in the AI Act
case study, success is not guaranteed, but with continued use, these approaches
are likely to improve, benefiting both society and the legislative process. It
was expected that the goal of super-alignment could not have been reached by
the AI-Act and its use of experimental regulation. However, the EU did take a
big step towards a modern approach of law-making and an alignment as far
reaching as possible when it comes to the AI-Act. Whether this approach will be
successful in regulating such an important and influential technology as AI
remains to be seen.
