The Empty Sandbox: The EU's Flagship AI-Innovation Track Is Quietly Stalling
The Digital Omnibus is sold as timeline relief for business, but the AI Act's one genuinely pro-innovation tool, the regulatory sandbox, is barely being built: one of 27 member states is operational, the deadline has slipped to 2027, and design limits may keep it from delivering.
The headline from Brussels this summer is relief. On 29 June the Council signed off the Digital Omnibus, the first amendments to the AI Act, postponing deadlines and trimming obligations to make Europe friendlier to builders. Inside that package sits a quieter story. The Act's one genuinely pro-innovation instrument, the regulatory sandbox, where companies test AI systems with a regulator before launch, is not being built at the pace the law assumed. A year before the mandate was meant to bite, one member state of 27 had a sandbox running. The deadline has slipped to 2027, and the design carries limits a delay does not fix. The question for anyone counting on Europe's sandbox promise: is there any sand in it?
Signal Identification
This is a regulatory pivot with an implementation gap at its core. The signal is not that the EU is deregulating; that story is well told. It is that the instrument meant to carry the pro-innovation half of the bargain is failing to materialise, so the relief being advertised to firms is, for now, largely notional. A tool that exists in statute but not in operational capacity cannot do the work the competitiveness narrative assigns it.
What's Changing
Start with the count. The AI Act requires every member state to have at least one AI regulatory sandbox operational by 2 August 2026, yet as of August 2025 only Spain had one up and running; five were actively implementing, four had declared an intention, and sixteen had communicated no plans (European Parliamentary Research Service, 01/04/2026). Spain's AESIA sandbox has hosted 12 high-risk systems; most of the bloc has nothing. The Commission had not adopted the implementing acts either, leaving member states to design, staff and build sandboxes on their own.
Then the deadline moved. On 29 June the Council gave final approval to the Digital Omnibus, which postpones the national sandbox obligation by a year to 2 August 2027 (Council of the EU, 29/06/2026). The deferral is framed as pragmatic relief, buying standards bodies such as CEN-CENELEC time to finish the technical work that underpins the rules (Inside Privacy, 18/05/2026).
The limits are structural, not just about the calendar. Sandboxes have spread worldwide, over 60 by early 2025, but regulators repeatedly hit capacity and expertise ceilings, cross-authority coordination is hard, and without alignment firms may "jurisdiction hop" to the most permissive regime (OECD.AI, 18/03/2026). Article 57 also keeps sandbox participants fully liable for any damage to third parties during testing (European Commission, Article 57).
Member-state AI sandbox readiness (of 27, as of August 2025)
Source: European Parliamentary Research Service (01/04/2026), citing state of play as of August 2025. Bar length scales at 18px per member state.
Disruption Pathway
The pathway runs in three stages. Through 2026 the deadline slips to 2027 while most capitals are still not building, and a handful, led by Spain, run real programmes. When the new deadline arrives in 2027, uneven national capacity produces a patchwork: a few well-resourced sandboxes function while many are nominal boxes ticked to meet the letter of the mandate. From 2027 to 2029 the consequences show up in behaviour: providers gravitate to the most capable or most permissive sandboxes, and the sandbox "exit reports" meant to smooth conformity assessment carry uneven weight depending on which authority issued them.
Stress concentrates on the people the tool was meant to help. SMEs and start-ups, the named beneficiaries, may lack the compliance staff and legal expertise to navigate an application and ongoing oversight, while high-risk developers in health or employment are deterred by liability that the sandbox does not waive (The Regulatory Review, 28/05/2026). Three adaptations follow: an EU-level sandbox and stronger AI Office coordination written into the omnibus; joint and cross-border sandboxes to pool scarce regulator capacity; and firms quietly building direct compliance instead, treating sandbox entry as optional rather than a route they can plan around.
Why This Matters
For AI developers, their boards and the investors betting on Europe as an innovation-friendly market, the sandbox is not a reliable off-ramp from AI Act compliance. Firms counting on sandbox access for speed-to-market, regulatory clarity or shelter from early fines should assume it will not be there on the advertised schedule, and resource direct conformity work now. For member states, the credibility of the whole competitiveness pivot rests on building supervisory capacity most of them have not yet stood up; a mandate met on paper but not in practice converts a pro-innovation promise into another compliance line.
Decision-action posture for this signal: Prepare — build direct AI Act compliance capability now and treat sandbox entry as optional upside, contingent on a named national sandbox becoming genuinely operational.
Counter-Argument
The strongest objection is that this is early-stage lag, not failure. Sandboxes are proliferating and being institutionalised worldwide, with over 60 identified and credible programmes running in Spain, Luxembourg, Singapore and Brazil; the UK's fintech precedent suggests participants raise more capital after entry (OECD.AI, 18/03/2026). On this read the one-year slip is sensible sequencing while standards and capacity catch up, and the count will fill in.
Even granting that, the EU's specific bet is the hard case: 27 simultaneous, cross-authority sandboxes covering high-risk AI on a legal deadline. The evidence, one operational of 27, a year's slip, unwaived liability and SME capacity gaps, shows the promised relief will not arrive when advertised. A tool that exists in principle but not in operational capacity is not relief a board can plan around.
Implications
On the available evidence this reads as a durable implementation gap rather than a passing delay; the inflection is whether member states build genuine supervisory capacity before the 2027 deadline rather than tick the box. The winners are the few well-resourced national sandboxes, Spain and Luxembourg among them, and the firms and jurisdictions that use a capable sandbox to attract inward AI investment (European Parliamentary Research Service, 01/04/2026). The losers are the SMEs the instrument was written to help, and the EU's competitiveness story if the sandbox stays notional while the compliance obligations around it harden.
Early Indicators to Monitor
- Member states beyond Spain bring operational AI sandboxes online ahead of the 2 August 2027 deadline.
- The Commission adopts the implementing act setting common rules for establishing and running sandboxes.
- The AI Office publishes and maintains its promised public list of planned and existing sandboxes.
- The first national annual and exit reports appear, showing real throughput of AI systems, not pilots.
- An EU-level sandbox is stood up under the omnibus and begins accepting cross-border cases.
Disconfirming Signals
- A clear majority of member states have operational sandboxes by the 2027 deadline.
- The implementing act harmonises design enough that "jurisdiction hopping" between sandboxes does not emerge.
- SME and start-up uptake is strong, with published participation numbers rising.
- Exit reports are shown to materially accelerate conformity assessment by notified bodies.
- Documented cases show sandbox participation speeding AI market entry, as in the UK fintech precedent.
Strategic Questions
- Build direct AI Act compliance now, or wait for a national sandbox to become genuinely operational?
- Locate AI testing in the most capable EU sandbox jurisdiction, or outside the EU entirely?
- At what point does sandbox non-availability become a reason to deprioritise the EU market?
Keywords
AI regulatory sandbox; EU AI Act; Article 57; Digital Omnibus; regulatory experimentation; AESIA; CEN-CENELEC; conformity assessment; regulatory arbitrage; SME compliance; AI Office; innovation policy
Bibliography
Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.
- Tier 1 AI regulatory sandboxes: State of play and implementation challenges. European Parliamentary Research Service. Published 01/04/2026.
- Tier 1 Artificial intelligence: Council gives final green light to simplify and streamline rules. Council of the European Union. Published 29/06/2026.
- Tier 1 Article 57: AI regulatory sandboxes (Regulation (EU) 2024/1689). European Commission (AI Act Service Desk). Accessed 13/07/2026.
- Tier 2 Why AI Sandboxes matter for responsible innovation and public trust. OECD.AI Policy Observatory. Published 18/03/2026.
- Tier 3 Will AI Regulatory Sandboxes Work? The Regulatory Review (Penn Program on Regulation). Published 28/05/2026.
- Tier 3 EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions. Inside Privacy (Covington & Burling). Published 18/05/2026.
- Tier 3 EU Lawmakers Reach Provisional Agreement to Delay Key EU AI Act Obligations. Sidley Austin (Data Matters). Published 22/06/2026.