This thesis addresses a key issue in the governance of the contemporary EU: the tension between the need to regulate innovation and the need to innovate regulation itself. In this context, the research focuses on regulatory sandboxes — controlled environments in which innovators can test new technologies under regulatory supervision — as a promising experimental tool for supporting innovation while ensuring compliance. This is particularly relevant in an increasingly digital landscape characterised by an unprecedented wave of EU legislation on digital services, data governance, artificial intelligence, and cybersecurity. While this legislation is necessary, it has generated a dense and costly compliance environment, especially for SMEs and start-ups. To investigate this issue, the thesis takes a mixed-methods approach, combining conceptual, legal, and empirical analyses. Conceptually, it reconstructs the definition, features and functions of regulatory sandboxes, situating them within the wider EU digital ecosystem. Legally, it conducts a systematic, cross-regime mapping of sandbox provisions across the AI Act, the Cyber Resilience Act and the Interoperable Europe Act, identifying their objectives, areas of convergence and regulatory gaps. Empirically, it draws on semi-structured interviews with regulators, sandbox operators and participating companies across Europe to capture their practical experiences, perceived benefits and operational challenges of the sandbox tool. Together, these methods provide a comprehensive understanding of how sandboxes function in theory, in law and in practice. These findings demonstrate that regulatory sandboxes can play a crucial role in enabling EU innovators to balance experimentation with compliance. Building on these insights, the thesis moves from theory to practice by proposing a scalable, multi-authority sandbox governance model centred on the collaborative involvement of AI and cybersecurity authorities, with sector-specific regulators incorporated where necessary. This operational blueprint provides Member States with concrete guidance on implementing national sandboxes under the AI Act, offering a framework that can also be adapted to other emerging technologies. In this sense, the thesis does not present itself as a final solution, but rather as the starting point of a research trajectory that will continue to evolve alongside one of the most promising and strategically significant regulatory instruments in the present and future of EU digital governance.
Innovating Regulation to Govern Innovation: An Operational Proposal for a Multi-Authority Model of AI and Cybersecurity Regulatory Sandbox / Bagni, F.. - (2026 Mar 17). [10.13118/filippo-bagni_phd2026-03-17]
Innovating Regulation to Govern Innovation: An Operational Proposal for a Multi-Authority Model of AI and Cybersecurity Regulatory Sandbox
Filippo bagni
2026
Abstract
This thesis addresses a key issue in the governance of the contemporary EU: the tension between the need to regulate innovation and the need to innovate regulation itself. In this context, the research focuses on regulatory sandboxes — controlled environments in which innovators can test new technologies under regulatory supervision — as a promising experimental tool for supporting innovation while ensuring compliance. This is particularly relevant in an increasingly digital landscape characterised by an unprecedented wave of EU legislation on digital services, data governance, artificial intelligence, and cybersecurity. While this legislation is necessary, it has generated a dense and costly compliance environment, especially for SMEs and start-ups. To investigate this issue, the thesis takes a mixed-methods approach, combining conceptual, legal, and empirical analyses. Conceptually, it reconstructs the definition, features and functions of regulatory sandboxes, situating them within the wider EU digital ecosystem. Legally, it conducts a systematic, cross-regime mapping of sandbox provisions across the AI Act, the Cyber Resilience Act and the Interoperable Europe Act, identifying their objectives, areas of convergence and regulatory gaps. Empirically, it draws on semi-structured interviews with regulators, sandbox operators and participating companies across Europe to capture their practical experiences, perceived benefits and operational challenges of the sandbox tool. Together, these methods provide a comprehensive understanding of how sandboxes function in theory, in law and in practice. These findings demonstrate that regulatory sandboxes can play a crucial role in enabling EU innovators to balance experimentation with compliance. Building on these insights, the thesis moves from theory to practice by proposing a scalable, multi-authority sandbox governance model centred on the collaborative involvement of AI and cybersecurity authorities, with sector-specific regulators incorporated where necessary. This operational blueprint provides Member States with concrete guidance on implementing national sandboxes under the AI Act, offering a framework that can also be adapted to other emerging technologies. In this sense, the thesis does not present itself as a final solution, but rather as the starting point of a research trajectory that will continue to evolve alongside one of the most promising and strategically significant regulatory instruments in the present and future of EU digital governance.| File | Dimensione | Formato | |
|---|---|---|---|
|
Mattia_Adamo_final.pdf
embargo fino al 31/03/2027
Tipologia:
Tesi di dottorato
Licenza:
Creative commons
Dimensione
6.06 MB
Formato
Adobe PDF
|
6.06 MB | Adobe PDF | Visualizza/Apri Richiedi una copia |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
