Across Africa and other regions, regulators are under growing pressure to adapt to rapid technological change. One of the most visible tools on the table is the regulatory sandbox, a controlled environment where innovation can be tested under supervision. In principle, sandboxes promise both flexibility and oversight. In practice, they present regulators with difficult questions that have no straightforward answers.

To learn more about the relevance of sandboxes, here is our 5-minute introduction.

To help tackle these challenges, Datasphere Initiative has, through its co-creation labs across Africa, gathered first hand insights into the specific concerns that practitioners, particularly regulators, are working to address as they embark on their sandboxing journeys. This article maps these recurring dilemmas and the key questions facing regulators at the forefront of innovation.

Uncharted Territory: Knowledge Gaps and New Mindsets

The first challenge is knowledge itself. Despite the growing interest in sandboxing, many authorities still lack access to concrete experiences from peers. Few case studies exist that spell out how to design a sandbox, what to prioritize, or how to assess outcomes. This absence of shared learning makes each new attempt feel like starting from scratch.

A deeper obstacle lies in a necessary paradigm shift: from a traditional “regulate and forget” mindset to a more adaptive “test and learn” approach—to learn iteratively, adapt rules over time, and accept a degree of uncertainty. For institutions built on predictability and legal certainty, this adjustment is not minor. It demands not only new procedures, but also a cultural willingness to experiment.

Furthermore, the success of any sandbox hinges on how effectively it is established by the relevant authority, requiring minimum building blocks in areas such as data governance, stakeholder engagement, and transparency. 

Yet, many regulators, particularly those in emerging sectors are still grappling with fundamental questions of what, how, who, and when to sandbox, reflecting a broader uncertainty around scope, readiness, and strategic alignment. 

But even when regulators acquire new knowledge and embrace a learning mindset, another barrier quickly emerges: without a legal foundation, their experiments cannot take shape.

Without Legal Grounding, Sandboxes Risk Stalling

Studies, such as the CyberSecNatLab white paper on regulatory sandboxes, have highlighted that regulatory sandboxes can be established through a variety of regulatory instruments, though legislation provides the strongest foundation. 

This raises difficult questions. What happens when clear regulatory guidelines about sandboxing are missing? For example, can democratic legitimacy be a consideration, and how does that work in practice? Can the deliberations of regulatory authorities contribute to constructing the legal basis through specific acts that are not necessarily of a regulatory nature? 

Without clarity on where to anchor the sandbox legally, technical teams are left uncertain about how to proceed, highlighting the need to build capacity in navigating such legal complexities.

Legitimacy provides permission to sandbox, but it does not answer the harder question: what exactly should be tested, and who decides?

Drawing the Boundaries: What a Sandbox Should Cover

This involves articulating specific sandbox issues to be tackled, selecting aligned regulators and stakeholders, establishing shared strategic objectives, and deciding on sandbox structure, timeline, budget, and coordination processes. It also requires establishing potential risks, developing mitigation measures, setting governance structures, and addressing information disparities.

For example, when testing innovation solutions against existing regulations or laws, regulators must dissect the legislation to decide which parts to test and establish the basis for testing specific elements over others. 

This sounds straightforward, but becomes complex when factors like politics, resources, and stakeholder interests come into play. 

In our engagements, practitioners consistently grapple with key questions such as: Do we test all elements of the regulations? How do we decide which elements to test and when? What determines the testing period? Who should be engaged and how?

Every decision about scope comes with costs. Timelines require staff time, stakeholder engagement requires coordination, and risk management requires expertise. Inevitably, the scope debate becomes a resource debate.

Funding Dilemmas: Who Pays for Experimentation?

Sandboxes require dedicated resources, time, and expertise from both innovators and regulators, which presents another significant obstacle for practitioners to navigate. 

The funding issue has recurred in all our co-creation labs discussions in Kigali and Abuja and other conversations on sandbox innovation in Africa. 

Discussions have centered on how funding models could be structured to ensure equitable cost-sharing and benefits, highlighting public-private partnerships as a sustainable solution for financing sandbox initiatives, and the need for governments to make provisions for core funding within their institutions to foster regulatory experimentation.

In cases where emerging technologies like AI are being tested, resource constraints have intensified the debate among practitioners about whether to act early or wait for these technologies to be fully established—a notion that presents its own challenges.

The High Stakes of Regulatory Experimentation

There is significant anxiety around regulatory experimentation. What if it does not work? 

Some of the authorities that could significantly benefit from regulatory experimentation are Data Protection Authorities (DPAs), with applications ranging from helping innovators understand data protection and privacy laws to helping authorities better understand emerging solutions and technologies. For example, in our Sandboxes for AI report, we identified over 6 AI sandboxes being led by DPAs.

However, DPAs in Africa, for example, are relatively new institutions facing growing expectations and responsibilities to balance protection with innovation promotion. They cannot afford to get it wrong, so while they show interest, they remain skeptical—a hesitation that is compounded by their limited understanding of how sandboxes can be effective. 

Fear and hesitation coexist with optimism. If regulators doubt their capacity, they also recognize that standing still is not an option.

Equipping Regulators for the Next Phase

The dilemmas surrounding sandboxing are unlikely to disappear soon. They reflect the deeper paradox of governing in an age of rapid innovation: the need to protect while enabling, to act while learning, to regulate while remaining open to change. 

Across Africa, several dialogues have demonstrated that regulators across sectors are enthusiastic about the regulatory flexibility that sandboxes offer and are eager to implement them.  However, to move to the next level, these fundamental challenges must be addressed to enable meaningful regulatory experimentation.

The next phase of regulatory experimentation will depend less on technical design and more on building the confidence, legitimacy, and capacity for regulators to take informed risks.

Our Work

At the Datasphere Initiative, we are committed to supporting this next phase. Through our engagements on AI sandboxes and cross-border experiments, we have helped surface these dilemmas and build communities able to confront them together.

For regulators and practitioners ready to move from dialogue to practice, we have developed a suite of offerings, from global and regional forums to immersive training and tailored advisory support. These include our Sandbox Summer School, a five-day intensive program, alongside other resources designed to equip decision-makers for responsible experimentation. Explore our services to learn how we can support your sandboxing journey.
The post Ready to sandbox or not? A regulator’s dilemma appeared first on The Datasphere Initiative.