Technical Sandboxes Enable Regulatory Learning for the EU AI Act and Rapid AI Development

The European Union’s forthcoming AI Act seeks to govern a rapidly evolving technological landscape, but its success hinges on a capacity for continuous adaptation and learning. Tom Deckenbrunnen, Alessio Buscemi, and Marco Almada, from the Luxembourg Institute of Science and Technology and the University of Luxembourg, alongside Alfredo Capozucca and German Castignani, investigate how this ‘regulatory learning’ can be effectively implemented. Their research addresses a critical gap in the Act’s framework , a lack of clearly defined technical mechanisms for gathering and processing information necessary for informed policy adjustments. The authors propose a theoretical model that decomposes regulatory learning into micro, meso, and macro levels, identifying AI Technical Sandboxes as vital components for generating the evidence needed to drive this process. This work offers a crucial bridge between legal requirements and technical implementation, fostering a more productive dialogue between legal and technical experts and ultimately strengthening the EU’s approach to AI governance.

An adaptive approach is required to govern artificial intelligence technologies, given their rapid development and unpredictable emerging capabilities. To maintain relevance, the AI Act embeds provisions for regulatory learning, yet these provisions currently operate within a complex network of actors and mechanisms lacking a clearly defined technical basis for scalable information flow. This paper addresses this gap by establishing a theoretical model of the AI Act’s regulatory learning space, decomposed into micro, meso, and macro levels of analysis, situating diverse stakeholders from the EU Commission to AI developers within an established framework.

EU AI Act’s Regulatory Learning Model Mapping

The study establishes a theoretical model of the EU AI Act’s regulatory learning space by decomposing it into micro, meso, and macro levels to map information flow between stakeholders. Scientists meticulously mapped actors and their interactions, extending existing hierarchical analyses to model the dynamic interplay between enforcement and evidence aggregation. The work leverages an extended ‘bathtub model’ to visualise this flow, pinpointing how technical compliance demands from the EU AI Act exert pressure on AI system providers and developers, constituting the micro level.

Activities in designing and assessing AI systems generate the micro-level evidence necessary to inform adaptation at the macro level, potentially leading to amendments of the AI Act itself or the creation of implementing acts. The research highlights a disconnect between the AI Office’s legal and operational autonomy, identifying it as an example of ‘quasi-agencification’ within EU governance. To overcome this, the study pioneered a functional reasoning approach, tracing the top-down enforcement pipeline from legislation to technical assessments, defining three levels of abstraction , legislative, regulatory, and technical , where learning can occur. Experiments reveal that SMEs, facing high-risk AI classifications, must demonstrate compliance with articles 8 to 27 of the AI Act, undertaking iterative assessments throughout their solution’s development lifecycle. Participation in structures like standardisation processes and advisory forums allows micro-level information and experience to propagate to the meso and macro levels.

A consistent, reproducible methodology within an AITS makes AI system development transparent, potentially aiding interpretation of legal requirements and assessment results. Results confirm that the implementation of AITS methodologies in engagements with Member State Authorities (MSAs) enables comparable assessments, allowing MSAs to gather evidence and refine their understanding of translating high-level legislation into technical operationalisation. As the number of AI Regulatory Sandbox (AIRS) engagements grows, the machine-readable data generated supports aggregation and scalable analysis at both meso and macro levels, allowing the AI Office to design guidelines and Codes of Practice, and the Commission to evaluate the suitability of standards for legal force. Further investigation demonstrates that Notified Bodies, responsible for certification, act as initial meso-level aggregators, passing on collected evidence and performing preliminary sector-specific data analysis. This work demonstrates that a robust technical foundation is necessary to support the AI Act’s ambition of future-proof regulation, moving beyond existing legal mechanisms for review and standardisation. By applying social learning theory, the research highlights the importance of AITS in reproducibly generating technical evidence, while also outlining requirements for machine-readable solutions to ensure efficient data aggregation.

The authors acknowledge limitations including socio-political challenges such as regulatory capture and legislative inertia, which a technical framework alone cannot resolve. Future research will focus on implementing the components detailed within the study, potentially transforming the compliance process into a source of valuable regulatory insight for both companies and regulators. The authors caution that the success of the AI Act ultimately depends on operationalising this socio-technical infrastructure, and that the proposed AITS represents a key step towards balancing governance with continued innovation.