Differences Between Regulatory Sandbox And Safe Harbor

This research paper focuses on two distinct concepts related to regulation and compliance in the context of emerging technologies and innovation: regulatory sandbox and safe harbor. Regulatory sandbox is a controlled testing environment where innovative products or services can be developed and tested under constant regulatory supervision. Safe harbor, on the other hand, is a legal provision that offers protection from liability under specific circumstances. By complying with certain rules or standards, entities can benefit from legal protection, which is particularly beneficial in new or uncertain legal environments. The paper presents a comprehensive analysis of the regulatory sandbox and safe harbor concepts, highlighting their main characteristics and differences. It also provides examples of both concepts from different jurisdictions and industries, with a focus on US and EU law. By comparing and contrasting various frameworks, the paper aims to provide a deeper understanding of these concepts, shed light on their key similarities and differences, and explore their role in regulating emerging technologies and innovation. Overall, this paper contributes to the ongoing discussion on how best to regulate and promote innovation in a rapidly changing technological landscape.


1.1. Definition and purpose of regulatory sandbox
1.2. Examples of FinTech Regulatory Sandboxes
1.2. European Blockchain regulatory sandbox
2.1. Definition and purpose of safe harbor provisions
2.2. Example of safe harbor provisions in the EU
2.1. Example of US safe harbor
2.3. Comparison between EU and US safe harbor provisions within DMCA and European e-Commerce Directive
2.4. Safe Harbor Agreement between EU and US
3.1. Similarities between regulatory sandbox and safe harbor provisions
3.2. Differences between regulatory sandbox and safe harbor provisions


1.1. Definition and purpose of regulatory sandbox

There is no universally recognized official definition of the term “Regulatory Sandbox”; however, to give a comprehensive understanding of its meaning, here are some definitions from different jurisdictions:

  • EU Parliament¹: regulatory tool allowing businesses to test and experiment with new and innovative products, services or businesses under supervision of a regulator for a limited period of time;
  • FCA (UK)²: a safe space in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question;
  • Ministry of Science and ICT (Korea)³: a system that exempts or suspends existing regulations under certain conditions to enable market launch and testing of various new technologies and services;
  • UNSGSA (US)⁴: a regulatory approach, typically summarized in writing and published, that allows live, time-bound testing of innovations under a regulator’s oversight.

From the definitions above, we can summarize that a regulatory sandbox can be understood as a regulatory framework or approach that allows companies to test and experiment with new and innovative products, services or business models. It provides a temporary and controlled environment in which these tests can take place, possibly exempting participating entities from some existing legal requirements. The overall objective is to encourage innovation while maintaining adequate oversight and control by regulatory authorities.

Regulatory sandboxes are being implemented in various industries, including but not limited to the telecommunication sector⁵, health sector⁶ and the energy sector.⁷ However, in recent years the most common regulatory sandboxes have been in the FinTech sector. FinTech refers to technology-driven innovation in financial services that can create new business models, applications, processes, or products with a substantial impact on financial services. For example, the UK’s FCA was the pioneer in launching a formal FinTech regulatory sandbox, which enables companies to test their innovations in the real market with actual consumers and is accessible to firms and technology businesses.⁸

1.2. Examples of FinTech Regulatory Sandboxes

FinTech refers to technology-driven innovation in financial services that can create new business models, applications or products with a substantial impact on financial services.⁹ Most of the time, blockchain and cryptocurrency-related activities fall under the FinTech sector.

Here are some examples of regulatory sandboxes for blockchain and cryptocurrency-related activities worldwide:

  1. Singapore: The Monetary Authority of Singapore (MAS)’s FinTech Regulatory Sandbox was launched in 2016 and it comes in three variations to meet different needs. It allows financial institutions and FinTech companies to test innovative financial products or services in a real-world environment, but with clear limitations on territory and duration. Once the experimentation phase is successfully completed and the company exits the sandbox, it is required to fully comply with all relevant legal and regulatory requirements. To be eligible for the sandbox, fintech companies must meet certain criteria, such as having a clear business plan, a well-defined target market, and the ability to manage and mitigate risks. Once accepted into the sandbox, companies are granted certain regulatory exemptions, such as waivers or modifications to existing regulations.¹⁰
  2. Denmark: The Danish Financial Supervisory Authority (FSA) established the FT Lab sandbox initiative in 2018, allowing selected companies to securely test their innovative financial products and services. Its primary purpose is to facilitate the testing of innovative financial products and services, encourage the Danish FSA’s understanding of Fintech, promote the development of beneficial financial products and services for consumers and society, and support the implementation of new technologies in the financial sector. The FT Lab is limited to a maximum of five companies at any given time, and all applications are evaluated based on criteria such as whether the activity is directly or indirectly covered by financial legislation, whether the product or service benefits consumers and society, whether there is a need for testing in the FT Lab, and whether the company is ready to participate in the FT Lab. The business model or technology being used must be new.¹¹
  3. Malta: The “Malta Financial Services Authority (MFSA) Sandbox” was launched in 2020. The sandbox provides a controlled environment for fintech companies to test their innovative financial products and services in a live market setting without having to comply with all of the regulatory requirements applicable to established financial services providers. The MFSA Sandbox aims to promote innovation and competition in the financial sector, while also ensuring consumer protection and maintaining the integrity of the financial system. Fintech companies that are accepted into the sandbox are given access to certain regulatory exemptions, such as reduced capital requirements and simplified reporting obligations. To be eligible for the MFSA Sandbox, companies must meet certain criteria, such as being a fintech startup or having a new and innovative product or service. The sandbox operates on a case-by-case basis, and companies must apply to the MFSA to participate. The MFSA has also established a dedicated Innovation Hub to support fintech startups and other innovators in the financial services sector. The Innovation Hub provides guidance and assistance to companies that are interested in entering the MFSA Sandbox or that are seeking to navigate the regulatory landscape more broadly.

1.2. European Blockchain regulatory sandbox¹²

In 2023 the European Commission established a Blockchain Regulatory Sandbox for innovative uses of Distributed Ledger Technology (DLT). The sandbox aims to encourage regulatory dialogue and cooperation with companies and public entities for validated blockchain-based use cases. It provides legal advice and regulatory guidance in a safe and confidential environment. The regulatory sandbox is open to any blockchain infrastructure; it will accept diverse public and private sector blockchain use cases and will address complex regulatory issues related to digital identity, cyber security, consumer protection, competition law, smart contracts, liability, AML/KYC rules, and sector-specific regulations. However, it will not exempt participants from existing regulatory requirements.

Start-ups, scale-ups, and public entities with a validated proof of concept can apply to this regulatory sandbox. The application must be submitted by a legal entity registered in the EEA for at least six months and include a proof of concept and completed application form. Use cases will be selected based on their business case maturity, relevance to policy, and legal considerations. Selected use cases receive legal advice and have two virtual meetings with national and EU regulators/supervisors. 20 blockchain projects will be selected annually. This regulatory sandbox will identify and exchange best practices across sectors and geographic regions. The initiative is operated by a group of legal and blockchain experts and overseen by a panel of independent academics. 

This regulatory sandbox promotes legal certainty by facilitating dialogue and cooperation between innovators and regulators at national and EU levels. Companies can showcase their solutions and receive legal advice in a confidential environment, expanding their understanding and network. Although applying to and participating in this regulatory sandbox is free, companies will not be reimbursed for any costs they may incur. National regulators and supervising authorities can discuss regulatory issues on a cross-border level through the pan-European Sandbox framework. They can support relevant use-case applications and contribute to best practices and lessons learned. Regulators will also have the opportunity to exchange experiences and enhance their knowledge of blockchain technology. Best practice reports will be published and the most innovative regulator will be awarded a prize each year.


2.1. Definition and purpose of safe harbor provisions

While there is no universally recognized official common definition for safe harbor provisions, they can generally be understood as provisions within laws or regulations that offer protection from liability or penalties if certain conditions are met. These provisions aim to reduce liability for individuals or entities if they fulfill certain requirements or meet predetermined criteria.¹³ Safe harbor provisions are implemented as legal mechanisms that grant protection or immunity from legal consequences or liabilities for individuals or entities in particular situations. They are commonly included in legislation or regulations to create a sense of certainty and predictability for entities operating within a specific field or industry.¹⁴ Safe harbor provisions encourage innovation and experimentation by establishing a legal framework that allows individuals or entities to freely explore new ideas or approaches without being immediately exposed to legal consequences and liability.

2.2. Example of safe harbor provisions in the EU

Articles 11 to 15 of E-commerce Directive 2000/31/EC

The E-commerce Directive provisions on liability were adopted to address the inconsistencies observed in court rulings and national legislation that resulted in legal uncertainty for online service providers in the EU. The directive aims at defining a set of specific rules under which ‘information society service’ providers (‘online intermediaries’) who host or transmit illegal content provided by a third party are exempt from liabilities when certain conditions are fulfilled. 

Rather than establishing a broad liability regime for online intermediaries, the directive outlines precise rules that exempt these intermediaries from being held accountable under EU law, known as safe harbor regimes.

The E-commerce Directive establishes a safe harbor principle that exempts three types of online intermediaries from liability under specific conditions. Under the safe harbour regimes, online intermediaries are immune from liability unless they are aware of the illegality and are not acting adequately to stop it.

  • Mere conduit service providers (Art. 12) are exempted from liability when the service provider is only passively involved in data transmission (i.e. the interconnection provided by traditional Internet service providers and network operators) and,
  • Caching providers (Art. 13) are exempt from liability when they temporarily and automatically store data for more efficient transfer (e.g. proxy server) and if several technical conditions for storing information are met (e.g. local copy identical to the original), and,
  • Hosting providers (Art. 14) are exempt from liability if these companies that store data for their users (e.g. web hosting) do not know that they are hosting illegal activities or information and act quickly to remove or disable access to the illegal information.¹⁵

When certain conditions are met, this EU legislation exempts online intermediaries from a broad range of liabilities, including contractual, administrative, tortious, penal, civil, or any other form of liability. These exemptions cover various activities initiated by third parties, such as copyright and trademark infringements, defamation, misleading advertising, unfair commercial practices, unfair competition, and the publication of illegal content. In establishing these liability rules, a careful balance is sought between the interests of different stakeholders, including citizens, creators, and rights holders. The aim is to prevent unlawful information handling on the internet while safeguarding fundamental rights within the EU, such as freedom of expression, personal data protection, property rights, and the freedom to conduct business.¹⁶

2.1. Example of US safe harbor

For example, Section 512 of the Digital Millennium Copyright Act (DMCA)¹⁷ establishes four safe harbors that limit the liability of online service providers for the actions of their users or subscribers. The immunity provided by the §512 “safe harbor” is limited to entities that meet the criteria of a “service provider” as per the definition laid out by the DMCA. Moreover, the said immunity can only be granted to a provider once it satisfies certain eligibility requirements. The four safe harbors within the DMCA include:

  • transitory digital network communications (this safe harbor applies to service providers that transmit or communicate digital content over a network and it protects them from liability for infringing content that is transmitted or communicated by their users);
  • system caching (this safe harbor applies to service providers that temporarily store digital content in their systems or networks to improve the speed and efficiency of content delivery and shields them from liability for infringing content that is temporarily stored in their systems or networks);
  • information storage (this safe harbor applies to service providers that store digital content at the direction of their users or subscribers and it protects them from liability for infringing content that is stored on their systems or networks at the direction of their users or subscribers); and 
  • information location tools (this safe harbor applies to service providers that provide tools or services that allow users to locate digital content on the internet and it shields them from liability for infringing content that is located through their information location tools). 

These safe harbors provide legal protection to service providers that comply with certain requirements and help to balance the interests of copyright owners, online service providers, and users.¹⁸

2.3. Comparison between EU and US safe harbor provisions within DMCA and European E-Commerce Directive

The US DMCA’s safe harbor provisions and the European E-Commerce Directive’s safe harbor provisions share some similarities, but there are also some key differences between them. The DMCA’s safe harbor provisions specifically focus on copyright infringement¹⁹, while the E-Commerce Directive’s safe harbor provisions cover a broader range of torts, such as defamation, hate speech, and illegal business practices. Under the DMCA, ISPs are required to designate an authorized agent to receive notifications of alleged copyright infringement, but there is no such requirement in the E-Commerce Directive. The E-Commerce Directive applies to all categories of ISPs, including internet access providers, while the DMCA only applies to certain types, such as web service providers and search engines. The DMCA requires ISPs to remove or disable access to infringing material upon receiving valid notice from the copyright owner, while the E-Commerce Directive allows ISPs to avoid liability by removing or blocking access to illegal content when they become aware of it, regardless of whether a third-party notification has been received.

Even though there are some key differences between both legal acts and the safe harbor provisions included in those acts, there are also some similarities which testify to the fact that both sets of provisions have a similar purpose. For instance, both sets of provisions aim to provide legal certainty and protection for ISPs that may host or transmit third-party content, and establish certain conditions that ISPs must meet in order to be eligible for safe harbor protection. Furthermore, both sets of provisions limit their liability for copyright infringement or other illegal activity committed by third parties using their services, as long as the ISPs meet the specified conditions. Finally, neither the DMCA nor the E-Commerce Directive imposes on internet service providers an obligation to monitor the information that they transmit.

To conclude, both the DMCA and E-Commerce Directive safe harbor-related provisions aim to shield ISPs from third-party content liability, but their requirements and focus on different types of illegal activities vary.

2.4. Safe Harbor Agreement between EU and US

The EU-US Safe Harbor was an agreement established in 2000 to facilitate the transfer of personal data between the EU and the US. It allowed US companies to self-certify that they complied with EU data protection standards, thus enabling them to receive personal data from EU citizens. The Safe Harbor Agreement was the overall agreement between the EU and the US, while the Safe Harbor provisions were the specific rules and requirements that US companies had to follow to comply with the agreement and to receive personal data from EU citizens. These provisions included requirements related to notice, choice, access, security, and enforcement, among others.²⁰

The Safe Harbor Agreement between the US and the EU established specific requirements and provisions that US companies had to follow in order to participate. However, the agreement did not provide any immunity from liability for US companies in cases where they violated the Safe Harbor provisions or EU data protection laws. US companies that participated in the Safe Harbor Agreement were still subject to legal action and liability for any breaches of data protection laws or other violations of EU regulations. In fact, one of the reasons that the Safe Harbor Agreement was invalidated by the European Court of Justice (ECJ) in 2015 was the concern that it did not provide adequate protection for EU citizens’ personal data, and that US companies that participated in the agreement were not held accountable for violations of EU data protection laws.²¹ As a result, the EU and the US developed a new agreement called the EU-US Privacy Shield, which aimed to provide stronger safeguards for personal data transferred between the two regions.²² However, the Privacy Shield was also invalidated by the ECJ in 2020, and companies must now use alternative mechanisms such as Standard Contractual Clauses or Binding Corporate Rules to transfer personal data between the EU and the US.²³


3.1. Similarities between regulatory sandbox and safe harbor provisions

Regulatory sandbox and safe harbor provisions share several similarities, including their aims of promoting innovation, reducing regulatory barriers, and offering protection to participants or companies. Both concepts also encourage the development of new technologies or business models and can benefit both companies and consumers. Moreover, they are relatively new concepts developed to address the rapidly changing technological landscape. Lastly, both aim to balance innovation with consumer or stakeholder protection.

3.2. Differences between regulatory sandbox and safe harbor provisions

| | Regulatory Sandbox | Safe Harbor |
|---|---|---|
| PURPOSE | Designed to promote innovation and experimentation by providing a controlled testing environment for new products, services, or business models under the supervision of a regulatory authority | Designed to provide legal protection to entities from liability under certain circumstances |
| NATURE | Is not a legal provision, but a program established by regulatory authorities in which interested eligible entities/companies have to apply to participate | Is a provision in law or regulation |
| ELIGIBILITY | Only a few that meet the criteria are chosen by the regulators to participate in a sandbox; it does not apply to the general group of projects that would fall under the provision | Applies to a group of entities that meet certain criteria specified in a specific legal act |
| SCOPE | Typically applies to specific areas of law, such as copyright, securities, or data privacy. | Can be applied to a variety of sectors and industries, including finance, healthcare, and transportation. |
| DURATION | May not have a specific time limit. | Typically time-limited. |
| LIABILITY | Do not offer legal immunity but provide a safe testing environment. | Provide legal immunity from liability under certain circumstances. |
| REGULATORY OVERSIGHT | Supervised by a regulatory authority. | Not necessarily supervised by a regulatory authority; do not require active oversight or monitoring |
| TIMING | Implemented before entities engage in new activities. | Come into effect after specific conditions are met |

In conclusion, regulatory sandbox and safe harbor are two distinct concepts related to regulation and compliance in the context of emerging technologies and innovation. Regulatory sandbox provides a controlled environment for businesses to experiment and innovate under regulatory supervision for a limited time period, while safe harbor is a legal provision that provides protection from liability under certain conditions. Examples of regulatory sandboxes for blockchain and cryptocurrency-related activities include the Monetary Authority of Singapore’s FinTech Regulatory Sandbox, the Danish Financial Supervisory Authority’s FT Lab, and the Malta Financial Services Authority Sandbox. In 2023, the European Commission established a Blockchain Regulatory Sandbox for innovative uses of DLT. While the term safe harbor is commonly used in the US, in the EU, safe harbor provisions are not typically referred to as such, but are instead legal instruments that provide similar protections or immunities as safe harbor provisions in the US. The DMCA and E-Commerce Directive are examples of legal instruments that provide safe harbor provisions in the US and EU with the purpose to protect ISPs from third-party content liability.

Both concepts aim to provide certainty and predictability for entities operating in a particular field and encourage innovation, but they differ in nature, purpose, scope, duration, eligibility, timing, and regulatory oversight. 

¹ https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733544/EPRS_BRI(2022)733544_EN.pdf
² https://www.fca.org.uk/publication/research/regulatory-sandbox.pdf
³ https://www.sandbox.or.kr/guidance/intro.do
⁵ For example, in 2019 Thailand’s National Broadcasting and Telecommunications Commission (NBTC) established a sandbox programme to facilitate technology testing for the adoption of 5G in Thailand. Source: https://www.nbtc.go.th/getattachment/spectrum_management/38995/05-1-CU_5GcenterInformation.pdf.aspx
⁶ For example, in 2018 the Ministry of Health of Singapore introduced the Licensing Experimentation and Adaptation Programme, a regulatory sandbox initiative to enable safe experimentation around new and innovative healthcare services in Singapore, source: https://www.moh.gov.sg/home/our-healthcare-system/licensing-experimentation-and-adaptation-programme-(leap)—a-moh-regulatory-sandbox 
⁷ For example in 2017 The United Kingdom Office of Gas and Energy Markets (OFGEM) launched a regulatory sandbox programme called Innovation Link for innovators in the energy market, enabling them to trial innovative business products, services and business models that cannot currently operate under existing regulations, source: https://www.ofgem.gov.uk/about-us/how-we-engage/innovation-link 
⁸ Source available at: https://chifl.sufe.edu.cn/_upload/article/files/53/ae/3d75929d4041afcd7b4f9a5176c4/8c14f99a-48f9-4101-8ed1-6bff37ae6169.pdf, last visited on 12.4.2023
⁹  Source available at: https://www.sciencedirect.com/science/article/pii/S0166497221000183#bib36, last visited on 12.4.2023
¹⁰ Source available at: https://www.mas.gov.sg/-/media/mas-media-library/development/regulatory-sandbox/sandbox/fintech-regulatory-sandbox-guidelines-jan-2022.pdf, last visited on 11.4.2023
¹¹ Source available at: https://www.dfsa.dk/Supervision/Fintech/FT-lab, last visited on 12.4.2023 
¹² Source available at: https://ec.europa.eu/digital-building-blocks/wikis/display/EBSI/Sandbox+Project, last visited on: 31.3.2023
¹³  Source available at: https://corporatefinanceinstitute.com/resources/economics/safe-harbor/, last visited on 11.4.2023
¹⁴ Source available at: https://www.winston.com/en/legal-glossary/safe-harbor.html, last visited on 11.4.2023
¹⁵ Source available at: https://www.europarl.europa.eu/RegData/etudes/IDAN/2020/649404/EPRS_IDA(2020)649404_EN.pdf 
¹⁶ Source available at: https://www.europarl.europa.eu/RegData/etudes/IDAN/2020/649404/EPRS_IDA(2020)649404_EN.pdf
¹⁷ The Digital Millennium Copyright Act (DMCA) is US copyright law that was passed by the United States in 1998 to implement two treaties of the World Intellectual Property Organization (WIPO).
¹⁸ Source available at: https://www.everycrsreport.com/reports/R43436.html , last visited on 11.4.2023
¹⁹  §512 DMCA, full text available at: https://www.copyright.gov/legislation/dmca.pdf, last visited on 13.4.2023
²⁰  Source available at: https://www.experian.co.uk/business/glossary/safe-harbour-agreement/, last visited on 12.4.2023
²¹ Source available at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf, last visited on 12.4.2023
²² Source available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_16_216, last visited on 12.4.2023
²³ Source available at: https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf, last visited on 12.4.2023