The Gibraltar Regulatory Authority have announced the launch of the beta phase of its Regulatory Sandbox.

A statement from the GRA follows below:

The Gibraltar Regulatory Authority, in its capacity as the Information  Commissioner, is pleased to announce the launch of the “beta phase” of its Regulatory  Sandbox. This initiative provides organisations with a controlled  environment to test innovative products, services, or data uses, while receiving guidance  to ensure compliance with Gibraltar’s privacy and data protection laws prior to full-scale  deployment. 

The Sandbox is designed to reduce regulatory uncertainty and support the development  of compliant solutions in emerging sectors and technologies, further strengthening  Gibraltar’s position as an innovation-focused economy. 

The GRA’s CEO and Information Commissioner said: 

“Regulatory sandboxes provide a trusted environment for innovation,  enabling organisations to test new ideas with regulatory support. This helps  them move faster, achieve compliance more effectively, and deliver  meaningful public benefit”. 

Who can participate in the Sandbox? 

The Sandbox is open to organisations of all sizes, including start-ups, small and medium sized enterprises (SMEs), large enterprises, public bodies, and non-profit organisations. 

Participation is intended for any product, service, or model that will involve the processing  of personal data under Gibraltar’s data protection framework. 

1 The Information Commissioner is the Chief Executive Officer of the Gibraltar Regulatory Authority. 

June 23, 2026 

Eligibility criteria 

Applicants must demonstrate how their product or service uses new knowledge or  technologies to deliver meaningful public benefit. Benefits may be societal, economic, or  operational, and will be assessed based on both breadth (the number of individuals  affected) and depth (the extent of impact). The assessment will also consider the relative  significance of the benefits, recognising that some initiatives may deliver more substantial  or strategically important outcomes. The Sandbox may prioritise these interventions for  their potential to generate meaningful improvements. 

Proposals will be assessed for viability, including operational, technical, and regulatory  feasibility. 

How does the Sandbox operate? 

The Sandbox offers a range of advisory and supervisory mechanisms, including: • In-person or virtual workshops to support early-stage development; • Iterative, informal guidance throughout the project lifecycle; 

• Step-by-step walkthroughs of proposed processing activities; and 

• Ongoing informal supervision during testing. 

At the conclusion of the Sandbox process, participants will receive an “exit report”  summarising their engagement, key data protection considerations and generalisable  insights.  

A “statement of regulatory comfort” may also be issued, where agreed in advance and  subject to all participation conditions being met. Where appropriate, this will confirm that,  based on the information provided during participation, the GRA has not identified any  indications of non-compliance with applicable data protection laws. 

Sandbox model 

The Sandbox is currently in its “beta phase”, meaning its structure, processes, and  governance may evolve on experience and participant feedback. 

Participation will follow a phased intake model, beginning with an “expression of interest”  stage, followed by a full application process for shortlisted organisations. One project will  be selected at a time to ensure appropriate oversight and regulatory support. 

Sandbox projects are expected to run for approximately 12–15 months from initial  expression of interest to completion, although timelines may vary depending on the  complexity and risk profile of each proposal.

How to apply? 

Further information is available on the GRA website under the “Data Protection” section,  within the "Regulatory Sandbox" tab: https://www.gra.gi/data-protection/regulatory sandbox 

Enquiries can be directed to: [email protected]