SADC regulatory sandboxes need a clearer legal home

SADC regulatory sandboxes are being discussed as tools for regional innovation and cross-border regulatory learning. That is a reasonable starting point. But the real question is not whether cooperation is attractive in principle. The real question is whether it has a clear legal home within Africa’s existing digital governance architecture.

That is why the latest UNU-CRIS policy brief matters. It identifies a real regional problem. Sandbox activity across Southern Africa remains fragmented, still largely centred on fintech, weakly coordinated across borders, and too lightly connected to data protection and wider digital governance. That diagnosis is useful. It deserves to be taken seriously.

It also needs to be placed more carefully.

Why SADC regulatory sandbox cooperation matters

There is nothing inherently wrong with discussing sandbox cooperation at SADC level. Southern Africa does need more structured exchange between regulators, better visibility over existing sandbox practice, and a more practical route for jurisdictions with limited capacity to participate in innovation governance without having to build every tool on their own.

That is the strongest part of the current regional argument. It is practical. It is collaborative. It recognises that fragmented national experimentation is often too narrow to keep pace with cross-border data flows, platform-based services, AI-enabled products, and regional market expansion.

Taken at that level, the case is sound. A regional coordination layer can add value.

Why lawful authority still comes before sandbox design

The difficulty begins when cooperation is allowed to sound like a sufficient governance answer by itself. It is not.

A regulatory sandbox may provide a controlled environment for experimentation. It does not determine lawful authority, institutional mandate, evidential sufficiency, or procedural remedy. Those questions remain prior. They cannot be settled by process design alone, and they do not disappear merely because a regional forum creates a useful mechanism for shared testing or shared learning.

This is the same discipline already developed in Law Before Code. Digital arrangements do not become legitimate because they are efficient, innovative, or well coordinated. They become defensible only when the public act they shape remains attributable to a lawful basis, a competent institution, a reviewable evidence pathway, and a remedy route that can still reach the live outcome.

Why SADC is a coordination layer, not a self-sufficient normative layer

This is where institutional placement matters. SADC is a plausible layer for peer exchange, regulator mapping, observer models, and regional operational coordination among Southern African authorities. It is a weaker layer if it is left looking like the principal legal home for data governance, personal data protection, cybersecurity, digital identity, or cross-border digital market rules.

If a new regional sandbox framework is discussed without saying clearly how it sits beneath existing African legal and policy instruments, the result is not clarity. It is additional uncertainty about which rules are foundational, which institutions are coordinating, and which authority remains compellable when a tested arrangement produces a contested outcome.

That is not merely a drafting weakness. It is a governance weakness.

Why AU frameworks already shape SADC sandbox governance

On data governance, personal data protection, and cybersecurity, Africa already has a continental layer. The Malabo Convention was adopted to strengthen national legislation and support harmonisation across the continent. The AU Data Policy Framework adds a broader policy architecture for trustworthy data governance and a more coherent African data space. The Digital Transformation Strategy for Africa 2020–2030 provides the wider strategic umbrella.

That does not make SADC irrelevant. It means that a SADC sandbox discussion should be presented as nested within an already established continental structure. If that nesting is left implicit, regulators and firms are left to infer the hierarchy for themselves.

The better approach is to make the layering explicit from the start.

Why AfCFTA digital trade also matters for regional sandbox cooperation

The same point applies once sandbox cooperation begins to touch cross-border payments, digital services, platform access, regional scale-up, or data-enabled market integration. At that stage, the discussion is no longer only about innovation support. It is also about digital trade and the rules that shape continental market development.

That is why the AfCFTA Digital Trade Protocol is part of the picture. Once sandbox language is used to support cross-border deployment, market access, interoperability, or regional digital commerce, AfCFTA is already in the room.

Again, this does not weaken the case for SADC cooperation. It strengthens the need for institutional precision. Regional coordination is useful only when it is visibly placed within the wider African framework that already governs the field.

Why comparative sandbox models support caution as much as cooperation

The external examples often used to support regional sandbox cooperation are useful, but they are more cautious than policy enthusiasm sometimes suggests. The OECD work on regulatory experimentation supports agile governance, but only with clear legal anchoring, bounded use, oversight, and exit discipline. The Pacific regional regulatory sandbox guidelines are valuable precisely because they preserve domestic regulator control rather than dissolving it. The EU cross-border testing model is also instructive, but it does not create a single supranational sandbox or erase national decisions. The Africa Sandboxes Outlook shows both the breadth of experimentation and the continuing governance and capacity gaps around it.

Why the public act remains the real governance object

This point is easy to miss because sandboxes are visible and politically attractive. But the sandbox is not itself the public act. It is an environment in which testing occurs. The legally meaningful object remains the function, decision, or outcome that may later produce or condition legal effect.

That distinction matters because shared environments, cross-border test arrangements, and cooperative workflows can begin to look authoritative merely because they are operationally central. Yet visibility is not authority. A regional process is not a legal basis. A platform is not a mandate.

This is also why the taxonomy set out in Digital Public Infrastructure is not DPG, DPF, or DPS matters here. Once the sandbox wrapper becomes the object of governance, the real discipline of lawful authority, institutional accountability, authoritative records, service logic, evidence continuity, and remedy reach begins to fade from view.

Why data protection, evidence, and remedy become decisive under cross-border conditions

The regional sandbox discussion becomes weakest precisely where the governance burden becomes heaviest. If the arrangement touches data sharing, digital identity, profiling, authentication, AI-assisted decision support, or cross-border disclosure, data protection and privacy are not peripheral questions. They sit at the centre of the arrangement.

The same applies to evidence. A regional sandbox that produces lessons but cannot support independent reconstruction of the legal basis, the acting institution, the authoritative records, the procedural path, and the resulting outcome remains too thin for serious reliance.

And the same applies to remedy. The real test of a regional sandbox is not whether firms can enter it. It is whether affected people and accountable institutions can still challenge, correct, suspend, or reverse what comes out of it. If a tested arrangement influences a public decision, who can stop it. If a source record is wrong, who corrects it. If a cross-border dependency fails, who remains compellable.

As argued in Data exchange platform governance, plumbing does not grant access, connectivity and capability do not settle lawful access or institutional responsibility. A regional sandbox does not escape that rule. It intensifies it.

What a stronger regional sandbox framework should now do

The strongest next step is not to reject regional sandbox cooperation. The strongest next step is to place it more carefully.

A stronger regional argument would show clearly how SADC cooperation sits beneath AU legal and policy frameworks. It would explain where AfCFTA becomes relevant once sandboxing moves into cross-border services, payments, or digital trade. It would distinguish coordination from authority, visibility from evidence, and regional learning from lawful public action.

Most importantly, it would return the centre of gravity to the real governance object. Not the sandbox. Not the framework. Not the regional process. The public act.

That is the point at which the discussion becomes genuinely useful.

A clearer legal home would make regional sandbox cooperation stronger, not weaker

Southern Africa does need more peer learning, more structured regulatory exchange, and more serious thinking about how to govern innovation across borders. That much is clear.

But regional sandbox cooperation will only add value if its legal home is made explicit. Without that clarity, the region risks adding another governance layer while leaving the hierarchy underneath it unresolved.

A regional sandbox can help. It will do so only if it is presented as a coordination and implementation layer within Africa’s wider digital governance architecture, while lawful authority, institutional mandate, evidential sufficiency, and procedural remedy remain exactly where they belong.