On 19–20 April 2026, an Estonian delegation led by Secretary of State Keit Kasemets travelled to Helsinki to meet Finnish State Secretary Risto Artjoki and counterparts across the Finnish government. The headline outcome was modest in wording but significant in substance: the two countries agreed to jointly develop AI regulatory sandboxes for testing high-risk systems under the EU AI Act, with the 'Agentic State' — autonomous AI delivering public services — named as a shared priority. Kasemets framed the visit plainly: "Our goal today is simple: to identify concrete, actionable projects where we can work together quickly."
This is a small announcement that quietly models how Europe should be implementing one of the AI Act's better ideas.
What a sandbox is, and why the deadline matters
Article 57 of the EU AI Act requires every member state to ensure its competent authority operates at least one AI regulatory sandbox — a supervised environment where developers can build and test systems before market launch, with regulators on hand to give guidance and flag risks. The original deadline for operational sandboxes is 2 August 2026.
The case for sandboxes is genuinely strong, and worth stating fairly before critiquing anything. High-risk AI — systems used in employment, critical infrastructure, or public services — carries real potential for harm: opaque decisions, embedded bias, automation of consequential errors at scale. A sandbox lets a regulator watch a system in controlled conditions, build the institutional expertise to supervise it, and surface problems before, not after, deployment. Done well, it is pro-innovation and pro-accountability: firms get legal certainty and a faster route to compliance, while authorities learn how the technology actually behaves rather than regulating it from a whiteboard.
The problem is not the concept. It is the execution. As of August 2025, the European Parliamentary Research Service found that only one member state — Spain — had a sandbox up and running; five were actively implementing, four had merely declared intent, and sixteen had not communicated any plans at all. The Commission had not yet adopted implementing acts to guide the design, leaving each country to build a framework and the supervisory capacity from scratch. A pan-EU obligation with a hard date, no shared blueprint, and twenty-six laggards is a recipe for box-ticking sandboxes that exist on paper and teach regulators nothing.
Pooling beats duplicating
This is exactly the gap the Estonia–Finland approach addresses. Rather than each building a parallel national framework, the two states are sharing the technical and legal groundwork. Article 57 explicitly permits this: a sandbox "may also be established jointly with the competent authorities of other Member States," and a state can discharge its obligation by participating in an existing sandbox that offers equivalent national coverage.
For small administrations this is not a nicety — it is the only sensible path. Neither Estonia (1.4 million people) nor Finland (5.6 million) can spin up deep AI-supervision expertise in isolation by August. Pooling lets them split the cost of scarce talent, run larger and more varied test cohorts, and present EU institutions with a working cross-border template instead of a complaint. As the partnership's analysts put it, both want to be "rule-shapers rather than rule-takers" in AI governance — and the credible way to shape a rule is to demonstrate that you have already made it work.
The two also bring complementary assets. Finland hosts LUMI, one of Europe's most powerful supercomputers. Estonia brings the deeper relevant infrastructure for testing public-sector AI: X-Road, its secure data-exchange layer, which underpins more than 3,000 e-services and carries roughly 2.2 billion transactions a year, saving an estimated 1,345 working years annually. Critically, Estonia and Finland have run a cross-border X-Road federation since February 2018, so the data plumbing for joint public-service AI testing already exists. Kasemets pointed straight at this: "Both our countries are uniquely positioned thanks to strong data interoperability."
The Agentic State raises the stakes
Naming the 'Agentic State' as a priority is where ambition and caution should meet. Estonia's Eesti.ai programme — whose council approved 15 high-impact projects at its 8 April 2026 meeting, and which targets doubling the value of Estonian work by 2035 — envisions AI agents that don't just inform public services but execute them. Autonomous systems acting on citizens' behalf, drawing on X-Road's data flows, are precisely the high-risk category Article 57 sandboxes were designed for. A controlled environment to test agentic public services before they touch real benefits, permits, or records is the responsible way to pursue that vision rather than a reason to slow it down.
The risk worth naming
Proportionate regulation cuts both ways, and the honest concern here is not over-regulation but under-delivery. The Commission's Digital Omnibus has now proposed pushing the national sandbox deadline from August 2026 to August 2027 and creating a separate EU-level sandbox run by the AI Office. Extra time and a central facility are defensible given how few states are ready — but a softer deadline also invites the laggards to keep waiting. The Estonia–Finland model only delivers its promised value if other capitals treat it as a template to join, not as cover to do nothing.
The lesson from Helsinki is narrow but real. The AI Act's sandbox provision is one of its most pro-innovation features, and the bottleneck is implementation capacity, not legal text. Two small states have shown the cheapest fix is to stop duplicating and start pooling. Brussels should make joining a cross-border sandbox the default route to compliance, not the exception.