Connected – March 2026
This issue has been edited by Tobias Bräutigam, Marjolein Geus and Quirijn Mohr with contributions from the Regulatory & Public Affairs team.
In this Connected edition, we present the last report of the pan-European blockchain regulatory sandbox project, an initiative of the European Commission that was set up and operated by the Bird & Bird European regulatory team. The European Blockchain Sandbox provided a framework for a cross-border regulatory dialogue on innovative Distributed Ledger Technology (DLT) use cases with regulators and supervising authorities on national and EU level. It identified not only challenges but also solutions from a legal & regulatory perspective in a safe and confidential environment and thus increased legal certainty for innovative decentralised technology solutions, including blockchain often in combination with other innovative technologies such as AI, IoT and Cloud Computing.
The core of this newsletter includes the findings from the last round of regulatory dialogues.
At the end of this Connected edition, we turn to two other important updates: a summary of the state of play of the Digital Omnibus reform project of the EU as well as an update on NIS2 implementation in Poland.
Click on the links below to jump to the respective article:
Contents
- European Blockchain Sandbox Report
- AI and Data Omnibus: Legislative update
- NIS2 Directive implementation in Poland: What businesses need to know
Please get in touch if you have any questions or would like further information on these topics.
SIGN-UP TO RECEIVE THIS MONTHLY NEWSLETTER BY CLICKING HERE
The European Blockchain Sandbox Report
The pan-European blockchain regulatory sandbox was a European Commission initiative set up and operated by Bird & Bird’s European regulatory team. Over three years, it provided a framework for cross-border regulatory dialogue on innovative Distributed Ledger Technology (DLT) use cases with regulators and supervising authorities at national and EU level, identifying legal and regulatory challenges and practical solutions to increase legal certainty for innovative decentralised technology solutions, including blockchain often deployed in combination with AI, IoT and Cloud Computing.
The third and final Best Practices Report, published on 11 February 2026, brings that work to a close. Spanning more than 230 pages and covering over 20 regulatory areas, it draws on 60 confidential regulatory dialogues between blockchain and DLT innovators and approximately 125 national and EU regulators and authorities, making it one of the most comprehensive practical guides to blockchain and DLT regulation to date.
The Report addresses the full breadth of relevant EU regulation, including the GDPR, eIDAS 2, MiCAR, the AI Act, the Data Act, AML/KYC requirements, NIS2, the Cyber Resilience Act, and the frameworks governing Digital Product Passports, the European Health Data Space and decentralised finance. It identifies areas of legal uncertainty, maps the interplay between overlapping regulatory instruments, and sets out the developments that innovators and regulators should be aware of in the period ahead.
The three successive cohorts of dialogues were structured so that lessons learned in earlier rounds could inform subsequent discussions, enabling the third and final cohort to engage with additional regulatory areas and undertake a more focused analysis across a range of industry sectors. The findings from that final round are the central focus of this edition of Connected.
Whether your practice touches on token classification, digital identity, data governance, cybersecurity or AML compliance, or involves refining blockchain applications to support compliance across financial services, healthcare, energy or customs, the Report offers structured guidance drawn directly from live regulatory dialogue conducted by Bird & Bird’s team of specialists.
Click below to read our full analysis of the key findings, lessons learned, and recommendations.
Read the full analysis
AI and Data Omnibus: Legislative update
What began as a procedural fix for delayed harmonised standards has evolved into a substantive legislative exercise. Across the AI and Data Omnibus files, the Commission’s simplification initiative is giving way to policy debates on fundamental rights, regulatory scope, and institutional balance.
Read the full story
For more information, please contact Oliver Belitz and Paolo Sasdelli.
NIS2 Directive implementation in Poland: What businesses need to know
Poland’s amended Act on the National Cybersecurity System (the “Cybersecurity Act“) takes effect on 3 April 2026. While transitional periods offer some flexibility, the scope and complexity of the new requirements make early preparation critical for businesses affected. In the case of multinationals, aligning group-wide NIS2 programmes might be required.
Read the full story
