Marjolein Geus

In the first instalment of IDnow’s ‘5 Questions For…’ interview series, we sit down with Marjolein Geus to discuss how the European Blockchain Sandbox has helped regulators and innovators turn Web3 ambition into compliance-by-design best practice, and ask what’s next… 

Running from early 2023 to February 2026, the European Blockchain Sandbox was created to establish a pan-European framework to increase legal certainty for innovative blockchain technology solutions. 

In just three years, the European Commission-funded initiative facilitated 60 cross-border regulatory dialogues across multiple sectors and regulatory topics. 

In 2024, IDnow joined the IOTA Foundation consortium (alongside walt.id, HAVN Network, and Bloom Labs) and was tasked with building a Web3-ready KYC and identity verification solution. The goal: to help Crypto Asset Service Providers (CASPs) and self-hosted wallets meet the requirements of the EU’s Transfer of Funds Regulation (TFR), which forms part of the wider EU Anti-Money Laundering measures, including the upcoming Anti-Money Laundering Regulation.

In theory, the task appeared simple: as part of evolving anti-money laundering measures, crypto transactions should now include identifying information about the sender and receiver and follow AML standards similar to traditional financial services. In reality, however, there is considerable complexity and tension between AML data requirements and GDPR expectations, especially the principle that personally identifiable information (PII) shouldn’t be stored on-chain on blockchains or other DLT systems. 

Speaking on the success of the European Blockchain Sandbox, Sebastian Elfors, who represented IDnow in the project, said, “The solution we developed has the potential to go beyond the realm of cryptocurrency transactions, which was the scope of the project. For example, the Soulbound Tokens (non-transferable digital assets) that are issued could also be used for digital identities in the Web3 metaverse.”

“Although there may not be a regulatory framework with set requirements for Web3 or Web4 applications, trust brings growth and the European Blockchain Sandbox proved a great opportunity for these environments to become – or at least discuss becoming – more mainstream.”

Sebastian Elfors, Senior Architect at IDnow.

Now that the European Blockchain Sandbox has ended, we sat down with Marjolein Geus, Partner at Bird & Bird and Lead for the European Blockchain Sandbox, to discuss what the Sandbox achieved, what some of the most commonly recurring challenges were, and what comes next. 

1. What gap did the European Blockchain Sandbox fill, and what outcomes did the project aim to deliver for the wider European ecosystem?

There is a perceived gap between innovation and regulation. On the one hand there is a need for innovators to better understand relevant regulations and how to comply and on the other hand there is a need for regulators to better understand innovative technologies and what it means from a regulatory perspective and their areas of competence. The European Blockchain Sandbox helped to bridge this gap. 

The European Blockchain Sandbox provided a framework for innovators and regulators to enter into informal, confidential and cross-border dialogues to enhance mutual understanding and to identify not only potential regulatory challenges but also solutions. Bird & Bird as lead contractor set up and moderated in total 60 cross-border dialogues (20 per annum) covering a range of regulatory areas and many different industry sectors. These dialogues allowed us to identify, with the help of the participating regulators and innovators, best practices, lessons learned and areas for clarification. The final best practices report, 3rd Cohort Best Practices Report – EU Blockchain Observatory and Forum, was published in February 2026.

2. Across the dialogues, what were the most repeated compliance friction points that you saw across sectors (data protection, cyber security, accountability, consumer protection, AML expectations, cross-border issues)?

In total 60 selected innovative use cases participated in the project from all EU regions and covered many different industry sectors. We therefore covered a range of regulatory areas and looked at the interplay between different regulatory areas (e.g. GDPR/eIDAS; eIDAS/AML; eIDAS/Cybersecurity). There were important topics for discussion in every use case dialogue, but a common denominator for each of the dialogues was that a productive and efficient dialogue required a detailed understanding about the use case. 

This would most of the time include information about categories of data that are being processed and for which purposes, the data flows, where the data is recorded/stored (on-chain/off-chain/in the cloud), who the stakeholders are; what their roles are; and who can access the data under what conditions. In crypto projects understanding the characteristics of the tokens is also key as well as understanding the role of the different stakeholders regarding these tokens and understanding the role and functionality of the smart contracts.  

With the valuable contributions and engagement of the participants (both innovators and regulators) we were able to discuss many relevant issues such as how to comply with the General Data Protection Regulation (GDPR), how to comply with and make use of the eIDAS regulatory framework, how to comply with AML/KYC legislation in an efficient manner and how to identify the relevant regulations for financial sector use cases.

3. What did you learn about making “privacy-by-design” real while still meeting regulated requirements?

It’s important to take regulatory compliance into account as early as possible when designing the use case. Compliance by design or by default will normally be easier to realise at the beginning of the project.  

The best practices reports provide helpful guidance and the fact that the European Blockchain Sandbox was a three-year project with three consecutive cohorts of selected use cases, made it possible to build on the previously identified lessons learned. And of course we also identified areas for clarification where further regulatory certainty on EU level, either in EU legislation or through guidance by EU regulators would be welcome.

4. Moving from pilots to production: what ‘trust layer’ still needs to exist off-chain, and why doesn’t blockchain remove the need for it? 

This is a highly relevant topic for the blockchain/DLT area because the data recorded on-chain can normally not be deleted/erased and processing of personal data is an important element for many use cases meaning that the right to erasure needs to be complied with.  

As a starting point it is important to limit the personal data (which could also be pseudonymised data) that is recorded on-chain as much as possible and to store data that allows for indirect identification of natural persons off-chain while the off-chain recorded data can be erased and the link to the data on-chain can be permanently broken. But there may be other/better solutions, depending on the use case and the type of blockchain infrastructure that is being used.

5. Looking back now that the Sandbox has concluded: what’s one recommendation you’d give regulators, and one you’d give innovators, to speed up safe adoption?

A recommendation for regulators would be to continue to engage in an open, informal and constructive regulatory dialogue with innovators and other regulators at the national and EU level and to find the right framework to facilitate such dialogues. 

“The regulatory sandbox concept is a valuable approach for areas of new technology where there is a lack of legal certainty around evolving regulations. Interplay with new technologies and exposure to real life use cases can help to build regulatory capacity in digital domains.”

Marjolein Geus, European Blockchain Sandbox Lead.

A recommendation for innovators would be to include compliance with relevant regulations early in the development process. And to approach regulation not as something to shy away from, but to have confidence in compliance and look at regulation as a tool that can help the use case to mature and grow and to incur confidence with customers. Selecting business partners and service providers that provide compliant solutions is an important element.

Bonus: Many teams want to share less data but to have more trust. What does good look like for a ‘compliance-grade’ identity approach in Web3 (i.e., strong verification, fraud prevention, and audit evidence) while still respecting data minimisation, and where can identity providers like IDnow add the most value? 

EU regulation provides relevant guidance in terms of data that must be shared (e.g. in the context of AML or sector specific data sharing obligations) and may be shared or may not be shared (e.g. in the context of compliance with the GDPR and horizontal data regulation).  

Moreover, EU regulatory frameworks provide important tools that can be used by providers to help customers comply with relevant regulations. Although each use case will be responsible for its own compliance, it is not necessary for each use case to re-invent the compliance wheel on all fronts. Part of the compliance exercise is also to identify which elements can be outsourced and which elements are better developed in-house. External specialist identity providers like IDnow clearly can play an important role by helping customers and other stakeholders to develop compliant innovative solutions and business models.

Blockchain vs Regulation: A Mismatch not Worth Fighting?

If there’s one thing that’s clear from speaking with Marjolein and reflecting on the three years of the European Blockchain Sandbox, it’s that blockchain needn’t necessarily be seen in opposition to regulation. In fact, a more useful approach to blockchain and DLT is compliance-by-design: solutions built to ensure transparent data flows, which make it clear what sits on-chain vs off-chain and how evidence decisions can be made without collecting more data than necessary.

That’s also where identity becomes a practical enabler. Whether the use case is decentralised finance, tokenised assets, or blockchain-based data sharing, regulated adoption depends on being able to answer a familiar set of questions: Who is behind the action? What can we prove? What can we minimise? And how do we handle exceptions safely?

“As blockchain-enabled solutions move from pilots into regulated, real-world deployment, they will still need a trust layer for identity assurance that can handle exceptions (e.g. automated checks with expert (human) fallback) for compliant, high-quality identity decisions.”

Sebastian Elfors, Senior Architect at IDnow.

At IDnow, we’re continuing to focus on this bridge between innovation and regulated reality, helping organisations combine privacy-by-design verification, fraud prevention, and audit-ready evidence so that new digital ecosystems can scale with trust.

By Jody Houton
Senior PR & Content Manager at IDnow