Sandbox - Application form

Sandbox - Application form


Regulatory Sandbox - Application for admission

1. Introduction

The application for admission must be completed with truthful, accurate and complete information in each part provided. More details can be provided by attaching specific supporting documentation. The application must be digitally signed by the legal representative of the company or by its attorney pursuant to art. 2909 of the Civil code authorised for this and sent together with the attachments indicated below. The administrative procedure cannot be started in case of incompleteness of the application, including that deriving from the absence of the required digital signature, or in the absence of a mandatory attachment. The certified email address to which the application must be sent is:[1].

2. Master data[2]

Company name

Registered office

Secondary registered office (foreign operators)

Tax code / VAT number

Contact person (name and qualification)

Website (if any)

Certified email/email

3. Company Information

A. Is the company authorised to carry out an activity reserved by the competent Supervisory Authority and/or does it carry out activities regulated by the competent Supervisory Authority? In the case of inclusion in a roll, list or register, provide the identification code:

Date of incorporation

Amount of revenue from the last approved financial statements (if any)

Total assets from the last approved financial statements (if any)

No. of employees (if any)

4. Information on the scope of the experimentation


Select one of the following options:

Financial services/retail investments/wholesale;
Asset management;
Market infrastructures;
Digital payments;
Digital lending;
Open banking / open finance;
Other, please specify:

Prevailing technology

Select one or more of the following:

Application Programming Interfaces (APIs);
Artificial Intelligence (AI);
Machine Learning (ML);
Data analysis / Big Data Analytics;
Digital ID and authentication systems;
Cloud computing;
Blockchain, Distributed Ledger Technology (DLT) and smart contracts;
Quantum computing;
Internet of Things (IoT);
Robotic Process Automation (RPA);
Natural Language Processing (NLP);
Advanced encryption mechanisms;
Other, please specify:

A. Indicate the activities for which admission to experimentation is requested:

1. activity subject to authorisation or inclusion in a roll, list or register by at least one of the Supervisory Authorities;
2. activity subject in the abstract to authorisation or inclusion in a roll, list or register by at least one Supervisory Authority, but falling within a case of exclusion provided for by law;
3. activity carried out in favour of a supervised or regulated entity by at least one Supervisory Authority also operating in Italy under the freedom to provide services;
4. activity carried out by a supervised or regulated entity by at least one of the Supervisory Authorities or by an entity operating in Italy under the freedom to provide services.

B. In the cases referred to in the numbers 3 and 4 above, specify whether the activity is carried out by or in favour of a subject having its registered office in another Member State of the European Union operating in Italy under the freedom to provide services.

C. Indicate if the application is submitted to other competent authorities (specify which ones)

5. Information on the project

A. Provide a detailed description of the project, indicating:

A.1. Objectives

A.2. Characteristics of the solution (product/service) to be tested: structuring, operation, distribution/delivery, together with practical examples of its application

A.3. Business Model (e.g. B2B, B2C, B2B2C) indicating its characteristics and the number of end users

A.4. Duration of the period for experimentation that is planned to be carried out

A.5 Reasons why an experimentation phase is requested

A.6 Indicate any other subjects involved in the initiative (e.g. technology suppliers, incubators/accelerators, universities, research centres, supervised or regulated entities towards which the activity is provided, etc.), the type of relationship (e.g. service agreements, partnerships, lenders/partners, etc.), their respective roles and responsibilities in the experimentation.

B. Explain to what extent the initiative is innovative compared to what is already present on the national market, specifying whether a new technology or a cutting-edge technology already in use for the offer of services, products or processes in the banking and financial or insurance sectors (Criterion - innovativeness) is used.

Internal and/or market analysis may be provided as a support (see optional attachments).

C. Indicate the supervisory guidelines or the general acts adopted by the Supervisory Authorities, as well as the rules or regulations adopted by the supervisory authorities, whose derogation is requested, in whole or in part, during the experimentation period, with reference to the following profiles:

capital requirements;
simplified and proportionate obligations for the activities to be carried out;
perimeters of operation;
disclosure obligations;
times for issuing authorisations;
professionalism requirements of the company representatives;
corporate governance and risk management profiles;
corporate forms that are admissible also by way of derogation from the corporate forms envisaged by the consolidated text of the laws on banking and credit, as per Legislative Decree no. 385 of 1 September 1993 from the Consolidated text of the provisions on financial intermediation, referred to in Legislative Decree no. 58 of 24 February 1998, and by the private insurance code, referred to in Legislative Decree no. 209 of 7 September 2005;
any financial collaterals

Indicate the details of the provisions of the supervisory guidelines or general acts issued by the Supervisory Authorities for which derogation is intended, explaining the reason.

Alternatively, indicate the new elements of the project that require experimentation and joint testing with one or more Supervisory Authorities, highlighting the reasons why the ordinary channels of interaction with the Bank of Italy, Consob and IVASS are not enough.

D. Show the added value of the project with reference to at least one of the following areas:

a. benefits for end-users in terms of quality of service, promotion of competition, conditions of access, availability, end-user protection or costs;

b. efficiency of the banking, financial, insurance system or of the operators participating in them;

c. less burdensome or greater effectiveness in the application of banking, financial and insurance regulations;

d. improvement of the systems, procedures or internal processes of operators in the banking, financial or insurance sector in relation to risk management. (Criterion - added value)

Analyses or simulations may be provided as a support.

E. Provide a preliminary feasibility study (proof of concept), including a prospective assessment of the economic and financial sustainability or financial coverage of the project (Criterion – sustainability and maturity).

The business plan must be attached as a support to the assessment, which must contain the following specifications:

a. organisational structure;

b. assessment of technical feasibility;

c. need for resources (technological, human and logistical) necessary for the experimentation and the methods of finding them;

d. assessment of expected profitability, capital requirements and expected cash flows;

e. sources of financial coverage (indicating the subjects that have undertaken the commitment to guarantee any liquidity needs);

f. other.

F. Identify the main risks of the activity (including ICT, cyber security and related to data protection) illustrating the related means to mitigate their impacts.

G. Explain in detail the measures and means to protect the end users, which must include at least:

a) complete, clear and accessible information for customers about the experimentation nature of the project and the related risks, made known in the forms and methods most appropriate to the type of product or service offered;

b) mechanisms for collecting the user's conscious consent to enter into a relationship with the subject admitted to the experimentation: in particular, the user's conscious consent must concern the understanding of the experimentation nature of the product or service offered and the related implications, its structure, characteristics and risks of damage to the user;

c) recognition of the right to withdraw from the contract at any time with a notice of at least 15 days, without charges or penalties related to the withdrawal;

d) forms of communication to the public concerned regarding the admission to the experimentation, the activities covered by the test and the possibility that the activities may not continue at the end of the experimentation period, specifying in this case the related implications and effects on any contracts stipulated with the user;

e) mechanisms for prompt compensation in the event of liability of the service provider admitted to the experimentation, in addition to the ordinary instruments available to customers.

H. Describe the potential impact of the end of the experimentation on the activities started during the experimentation phase, and still in place at the end of the experimentation, and the measures to manage this impact.

I. Describe the outcome of any experimentations carried out with other authorities, including foreign ones. In particular, it must be specified that it does not fall within the case of inadmissibility provided for by art. 6 paragraph 3 of the Regulation.

L. Indicate whether and in what terms the activity would need support from the authority during the test.

6. Information on the Test Plan (criterion – maturity)

A. Indicate the progress of the project and provide the test plan (e.g. Gantt) with a clear and credible indication of the objectives and related milestones, also indicating a preliminary proposal of metrics for monitoring the test.

B. Indicate which variables will be used at the end of the experimentation phase to measure the positive outcome thereof.

C. Indicate the type of users who will participate in the experimentation phase and the methods with which they will be selected.

D. Describe the next steps if the test is successful.


1. Declaration of commitment, for FinTech operators who carry out the activities provided for by art. 5, paragraph 1, letter b) of the FinTech Experimentation Regulation, to request the authorisation or registration required by law for the performance of the activity, in the event of a positive outcome of the experimentation.

2. Declaration of not having initiated proceedings for the settlement of the over-indebtedness crisis provided for by Law no. 3 of 27/1/2012 (company based in the Italian territory).

3. Declaration of not having initiated proceedings equivalent to those provided for by Law no. 3 of 27/1/2012 according to the applicable national regulations (company based outside the Italian territory).

4. Declaration of: i) not being subjected to over-indebtedness proceedings ii) not being a commercial entrepreneur subject to bankruptcy or reorganisation proceedings, iii) not being a collective commercial entrepreneur in liquidation.

5. Declaration of commitment by operators with registered office in a State not belonging to the European Union who intend to provide the activities referred to in art. 5, paragraph 1, lett. b) and c), to open a secondary office or a representative office in Italy within forty-five days from the provision for admission to the experimentation.

6. Plan for the cessation of activities (see article 12, paragraph 1 letter e) point 4) of Ministerial Decree no. 100 of 2021).

7. Self-certification proving the integrity requirements of company representatives/directors and the criteria of correctness[*].

8. Self-certification proving the approval of the financial statements[*].

9. Certification with which the subjects to whom the activity is intended to be provided consent to be the recipients of the activity or part of the activities admitted to the experimentation and to the derogation according to the provisions of letter E. Section "3. Information on the project" of this form (see art. 5 paragraph 1 letter C Fintech Experimentation Regulation). Where necessary in the light of the applicable regulations, the draft of the service outsourcing contract.

10. Business plan.

11. Information and documents required pursuant to the mandatory applicable legislation for obtaining authorisation or inclusion in the relevant rolls (see Article 5, paragraph 1, letter A of the Fintech Experimentation Regulation).


  • Market analysis,
  • quality certifications,
  • safety and environment certifications,

Please read the privacy policy referred to in the attachment Personal data protection policy"



Digital signature of the legal representative

(photocopy of the identification document is enclosed)


In accordance with the provisions of the European and national legislation on the protection of personal data, we inform you that CONSOB, Via G.B. Martini, 3, ROME, as Data Controller, processes personal data relating to the persons who apply for admission to the regulatory Sandbox, acquired during the activity of selecting eligible applications.

Data processing is necessary to ascertain the existence of the eligibility requirements for the regulatory Sandbox. Data concerning the existence of criminal convictions, application of security measures, pending criminal proceedings or proceedings for the application of security measures are processed in order to ascertain the necessary requirements for admission to the Sandbox, in accordance with the provisions of art. 7, paragraph 2, of the Ministerial Decree no. 100 of 2021.

The data are also processed by means of IT procedures, using appropriate security measures to guarantee the confidentiality of personal data as well as to prevent undue access to the data by third parties or unauthorised personnel.

Personal data will be stored for the time necessary for the exercise of institutional functions.

In relation to the personal data pertaining to the subjects admitted to the regulatory Sandbox, the processing of personal data will continue for the purposes inherent to the experimentation.

The data will not be disseminated and may be disclosed to public authorities and third parties in the cases provided for by law or regulation; without prejudice to the right to verify the veracity thereof with the competent administrations pursuant to art. 71, paragraph 4, of Presidential Decree 445 of 2000. Personal data processed in the exercise of supervisory functions can be transferred to foreign Supervisory Authorities to facilitate the performance of the related functions, according to the guarantees provided for by the Administrative Agreement signed for this purpose by Consob on 7 June 2019, available on the institutional Consob's website.

The data may be disclosed to the Heads of the Organisational Units involved in the activity related to the regulatory Sandbox, as well as to the employees of the Offices authorised to process it.

Without prejudice to any limitations provided for by law (art. 23 GDPR; art.2 undecies, Legislative Decree no. 196/2003), the interested parties have the right to access personal data and other rights recognised by the legislation (arts. 15-22 of the GDPR) such as the right to obtain the rectification or integration of data, the right to obtain the cancellation, transformation into anonymous form or the blocking of those processed in violation of the law as well as the right to oppose in everything in part, for legitimate reasons, to the processing thereof.

These rights can be asserted against the Data Controller: CONSOB, National Commission for Companies and the Stock Exchange, via G.B. Martini no. 3 - 00198 Rome --- certified e-mail:, mail:

The Data Protection Officer for Consob can be contacted at Consob (e-mail:

If data subjects believe that the processing that concerns them is carried out in violation of the law, they may lodge a complaint with the Guarantor for the protection of personal data --- Piazza di Monte Citorio, no. 121 --- Rome.


[1] In case of objective impossibility to forward the model and the attachments by certified email (PEC), not attributable to the applicant, the competent Consob offices must be contacted at the email address, well in advance of the deadline of the time window, illustrating the circumstances impeding the use of the certified email.

[2] In case of a request for the activities provided for in article 5, paragraph 1, letters b), c) and d) submitted jointly, the field must be completed with information on all the entities involved, pursuant to article 7, paragraph 3.

[*] This information may be omitted in the requests for the activities indicated in art. 5 paragraph 1 letter A and D of the Fintech Experimentation Regulation.

Go to Sandbox