The future of regulation

Principles for regulating emerging technologies

As emerging technologies drive new business and service models, governments must rapidly create, modify, and enforce regulations. The preeminent issue is how to protect citizens and ensure fair markets while letting innovation and businesses flourish.


Sweeping technological advancements are creating a sea change in today’s regulatory environment, posing significant challenges for regulators who strive to maintain a balance between fostering innovation, protecting consumers, and addressing the potential unintended consequences of disruption.

Emerging technologies such as artificial intelligence (AI), machine learning, big data analytics, distributed ledger technology, and the Internet of Things (IoT) are creating new ways for consumers to interact—and disrupting traditional business models. It’s an era in which machines teach themselves to learn; autonomous vehicles communicate with one another and the transportation infrastructure; and smart devices respond to and anticipate consumer needs.

In the wake of these developments, regulatory leaders are faced with a key challenge: how to best protect citizens, ensure fair markets, and enforce regulations, while allowing these new technologies and businesses to flourish?

The assumption that regulations can be crafted slowly and deliberately, and then remain in place, unchanged, for long periods of time, has been upended in today’s environment. As new business models and services emerge, such as ridesharing services and initial coin offerings, government agencies are challenged with creating or modifying regulations, enforcing them, and communicating them to the public at a previously undreamed-of pace. And they must do this while working within legacy frameworks and attempting to foster innovation.

As seen from the history of early automobile regulation (see “A history lesson” sidebar), tough restrictions on motor vehicles—laws designed to protect pedestrians, horse-drawn carriages and even cattle—delayed advances in automobile development by decades. Today, regulators face similar challenges. They must balance their charge to protect citizens with advancing innovation in new technologies and businesses, resisting the urge to overregulate.

This study is the first in a series of Deloitte papers on the future of regulation. The next study will explore how regulators can utilize technologies and tools like machine learning, text analytics, and design thinking to dramatically change the way they operate, generate efficiencies, cut costs, and increase compliance and adoption.

This paper begins by exploring the unique regulatory challenges posed by digital-age technologies and business models. Section two describes the four critical questions policymakers and regulators must address when it comes to regulating the digital economy. Finally, section three provides a set of five principles to guide the future of regulation:

  1. Adaptive regulation. Shift from “regulate and forget” to a responsive, iterative approach.
  2. Regulatory sandboxes. Prototype and test new approaches by creating sandboxes and accelerators.
  3. Outcome-based regulation. Focus on results and performance rather than form.
  4. Risk-weighted regulation. Move from one-size-fits-all regulation to a data-driven, segmented approach.
  5. Collaborative regulation. Align regulation nationally and internationally by engaging a broader set of players across the ecosystem.

Challenges to traditional regulation

Scholars have identified a host of challenges emerging technologies present to traditional regulatory models, ranging from coordination problems to regulatory silos to the sheer volume of outdated rules.1 We have grouped four of the most important challenges into two buckets: business and technological (see figure 1).

Business challenges

The pacing problem

“Can regulators keep up with fintech?”2 “Drone regulators struggle to keep up with the rapidly growing technology.”3 “Regulatory scramble to stay ahead of self-driving cars.”4 “Digital health dilemma: Regulators struggle to keep pace with health care technology innovation.”5 Headlines like these capture a central challenge to today’s regulators.

Existing regulatory structures are often slow to adapt to changing societal and economic circumstances, and regulatory agencies generally are risk-averse. Rapid adaptation to emerging technology therefore poses significant hurdles for regulators and, in turn, for the technology industries, where change occurs at a rapid rate.

“If the volume and pace of digital transformation continues to remain the way it is, the existing regulatory approach won’t work,” says Bakul Patel, the US Food and Drug Administration (FDA)’s associate center director for digital health. The gap between technological advancements and the mechanisms intended to regulate them—often called the “pacing problem”—is only growing wider. “There’s a disconnect between the speed, iterative development and ubiquitous connected nature of digital health technologies and the existing regulatory structures and processes,” says Patel. “The current regulatory approach is not well-suited to support that fast pace of development.”6

The pacing problem has acquired new urgency due to the speed with which modern innovations are scaling.7 Digital products, services, and industries can become very large, very fast. The policy cycle often takes anything from five to 20 years whereas a unicorn startup can develop into a company with global reach in a matter of months. Airbnb, for example, went from 21,000 arrivals in 2009 to 80 million in 2016.8 Meanwhile, cities and states are still trying to figure out how, and if, they can regulate short-term rental markets.9 Ride-hailing services have experienced similar hyper-growth as regulations in the space struggle to adapt.10

Tightening regulation for new, high-visibility industries brings new political and shareholder pressures. It’s one thing if regulation slows the launch of new firms or industries—and quite another if it strangles their growth.

Financial organizations—or “fintech”—are expected to attract more than $46 billion in investment by 2020.11 But this will depend, in part, on regulation. According to one survey, 53 percent of Asian fintech investors cite tightening regulations as one of the biggest challenges to fintech, second only to risk management, and 89 percent believe these regulations will continue to tighten.12

Industry regulatory challenges are compounded by the existing patchwork of regulations. Many national regulatory systems are complex and fragmented, with various responsible agencies exercising overlapping authority. The trade friction resulting from the redundancies and patchworks of regulation lies at the very heart of today’s trade agenda.

Coordinating with regulators across borders is another challenge. Since the late 1980s, many organizations and consortia have cropped up to serve as independent standards-creation bodies that accommodate the unique needs of emerging technology sectors.13

A history lesson

The history of automobile regulation offers a powerful lesson about the potential dangers of overregulating new technologies and industries. While attempting to develop automobiles in the late 1800s, British innovators were severely restricted by acts of Parliament that originally addressed the dangers posed by steam engines. In particular, the Locomotive Act of 1861 required that “locomotives”—defined as mechanically propelled vehicles—be manned by at least two persons and not exceed 10 mph on turnpike roads or two mph when passing through towns.

In 1865, Parliament significantly tightened the rules with an amendment known as the “Red Flag Act.” This law required self-propelled vehicles to be manned by a crew of at least three, with one person walking at least 60 yards ahead of the vehicle, carrying a red flag to warn pedestrians and other vehicles—including horse-drawn carriages—of the approaching locomotive. In addition, the act reduced the speed limit of self-propelled vehicles to 4 mph on highways, while maintaining the two-mph speed limit in towns and villages.14 The act was eventually repealed in 1896, but by that time its provisions had effectively stifled the development of road transport in the British Isles.15

In the United States, several states passed similar “red flag” laws in the late 1800s, to provide safety measures for early automobiles. Pennsylvania contemplated one of the most infamous red flag pieces of legislation in 1896, which would have required all motorists, upon encountering cattle or livestock, to immediately stop, “as rapidly as possible disassemble the automobile,” and “conceal the various components out of sight, behind nearby bushes until equestrian or livestock is sufficiently pacified.” The governor vetoed it.16

The point of this history lesson is not that no regulation was needed. Rather, it illustrates that the regulation enacted tended to reflect an understanding of yesterday’s technologies instead of what was emerging at the time.17 These examples illustrate the “too fast” problem. Regulators are trying to avoid this while simultaneously avoiding the “too slow” problem.

A good example of the latter is the continuing consumer exposure to radioactivity after its dangers were well understood. Hermann Joseph Muller first recognized the genetic effects and increased cancer risk associated with radiation exposure in 1927. But products such as the toy Radiumscope were still being sold into the 1940s18 and X-ray shoe-sizers were still being used until the 1970s.19

Disruptive business models

Many information-economy activities have developed in utter disregard of the executive branch organization chart, cascading around and across existing lines of authority.20

—Julie E. Cohen, professor of law and technology, Georgetown Law School

Disruptive forms of technological change often cross traditional industry boundaries. As products and services evolve, they can shift from one regulatory category to another. For example, if a ride-hailing company begins delivering food, it can fall under the jurisdiction of health regulators. If it expands into helicopter service, it will fall under the purview of aviation regulators. If it uses autonomous vehicles for passengers, it may come under the jurisdiction of telecommunications regulators.21

Despite facing often challenging regulatory regimes, ride-hailing companies have grown rapidly and have put an enormous amount of pressure on traditional regulatory regimes. Maintaining consistency in rules and regulations is particularly difficult in the sharing economy, which often blurs lines between vendors, facilitators, and customers.

The evolving, interconnected nature of disruptive business models also can make it difficult to assign liability for consumer harm. For example, if a self-driving car crashes, who is liable—the software developer, automobile owner, or the occupant?

Volvo Cars, the Swedish automaker, expects liability to shift from the driver to the manufacturer. “Carmakers should take liability for any system in the car,” Anders Karrberg, vice president of government affairs at Volvo Car Corp., told the U.S. House Energy and Commerce Committee's Digital Commerce and Consumer Protection subcommittee. “So, we have declared that if there is a malfunction to the [driving] system when operating autonomously, we would take the product liability.”22

Similarly, consider 3D-printed products. How should product liability laws be applied? Who is liable if 3D-printed furniture fails? Is it the store that printed the part, the supplier of the design, or the printer manufacturer?

In the case of virtual currencies, the anonymous, decentralized nature of transactions presents a particularly difficult challenge for regulators. In June 2016, the Decentralized Autonomous Organization—a project using the Ethereum blockchain-based platform—was drained of $55 million when an attacker exploited a flaw in the code.23 To date, the culprit hasn’t been identified and questions of liability remain.24 In this case and others, the properties that make technology appealing also can allow scam artists and hackers to take advantage of the industry’s overall lack of maturity.25

Technological challenges

We have a legal, regulatory framework built on the basis of mail, paper, words, versus a new world order which is digital, continuous, 24/7, and built on bits and bytes. Somehow we need to square these two worlds.26

—Aaron Klein, policy director, Center on Regulation and Markets, Brookings Institution

Data, digital privacy, and security

The growing use of smartphones, connected devices, and sensors has created a vast digital footprint in consumers’ lives—a trend that will only accelerate.

From a regulatory perspective, one important question is who owns all this data—the user or the service provider who stores it? If the service provider owns the information, what obligation does it have to store and protect it? And to what extent can data be shared with third parties? Can a car manufacturer charge a higher price to car owners who refuse the right to share their private data and less to those willing to share their data?

With no single global agreement on data protection, regulators around the world are taking different positions on these issues. Nearly 30 percent of nations have no data protection laws.27 Those that do often have conflicting laws.28 The EU’s General Data Protection Regulation (GDPR), for instance, enshrines the principle of privacy, providing strict controls over cross-border data transmissions and giving citizens the right “to be forgotten.”29 In a survey, 82 percent of Europeans say they plan to use their new rights to see, limit, or erase their data.30 The US approach, by contrast, focuses on sector-specific rules (such as health care, financial, and retail) and state laws.

One emerging sector impacted by data regulation is digital health. A key development in digital health technology is Software as a Medical Device (SaMD), which can diagnose medical conditions, suggest treatments, and inform clinical management. SaMD allows patients to play a more active role in their own health care.

Regulatory agencies generally have regulated SaMD in much the same way as traditional medical devices such as heart stents. As the FDA has noted, however, this approach isn’t “well-suited for the faster, iterative design, development, and type of validation used for software-based medical technologies.”31

A stent remains untouched by the device maker once it’s released into the market. Software developers, though, can make continuous changes to their products remotely, after release. These changes may be related to security, feature updates, or improvements based on the data collected from users. But current regulatory practices emphasize vetting before products are released.

Another key regulatory challenge in the digital arena is cybersecurity.32 “Malicious cyberactivity has proliferated,” says the EC’s Andrus Ansip. “It has become more brazen and sophisticated, more imaginative, and international.”33 Cybersecurity is particularly critical in areas such as fintech, digital health, digital infrastructure, and intelligent transportation systems. The financial services industry was attacked 130 million times in 2017, while cyberattacks in the payment space alone have risen by 452 percent since 2015.34

In the digital health field, SaMDs continually collect and analyze data on medical images, physiological status, lab results, and more, raising potentially serious concerns about the protection of patient data. Autonomous vehicles could be targets of cyberattacks as well. What precautions should developers of autonomous vehicles take to ensure malicious hackers won’t force vehicles to crash or manipulate signals to cause traffic jams?

AI-based challenges

In an April 2017 poll by survey firm Morning Consult, 71 percent of respondents felt there should be national regulations on AI in the United States, and 67 percent called for international regulations regulating AI technology.35 Yet AI in its various forms poses some of the most difficult challenges to traditional regulation.

The “black box” problem. Algorithms today make scores of strategic decisions, from approving loans to determining heart-attack risk. Given the importance of algorithms for consumers and businesses, it is important to understand them and make sense of their decisions. But algorithms often are closely held by the organizations that created them, or are so complex that even their creators can’t explain how they work. This is AI’s “black box”—the inability to see what’s inside an algorithm.

In response, some experts in the field have suggested making algorithms open to public scrutiny. Many aren’t made public because of nondisclosure agreements with the companies that developed them. That’s likely to change, however, at least in the European Union. In May 2018, the GDPR went into effect requiring companies to be able to explain how algorithms using the personal data of customers work and make decisions.36

Algorithmic bias. Algorithms are routinely used to make vital financial, credit, hiring, and legal decisions. In theory, this should lead to unbiased and fair decisions. But some algorithms have been found to have inherent biases. And while in some countries regulations explicitly prohibit discrimination in these and other areas, gray areas exist and often the underlying algorithms are opaque.

“People are basically getting or not getting those things that they need based on scores that they don’t understand and sometimes don’t even know exist,” says Cathy O’Neil, author of Weapons of Math Destruction. “Right there you already have something very dangerous.”37

A widely cited example of algorithmic bias was found in a study conducted by Harvard faculty member Latanya Sweeney. Her study concluded that searches for stereotypical African-American names are up to 25 percent more likely to be displayed alongside an arrest-related ad. Sweeney gathered this evidence by collecting more than 2,000 names suggestive of race. For example, first names such as Terrell, Tyrone, and Ebony suggest the person is black, while Amy, Jake, and Emma suggest the person is white.38

The critical questions

As government policymakers and regulators grapple with the regulatory challenges posed by digital technologies, four foundational questions are critical to address (see figure 2):

  • What’s the current state of regulation in the area?
  • What’s the right time to regulate?
  • What’s the right approach to regulation?
  • What has changed since regulations were first enacted?

1. What’s the current state of regulation?

The first step in the preregulatory phase should involve a thorough review and understanding of pertinent existing regulations, looking for those that might be blocking innovation, are outdated, or are duplicative. By current state, we refer to the whole ecosystem of regulation that could apply: from vertical service or sector regulation, for example, for motor vehicles; to convergent regulation where multiple sectors are involved; to lateral regulation such as employment or business licensing.

Often such a review hasn’t been done in many years. A Deloitte analysis of the 2017 US Code of Federal Regulations found that 68 percent of federal regulations have never been updated (see figure 3).39

A retrospective review forces regulators to evaluate whether alternatives to regulation or adjustments to current rules could adequately address the perceived problem.40 Denmark, for example, has created a task force to challenge outdated legislation and regulations in the wake of disruptive business models.41 The Danish Ministry of Environment and Food is home to one of the more aggressive regulatory modernization efforts. This includes cutting the number of regulations in its portfolio by one-third, plans to slash the number of laws it administers from 90 to 43, and an update of all existing laws to conform to the digital age.42

2. What’s the right time to regulate?

How can regulators avoid the “too fast” or “too slow” problem? A number of the principles outlined in the next section of the paper (particularly principles one and two, adaptive regulation and regulatory sandboxes) are designed to help answer the “when” question, both by bringing regulators closer to technological innovations and by shifting to a more agile regulatory model.

3. What’s the right regulatory approach?

Policymakers have a host of reasons for regulating, but generally, they are trying to protect citizens, promote competition, and/or internalize externalities. Which of these reasons is most important in a given situation will impact how to answer the next critical question: What’s the best regulatory model to use? A wide variety of potential approaches exist between heavy, precautionary regulation on one end of the spectrum and little to no regulation on the other end (see figure 2).

And indeed, in areas ranging from cryptocurrencies to autonomous vehicles, we’re seeing regulatory models across the spectrum. Consider regulations pertaining to unmanned aerial systems (UAS), or drones. Governments have increasingly opted for one of two paradigms in building regulatory systems: UAS allowance (broader permissiveness of UAS usage) or UAS restriction (usage permitted only within specific limits).

When answering the “what is the right approach?” question, an important consideration is what regulation scholar Adam Thierer calls “global innovation arbitrage.” As he explains: “Capital moves like quicksilver around the globe today as investors and entrepreneurs look for more hospitable tax and regulatory environments. The same is increasingly true for innovation. Innovators can, and increasingly will, move to those countries and continents that provide a legal and regulatory environment more hospitable to entrepreneurial activity.”43

We have already seen this scenario play out with genetic testing, unmanned aerial systems, autonomous vehicles, and the sharing economy.

4. What has changed since regulations were first enacted?

Considering the rapid rate at which emerging technologies are progressing and business models evolving, it is a good bet that in order to stay relevant, regulations applied today will need to be revisited within the next decade or so. There are a variety of ways to institutionalize such automatic reviews; these range from regulatory sunsetting with periodic review44 to processes like the European Union’s Regulatory Fitness and Performance (REFIT) program, which conducts retrospective evaluations to look for laws that are obsolete or in need of revision.

Principles for regulating emerging technologies

The following five principles can help to answer the “when to regulate” and “how to regulate” questions and set a foundation for rethinking regulation in an era of rapid technological change (see figure 4).

1. Adaptive regulation

Shift from “regulate and forget” to a responsive, iterative approach.

Rapid change, pivoting business models, and experimentation are hallmarks of technology-driven businesses—but are rarely the norm in regulation.

Traditionally, regulators conceptualize new rules and regulations in response to market developments or new legislation. Next, they spend months or years drafting rules and presenting a first draft for public comment. Finally, they examine these comments—and there can be tens of thousands or even millions of them—and change the proposed draft accordingly.

The problem with this process is twofold: First, regulators often don’t really know how businesses and consumers will react to new regulations; and second, the rules are rarely reconsidered once in effect.45

Adaptive approaches to regulation, on the other hand, rely more on trial and error and co-design of regulation and standards; they also have faster feedback loops. More rapid feedback loops allow regulators to evaluate policies against set standards, feeding inputs into revising regulations. Regulatory agencies have a number of tools to seek such feedback: setting up policy labs, creating regulatory sandboxes (detailed in the next section), crowdsourcing policymaking, and providing representation to industry in the governance process via self-regulatory and private standard-setting bodies.46

The National Highway Traffic Safety Administration (NHTSA)’s 2016 Federal Automated Vehicles Policy offers an example.47 By taking an iterative approach in designing policy for autonomous vehicles, the NHTSA responded to new data and technologies to make significant revisions to its initial policy of 2017.48

Soft law mechanisms—instruments or arrangements that create substantive expectations that are not directly enforceable—offer another tool for shifting to more adaptive regulation.49 Unlike hard law requirements such as treaties and statutes, soft law can include informal guidance, a push for industry self-regulation, best-practice guidance, codes of conduct, and third-party certification and accreditation.

While not legally binding, soft law instruments have several advantages over formal regulation in the arena of emerging technologies. They allow regulators to adapt quickly to changes in technology and business models, and to address issues as they arise without stifling innovation.50 Moreover, through deep engagement with affected stakeholders, they help regulators understand the nuances of the technology and its potential impacts.

One way regulators can apply soft law is to define the scope of issues to be addressed and ask industry to develop its own standards and codes of conduct in response. Elizabeth Denham, the UK’s information commissioner, has said that regulators should develop broad principles so that industry leaders can develop standards to align with them.51 Regulators then can certify the standards developed by private industry.

Concept in practice: Finland reforms its transportation regulation

Finnish officials recognized the need to reform their transport regulations to support their vision of mobility-as-a-service (MaaS), which considers transportation as an integrated system of different services. “We have to look at the transport system as one entity, with no borders and the ability to share data on payments, tickets, and location,” says Anne Berner, Finland’s minister of transport and communication.

Hence, the country decided not to reform or revise separate laws on taxis, public transport, roads, or the transport of goods but instead to create a new integrated transportation code. “We decided to remove those old laws and create a new transport code that incorporates all transport modes into one piece of legislation, to be technology-neutral, and to create the same level playing field for different transport modes,” Berner says. The aim is to deregulate existing transport while building the foundations for MaaS.52

2. Regulatory sandboxes

Prototype and test new approaches by creating sandboxes and accelerators

An accelerating trend for regulatory agencies is the creation of accelerators and “sandboxes,” in which they partner with private companies and entrepreneurs to experiment with new technologies in environments that foster innovation. “The role of a regulator is no longer just a regulator; it's more of a partner in bringing safe and effective technologies to the table for people to have that high confidence in those technologies,” says the FDA’s Patel.53

Accelerators are designed to speed up innovation. They often involve partnerships with private companies, academic institutions, and other organizations that can provide expertise in certain areas. Sandboxes are controlled environments allowing innovators to test products, services, or new business models without having to follow all the standard regulations (see figure 5).

The Canadian Securities Administrators (CSA), for example, launched a regulatory sandbox that provides time-limited relaxation from certain regulatory requirements placed on startups.54 “The objective of this initiative is to facilitate the ability of those businesses to use innovative products, services, and applications all across Canada, while ensuring appropriate investor protection,” says Louis Morisset, CSA chair and president and CEO of the Autorité des Marchés Financiers.55

Impak Finance, for instance, became the first company ever to legally raise $1 million via a cryptocurrency crowdsale in the Americas.56 As part of the CSA sandbox, it was exempted from registering as a security dealer and providing a prospectus. Impak will be allowed to remain in the sandbox for two years.57

Meanwhile, the United States is piloting a sandbox approach for unmanned aerial systems (UAS). The Department of Transportation’s Federal Aviation Administration has chosen 10 public-private partnerships to test UAS. “The pilot programs will test the safe operation of drones in a variety of conditions currently forbidden,” says Transportation Secretary Elaine Chao. These include operations over the heads of people, beyond the line of sight, and at night. “Instead of a dictate from Washington, this program takes another approach,” Chao says. “It allows interested communities to test drones in ways that they’re comfortable with.”58

Sandbox approaches are intended to help regulators better understand new technologies and work collaboratively with industry players to develop appropriate rules and regulations for emerging products, services, and business models.59

Sandboxes are not without their detractors, who worry regulators might get too close to the startups and try to prop them up if they stumble in the market.60 With this in mind, the Brookings Institution’s Aaron Klein suggests a better metaphor might be that of a greenhouse: “A greenhouse is a thing in which small plants are put into full sunshine and transparency and allowed a unique environment that's different from the outdoor environment. By definition, it’s more protected and hospitable, and in time, it allows the plants to grow and flourish. Some of the companies in your greenhouse might fail, just like some plants in your garden die; others will grow and flourish, but there's full transparency, with some protection.”61

Concept in practice: The UK Financial Conduct Authority’s regulatory sandbox

The United Kingdom has been a pioneer in the use of accelerators and sandboxes as part of the regulatory process. Its Financial Conduct Authority (FCA), as part of its broader Project Innovate, launched the first fintech regulatory sandbox in June 2016. This sandbox allows businesses to test innovative products and services in a safe, live environment, with the appropriate consumer safeguards, and, when appropriate, is exempt from some regulatory environments.62 After its first year of operation, 90 percent of firms that completed testing in its first cohort were continuing toward a wider market launch, and more than 40 percent received investment during or following their sandbox tests.

The FCA released a report on what it learned from its first year. Some key lessons include:

  • Reduced time to market. Access to the regulatory expertise the sandbox offers reduced the time and cost of getting innovative ideas to market.
  • Facilitated investor funding. The feedback received from participating firms indicated that investors can be reluctant to work with companies not yet authorized by the FCA due to regulatory uncertainty.
  • Product and market testing. Many firms in the sandbox used the platform to assess the consumer traction and viability of their business models. Testing in the live environment helped businesses understand consumers’ reception to new pricing strategies or new technologies. This enabled them to constantly iterate on the business model.63
  • Testing viability of the underlying technology. The FCA conducted technology and cybersecurity reviews of the firms when setting up the sandboxes. This allowed the firms to test the viability of their underlying technology and build in appropriate measures to minimize cyber risk.64
  • Better consumer safeguards. Working closely with the FCA encouraged fintech startups to develop business models that mitigated risks for consumers. For example, all firms testing the use of digital currency for payment transfers were required to guarantee the funds being transferred and pay full refunds if they were lost in transfer.65
  • Reduced challenges in data sharing. For a few firms, their business model relied on obtaining users’ transactional data on loans, credit cards, current accounts, and pension balances from other financial institutions. Without a formal mechanism for data sharing in place, it was difficult for such firms to directly approach institutions.

3. Outcome-based regulation

Focus on results and performance rather than form

Traditionally, regulations have tended to be prescriptive and focused on inputs. When the focus of regulation shifts from inputs to outcomes, the way government intervenes in markets changes. This shift can create operational efficiencies for regulators and greater freedom for innovators.

Outcome-based regulation specifies required outcomes or objectives rather than defining the way in which they must be achieved. This model of regulation offers businesses and individuals more freedom to choose their way of complying with the law.

Prioritizing performance and outcomes enables governments to develop regulations (or other, softer mechanisms such as guidelines) that focus on the positive effects regulators are looking to encourage (or the negative effects they’re looking to prevent). Consider three different ways of structuring UAS regulations:

  • You must have a license to fly a drone with more than xx kilowatts of power (input—not very helpful).
  • You cannot fly a drone higher than 400 feet, or anywhere in a controlled airspace (output—better).
  • You cannot fly a vehicle in a way that endangers human life (outcome—best; addresses the impact or effect it has).

Often, emerging technologies’ real potential can be harnessed only when they are meshed together, such as using blockchain to secure data generated by autonomous vehicles, or using a combination of machine learning and natural language processing to prescribe medication via a chatbot. For such connections to happen, innovators need room to innovate. Outcome-based regulation can provide the leeway needed to experiment.

Concept in practice: Australia’s guidelines for autonomous vehicles

Australia has developed performance-based guidelines for autonomous vehicles. “Guidelines are preferable to legislation as they allow the flexibility to be quickly amended and updated, if required,” states a policy paper by Australia’s National Transport Commission (NTC). The paper goes on to say that regulations for automated vehicles should be “proportionate, performance-based, and regularly reviewed.”66

Paul Retter, NTC chief executive, believes multiple issues should be addressed before making autonomous vehicles a reality on the road. “Our focus is on ensuring the regulatory system remains flexible enough to accommodate evolving technologies as they come to market while always prioritizing public safety,” says Retter.

Industry stakeholders also are evaluating performance-based standards. The Australian Automobile Association suggests that standards for automated vehicles should be performance-based and technology-agnostic, and that the responsible parties and processes for certifying vehicle modifications should be clearly identified and unambiguous.67

4. Risk-weighted regulation

Shift from one-size-fits-all regulation to a data-driven, segmented approach

Speed to market is imperative for businesses, especially startups with business models predicated on emerging technologies. Speed to market also can make digital services and products more effective. As they are used, they usually collect data on their users. With the help of advanced analytics and, in many cases, AI, the data can then be analyzed to detect new patterns and trends, information that can make the product more accurate, safe, effective, and personalized. Because of this iterative factor, the sooner safe and effective products get to the market, the better.

One way to accelerate the approval of business models based on emerging technologies would be to draw inspiration from the precheck systems for airline travel used in many countries. These work by using data to certify low-risk flyers, who then receive a lower level of scrutiny and inspection.

A similar approach could be used to help expedite approvals of new business models. It would allow certain companies to go through a streamlined and predictable approval process, contingent on their providing access to key information.

The State of New Jersey allows commercial trucks enrolled in NJPass to bypass weigh stations. Qualification is based on their Federal Motor Carrier Safety Administration rating and data on history of roadside inspections.68 “This system [focuses] on higher-risk carriers and provide[s] more efficient use of our limited New Jersey State Police resources,” explains Paul Truban, NJDOT’s manager of the Bureau of Freight Planning and Services.69

A data-driven, risk-based approach shouldn’t be just limited to preapprovals, however. It can be extended to a dynamic, regulatory approach, based on real-time data flows between companies and their regulators. Already, many regulatory bodies, from the US Securities and Exchange Commission to the European Commission, have established such data flows with industry.70

The resulting data could then be analyzed and compared with regulations or expected outcomes to decide whether a firm is in compliance. Firms in compliance would be listed as safe, and if not, the data systems could produce a set of action items to meet the standard, or, in the case of a more serious violation, issue reprimands or penalties such as removal from the safe list.

Regulators also can use open data to complement their own data or for independent inspection. In the case of digital health software, a regulator could monitor products through publicly available data on software bugs and error reports, customer feedback, software updates, app store information, social media, and GitHub.71 Once the data flows are integrated, this part of the regulatory process can be automated. Enforcement can become dynamic and reviewing and monitoring can be built into the system.

Consider an experiment in the city of Boston. The city’s usual food safety process, which relied on random selections of restaurants for further scrutiny, needed improvement. The city’s data portal72 hosts public data on restaurant food safety inspections as well as many other aspects of city life. To more effectively identify restaurants in need of regulatory attention, the city collaborated with Yelp and Harvard Business School to sponsor an open competition to develop an algorithm that could predict health code violations. More than 700 contestants participated, using restaurant inspection data and years of Yelp reviews.73

While participants analyzed the reviews, looking for common words and phrases,74 Harvard economists evaluated the submissions against the city’s actual inspection reports. The verdict: The winning algorithm could improve inspectors’ ability to find violations by 30 percent to 50 percent.75

Yet another form of risk-based regulation could lower the high entry cost of regulatory certification. Daniel Castro of the Center for Data Innovation suggests moving to a “cloud computing model of regulation,” in which scalability is built into the regulatory model. For instance, if a company’s product or service were targeted toward only a few users, it might receive fewer checks since its potential adverse impact would be limited. Only after that company grew and began selling its products more widely would it encounter a more thorough investigation.76

Concept in practice: The FDA’s Pre-Cert process

For certain digital health products, the FDA already uses risk-based approaches that balance potential risks with patient benefits.

As part of its Digital Health Innovation Action Plan, the FDA created a Pre-Cert pilot program for eligible digital health developers that demonstrate a culture of quality and organizational excellence based on objective criteria—for example, excelling in software design, development, and testing. The pilot intends to look “first at the software developer or digital health technology developer, not the product.”77

The idea behind this is to allow the FDA to accelerate time to market for lower-risk health products and focus its resources on those posing greater potential risks to patients. Precertified developers could market lower-risk devices without additional FDA review, or with a simpler premarket review.

But precertification is just one part of the model; the FDA intends to monitor the performance of these companies continuously, with real-world data. Scorecards and corresponding Pre-Cert levels could go up or down based on performance and effectiveness data. If scores fall below a defined threshold, the organization might lose certain benefits, such as expedited reviews for less-risky products or eligibility for Pre-Cert status until it can resolve any product issues through a new assessment.78

5. Collaborative regulation

Align regulation nationally and internationally by engaging a broader set of players across the ecosystem

A recent global survey of more than 250 experts and leaders of financial institutions indicated that regulatory divergence—inconsistent regulations across different nations—costs financial institutions from 5 percent to 10 percent of their annual revenue. The patchwork of international financial regulations costs the global economy $780 billion annually.79

As the digital economy expands, with new business models, technologies, products, and services, regulators around the world can benefit from collaborative approaches such as co-regulation, self-regulation, and international coordination. Through multi-stakeholder meetings that produce concrete policy guidance and voluntary standards, regulators and firms as well as other interested parties can be engaged in the process.

This ecosystem approach—when multiple regulators from different nations collaborate with one another and with those being regulated—can encourage innovation while protecting consumers from potential fraud or safety concerns. In this approach, private, standard-setting bodies and self-regulatory organizations also have key roles to play in facilitating collaboration between innovators and regulators.

The fintech space has shown glimpses of regulatory convergence (see figure 6). For example, Singapore has signed 16 agreements with entities in 15 different countries. These agreements include information exchanges with other nations’ regulators and regulated businesses, referrals of firms attempting to enter a regulatory partner’s nation, and guidance for companies on the regulations of nations they wish to enter.80 Such agreements could lead to standard frameworks and guidelines across nations.

Global and regional institutions can play a key role in facilitating these cross-border agreements. The Asia-Pacific Economic Cooperation, for example, enables cross-border data flow among its members through a set of principles and guidelines designed to establish cross-border privacy protections while avoiding barriers to information flows. Businesses agree to follow the privacy rules; independent entities monitor and hold the companies accountable for privacy breaches.81

Concept in practice: Internet governance and multi-stakeholder engagement

In certain instances, regulators can benefit from working directly with businesses, innovators, and other players to define rules for emerging technologies. For example, the internet’s decentralized, global structure defied regulatory logic and demanded a new framework to address its revolutionary nature.

In 1997, after considering various regulatory approaches to internet governance, the Clinton Administration released a set of principles called The framework for global electronic commerce to guide the development of digital communications technologies. The framework outlined a number of general principles to guide the government’s treatment of cyberspace and forestall aggressive regulatory action. Among these:

  • The private sector should lead.
  • Governments should avoid undue restrictions on electronic commerce.
  • Where governmental involvement is needed, its aim should be to support and enforce a predictable, consistent, and simple legal environment for commerce.
  • Governments should recognize the internet’s unique qualities.
  • Electronic commerce through the internet should be facilitated globally.82

Taken together, these principles establish a de facto regulatory structure that sidesteps the traditional process for promulgating new rules in favor of a system of co-regulation and multi-stakeholder engagements. Such systems can help induce constructive dialogue among various stakeholders who might otherwise be less amenable to compromise.


For technological innovation, regulation can be catalytic—or a hindrance. As emerging technologies evolve, regulators from around the world are rethinking their approaches, adopting models that are agile, iterative, and collaborative to face the challenges posed by emerging technologies and the fourth Industrial Revolution. To promote innovation, regulators are also moving toward creating outcome-based regulations and testing new models in sandboxes. The principles outlined in this paper can help regulators balance consumer protection and innovation effectively. This is the first study in our series on the future of regulation. Look for our additional papers in the months and years ahead.

Center for Government Insights


Mitali Chatterjee, Neha Malik, Mahesh Kelkar, and Sushumna Agarwal from the Deloitte Center for Government Insights also contributed to the research of the project, while John O’Leary, Bruce Chew, and Melissa Majerol from the center provided thoughtful feedback on the drafts. David Noone and Ally Landers played a critical role in project coordination. Swapnil Kuldiwar provided research support for some important sections of the study.


Dozens of subject matter experts from throughout the Deloitte network contributed to this report. In particular, the authors would like to thank Allan Mills, Simon Cooper, Ellen Derrick, and Florian Linz of Deloitte Australia; Christiane Cunningham, Patrick Wauters, Helena Vieira Gomes, Martina Barbero, Karim Moueddene, Hilde Van de Velde, and Richard Doherty of Deloitte Belgium; Howard Yeung, Saad Rafi, Charles Perron, Richard Carlson, James Gordon, Andrew Medd, Jerrett Myers, Keith Davis, Alan Ribeiro, and Andy Potter of Deloitte Canada; Carsten Joergensen, Claus Frelle-Petersen, and Gustav Jeppesen of Deloitte Denmark; Arindam Guha of Deloitte India; Grant Frear and David Lovatt of Deloitte New Zealand; Margaret Doyle, Valeria Gallo, David Strachan, and Suchitra Nair of Deloitte UK; James Ladd, Val Srinivas, Hemal Vaidya, Asif Dhar, Christopher Cormack, Beth Flores, Paul Tatton, Corrine Schmidt, Shrupti Shah, and Paul Sallomi of Deloitte Consulting LLP; and David Gruner, David Barnes, Christopher Spoth, Katherina Sityar, and Justin Seewald of Deloitte Touche Tohmatsu.


The authors would also like to thank the following individuals for their insights and inputs on the report: Bakul Patel from the US Food and Drug Administration (FDA), Murray Jack from the New Zealand Financial Markets Authority, Burkhard Ober from Alliance SE, Paolo Perotti from the Danish Ministry of Environment and Food, Daniel Castro from the Center for Data Innovation, Adam Thierer and Jerry Ellig from the Mercatus Center at George Mason University, Marcus Peacock from the Business Roundtable, and Aaron Klein from the Brookings Institution.


Cover image by: Kotryna Zukauskaite

  1. Ryan Hagemann, Jennifer Skees, and Adam Thierer, “Soft law for hard problems: The governance of emerging technologies in an uncertain future,” Colorado Technology Law Journal, February 5, 2018, p. 30.

  2. Gary Stern, “Can regulators keep up with fintech?” Yale Insights, December 13, 2017.

  3. Andy Pasztor and Robert Wall, “Drone regulators struggle to keep up with the rapidly growing technology,” Wall Street Journal, July 10, 2016.

  4. Nathan Bomey and Thomas Zambito, “Regulators scramble to stay ahead of self-driving cars,” USA Today, June 25, 2017.

  5. David Raths, “Digital health dilemma: Regulators struggle to keep pace with health care technology innovation,” Government Technology, January 13, 2015.

  6. Interview with Bakul Patel, May 7, 2018.

  7. Interview with Adam Thierer and Mercatus Center at George Mason University, June 6, 2018.

  8. Rani Molla, “Airbnb is on track to rack up more than 100 million stays this year—and that’s only the beginning of its threat to the hotel industry,” Recode, July 19, 2016; Nathan McAlone, “This chart shows exactly how insane Airbnb’s growth has been over the past 5 years,” Business Insider India, September 8, 2015.

  9. Patrick Tuohely, “Cities and states are struggling to regulate Airbnb,” The Hill, January 10, 2018.

  10. Ian Hathway and Mark Muro, “Ridesharing hits hyper-growth,” Brookings The Avenue, June 1, 2017.

  11. Nate Nead, “Fintech: General industry overview 2017,” Investment Bank.

  12. AMTD Asset Management, Global FinTech survey report, August 20, 2017, p. 28.

  13. Andrew Updegrove, “Standards, cycles and, evolution: Learning from the past in a new era of change,” Consortium Standards Bulletin, May 2005.

  14. Wolverhampton History & Heritage Website, “Car building,” accessed June 11, 2018.

  15. Encyclopedia Britannica, “History of automobile,” accessed June 11, 2018.

  16. Enacademic, “Red flag laws,” accessed June 11, 2018.

  17. Bill Loomis, “1900–1930: The years of driving dangerously,” Detroit News, April 26, 2015. In 1917, Detroit and its suburbs had 65,000 cars on the road, resulting in 7,171 accidents and 168 fatalities. Three-fourths of the victims were pedestrians, reflecting the need for regulations.

  18. Adrienne Crezo, “9 ways people used radium before we understood the risks,” Mental Floss, October 9, 2012.

  19. Wikipedia, “Shoe-fitting fluoroscope,” June 11, 2018.

  20. Julie E. Cohen, “The regulatory state in the information age,” Theoretical Inquiries in Law, 17, no. 2 (2016).

  21. Hagemann, Skees, and Thierer, “Soft law for hard problems.”

  22. Ashley Halsey III, “When driverless cars crash, who gets the blame and pays the damages?” Washington Post, February 25, 2017.

  23. David Siegel, “Understanding the DAO attack,” Coin Desk, June 15, 2016.

  24. Matthew Leising, “The ether thief,” Bloomberg, June 13, 2017.

  25. Dong He et al., “Virtual currencies and beyond: Initial considerations,” International Monetary Fund, January 2016.

  26. Interview with Aaron Klein, Washington, DC, May 22, 2018.

  27. United Nations Conference on Trade and Development, “Data protection regulations and international data flows: Implications for trade and development,” p. 8.

  28. For example, some laws exclude small businesses (e.g., Australia and Canada). Other common exemptions apply to types of data subject (e.g., only to children, or to employee data); the sensitivity of data (e.g., only to sensitive data such as medical or financial records); sources of data (e.g., restricted to either online or offline data collection); and sectoral data (e.g., exemptions related to the private and public sector, or laws that are restricted to specific sectors such as health and credit). See United Nations Conference on Trade and Development, “Data protection regulations and international data flows: Implications for trade and development.”

  29. Andrada Coos, “EU vs US: How do their data protection regulations square off?,” Endpoint Protector, January 17, 2017.

  30. Pega, “GDPR: Show me the data,” December 2017.

  31. Food and Drug Administration, “Digital action plan,” accessed June 11, 2018.

  32. There are already regulations in place to tackle cybersecurity, such as Cyber Security Information Sharing Act (US), The German IT Security Law (Germany), and The Cybersecurity Act (Singapore).

  33. European Commission, “Speech by vice-president Ansip on cybersecurity at the RSA conference 2018,” April 18, 2018.

  34. ThreatMatrix, Q4 2017 cybercrime report, 2017.

  35. Morning Consult, National tracking poll #170401: March 30–April 01, 2017, April 2017.

  36. Bahar Gholipur, “We need to open the AI black box before it’s too late,” Futurism, January 18, 2018; European Commission, “A European approach on artificial intelligence,” press release, May 22, 2018.

  37. Nikhil Sonnad, “Data scientist Cathy O’Neil on the cold destructiveness of big data,” Quartz, December 6, 2016.

  38. MIT Technology Review, “Racism is poisoning online ad delivery, says Harvard professor,” February 4, 2013.

  39. Daniel Byler, Beth Flores, and Jason Lewris, “Using advanced analytics to drive regulatory reform: Understanding presidential orders on regulation reform,” Deloitte, 2017.

  40. Marcus C. Peacock, Sofie E. Miller, and Daniel R. Perez, “A proposed framework for evidence-based regulation,” The George Washington University, February 22, 2018.

  41. Danish Ministry of Business, “Disruption task force,” accessed May 25, 2018.

  42. Interview with Paolo Perotti, Danish Ministry of Environment and Food, May 25, 2018.

  43. Adam Thierer, “Global innovation arbitrage: Driverless cars edition,” Technology Liberation Front, August 22, 2016.

  44. Jon Sanders, “A regulatory reform that’s working: Sunset provisions with periodic review,” The John Locke Foundation, Research Brief, August 17, 2017.

  45. See, for instance, Chris Brummer and Daniel Gorfine, “Fintech: Building a 21st century regulator’s toolkit,” Milken Institute Center for Financial Markets, October 2014.

  46. World Economic Forum, “Agile governance reimagining policy-making in the fourth industrial revolution,” January 2018.

  47. Marcus C. Peacock, Sofie E. Miller, and Daniel R. Perez, “A proposed framework for evidence-based regulation,” Regulatory Studies Center, February 22, 2018.

  48. NHTSA’s revised guidance clarified that guidance is voluntary and that entities do not need to wait to test their automated driving systems. It also removed the elements of registration and certification from its safety assessment letter as both were already subject to state government regulations. The guidance also urged states not to codify the voluntary guidance as some states tried to do with its 2016 guidance. See Marc Scribner, “NHTSA Releases Improved Federal Automated Driving System Guidance,” Competitive Enterprise Institute, September 12, 2017.

  49. Gary E. Merchant and Brad Allenbey, “Soft law: New tools for governing emerging technologies,” Bulletin of the Atomic Scientists, 73, no. 2 (2017), pp. 108–14, DOI: 10.1080/00963402.2017.1288447.

  50. William McGeveran, “Friending the privacy regulators,” Arizona Legal Review (2016), p. 987.

  51. Testimony of Elizabeth Denham, United Kingdom information commissioner, before the House of Commons Committee on Science and Technology, January 23, 2018.

  52. ITS International, “Leading Finland’s transport revolution,” June 2017.

  53. Interview with Bakul Patel, May 7, 2018.

  54. Canadian Securities Administrators, “CSA regulatory sandbox,” accessed June 11, 2018.

  55. Cision, “The Canadian securities administrators launches a regulatory sandbox initiative,” February 23, 2017.

  56. Cision, “1st legal ICO in the Americas: Impak coin raises over $1M up-to-date for social good,” September 5, 2017.

  57. Jack Coles, Peter Reeves, and Georgina Willcock, “Regulator in Quebec accepts ICO into regulatory sandbox,” Lexology, September 19, 2017.

  58. Aaron Boyd, “10 drone programs get federal ok to break the rules,” NextGov, May 9, 2017.

  59. Deloitte and Confederation of Indian Industry, “Regulatory sandbox: Making India a global fintech hub,” July 2017, p. 16.

  60. Interview with Jerry Ellig, Mercatus Center, George Mason University, May 17, 2018.

  61. Interview with Aaron Klein, Brookings Institution, May 22, 2018.

  62. United Kingdom Financial Conduct Authority, “Regulatory sandbox,” November 5, 2015.

  63. Financial Conduct Authority, Regulatory sandbox lessons learned report, October 2017, pp. 5–6.

  64. Ibid.

  65. Ibid., p. 11.

  66. National Transport Commission Australia, Regulatory reforms for automated vehicles, November 2016, pp. 22–29.

  67. National Transport Commission Australia, “Would you travel in an automated vehicle?” May 4, 2018.

  68. Traffic Technology Today, “New Jersey and IRD launch new truck weigh station bypass program,” November 22, 2016.

  69. New Jersey Department of Transportation, “NJPass System will allow commercial truck fleets to bypass weigh stations,” November 18, 2016.

  70. The EU Customs Data Model is based on data provided by traders which not only helps the commission collect revenue and taxes but also in assessing and preventing security risks presented by goods and traders involved in international transactions. See: Jean-Luc Delcourt, “The EU custom model,” EU CDM, June 2016.

  71. Asif Dhar, Mike Delone, and Dan Ressier, “Reimagining digital health regulation: An agile model for regulating software in health care,” Deloitte Center for Government Insights, March 2018, p. 13.

  72. City of Boston, “Data portal.”

  73. Laura Adler, “What can Boston restaurant inspectors learn from Yelp reviews?” Digital Communities, May 26, 2015.

  74. Peter Bull, Isaac Slavitt, and Greg Lipstein, “Harnessing the power of the crowd to increase capacity for data science in the social sector,” 2016 ICML Workshop on #Data4Good, June 24, 2016.

  75. DrivenData, “Keeping it fresh: Predict restaurant inspections,” accessed October 9, 2016.

  76. Interview with Daniel Castro, Center for Data Innovation, May 15, 2018.

  77. Food and Drug Administration, “Digital action plan.”

  78. Dhar, Delone, and Ressier, “Reimagining digital health regulation,” p. 13.

  79. International Federation of Accountants and Business at OECD, “Regulatory divergence: Costs, risks, impacts,” February 2018, p. 4.

  80. U.S. Government Accountability Office, “Additional steps by regulators could better protect consumers and aid regulatory oversight,” February 2018, p. 72.

  81. Joshua P. Meltzer and Peter Lovelock, “Regulating for a digital economy: Understanding the importance of cross-border data flows in Asia,” Brookings Institution, March 20, 2018.

  82. The White House, “The framework for global electronic commerce.”

