IRDAI's Regulatory Sandbox Regulations 2025: Key Changes For Insurance Innovation

Introduction

The IRDAI first introduced the regulatory sandbox framework in 2019 with the objective of permitting controlled experimentation in the insurance sector while maintaining policyholder protection and orderly market development¹. Conceptually, the sandbox operates as a controlled environment for innovation, allowing relaxations to participants from existing compliance requirements without diluting the underlying principles of prudential oversight and policyholders’ interests. The sandbox thus broadly serves a dual function, allowing the IRDAI to oversee experimentation in a controlled setting, while also giving Indian market participants a route to stress test technologies and new business models that are already beginning to influence insurance distribution, underwriting, servicing and claims elsewhere.

The market response to the regulatory sandbox framework appears to have been significant. IRDAI’s own press releases indicate that the sandbox initiative has received more than 350 applications across the first two cohorts², indicating substantial market appetite for testing new products, distribution models, servicing processes and technology-led solutions within a supervised environment. That interest was not merely theoretical, for instance, in the second tranche of approvals granted under the sandbox in 2020³, the IRDAI approved proposals such as Bajaj Allianz’s V-Pay Motor Insurance Product (offering broader coverage for minor scratches, mechanical and electrical breakdowns, etc), TATA AIG’s Parametric Insurance, TATA AIG’s Credit Insurance for TReDS Platform, ICICI Lombard’s Trade Credit Insurance for SME, and several life and health insurance related proposals built around monitoring wellness and prevention such as Health Savings, Outpatient Health Cover, Disease Management and Dynamic Term Cover.

Such a framework remains particularly relevant for emerging insurance models that depend on data, automation and/or alternate distribution modes. IRDAI’s own InsurTech Working Group had, even before the IRDAI (Regulatory Sandbox) Regulations 2025 (“2025 Regulations”), identified artificial intelligence and machine learning in underwriting, wearables in life and health insurance, telematics and IoT in motor insurance, and chatbot or voicebot enabled claims handling as some of the technologies likely to reshape insurance business in India⁴.

Against this backdrop, the 2025 Regulations were notified on 3 January 2025 in furtherance of an exposure draft of 4 November 2024. They repeal the erstwhile IRDAI (Regulatory Sandbox) Regulations 2019 (“2019 Regulations”).

The 2025 Regulations do not merely continue the earlier sandbox regime (which permitted only specific categories of innovation). Consistent with the series of IRDAI regulatory reforms in 2024-25 aimed at shifting from the earlier rule-based to a more principle-based framework, the 2025 Regulations materially widen the sandbox scope by permitting applications for promoting or implementing innovation in insurance in India “across the insurance value chain” and in any area requiring relaxation from any provision of the regulations, notification, master circular, guidelines, circular or other communication issued by the Authority, except for areas involving prudential and financial condition/stability matters such as “capital, liquidity, investment, solvency, reserving” and such other areas as decided by the Authority from time to time⁵.

This article examines the legal architecture of the 2025 Regulations, key changes introduced, potential implications for market participants, and certain aspects common across other sectoral regulators.

Legal Architecture of Regulatory Sandbox

The IRDAI possesses wide powers under the governing statutory framework (ie, the Insurance Act 1938 (“Insurance Act”) and the Insurance Regulatory and Development Authority Act 1999) to relax certain requirements set out under its regulatory framework including for “promoting efficiency in the conduct of insurance business”. In exercise of these powers, the requirements under the 2025 Regulations are as follows:

A.      Eligibility Criteria: Who May Apply?

The 2025 Regulations define an “applicant” broadly⁶. An applicant may be either a licensed entity (such as an Insurer, intermediary, or insurance intermediary) or an unlicensed individual/entity (any person other than an individual having the minimum net worth specified by the Competent Authority⁷, or any other person specified by the Competent Authority seeking singly or jointly permission for promoting innovation in insurance in India).

This is a notable structural change from the 2019 Regulations. Under the earlier framework, the definition of applicant included any person other than an individual having a minimum net worth of Rs. 10 lakhs for the previous financial year and applications were accepted in specified cohorts through a more standardised/controlled approach⁸. This relaxation may also make the sandbox more relevant for arrangements between Insurers and specialist technology vendors. For instance, the IRDAI’s own InsurTech report had contemplated wider use cases⁹ involving wearables, telematics and data based risk assessment, and the 2025 Regulations arguably allow more room to accommodate such arrangements (than the more prescriptive 2019 Regulations).

B.      Scope of Innovation: A wider sandbox

Under the 2019 Regulations, the sandbox categories were limited to: “(a) Insurance Solicitation or Distribution (b) Insurance Products (c) Underwriting (d) Policy and Claims Servicing (e) Any other category recognised by the Authority.” However, as noted earlier, R4 of the 2025 Regulations now allows an applicant to seek permission for promoting or implementing innovation in insurance in India across the insurance value chain and in any area that requires IRDAI relaxation, subject to express carveouts for prudential and financial condition matters.

In other words, the 2025 Regulations move the sandbox from a closed-list framework to a much broader framework contemplating regulatory relaxations where needed. This in turn opens up a wide range of areas potentially for experimentation, including innovations in customer onboarding and digital authentication processes, blockchain-based claims settlement systems, and embedded insurance through third-party platforms.

C.      Conditions for Grant of Permission

Similar to the erstwhile Sandbox Regulations, the 2025 Regulations continue to prescribe the considerations for evaluating sandbox applications. However, 2025 Regulations introduces two new considerations¹⁰, ie (i) bringing efficiency in insurance business, and (ii) promoting ease of doing insurance business, in addition to the earlier considerations: (iii) promoting innovation beneficial to the insurance sector, (iv) serving policyholders’ interests, (v) conduciveness to orderly industry growth, and (vi) potential to increase insurance penetration.

This matters because now under the new framework, an applicant may potentially be able to justify a proposal not only by pointing to novelty or customer benefit, but also by showing that the proposal reduces operational costs and friction for Insurers, improves process efficiency (such as accelerated claims processing timelines), simplifies contract language or regulatory compliance, or otherwise improves how insurance business is carried on.

At the same time, the 2025 Regulations expressly require the applicant to comply with the relevant provisions of the Insurance Act, the IRDA Act 1999, the Digital Personal Data Protection Act 2023 (“DPDP Act”), and all other relevant statutes/regulations, thus clarifying that the regulatory relaxations under the sandbox cannot override primary legislation or other applicable statutes such as the DPDP Act¹¹.

D.      Application Process and Period of Experimentation

R5 of the 2025 Regulations sets out the procedural framework for filing an application. Such application must be made electronically “in the specified form” and accompanied by a non-refundable fee “as specified”. The Competent Authority may lay down such criteria and parameters for the experimentation stage as it deems fit, and may also determine the liabilities and responsibilities of an applicant that is granted permission.

Under the 2025 Regulations, the permission granted is valid for such “experiment period as specified”, and an applicant seeking extension must submit reasons along with a performance report. This is again a notable change, as the framework has moved away from prescribing fixed experimentation periods¹².

E.       Monitoring, Responsibility, and Conclusion of Sandbox Proposals

The 2025 Regulations require the applicant, after grant of permission, to ensure the integrity of systems, maintain confidentiality of policyholder data, and put in place adequate internal mechanisms for reviewing, monitoring and evaluating its controls, systems, procedures and safeguards¹³. More importantly, R9 and R10 make it explicit that the applicant is solely responsible for every action taken in respect of the proposal and remains liable to discharge all obligations thereunder, including legal obligations.

Upon completion of the experiment period¹⁴, the applicant must submit a report within 30 days on how the proposal met its objectives, along with policyholder feedback and such other information as may be specified. Further, the applicant must also submit a plan on how the proposal would be brought under the existing IRDAI regulatory framework. If satisfied, the Competent Authority may permit the proposal to transition into the ordinary regulatory framework.

DPDP Act Compliance: Practical Implications for Sandbox Participants

Notably, the 2025 Regulations expressly require applicants to comply with the DPDP Act¹⁵, in addition to the applicable insurance statutory and regulatory framework.

Under the DPDP Act, consent must be “free, specific, informed, unconditional and unambiguous”, and must be limited to such personal data as is necessary for the specified purpose¹⁶. The Data Principal must also be given notice¹⁷ describing the personal data and the purpose of its processing. Further, where consent is the basis of processing, the Data Principal has the right to withdraw consent at any time¹⁸, and a Data Fiduciary must erase personal data upon withdrawal of consent or once it is reasonable to assume that the specified purpose is no longer being served, unless retention is necessary for compliance with law¹⁹.

For proposals which rely heavily on data collection and processing, the concerns under the DPDP Act are highly relevant since the more predictive a model seeks to become, the more granular the data it may wish to process. For instance, an AI-driven health underwriting model may seek to rely on lifestyle inputs such as exercise patterns, sleep cycles or biometric indicators, a telematics-based motor insurance product may depend on continuous data on driving behaviour, and a wearable-linked wellness model may require persistent monitoring of health parameters. In each such case, the applicant would need to be able to justify why each category of personal data is genuinely necessary for the stated purpose, and how that data will be retained or erased.

Consequently, for sandbox participants whose proposals rely on health data, telematics data, behavioural data, wearable-linked data or other personal data, the requirements will not be limited to establishing the regulatory merits of their proposal under the IRDAI framework. They will also need to demonstrate that they possess the systems/infrastructure abilities for handling personal data and complying with the DPDP Act.

Inter-operable Sandbox: Relevance for Hybrid Products

The 2025 Regulations also recognise that some sandbox proposals may cut across more than one financial sector, for instance, innovations in the insurance space may overlap with related innovations with payments, lending, capital markets, pensions and the wider available digital infrastructure. R12 therefore provides that the process and procedures for regulatory sandbox applications spanning more than one financial sector shall be as specified by the Competent Authority.

This assumes importance because the Reserve Bank of India (“RBI”) has, through its official FAQs on the Inter-operable Regulatory Sandbox (“IoRS”)²⁰ clarified that hybrid financial products and services falling within the remit of more than one financial sector regulator (involving RBI, SEBI, IRDAI, IFSCA and PFRDA) may be tested through a common window rather than through multiple standalone sandbox applications. In this regard, the RBI has expressly indicated that cross-sector products such as insurance products linked to banking services, InsurTech, WealthTech and cross-border payment solutions may fall within the IoRS framework. For insurance market participants whose proposal genuinely cuts across or straddles insurance and another regulated financial activity, the IoRS may offer a more efficient route for experimentation rather than parallel applications across multiple sandbox frameworks.

Conceivably, hybrid products may also emerge at the intersection of insurance and other regulated financial products or infrastructure. These might include insurance bundled with coupons or other prepaid instruments, investment-linked insurance involving alternative assets such as REITs or InvITs, or products covering loss, theft or fraud associated with NFT-like holdings or even blockchain based lending. Whether any such proposal is ultimately permissible would depend on its exact structure and the applicable regulatory framework, but the IoRS framework would be relevant for such proposals.

Practices from international markets indicate that such sandbox arrangements have been useful in testing the commercial viability of such hybrid models. By way of comparative illustration only, the Bank of Lithuania has separately described the testing of a peer-to-peer insurance platform (in which participants form groups to pool funds, collectively decide on compensation for member losses, and share surplus amounts²¹) in its regulatory sandbox, and AXA Global Healthcare has described the launch of a virtual healthcare payment card for eligible outpatient treatment (without upfront out-of-pocket expenditure or subsequent reimbursement processes)²².

Concluding Remarks

The most significant change under the new sandbox framework for Insurers, insurance intermediaries and potential technology companies, is that experimentation is no longer confined to the closed categories specified earlier. Instead, the framework is now framed as a broader mechanism for permitting innovation “across the insurance value chain”, subject of course to carveouts for prudential and financial norms, as well as continued compliance with provisions under primary legislation.

Several operational aspects of the 2025 Regulations remain to be specified by the Competent Authority, including net-worth eligibility, fees, forms, various procedural aspects, and inter-operability of the IRDAI sandbox with other sectoral regulators. In this regard, the 2025 Regulations expressly empower the Competent Authority to issue circulars, guidelines and directions, and to provide clarifications.

Further subordinate guidance, whether by way of a “master circular” or otherwise appears likely to be issued by the IRDAI in this regard in order to operationalise the new sandbox framework.

Footnotes

1   R2 of the erstwhile Sandbox Regulations is in the following terms:

“2. Objectives.-- The objectives of these Regulations are:

(1) To strike a balance between orderly development of insurance sector on one hand and protection of interests of policyholders on the other, while at the same time facilitating innovation;

(2) To facilitate creation of regulatory sandbox environment and to relax such provisions of any existing Regulations framed by the Authority for a limited scope and limited duration, if such a relaxation is needed.”

2. See IRDAI’s press release on “Granting approval to proposals from Health, Motor and Intermediaries department under the Regulatory Sandbox” of 14 January 2020, and the Exposure draft on IRDAI (Regulatory Sandbox) (Amendment) Regulations 2021, which records that the first cohort of the Regulatory Sandbox received 173 applications and the second cohort received 185 applications. The same note also records that the first cohort covered concepts such as wellness, wearables, usage-based insurance, KYC onboarding, distribution and products.

3. See IRDAI’s Press Release on “2nd tranche of approvals under the Regulatory Sandbox” of 31 March 2020, available at https://irdai.gov.in/documents/37343/1092396/2nd+tranche+of+approvals+under+the+Regulatory+Sandbox.pdf/5230c60a-46c2-fbfb-8393-5f2a51f34d74.

4.   See IRDAI’s Report on “InsurTech – Working Group Findings & Recommendations” of 31 July 2018, available at https://irdai.gov.in/documents/37343/366723/Report+on+InsurTech+-Working+Group+Findings+%26+Recommendations.pdf/a3b8f207-f16d-f76f-8660-ea53edabc677.

5.   R4 of the 2025 Regulations.

6.   R3(1)(b) of the 2025 Regulations.

7.   “Competent Authority” means the Chairperson, or such Whole-Time Member, committee of Whole-Time Members or officer(s) of the Authority, as may be determined by the Chairperson.

8.   R5 of the 2019 Regulations.

9.   Supra 4.

10. R6(1) of the 2025 Regulations.

11. Supra.

12. Under the original 2019 Regulations, sandbox permission was granted for 6 months, with extension not permissible beyond a further 6 month. After being amended in 2022, the framework allowed permission for up to 36 months, and stated that “under no circumstances” would the applicant be granted extension of time beyond 12 months.

13. See R9 of the 2025 Regulations.

14. See R11 of the 2025 Regulations.

15. R6(1) of the 2025 Regulations.

16. §6(1) of the DPDP Act.

17. §5(1) of the DPDP Act.

18. §6(4) of the DPDP Act.

19. §8(7) of the DPDP Act.

20. Please see the RBI’s FAQs on “Inter-operable Regulatory Sandbox (IoRS)” of 17 September 2025, available at https://www.rbi.org.in/commonman/English/scripts/FAQs.aspx?Id=3822.

21. See Bank of Lithuania, “Peer-to-peer insurance platform – the first innovation tested in the Bank of Lithuania’s regulatory sandbox” (2 March 2021), available at https://www.lb.lt/en/news/peer-to-peer-insurance-platform-the-first-innovation-tested-in-the-bank-of-lithuania-s-regulatory-sandbox.

22. See AXA Global Healthcare, “Healthcare Payment Card” (20 February 2024), available at https://www.axaglobalhealthcare.com/en/about-us/news/2024/healthcare-payment-card/.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.