EU AI Act obligations for insurance AI: actuarial models, underwriting, claims assessment, and pricing AI for natural persons. Covers Annex III category 5(b) and Solvency II interaction.
Insurance and the EU AI Act — the Actuarial Challenge
The EU AI Act (Regulation (EU) 2024/1689) imposes its highest compliance burden on AI systems that affect the ability of natural persons to access essential services and financial products. Insurance sits at the centre of this concern. AI systems that determine whether a natural person can obtain motor, health, life, or property insurance — and at what cost — are, in many configurations, high-risk AI systems under Annex III, point 5(b) of the Act.
The defining challenge for the insurance sector is actuarial. For over a century, insurance pricing has been grounded in statistical modelling of risk across population cohorts. The EU AI Act does not prohibit actuarial differentiation, but it imposes substantive obligations on the AI systems through which such differentiation is executed when those systems operate at the level of the individual natural person. The shift from traditional pooling models to AI-driven individual risk scoring — enabled by telematics, health data streams, and behavioural analytics — is precisely what triggers the Act's high-risk regime.
Insurers operating in the EU must therefore undertake a systematic classification exercise: which of their AI systems produce individualised outputs that determine or significantly influence coverage decisions for natural persons? That classification exercise is not merely a compliance formality. Its outcome determines whether the insurer, as a deployer under Art. 26 (or provider under Art. 16), bears obligations relating to data governance, technical documentation, human oversight, conformity assessment, and registration in the EU database for high-risk AI.
The Act's application to insurance is further complicated by the sector's existing regulatory density. Solvency II Directive (2009/138/EC), the Insurance Distribution Directive (IDD) (EU) 2016/97, GDPR, and EIOPA's principles-based AI guidelines (2021) each impose requirements on actuarial modelling, customer treatment, and data use. These frameworks overlap with — but do not substitute for — EU AI Act obligations. Compliance programmes must address all simultaneously.
High-Risk AI Use Cases in Insurance
Actuarial Pricing Models for Natural Persons
Annex III, point 5(b) of the EU AI Act classifies as high-risk any AI system used to evaluate the creditworthiness of natural persons or to classify natural persons in terms of their risk profile for the purpose of accessing insurance services. This covers actuarial AI systems that:
- Generate an individual risk score used to set a motor insurance premium for a named policyholder
- Classify a natural person's health status or mortality risk to determine life insurance coverage eligibility or premium
- Produce a property insurance pricing decision based on AI-assessed risk factors attributable to a specific natural person
The critical threshold is individual natural person impact. Actuarial AI applied to legal entities — corporate liability, commercial cargo, industrial property — does not trigger Annex III cat 5(b) unless natural persons are affected in a materially equivalent way. Insurers writing both personal and commercial lines must classify each AI system by the population it acts upon.
Motor Insurance Telematics and Pay-as-You-Drive Systems
Telematics-based insurance pricing systems that collect driving behaviour data — speed, acceleration, braking patterns, time-of-day usage — and use AI models to generate an individual premium for a named natural person are the paradigmatic high-risk insurance AI use case. These systems meet all elements of Annex III cat 5(b): they evaluate individual natural persons, they produce outputs that determine access to and pricing of insurance, and their AI-driven individualisation is precisely what distinguishes them from traditional actuarial pooling.
Providers of telematics scoring engines — whether developed in-house or licensed from a third-party vendor — must comply with Art. 9 (risk management), Art. 10 (data governance for training and validation datasets), Art. 11 read with Annex IV (technical documentation), Art. 12 (logging), Art. 13 (transparency), Art. 14 (human oversight), and Art. 15 (accuracy, robustness, cybersecurity).
Life and Health Insurance Underwriting AI
AI systems used in life insurance underwriting to assess longevity or mortality risk for individual applicants — determining whether coverage is offered and at what premium — are high-risk under Annex III cat 5(b) where they produce individualised assessments for natural persons. This includes AI systems that process health questionnaire responses, medical records (where lawfully accessed), or wearable device data streams to generate a risk score that influences underwriting decisions.
Health insurance AI that segments individual applicants by health risk profile for the purpose of pricing or eligibility determination is subject to the same classification. Insurers must be attentive to the intersection of GDPR Art. 9 (health data as special category data) and the AI Act's Art. 10 data governance requirements: training datasets containing health data require an explicit GDPR Art. 9(2) legal basis, and this basis must be documented in the technical documentation required by Annex IV.
Claims Assessment and Settlement AI
The classification of claims AI depends on its functional role in the claims decision workflow. Two scenarios must be distinguished:
- AI that significantly influences a claims outcome for a natural person: where an AI system assesses a claim and its output directly results in reduction, rejection, or conditional payment of an insurance benefit to a natural person — even if nominally reviewed by a human — the system is likely high-risk under Annex III cat 5(b), because it effectively determines the natural person's access to insurance benefits.
- AI that flags claims for human investigation: where the AI output is one input among several considered by a claims handler who makes an independent substantive decision, and the handler has the authority and information to depart from the AI's assessment, the system may not be high-risk. This distinction must be documented and operationally genuine, not nominal.
Insurance Fraud Detection
AI systems used to detect potentially fraudulent claims occupy an important borderline. Where the fraud detection AI triggers an automatic adverse action — suspension of payment, policy cancellation — affecting a natural person without substantive human review, it is likely high-risk. Where the AI only generates a fraud risk flag that is then investigated by a specialist handler who retains full decision authority, it may not be. Insurers should document the fraud AI workflow in detail and assess whether the operational human oversight is substantive or nominal.
Provider vs Deployer in Insurance
Distinguishing Roles
The EU AI Act imposes different obligation sets depending on whether an organisation is a provider (develops and places the AI on the market) or a deployer (uses a third-party AI system in a professional context). For insurers, this distinction is commercially significant:
- An insurer that develops its own telematics scoring engine or actuarial pricing AI is a provider under Art. 3(3) and bears the full provider obligations under Art. 16: quality management system, technical documentation, EU Declaration of Conformity, CE marking, registration in the EU database, and post-market monitoring.
- An insurer that licenses actuarial AI software from a vendor is a deployer under Art. 3(4) and bears deployer obligations under Art. 26: implementation in accordance with the provider's instructions, human oversight, log maintenance, and incident reporting.
- An insurer that modifies a licensed AI system in ways that alter its intended purpose — for example, by applying a telematics model to a policyholder population outside the validated scope — may be re-classified as a provider under Art. 25(1) with full provider obligations.
Deployer Due Diligence for Actuarial Vendor AI
Insurers deploying third-party actuarial AI systems must exercise structured due diligence before and after deployment:
Pre-deployment: Verify that the AI system is registered in the EU database for high-risk AI under Art. 49, bears a CE mark, and is accompanied by an EU Declaration of Conformity. Request and review the technical documentation summary, including accuracy and bias metrics, the validated use case scope, and the intended purpose statement.
Contractual protections: Procurement contracts with AI vendors should specify: the vendor's obligation to notify the insurer of significant updates or re-assessments; the vendor's obligation to produce updated post-market monitoring data on request; and the boundaries of the permitted deployment scope — with a clear mechanism for the insurer to request a scope extension assessment rather than proceeding unilaterally.
Ongoing monitoring: Under Art. 26(5), deployers must monitor the performance of high-risk AI systems in their operational context. For actuarial AI, this means tracking model performance against actual claims outcomes, monitoring for distributional shift between the training population and the live policyholder population, and escalating material deviations to the vendor for investigation.
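One way to operationalise the ongoing-monitoring step above, as an added example that is not code from this page, from any insurer, or from any vendor: a deployer-side check that computes the population stability index (PSI) between the training population and the live book for one rating feature, compares predicted claim frequency with observed claims per band, and produces an escalation decision. The mileage bands, the predicted probabilities, the claim counts and the thresholds (PSI 0.25, actual-to-expected between 0.8 and 1.25) are all constructed or conventional rules of thumb, not values from the page or from the AI Act.

```python
"""Deployer-side monitoring of a deployed actuarial model: distributional shift
between the training population and the live policyholder population (PSI) and
model performance against actual claims outcomes (actual-to-expected ratios).
Added example; every data value below is constructed."""
import math
from collections import Counter, defaultdict

# Constructed training population, bucketed by one rating feature (annual mileage band).
TRAIN_BANDS = ["low"] * 500 + ["mid"] * 350 + ["high"] * 150


def _policies(band, n, predicted, claims):
    """Build n constructed live policies in one band: (band, predicted claim probability, claim observed?)."""
    return [(band, predicted, i < claims) for i in range(n)]


# Constructed live book: the high-mileage band has grown and claims more than predicted.
LIVE_POLICIES = (
    _policies("low", 300, 0.05, 15)     # actual/expected = 1.00
    + _policies("mid", 350, 0.10, 35)   # actual/expected = 1.00
    + _policies("high", 350, 0.15, 80)  # actual/expected = 1.52: model under-prices this band
)


def band_shares(bands, categories, floor=1e-4):
    """Share of policies per band, floored so log ratios stay finite for empty bands."""
    counts = Counter(bands)
    total = len(bands)
    return {c: max(counts.get(c, 0) / total, floor) for c in categories}


def population_stability_index(train_bands, live_bands):
    """PSI = sum((live - train) * ln(live / train)) over bands.
    Rule of thumb (not a legal threshold): < 0.10 stable, 0.10-0.25 moderate, > 0.25 significant shift."""
    categories = sorted(set(train_bands) | set(live_bands))
    p = band_shares(train_bands, categories)
    q = band_shares(live_bands, categories)
    return sum((q[c] - p[c]) * math.log(q[c] / p[c]) for c in categories)


def actual_vs_expected(policies):
    """Per-band ratio of observed claims to the claims the model predicted."""
    expected = defaultdict(float)
    actual = defaultdict(int)
    for band, predicted, claimed in policies:
        expected[band] += predicted
        actual[band] += int(claimed)
    return {band: actual[band] / expected[band] for band in expected}


def monitoring_report(train_bands, live_policies, psi_limit=0.25, ae_range=(0.8, 1.25)):
    """Run both checks; 'escalate' is True when a material deviation should go to the vendor."""
    live_bands = [band for band, _, _ in live_policies]
    psi = population_stability_index(train_bands, live_bands)
    ae = actual_vs_expected(live_policies)
    lo, hi = ae_range
    drifted_bands = sorted(b for b, r in ae.items() if not lo <= r <= hi)
    reasons = []
    if psi > psi_limit:
        reasons.append(f"population shift: PSI {psi:.3f} exceeds {psi_limit}")
    for b in drifted_bands:
        reasons.append(f"band '{b}': actual/expected {ae[b]:.2f} outside {ae_range}")
    return {
        "psi": psi,
        "actual_vs_expected": ae,
        "drifted_bands": drifted_bands,
        "escalate": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    report = monitoring_report(TRAIN_BANDS, LIVE_POLICIES)
    for line in report["reasons"]:
        print(line)
    print("escalate to vendor:", report["escalate"])
```

In the constructed data the PSI comes out at roughly 0.27, above the 0.25 rule-of-thumb limit, and the high-mileage band shows about 1.5 times the predicted claims, so the report escalates on both counts. In practice the same two checks would run per rating feature and per reporting period, and the reports themselves belong in the Art. 12 logs and the Art. 26(5) monitoring record, since they are the evidence that the deployer actually monitored performance rather than merely undertook to.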
Interaction with Solvency II, IDD, and GDPR
Solvency II — System of Governance and ORSA
The Solvency II Directive Pillar II requirements establish a System of Governance over actuarial and risk management functions. The Own Risk and Solvency Assessment (ORSA) requires documented risk identification, stress testing, and internal model governance. These requirements overlap substantially with the EU AI Act's Art. 9 risk management system and the model validation components of Annex IV technical documentation.
Insurers should conduct a structured gap analysis to identify which Solvency II governance artefacts can be leveraged for AI Act compliance and which gaps remain. Key gaps typically include: AI-specific bias testing and fairness assessment (not addressed in Solvency II); Art. 10 dataset documentation for training and validation data (which extends beyond Solvency II model validation scope); Art. 12 automatic logging of AI system operation; and Art. 14 human oversight mechanism design. Where an internal model approved under Solvency II incorporates AI components, the governance framework for that model must be extended to satisfy AI Act obligations before the system can be lawfully deployed under the high-risk regime.
Insurance Distribution Directive — Fairness and Transparency
The IDD (EU) 2016/97 requires that insurance distribution is conducted in the customer's best interest, with information presented in a comprehensible manner. Where AI is used in the distribution process — for example, in a digital platform that generates personalised product recommendations or premium quotes — the IDD's fairness and disclosure obligations align with the EU AI Act's Art. 13 transparency requirements. Insurers should integrate AI Act disclosure obligations into IDD product disclosure documents (IPIDs) and Key Information Documents, ensuring that the AI's role in the distribution or pricing decision is communicated in language accessible to the policyholder.
GDPR — Special Category Data and Automated Decision-Making
GDPR Art. 9 classifies health data, genetic data, and data concerning a person's physical or mental health condition as special category data, processing of which is prohibited absent a specific derogation. Life and health insurers using such data in AI training or scoring must identify and document a valid Art. 9(2) legal basis — most commonly explicit consent under Art. 9(2)(a) or a member state law derogation under Art. 9(2)(b) — for each data category and processing purpose.
GDPR Art. 22 restricts solely automated decisions that produce legal or similarly significant effects for natural persons. An AI underwriting decision that automatically rejects a coverage application, or an AI claims decision that automatically reduces a benefit payment, without human involvement constitutes solely automated decision-making under Art. 22. The data subject is entitled to: human review of the decision; an explanation of the principal factors influencing the automated decision; and the right to contest the outcome. Insurers must build these rights into their customer-facing processes and ensure the internal review mechanisms are substantively functional.
EIOPA AI Guidelines
EIOPA's principles-based guidelines on AI use in insurance (2021) established sector expectations around transparency, non-discrimination, data quality, and model explainability ahead of the AI Act's entry into force. EIOPA is developing sector-specific implementation guidance for the EU AI Act, and insurers should monitor EIOPA outputs closely. National supervisors — ACPR (France), BaFin (Germany), IVASS (Italy), DNB (Netherlands) — will implement supervisory expectations in alignment with EIOPA guidance, and sector-specific Q&A publications are expected during the Act's implementation period.
Enforcement — EIOPA and National Supervisors
EIOPA's Supervisory Role
EIOPA (European Insurance and Occupational Pensions Authority) does not have direct enforcement authority under the EU AI Act, which designates national supervisory authorities as competent authorities under Art. 70. However, EIOPA coordinates supervisory convergence across EU insurance regulators and issues binding and non-binding technical standards. EIOPA's AI governance expectations — expressed through guidelines, opinions, and supervisory statements — will shape how national supervisors implement AI Act requirements in the insurance context. Insurers should treat EIOPA outputs as authoritative sector guidance even where they are not legally binding.
National Insurance Supervisors as AI Competent Authorities
National insurance supervisors in major EU markets are positioned to exercise AI Act competent authority functions over insurance AI systems:
- ACPR (Autorité de contrôle prudentiel et de résolution) in France, which has published supervisory expectations on AI in financial services
- BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht) in Germany, with an established track record in algorithmic decision-making supervision
- IVASS (Istituto per la Vigilanza sulle Assicurazioni) in Italy
- DNB (De Nederlandsche Bank) in the Netherlands
These authorities have powers under Art. 74 and Art. 75 to request access to training data, technical documentation, and logs; to conduct on-site inspections; to order corrective measures; and to recommend financial penalties for non-compliance. Fines for placing non-compliant high-risk AI on the market may reach €30 million or 6% of global annual turnover, whichever is higher.
Dual Supervision: AI Act and Sector Regulation
Insurance supervisors conducting AI Act enforcement will do so in the context of their broader prudential and conduct mandates. An AI Act investigation into a biased actuarial pricing model may simultaneously engage Solvency II Pillar III reporting obligations, IDD conduct requirements, and GDPR enforcement by the data protection authority. Insurers should assume that supervisory interventions will be cross-functional and design their compliance programmes accordingly.
Compliance Roadmap for Insurers
Step 1: AI System Inventory and Classification
Conduct a comprehensive inventory of all AI systems used in: premium pricing; underwriting acceptance or rejection; claims assessment or payment; fraud detection; customer risk scoring; and distribution or product recommendation. For each system, assess whether it produces outputs that determine or significantly influence outcomes for individual natural persons. Systems meeting this threshold require classification assessment against Annex III cat 5(b).
Step 2: Provider/Deployer Determination
For each high-risk AI system, determine whether the insurer is the provider, deployer, or — critically — whether use outside the vendor's validated scope has triggered re-classification as a provider. Engage legal counsel to assess borderline configurations, particularly where in-house data or policyholder populations have been used to fine-tune or extend a licensed model.
Step 3: Gap Analysis against AI Act Obligations
Map existing Solvency II governance artefacts, ORSA documentation, and internal model validation processes against the AI Act requirements under Art. 9 (risk management), Art. 10 (data governance), Art. 11 and Annex IV (technical documentation), Art. 12 (logging), Art. 13 (transparency), Art. 14 (human oversight), and Art. 15 (accuracy, robustness, cybersecurity). Document identified gaps and assign remediation responsibility.
Step 4: Data Governance and GDPR Alignment
For each high-risk AI system, audit training and validation datasets. Document data provenance, collection methods, representativeness across relevant policyholder demographic groups, and known limitations. Ensure GDPR legal bases are in place for all personal data and, where applicable, for special category data. Integrate Art. 10 documentation into the Annex IV technical file.
Step 5: Human Oversight Mechanism Design
Design operationally realistic human oversight mechanisms for each high-risk AI deployment. For underwriting AI, this means a qualified underwriter has the information, authority, and workflow time to review and depart from the AI's recommendation before it affects the policyholder. For claims AI, it means a claims handler has substantive review authority — not a nominal sign-off function. Document the oversight design and include it in the technical documentation.
Step 6: Vendor Due Diligence and Contract Remediation
For third-party actuarial AI systems, implement the pre-deployment due diligence process described above and review existing vendor contracts. Where contracts lack provisions requiring the vendor to maintain AI Act compliance documentation, notify the insurer of significant changes, and permit audit of AI system performance, remediate through contract amendment or renegotiation. Establish internal procedures for monitoring AI system performance in the live policyholder population and reporting significant deviations to vendors and, where required, to supervisory authorities.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
A motor insurance pricing algorithm is likely high-risk under Annex III, point 5(b) if it evaluates the creditworthiness or risk profile of individual natural persons to determine premium levels or coverage eligibility. Telematics-based pay-as-you-drive systems that score individual driver behaviour and use that score to set premiums for named policyholders fall squarely within this category. Traditional actuarial pooling models that assign individuals to actuarial classes without AI-driven individual scoring occupy a greyer area, but any AI component that generates an individualised score used to price or accept a natural person's policy should be assessed under Art. 6(2) read with Annex III cat 5(b).
No, but there is substantial overlap that should be exploited. The EU AI Act's Art. 9 requires a risk management system that identifies, analyses, and mitigates foreseeable risks across the AI system lifecycle. The Solvency II Pillar II Own Risk and Solvency Assessment (ORSA) and System of Governance requirements demand documented risk identification and internal model governance over actuarial and pricing processes. The governance structures, documented risk assessments, and model validation procedures developed for Solvency II can form the foundation for AI Act compliance, but must be supplemented to address AI-specific obligations: bias testing, data governance under Art. 10, automatic logging under Art. 12, and human oversight under Art. 14. A gap analysis against Annex IV technical documentation requirements is essential.
Where a high-risk AI system is used to make or significantly influence a decision affecting a natural person — including acceptance, rejection, or pricing of insurance coverage — the deployer must provide meaningful information to the natural person under Art. 26(6) of the EU AI Act and, where automated decision-making under Art. 22 of GDPR is engaged, the data subject rights provisions of Art. 13–15 and 22 GDPR apply. Policyholders are entitled to an explanation of the logic of automated decisions, the right to request human review, and the right to contest the outcome. Insurers using AI underwriting tools must therefore design customer-facing disclosure processes and implement human review mechanisms that are genuinely accessible — not contingent on specialist knowledge.
Not automatically. Fraud detection AI that flags claims for human investigation — where the human investigator makes the final decision on whether to pay, reduce, or decline the claim — may not meet the threshold for high-risk classification under Annex III cat 5(b), because the AI does not independently determine access to insurance for natural persons. However, if the fraud detection system's output directly triggers an automatic reduction, suspension, or denial of a claim payment to a natural person without substantive human review, the system is likely high-risk. Insurers should document precisely how fraud AI outputs are used in the claims workflow and ensure that where natural persons are affected, meaningful human oversight intervenes before a deprivation of benefit occurs.
Insurers deploying third-party actuarial AI tools should contractually require the following: the EU Declaration of Conformity and CE marking documentation for high-risk systems; technical documentation as required by Annex IV, including the intended purpose statement, training dataset descriptions, validation and testing results (including bias and accuracy metrics across demographic subpopulations), and the risk management file; instructions for use addressed to the deployer; post-market monitoring data and incident reports; and the parameters and conditions within which the system has been validated, including any restrictions on use cases or policyholder populations. Deployment outside the scope of the vendor's instructions for use may re-classify the insurer as a provider with full provider obligations under Art. 16.