insurance · 10 June 2026 · DILAIG

The EU AI Act and Insurance AI: High-Risk Systems, Compliance Obligations, and What Insurers Must Do Now

Insurance companies use AI for underwriting, claims processing, fraud detection, and customer triage. Under the EU AI Act, several of these applications are high-risk — triggering conformity assessments, technical documentation, and ongoing monitoring. Here is what the insurance sector needs to know.

Last updated: June 2026 · Reading time: 9 minutes


The insurance industry has been among the earliest and most intensive adopters of AI in financial services. Actuarial models have given way to machine learning systems that assess individual risk profiles, automate claims decisions, detect fraud in real time, and price policies dynamically. These are powerful capabilities — and under Regulation (EU) 2024/1689, several of them attract the full weight of the EU AI Act's high-risk compliance regime.

This article examines which insurance AI applications fall within the high-risk classification, what that means operationally, and how insurers — whether they are providers building proprietary AI or deployers using vendor solutions — should approach compliance.


Where Insurance AI Sits in the EU AI Act's Risk Hierarchy

The EU AI Act does not have a category specifically labelled "insurance AI." Instead, the high-risk classification in Annex III is based on the function the AI system performs, not the industry it operates in.

For insurance companies, the relevant Annex III entry is Point 5(b): AI systems intended to be used to assess the creditworthiness of natural persons or establish their credit score.

But Point 5(b) is not the only relevant provision. Depending on the specific application, insurance AI may engage:

  • Point 5(b) — Risk scoring and underwriting decisions that function as creditworthiness assessments
  • Point 1 — Any biometric AI used for identity verification or fraud detection involving biometric data
  • Point 6 — AI in essential private services that affect access to insurance products
  • Point 4 — AI used in employment decisions, if the insurer also uses AI in its own HR processes

The scope question is not always self-evident. Insurance companies should conduct a mapping exercise that examines each AI system against all Annex III entries — not only the most obvious one.


Underwriting AI: The Clearest High-Risk Case

AI systems that assess individual risk profiles and generate underwriting decisions — whether for motor, health, property, or life insurance — are the clearest high-risk candidates in the insurance sector.

When an AI system takes a natural person's characteristics (age, location, health history, driving behaviour, property features) and produces a premium quote, a coverage decision, or an exclusion recommendation, it is performing a function analogous to creditworthiness assessment: it is determining that person's access to a financial product and on what terms.

Annex III, Point 5(b) designates as high-risk AI systems "intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud."

The fraud detection exception is important. AI systems used exclusively for detecting fraudulent applications are carved out of Point 5(b). However, a combined system that both scores risk and flags fraud is likely to be treated as high-risk on the basis of its primary underwriting function.

What This Means for Underwriting AI Providers

If you develop or sell AI underwriting tools, you are a provider under Article 3(3) and must comply with Articles 9–15. That means:

  • Establishing a risk management system under Article 9
  • Ensuring training data quality and governance under Article 10
  • Producing technical documentation to Annex IV standards
  • Building in automatic logging under Article 12
  • Delivering instructions for use to deployers under Article 13
  • Enabling human oversight under Article 14
  • Meeting accuracy and robustness requirements under Article 15
  • Completing a conformity assessment under Article 43
  • Registering in the EU database under Article 71

What This Means for Insurers Using Third-Party Underwriting AI

If you are an insurer that licenses and deploys third-party AI underwriting tools, you are a deployer under Article 3(4) and must comply with Article 26, including:

  • Using the system only for its intended purpose as documented in the instructions for use
  • Conducting a fundamental rights impact assessment before deployment (Article 27)
  • Ensuring human oversight as specified by the provider
  • Maintaining the logs generated by the system (minimum six months)
  • Reporting serious incidents to the provider and relevant authority

Claims Processing AI: A More Nuanced Picture

AI in claims processing exists on a spectrum from administrative automation to substantive decision-making, and the AI Act's high-risk classification tracks that distinction.

An AI system that validates a submitted claim form against documented evidence and flags incomplete applications for human review is performing an administrative function — less likely to meet the high-risk threshold than a system that determines claim validity, calculates settlement amounts, or recommends denial.

However, when a claims AI makes or substantially influences decisions about whether a natural person receives payment under an insurance contract — effectively a decision about access to a financial service — it is likely to fall within the ambit of Annex III, Point 5(b) or Point 6.

Point 6 designates as high-risk AI systems used by private and public entities in the provision of essential private services, where the AI determines access to those services or their terms and natural persons rely on them. Insurance, particularly health and life insurance, may qualify as an essential private service in this sense, though the European Commission is expected to clarify guidance on the scope of Point 6 through delegated acts.


Fraud Detection AI: Partially Exempted, Still Regulated

The explicit carve-out of fraud detection from Annex III, Point 5(b) does not mean fraud detection AI is unregulated. It means it is not automatically classified as high-risk under that specific entry. Such systems may still be:

  • High-risk under another Annex III entry
  • Subject to the general obligations applicable to all AI systems under Article 50 (transparency to users) or Article 52 (specific transparency for certain systems)
  • Subject to GDPR obligations, particularly when processing sensitive personal data to infer fraud risk

Insurers should not treat the fraud detection carve-out as a blanket exemption from the AI Act.


The Pricing AI Question

Dynamic pricing AI — systems that adjust insurance premiums in real time based on behavioural data, telematics, or external data feeds — presents novel compliance questions.

Where such systems individualise premiums based on characteristics that correlate with protected attributes (disability, pregnancy, ethnic background), they may engage Article 5's prohibition on AI systems that exploit specific personal vulnerabilities, as well as the EU's anti-discrimination framework. The AI Act does not resolve the full scope of these issues, but providers and deployers should conduct discrimination risk assessments as part of their Article 9 risk management obligations.


Fundamental Rights Impact Assessment: A Critical Obligation for Deployers

Article 27 requires deployers of high-risk AI systems to conduct a fundamental rights impact assessment before deployment. For insurers, this is not a box-checking exercise — it is a substantive inquiry into whether the AI system's operation may discriminate, exclude, or disadvantage individuals in ways that are incompatible with EU fundamental rights law.

The assessment must consider:

  • The nature of the fundamental rights at stake (access to insurance, non-discrimination, privacy)
  • The likelihood and severity of adverse impacts
  • The specific characteristics of the affected population
  • Mitigation measures built into the system design

Insurers that cannot demonstrate a completed fundamental rights impact assessment prior to deploying a high-risk AI system risk enforcement action from national market surveillance authorities.


Intersection With Solvency II and IDD

The EU AI Act operates alongside — not instead of — sector-specific regulation. For insurers, that means Solvency II (governance and risk management of algorithms in insurance undertakings) and the Insurance Distribution Directive (IDD) requirements on fair customer treatment both remain fully applicable.

The AI Act adds a compliance layer; it does not replace existing requirements. In practice, the most efficient approach is to integrate AI Act compliance planning into existing Solvency II governance frameworks, treating high-risk AI risk management as an extension of operational risk management.

DILAIG's audit is designed to produce the four mandatory EU AI Act documents — risk assessment, technical documentation, instructions for use, and conformity declaration — in a format that can be integrated with existing regulatory documentation. Start your audit or contact our team to discuss insurance-specific compliance.


FAQ: EU AI Act and Insurance AI

Is all insurance AI subject to the EU AI Act? No. AI systems used for purely internal administrative purposes, marketing analytics (with no individual risk decisions), or general productivity tools are not automatically high-risk. The high-risk classification applies to systems that perform the specific functions listed in Annex III.

Does the AI Act apply to AI used by reinsurers? Yes, if the reinsurer places high-risk AI systems on the EU market or uses them there. The AI Act applies to providers and deployers established in the EU or whose systems are used in the EU, regardless of the specific segment of the insurance market.

When do high-risk AI obligations apply to insurers? Most high-risk AI obligations apply from 2 August 2026. Insurers with existing high-risk AI systems deployed before that date may benefit from a transitional period, subject to conditions in Article 111.

What happens if an insurer's AI system causes discriminatory underwriting decisions? In addition to AI Act enforcement, discriminatory AI decisions may trigger action under EU non-discrimination directives, GDPR's prohibition on solely automated decisions producing significant effects, and national insurance regulatory action. The consequences compound across regulatory frameworks.

Must insurers register their AI systems in the EU database? If the insurer is the provider of a high-risk AI system, yes — registration in the EU database under Article 71 is mandatory before placing the system on the market or putting it into service.


Key Takeaways

  • Underwriting AI that individualises risk assessment or pricing decisions is likely high-risk under Annex III, Point 5(b).
  • Claims processing AI that makes substantive decisions about benefit access may also qualify as high-risk under Points 5(b) or 6.
  • Fraud detection AI is exempt from Point 5(b) but may still be regulated under other provisions.
  • Deployers of high-risk AI must conduct a fundamental rights impact assessment before deployment.
  • The AI Act operates alongside — not instead of — Solvency II and IDD obligations.
  • High-risk obligations apply from 2 August 2026.
  • DILAIG generates the four mandatory compliance documents for insurance AI providers and deployers.
