PowerQuantEUSend your AI questionnaire

Insurers increasingly use AI systems for risk assessment, pricing, claims handling and customer interaction. The EU AI Act (Regulation (EU) 2024/1689) sets differentiated requirements depending on the system's area of use and risk level. Because the regulation applies directly, no separate national implementing law is required for the AI Act itself.

Which insurance systems are classified as high-risk

Under Annex III, certain AI systems used for risk assessment and pricing in relation to life insurance and health insurance fall within the high-risk category. So not all AI within insurance is high-risk – what is decisive is that the system is used for these specific purposes within these lines of insurance.

Systems falling outside Annex III, for example certain administrative automation or internal process optimisation, are not covered by the high-risk requirements but may still be caught by the transparency requirements in Article 50.

Roles: provider or deployer

The regulation distinguishes between the provider, who develops or places the system on the market, and the deployer, who uses the system in their activities. An insurer that purchases a ready-made AI system is typically a deployer.

Note that Article 25 can reclassify a deployer as a provider – for example, upon a substantial modification of the system or if the company puts its own name on it. This has significant consequences, since the provider's obligations are more extensive.

The deployer's obligations under Article 26

For high-risk systems, the deployer is required, among other things, to:

  • use the system in accordance with the provider's instructions for use
  • ensure human oversight by competent personnel
  • monitor the operation of the system and report serious incidents
  • ensure that input data is relevant for the intended purpose

In certain cases, the deployer must also carry out a fundamental rights impact assessment (FRIA) under Article 27.

Claims handling and transparency

AI support in claims handling should be assessed against Annex III and against the transparency requirements. Article 50 sets requirements for transparency in, among other things, interaction with AI systems (such as chatbots) and for AI-generated content, so that the natural person receives information that they are interacting with or exposed to AI. Article 50 applies from 2 August 2026.

Timeline

  • 2 February 2025: Article 4 (AI literacy) and Article 5 (prohibited practices) in force.
  • 2 August 2026: Article 50 (transparency) applies. The Annex III obligations for deployers apply from this date under the original timeline.
  • 2 December 2027: Proposed postponement of the Annex III obligations via the Digital Omnibus (approved by the European Parliament on 16 June 2026; the Council awaits OJ publication). This is a Digital Omnibus proposal and is not yet in force.

Penalties

Fines are governed by Article 99. For prohibited practices under Article 5, fines can amount to 35 million EUR or 7 % of global annual turnover. Infringements of, among other things, Article 50 and the high-risk obligations can lead to up to 15 million EUR or 3 %. Incorrect or misleading information to authorities can lead to up to 7.5 million EUR or 1 %.

Before procurement

  • Map whether the AI system is used for risk assessment or pricing within life or health insurance (Annex III high-risk).
  • Establish your role: deployer or provider – and keep an eye on Article 25.
  • Request the provider's documentation and instructions for use ahead of Article 26 compliance.
  • Plan for human oversight and incident reporting.
  • Assess whether a FRIA under Article 27 is required.
  • Ensure Article 50 transparency towards the customer ahead of 2 August 2026.

This page is general information about the AI Act and does not constitute legal advice.