Annex III of Regulation (EU) 2024/1689 specifically classifies AI systems used for risk assessment and pricing in relation to natural persons in life and health insurance as high-risk. In practice that captures underwriting decision systems, pricing engines and a large share of fraud detection where it influences claims outcomes for policyholders. The classification is set out in Annex III and the supporting recitals on EUR-Lex.
EIOPA has been active on AI since 2019. It published 'Artificial intelligence governance principles' in 2021 setting fairness, explainability and human oversight expectations for insurance, and a 2024 supervisory statement on the use of AI by insurance and pension funds. Those texts now form the baseline on which the AI Act overlays directly binding rules across the single market.
The hard problem is overlap. An underwriting AI is simultaneously a high-risk AI system under Regulation 2024/1689, an Internal Model or model-risk component under Solvency II governance, a product-oversight artefact under IDD POG rules, and a processor of special category data under GDPR Article 9 where health information is involved. Each regime demands its own evidence and its own supervisor dialogue.
Underwriting, pricing, fraud detection, claims triage, subrogation and customer-service AI must each appear in a single register, with a named owner, business purpose, training and inference data sources, and the downstream decisions the system influences for policyholders.
Life and health pricing and risk-assessment AI is high-risk by name in Annex III. Some non-life classification or routing systems may be limited or minimal risk. The classification rationale must be documented and defensible to the NCA, not assumed.
The effective system of governance under Solvency II Article 41 already obliges insurers to identify, measure and manage model risk. The AI Act layers a lifecycle risk-management programme on top, covering data, model performance and post-market monitoring.
For Annex III pricing and underwriting AI, Annex IV documentation covers intended purpose, system architecture, data provenance, validation results, performance metrics and known limitations. Where Solvency II Internal Model documentation exists, the two sets should map cleanly rather than duplicate.
Named reviewers, recorded override evidence and clear decline-reason transparency are required. The same artefacts feed conduct outcomes under IDD and, for UK firms, the FCA Consumer Duty fair-value and vulnerable-customer expectations.
Health insurance pricing, underwriting and claims AI processes special category data. Lawful basis, explicit consent considerations, DPIA and data minimisation expectations sit alongside AI Act technical documentation and cannot be satisfied by the AI Act file alone.
Insurers using chatbots, automated communications or AI-generated content must disclose AI use to customers. Particular care is needed for vulnerable customers under IDD conduct rules and, for UK insurers, the Consumer Duty cross-cutting outcomes.
EIOPA sets supervisory convergence and expectations on AI in insurance, including the 2021 AI governance principles and a 2024 supervisory statement on the use of AI by insurance and pension funds.
Day-to-day prudential and conduct supervision sits with the NCA in the insurer's home member state. AI Act market surveillance authorities are being designated nationally under the Regulation.
For UK insurers, FCA Consumer Duty (in force July 2023) sets fair value, outcomes and vulnerable-customer expectations that AI underwriting, pricing and claims systems must demonstrably meet.
GDPR Article 9 supervision of special category data, including health data used in insurance pricing and claims AI, sits with national data protection authorities under EDPB co-ordination.
EIOPA published 'Artificial intelligence governance principles' in 2021 and a supervisory statement on the use of AI in 2024. These set the baseline expectations on which the AI Act overlays directly binding rules; see EIOPA's website for the texts.
The timeline is phased: the Regulation entered into force on 1 August 2024, prohibited practices apply from 2 February 2025, and most high-risk obligations apply from 2 August 2026. The dates are set out in Regulation (EU) 2024/1689 on EUR-Lex.
In practice, insurers should expect their NCA to use the AI Act, IDD, Solvency II and GDPR jointly during supervisory dialogue rather than as separate workstreams. Public, insurer-specific enforcement actions under the AI Act should not be assumed at this stage.
| Adjacent rule | How it interacts |
|---|---|
| Solvency II (Directive 2009/138/EC) | Internal Model governance under Articles 112 to 127 already requires independent validation, a change policy and the use test. AI pricing and risk-assessment models inherit that prudential regime, and AI Act obligations sit on top of it rather than replacing it. |
| Insurance Distribution Directive (IDD, 2016/97) | Product Oversight and Governance under IDD requires identified target markets, fair-value assessment and distribution-strategy controls. AI used in underwriting, pricing and claims feeds those obligations directly, particularly where it shapes who is offered cover and on what terms. |
| GDPR Article 9 (special category data) | Health data is special category. Lawful basis, explicit consent considerations, DPIAs and minimisation requirements sit alongside Annex IV technical documentation; one cannot be substituted for the other and DPAs continue to supervise the personal-data dimension. |
| UK FCA Consumer Duty | In force from July 2023, the Consumer Duty's fair value, outcomes and vulnerable-customer expectations apply to AI used in UK underwriting, pricing, claims handling and customer service, regardless of where the underlying model is built or hosted. |
| Gender Directive (2004/113) and the Test-Achats ruling | Following Test-Achats, insurance pricing must not use gender as a rating factor. AI pricing models must not reintroduce direct or proxy gender pricing through correlated features; this fairness expectation predates the AI Act and continues to bind under it. |
“The mistake we see most is treating the Act as a fresh control build. Solvency II already mandates model governance and the use test; for an insurer the value is in reconciling those files with Annex IV, not in starting from scratch.”
No. The Annex III hook is AI used for risk assessment and pricing in life and health insurance. Other systems, such as marketing personalisation or back-office routing, may be limited or minimal risk and should be classified case by case.
No, but it covers a substantial share of the ground. Internal Model validation, change control and the use test map across to Article 9 risk management and Annex IV documentation, reducing duplication if the two are reconciled deliberately.
Reinsurance pricing and capacity-allocation models sit primarily under Solvency II governance. AI Act high-risk obligations apply where the model falls within an Annex III category, for example where it directly determines pricing for natural persons.
GDPR Article 9 governs special category data. Lawful basis, explicit consent considerations, DPIA and minimisation requirements sit alongside AI Act technical documentation and remain supervised by national data protection authorities.
8 to 16 weeks to a production-ready artefact set: AI inventory, Annex III classification, remediation plan and audit pack, mapped to the AI Act, Solvency II Article 41, IDD POG and GDPR Article 9.
The EU AI Act classifies AI used for risk assessment and pricing in life and health insurance as high-risk under Annex III, requiring technical documentation, human oversight and post-market monitoring. EIOPA sets supervisory expectations and national competent authorities supervise day-to-day. The practical challenge is overlap: the same models already sit inside Solvency II governance, IDD product oversight and GDPR Article 9 for health data. The Regulation entered into force on 1 August 2024, with most high-risk obligations applying from 2 August 2026.