Skip to content

EU AI Act & Insurance: High-Risk AI, Underwriting Rules & Governance Priorities

    The EU AI Act created the world’s first broad AI rulebook and ranks among the toughest technology laws adopted by the European Union. Its penalties reach €35 mn or 7% of global annual turnover, well above GDPR’s 4% ceiling.

    The EU AI Act is the world’s first comprehensive AI regulation and arguably one of the strictest technology laws ever adopted.

    The Act reaches beyond EU borders. Any AI system whose output reaches users in the EU falls within its scope, regardless of where the developer operates, according to Beinsure.

    5 Key Highlights

    • The EU AI Act is the world’s first comprehensive AI rulebook. It applies across sectors and establishes a risk-based framework for AI development, deployment, transparency, and governance.
    • Penalties are among the toughest in technology regulation. Breaches can lead to fines of up to €35 mn or 7% of global annual turnover, exceeding the GDPR maximum of 4%.
    • The Act has global reach. Non-EU companies can fall within scope when their AI systems produce outputs used by people in the European Union.
    • High-risk AI systems face extensive compliance duties. Recruitment tools, credit scoring, medical diagnostics, education systems, and critical-infrastructure AI may require risk management, documentation, human oversight, conformity assessments, and EU registration.
    • Rules alone will not make Europe an AI leader. Compliance must be matched by investment in computing capacity, capital, data access, talent, and scalable commercial markets.

    High-risk AI systems face demanding obligations

    The category covers recruitment software and credit scoring, alongside medical diagnostics, education systems or critical infrastructure.

    Developers must run risk-management processes, prepare technical documentation, provide human oversight, complete conformity assessments and register systems in the EU, according to Beinsure. The rules also ban social scoring, workplace emotion recognition and bulk scraping of facial images.

    AI-generated material, deepfakes and AI-led interactions must carry transparency notices and labels. According to Beinsure, these duties place a heavy compliance burden on firms operating high-risk systems across several markets.

    Some of its key provisions are striking:

    • Fines of up to €35 mn or 7% of global annual turnover, almost twice the maximum GDPR penalty of 4%.
    • Extraterritorial reach. Any AI system whose outputs are used in the EU falls under the regulation, regardless of where the developer is based.
    • High-risk AI systems, including hiring algorithms, credit scoring, medical diagnostics, education and critical infrastructure, must comply with extensive requirements: risk management, technical documentation, human oversight, conformity assessments and EU registration.
    • Social scoring, workplace emotion recognition and mass facial image scraping are prohibited.
    • AI-generated content, deepfakes and AI interactions require mandatory transparency and labeling.

    Industry estimates put the initial cost of bringing one high-risk AI system into line at about €50,000. Businesses then face annual costs of roughly €29,000 for ongoing compliance.

    The policy timetable created another problem. Before many central provisions took effect, the EU’s Digital Omnibus package moved large parts of the rollout into 2027-2028.

    AI technical standards remained incomplete

    AI technical standards remained incomplete

    Regulators had not completed their preparations, and at least 12 Member States had yet to establish supervisory authorities.

    The rules demanded compliance from businesses before public authorities had built the machinery needed to supervise them. For founders and investors, the sequence looks backwards.

    Before many of the law’s core provisions even took effect, the EU postponed large parts of the implementation until 2027-2028 through the Digital Omnibus package.

    The reasons were practical: technical standards were incomplete, regulators were not ready and at least 12 Member States had failed to establish the required supervisory authorities.

    Businesses were expected to comply before governments were fully prepared themselves. Meanwhile, global AI investment tells a very different story.

    Insurance Europe has urged the European Commission (EC) to withdraw its proposed Artificial Intelligence Liability Directive (AILD), arguing that it could lead to legal uncertainty and hinder innovation.

    The insurance industry body has expressed concerns that the directive, as currently drafted, may increase compliance burdens for businesses and leave consumers confused about their rights.

    While recognizing the EC’s intention to ensure fair compensation for AI-related damages, Insurance Europe believes the AILD introduces more problems than it solves.

    Insurance Europe notes that the directive’s overlap with other existing and upcoming regulations, such as the EU’s AI Act and the revised Product Liability Directive (PLD), will create a complicated and uncertain legal environment. Beinsure analyzed the report and highlighted the key points.

    Global investment data paints a different picture

    Stanford’s AI Index 2026 puts U.S. private AI investment at $285.9 bn in 2025, up 160% year on year. Europe recorded growth of only 7.2%, according to Beinsure. Generative AI attracted $163.6 bn in the U.S., against $4.7 bn for China and Europe combined.

    According to Stanford’s AI Index 2026

    • U.S. private AI investment reached $285.9 bn in 2025, up 160% year over year.
    • Europe recorded just 7.2% growth.
    • In generative AI, the U.S. attracted $163.6 bn, while China and Europe combined attracted only $4.7 bn.

    Mario Draghi’s competitiveness report puts the share of European unicorns that moved to the U.S. at around 30%. Other startups are weighing similar moves as they seek capital, computing resources and larger commercial markets.

    The three AI centres now follow distinct routes. The U.S. puts capital and product development first, then relies on courts for enforcement after disputes emerge.

    China mixes targeted rules with substantial state funding. It has narrowed the frontier-model performance gap with the U.S. to 2.7%.

    Europe put wide-ranging obligations in place before producing AI companies able to compete at the same scale. According to Beinsure, the investment gap leaves European founders with fewer options as compliance costs rise and global rivals spend faster.

    The contrast between the three major AI ecosystems is becoming increasingly clear

    • The U.S. prioritizes capital, innovation and ex-post enforcement through courts.
    • China combines targeted regulation with massive state investment and has narrowed the frontier model performance gap with the U.S. to just 2.7%.
    • Europe has focused on comprehensive regulation before building globally competitive AI champions.

    The debate matters for countries preparing to harmonise local AI legislation with EU rules during the accession process. Copying the legal framework without matching investment would leave local firms exposed to the same cost pressures.

    Without investment in computing infrastructure, talent, capital and data, legislation cannot create global AI leaders.

    Rules alone do not produce global AI leaders. Europe also needs computing infrastructure, access to capital, quality data and technical talent before regulation turns into an asset rather than another barrier.

    What is the EU AI Act?

    The EU AI Act, published by the European Commission in July 2024, introduces the first regulations on AI development and usage across sectors to protect citizens’ rights. The AI Act ensures that Europeans can trust what AI has to offer. While most AI systems pose limited to no risk and can contribute to solving many societal challenges, certain AI systems create risks that we must address to avoid undesirable outcomes.

    The AI Act (Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence) provides AI developers and deployers with clear requirements and obligations regarding specific uses of AI. At the same time, the regulation seeks to reduce administrative and financial burdens for business, in particular small and medium-sized enterprises (SMEs).

    The AI Act is the first-ever legal framework on AI, which addresses the risks of AI and positions Europe to play a leading role globally.

    The AI Act entered into force on August 1, and will be fully applicable 2 years later, with some exceptions: prohibitions will take effect after six months, the governance rules and the obligations for general-purpose AI models become applicable after 12 months and the rules for AI systems – embedded into regulated products – will apply after 36 months.

    AI Act introduces further complexities for insurance leaders

    AI Act introduces further complexities for insurance leaders

    How will the EU AI Act affect the insurance industry? Insurance use cases that cross into multiple markets, functions, or data types must adhere to the highest applicable risk category outlined in the EU AI Act. For example, applying voice recognition for fraud detection is classified as high risk due to the biometric data involved.

    Most insurers will rely on external large language models, such as OpenAI’s ChatGPT, with responsibility for compliance resting on the developers of these models.

    This arrangement influences insurers’ AI procurement and partner evaluation processes.

    The EU AI Act also overlaps with existing regulations, including Solvency II, DORA, CPC, IAF, and GDPR, which may cover some of the Act’s requirements. Further, the Act’s reach extends beyond Europe, applying to any non-European insurers whose AI impacts EU citizens.

    To ensure compliance with the EU AI Act, insurers should create a multidisciplinary AI governance team. This team should bring together specialists from business, compliance, data, AI, IT, and legal fields to address ambiguities in the Act, such as complex conditions on AI-assisted underwriting. With such expertise, the team can guide the organization through unclear areas, particularly those linked to data usage restrictions.

    Equipping data science and engineering teams with advanced skills is also crucial. By developing expertise in tools and techniques necessary for building compliant AI, these teams can ensure systems meet legal standards.

    They also need to stay vigilant about new security threats, such as inversion and evasion attacks, which require specific measures to protect sensitive data and maintain model integrity.

    Lastly, following standards, especially the anticipated ISO 42001, will provide insurers with a clear pathway to comply with the Act’s requirements in risk and quality management.

    FAQ

    What is the EU AI Act?

    The EU AI Act is Regulation (EU) 2024/1689, a broad legal framework governing artificial intelligence in the European Union. It is designed to manage AI risks, protect fundamental rights, and set obligations for developers, providers, deployers, and other parties involved in AI systems.

    When does the EU AI Act apply?

    The Act entered into force on August 1, 2024, with obligations phased in over time. Prohibited AI practices apply first, followed by governance rules and requirements for general-purpose AI models. Most provisions will become fully applicable after a two-year transition period, although some product-related rules have a longer timetable.

    Does the EU AI Act apply to companies outside Europe?

    Yes. The Act has extraterritorial reach. An organization based outside the EU may be subject to the rules when its AI system, model, or output is used by people in the EU. This makes the Act relevant to global technology providers, insurers, platforms, and businesses serving European customers.

    What AI systems are considered high risk?

    High-risk systems can include AI used in recruitment, employment decisions, credit scoring, medical diagnostics, education, law enforcement, migration, and critical infrastructure. These applications receive stricter scrutiny because they can materially affect people’s rights, access to services, safety, or economic opportunities.

    What compliance obligations apply to high-risk AI systems?

    Providers of high-risk AI systems may need to establish risk-management processes, maintain detailed technical documentation, ensure data quality, enable meaningful human oversight, perform conformity assessments, monitor performance after deployment, and register certain systems in the EU database.

    Which AI practices are prohibited?

    The Act bans certain uses considered unacceptable-risk AI. These include social scoring, some forms of workplace emotion recognition, and indiscriminate scraping of facial images to build facial-recognition databases. Organizations should assess their systems early to ensure they do not use prohibited practices.

    How will the EU AI Act affect insurers?

    Insurers may face heightened obligations where AI is used in underwriting, claims, fraud detection, customer interactions, or biometric analysis. AI use cases that involve sensitive data, multiple functions, or cross-border markets may fall into higher-risk categories. Insurers should establish multidisciplinary AI governance involving business, compliance, legal, IT, data, and security teams, while reviewing suppliers and external model providers carefully.

    ……………….

    AUTHORS: Oleg Parashchak – CEO & Founder of Finance Media Holding, Editor-in-Chief of Beinsure, Peter Sonner – Lead Tech Editor at Beinsure