
AI underwriting automation in EU insurance: regulatory map

By Impetora

Underwriting is the most regulatorily exposed AI deployment an EU insurer attempts. Risk assessment and pricing in life and health insurance is explicitly listed as high-risk in Annex III 5(b) of the EU AI Act, which means the full Chapter III obligations engage on day one. Property and casualty underwriting sits outside the high-risk perimeter but inside Solvency II governance and EIOPA AI principles [1].

Annex III 5(b): life and health risk assessment / pricing (EUR-Lex)
Art 41: Solvency II system of governance (EUR-Lex)
EIOPA 2021: Six AI principles for insurance (EIOPA)
Art 22: GDPR automated decisions (EUR-Lex)

What does AI underwriting actually do?

Underwriting AI estimates the expected cost of insuring an applicant and translates that estimate into an accept/decline/refer decision and a price. Inputs include application data, third-party medical or driving records, telematics or wearable signals, document extracts and historical claims experience. Outputs include a binary decision, a price quote, exclusions and any uplift or loading.

For life and health, the AI Act treats the system as high-risk regardless of whether the final price is automated or human-set. The trigger is "risk assessment and pricing", not the act of issuing the policy. For property and casualty, the AI Act high-risk regime does not apply, but Solvency II's actuarial function obligations and EIOPA's principles do.

What does Annex III 5(b) require operationally?

For high-risk life and health underwriting AI, Chapter III applies in full. Article 9 requires a continuous, iterative risk-management system. Article 10 requires data-governance with specific testing for bias on protected classes (and explicitly permits processing special-category personal data for that purpose). Article 11 sets technical-documentation requirements aligned with Annex IV. Article 12 mandates automatic event logging for the system's lifetime. Article 14 requires effective human oversight. Article 15 requires accuracy, robustness and cybersecurity proportionate to purpose [1].

Article 26 (deployer obligations) requires the insurer to use the system in accordance with provider instructions, monitor operation, and conduct a fundamental rights impact assessment under Article 27 before first use. Registration in the EU database under Article 49 is also a deployer duty.

Chapter III: high-risk obligations stack on Annex III 5(b) (EUR-Lex)

How do the EIOPA AI principles apply?

EIOPA's 2021 principles - proportionality, fairness, transparency, human oversight, data governance, robustness - apply across the insurance value chain. National supervisors use them as the assessment baseline for AI governance reviews [2].

The principles overlap materially with the AI Act's high-risk obligations, but they apply to all insurance AI, not only Annex III 5(b) systems. Property and casualty underwriters that fall outside the AI Act high-risk perimeter still need to evidence EIOPA-aligned governance. Building one unified governance programme that satisfies EIOPA principles, AI Act obligations (where engaged) and Solvency II Article 41 avoids triple-running the documentation.

What does Solvency II Article 41 add?

Article 41 of Directive 2009/138/EC requires an effective system of governance with risk management, internal control, internal audit and actuarial functions. The actuarial function under Article 48 has explicit responsibility for the technical provisions and the underlying assumptions. AI in underwriting that informs the price or the technical provisions falls inside the actuarial function's scope.

Practically, this means the actuarial function signs off the underwriting model, internal audit reviews it as third line, and material model changes go through documented governance. Treating an underwriting AI as an "operations tool" outside Solvency II governance is the most common supervisory finding.

Where does GDPR Article 22 fit?

An automated underwriting decision (decline or load) that produces a legal effect is the textbook Article 22 case. Insurers must rely on contract necessity (the typical basis for application processing), implement the right to human intervention and contest, and provide meaningful information about the logic, significance and envisaged consequences.

The 2024 EDPB guidelines clarify that "meaningful information" must be enough that the customer can meaningfully exercise contest rights. The SCHUFA judgment (C-634/21) extends the perimeter: a probability score that materially determines the decision is itself an automated decision under Article 22, even when generated by a third party.

What does a defensible automated-underwriting design look like?

A defensible design has six layers: a data layer with documented lineage and exclusion of protected attributes plus validated proxies; a model layer with version control, technical documentation aligned with Annex IV and independent validation by the actuarial function; a decisioning layer with a policy on auto-issue bands and mandatory human-review thresholds; a logging layer meeting Article 12 retention; a monitoring layer with drift detection, fairness testing and performance thresholds; and a customer-facing layer providing meaningful information and a contest pathway.
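The decisioning and logging layers described above, sketched as an added example (not Impetora's code and not taken from any regulation). The band thresholds, field names and the hash-chained log are assumptions made for illustration; the hash chain is one way to make the event log tamper-evident and is not an Article 12 requirement.

```python
import hashlib
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyBand:  # constructed fields; real values come from the approved policy
    auto_issue_max: float    # risk score at or below this may be auto-issued
    auto_decline_min: float  # risk score at or above this may be auto-declined
    max_sum_assured: int     # above this amount, human review is mandatory

def route(score, sum_assured, band):
    """Return (decision, human_review_required); fail closed to referral."""
    if not 0.0 <= score <= 1.0 or sum_assured > band.max_sum_assured:
        return "refer", True          # invalid score (incl. NaN) or outside the band
    if score <= band.auto_issue_max:
        return "auto_issue", False
    if score >= band.auto_decline_min:
        return "auto_decline", False  # contest pathway must still be offered
    return "refer", True

class EventLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

def decide(application, score, model_version, band, log, ts):
    decision, review = route(score, application["sum_assured"], band)
    log.append({
        "ts": ts, "application_id": application["id"],
        "input_sha256": hashlib.sha256(json.dumps(application, sort_keys=True).encode()).hexdigest(),
        "model_version": model_version, "score": score,
        "decision": decision, "human_review_required": review,
    })
    return decision
```

Logging the input digest and model version with each decision lets a reviewer tie a contested outcome to the exact inputs and model release, and `verify()` returns False if any stored entry is altered afterwards.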

Frequently asked questions

Is property and casualty underwriting AI high-risk under the AI Act?
No. Annex III 5(b) covers life and health risk assessment and pricing only. Property and casualty sits outside the high-risk perimeter, but Solvency II governance, EIOPA principles and GDPR still apply.
Can underwriting AI auto-decline applicants?
Yes, inside a documented policy band and with Article 22 safeguards available. Outside the band, human review must be mandatory. The policy must be approved by governance, signed off by the actuarial function and reviewed periodically.
What technical documentation does Article 11 require?
Annex IV of the AI Act lists the contents: general description, intended purpose, system architecture, data and training methodology, validation and testing procedures, risk-management measures, human-oversight measures, post-market monitoring plan, and changes through the lifecycle. The documentation must be kept up to date and made available to authorities on request.
Who conducts the conformity assessment?
For Annex III high-risk systems generally, the provider conducts an internal-control conformity assessment under Annex VI. Notified-body involvement under Annex VII applies in specific cases set out in Article 43. Most underwriting AI conformity assessments are internal.
What is the deployer's role?
Articles 26 and 27 set deployer obligations: use in accordance with instructions, ensure input data is appropriate, monitor operation, log events, conduct a fundamental rights impact assessment before first use, and register the deployment in the EU database. Insurers using third-party underwriting AI are deployers.

Sources cited

  1. Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal, 2024-07-12. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
  2. AI governance principles for the insurance sector. EIOPA, 2021-06-17. https://www.eiopa.europa.eu/document/download/3a6a2afa-7c9c-4a92-9396-3f4b6fefe5f9_en
  3. Directive 2009/138/EC (Solvency II). European Union, Official Journal, 2009-11-25. https://eur-lex.europa.eu/eli/dir/2009/138/oj
  4. Case C-634/21, OQ v SCHUFA Holding AG. Court of Justice of the European Union, 2023-12-07. https://curia.europa.eu/juris/document/document.jsf?docid=280426
  5. Regulation (EU) 2016/679 (GDPR). European Union, Official Journal, 2016-04-27. https://eur-lex.europa.eu/eli/reg/2016/679/oj
About Impetora
Impetora designs, builds, and deploys custom AI systems for enterprises in regulated industries. We operate from Vilnius and Amsterdam and work in five languages.