
Insurance AI Use Cases Under the EU AI Act: What Is High-Risk and What Is Not

Industry Guide · 23 May 2026 · 13 min read · 2,594 words

Annex III 5(c): life/health insurance pricing AI is high-risk. Motor, property and fraud detection are not. Use-case map, FRIA rules. Deadline 2 Dec 2027.

Most EU AI Act guidance for insurers opens with a blanket claim that "insurance AI is high-risk." That is too broad. The Act is precise: only AI used for risk assessment and premium setting in life and health insurance is explicitly named as high-risk — in Annex III point 5(c) of Regulation (EU) 2024/1689. Motor pricing models, property underwriting tools, fraud detection systems, and chatbots serving policyholders sit in different tiers. Getting the classification right is the starting point for every compliance decision you make.

This article maps the insurance AI use-case landscape tier by tier. For the governance programme that sits behind these obligations — incident reporting, post-market monitoring, Solvency II alignment — see the companion page on EU AI Act governance for insurance.


The Use-Case Map: Four Tiers Across Insurance AI

High-Risk: Life and Health Insurance Risk Assessment (Annex III Point 5(c))

Annex III point 5(c) names "AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance." This is one of the most specific designations in Annex III. It covers:

  • Life insurance underwriting AI — systems that assess mortality risk, calculate life expectancy scores, or set life-policy premiums using machine-learning models on health, lifestyle, or behavioural inputs.
  • Health insurance underwriting AI — systems that assess applicants' health risk profiles, determine coverage eligibility, or set health policy premiums based on medical history, wearable data, or predictive health scores.
  • Critical illness and income protection underwriting AI — AI that processes health and lifestyle data to assess individual risk in disability, income-protection, or critical illness lines.

The two elements that jointly trigger point 5(c) are the insurance line (life or health, not motor or property) and the function (risk assessment or premium setting in relation to a natural person). If both are present, the system is high-risk. There is no further filter required.

One important nuance: Article 6(3) creates an exemption filter for Annex III systems that pose no significant risk of harm to health, safety, or fundamental rights. In practice, a system that merely reformats or retrieves an actuary's previously completed assessment could fall outside the high-risk tier. But any system that profiles natural persons is always high-risk regardless of the 6(3) conditions — and most life/health underwriting AI does exactly that.


Also High-Risk: Creditworthiness Checks an Insurer Runs (Annex III Point 5(b))

Some insurance groups run creditworthiness or credit-score checks before extending credit-linked insurance products, premium-financing arrangements, or combined bancassurance offerings. Those checks fall under Annex III point 5(b) — not 5(c) — and are also high-risk. The fraud-detection carve-out in 5(b) applies only to financial fraud detection, not to insurance-specific fraud screening.

If your organisation runs both creditworthiness AI and life/health underwriting AI, you have two separate Annex III obligations, each requiring its own classification record.


Not High-Risk: Motor, Property, Commercial, and Travel Insurance Pricing

AI systems used for motor insurance pricing (including telematics-based pricing), property and casualty underwriting, commercial risk pricing, or travel insurance do not fall within point 5(c). That designation is specific to life and health insurance.

Some of these systems could become high-risk through a different Annex III route — for instance, if a motor insurer's model effectively determines access to compulsory third-party liability cover for an individual in a way that resembles "access to essential services" under point 5(a). That stretch requires deliberate documentation under Article 6(3), not automatic classification. In the absence of a clear Annex III link, motor and property pricing AI is minimal-risk under current law.

The practical implication: your motor pricing team and your actuarial teams working on life/health products face very different obligations from 2 December 2027. Plan those workstreams separately.


Not High-Risk: Fraud Detection (Carved Out of Point 5(b))

The Annex III point 5(b) creditworthiness designation explicitly excludes "AI systems used for the detection of financial fraud." Insurance fraud detection AI — whether it screens claims for suspicious patterns, flags potentially fraudulent applications, or identifies organised fraud rings — falls outside the high-risk credit/insurance AI categories on this basis.

A note of precision: the carve-out addresses fraud detection as a classification matter. It does not extinguish every other obligation. If a fraud-detection system effectively determines whether a policyholder can access their claim, and that determination is never reviewed by a human, the deployer may face transparency duties under Article 50 or have obligations under Article 26. Classify first; then audit the edge cases.


Limited Risk: Chatbots and AI-Generated Customer Communications (Article 50)

Insurers and insurtech companies deploying customer-facing chatbots, virtual assistants, or AI-generated claim acknowledgement letters have Article 50 transparency obligations — which apply from 2 August 2026.

Under Article 50(1), persons interacting with an AI system in real time must be informed they are doing so, unless the context makes it obvious. Under Article 50(2), AI-generated synthetic content (including letters or notifications that are not obviously machine-produced) must be labelled. These are disclosure duties, not the full high-risk stack. The maximum penalty for breach sits in the €15 million or 3% tier under Article 99(4).


Minimal Risk: Everything Else

Internal AI tools that improve underwriter productivity without directly driving a coverage or pricing decision — document-summarisation models, internal search tools, actuarial model-building assistants — carry no mandatory obligations under the Act. Voluntary codes and good data practices apply.


Deployer Obligations for Life and Health Insurance Undertakings

Insurance undertakings deploying a high-risk underwriting AI system are deployers under Article 26 unless they have substantially modified the system or put it into service under their own name, in which case Article 25 converts them to a provider. Most insurers buying third-party underwriting models are deployers.

Article 26 — Deployer obligations include: using the system only in accordance with the provider's instructions; assigning human oversight responsibilities to qualified underwriters; retaining logs of the system's operation for at least six months; and monitoring in-use performance. Workers and their representatives must be informed before workplace deployment.

Article 27 — Fundamental Rights Impact Assessment (FRIA). Life and health insurance deployers are explicitly in scope under Article 27 by virtue of operating under Annex III point 5(c). The FRIA covers seven elements set out in Article 27(1)(a)–(g) and must be completed before deployment. It must address the risk of discriminatory pricing or coverage denial for protected groups, the use of health data under GDPR Article 9, and the right to an effective remedy for affected policyholders. The FRIA must be notified to the national market surveillance authority.

Article 14 — Human oversight. The underwriting AI must be designed and used so that qualified underwriters can monitor, intervene, and override AI outputs in real time. Fully automated underwriting decisions — with no human review capability for consequential cases — do not meet Article 14's requirements.


GDPR Article 9 and the Gender Directive

Two cross-cutting legal constraints run alongside the EU AI Act for insurers.

GDPR Article 9 — Special-category health data. Life and health insurance underwriting AI typically trains on and processes health records, medical questionnaire responses, wearable device outputs, and lifestyle data — all special-category data under GDPR Article 9. Processing requires a specific legal basis: the most plausible for commercial insurance are Article 9(2)(b) (processing necessary under national law, where national insurance regulation mandates risk classification) or, in narrow circumstances, Article 9(2)(j) (scientific research with appropriate safeguards). Each basis must be documented in the EU AI Act Article 10 data governance section of the Annex IV technical documentation pack. Where the legal basis is contested, seek a formal DPO opinion before placing the system on the market.

EU Gender Directive (2004/113/EC) and proxy discrimination. The Court of Justice of the EU's Test-Achats judgment (2011) prohibited gender-based pricing in insurance across the EU. A life or health underwriting AI that does not use gender as a direct variable can nonetheless produce systematically different pricing for men and women if it relies on correlated proxies — occupation codes, postcode clusters, lifestyle-activity scores. Under both the Gender Directive and the EU AI Act's Article 10 data governance requirements, providers must test training data and model outputs for proxy discrimination and document that testing in the technical file. Subgroup accuracy testing across sex, age, disability status, and national origin is not optional.

Solvency II model governance. Insurance undertakings regulated under Solvency II already manage model risk through the Own Risk and Solvency Assessment (ORSA) framework. Article 9 of the EU AI Act (the risk management system for high-risk AI) and Solvency II's model governance requirements can be aligned into a single framework. The same risk-identification, risk-evaluation, and residual-risk documentation can serve both regulators — provided both regulatory mappings are explicit in the documented output.


Provider Obligations for Insurtech Vendors

If you develop and place a life or health underwriting AI system on the market — whether as a standalone SaaS product or as an integrated component within a broader underwriting suite — you are a provider under Article 16. The provider stack includes:

  • Article 9 — a continuous risk management system identifying discriminatory pricing risk, accuracy failures by demographic group, and health-data misuse as the foreseeable risks to document.
  • Article 10 — data governance covering training-data composition, GDPR Article 9 legal basis for health data, representativeness analysis, and bias testing across protected demographic groups.
  • Article 11 / Annex IV — technical documentation in nine areas, completed before market placement.
  • Article 13 — transparency information to deploying insurers, specifying the validated population, accuracy by subgroup, variables used, and variables excluded (particularly proxies for protected characteristics).
  • Article 14 — design human oversight mechanisms into the system so deployers can implement meaningful underwriter review.
  • Article 15 — accuracy testing across demographic subgroups is mandatory, not a best practice. An underwriting AI with good aggregate accuracy but systematic overpricing for a specific demographic group fails Article 15.
  • Article 43 — conformity assessment by internal self-assessment (Annex VI procedure). Annex III point 5(c) does not require a notified body; that route applies to point 1 (biometrics). Complete the self-assessment before placing the system on the market.
  • Article 47 / Annex V — draw up the EU Declaration of Conformity and keep it for ten years.
  • Article 49 — register the system in the EU AI Act database under Article 71 before placing it on the market.
  • Article 73 — report serious incidents (AI malfunctions that produce systematic discriminatory risk determinations at scale) to the national market surveillance authority within the relevant time windows set out in Article 73(2)–(4).
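The proxy-discrimination testing described under the Gender Directive above and the subgroup accuracy test required by Article 15 in the list just given, as an added example that is not Confir's code and not text from the Act. It assumes a constructed batch of scored applications (embedded below) and a hypothetical underwriting model whose only inputs were an occupation code and a postcode cluster. The first check compares the premium-to-expected-cost loading per protected subgroup against the portfolio-wide loading, so an acceptable aggregate figure cannot hide a gap between groups; the second scores each model input against the protected attribute with normalised mutual information to surface inputs that function as proxies for it.

```python
"""Subgroup calibration and proxy-variable checks on an underwriting model's output.

Added illustration; not Confir's code and not text of the Act. It assumes a
constructed batch of scored applications (below) and a hypothetical model
whose only inputs were occupation_code and postcode_cluster.
"""
from collections import Counter
from math import log, sqrt
from statistics import mean

# Constructed sample (not real policy data): sex, occupation_code,
# postcode_cluster, actuarial expected claim cost, premium quoted by the model.
# Premiums sit 2% under expected cost for "M" and 12% over for "F", so the
# portfolio-wide loading of 5% looks like an ordinary margin.
SCORED = [
    ("M", "OCC-12", "PC-A", 800.0, 784.0),
    ("M", "OCC-12", "PC-A", 1200.0, 1176.0),
    ("M", "OCC-12", "PC-B", 950.0, 931.0),
    ("M", "OCC-12", "PC-B", 600.0, 588.0),
    ("F", "OCC-47", "PC-A", 800.0, 896.0),
    ("F", "OCC-47", "PC-A", 1200.0, 1344.0),
    ("F", "OCC-47", "PC-B", 950.0, 1064.0),
    ("F", "OCC-47", "PC-B", 600.0, 672.0),
]
PROTECTED, OCCUPATION, POSTCODE, EXPECTED, PREMIUM = range(5)
FEATURES = {"occupation_code": OCCUPATION, "postcode_cluster": POSTCODE}


def calibration_by_group(records, group_idx=PROTECTED):
    """Mean premium / expected-cost ratio per subgroup; 1.0 is a neutral loading."""
    ratios = {}
    for rec in records:
        ratios.setdefault(rec[group_idx], []).append(rec[PREMIUM] / rec[EXPECTED])
    return {group: mean(vals) for group, vals in ratios.items()}


def flag_pricing_disparity(records, tolerance=0.05):
    """Groups whose loading deviates from the portfolio-wide loading by more than
    `tolerance`, with the signed deviation (positive = systematically overpriced)."""
    overall = mean(rec[PREMIUM] / rec[EXPECTED] for rec in records)
    return {g: r - overall
            for g, r in calibration_by_group(records).items()
            if abs(r - overall) > tolerance}


def _entropy(counts, n):
    return -sum(c / n * log(c / n) for c in counts.values())


def normalised_mutual_information(xs, ys):
    """NMI in [0, 1] between two categorical sequences: 0 = independent,
    1 = one fully determines the other (a perfect proxy)."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    mi = sum(c / n * log((c / n) / ((px[x] / n) * (py[y] / n)))
             for (x, y), c in pxy.items())
    denom = sqrt(_entropy(px, n) * _entropy(py, n))
    return mi / denom if denom else 0.0


def proxy_report(records, threshold=0.3):
    """NMI of each model input against the protected attribute, plus the inputs
    above `threshold` that should be examined as possible proxies for it."""
    protected = [rec[PROTECTED] for rec in records]
    scores = {name: normalised_mutual_information([rec[idx] for rec in records], protected)
              for name, idx in FEATURES.items()}
    return scores, sorted(name for name, s in scores.items() if s > threshold)


if __name__ == "__main__":
    print("loading by group:", calibration_by_group(SCORED))
    print("flagged groups:", flag_pricing_disparity(SCORED))
    scores, suspects = proxy_report(SCORED)
    print("proxy NMI:", scores, "-> examine:", suspects)
```

On the constructed batch the occupation code scores 1.0 against sex (it separates the two groups completely) while the postcode cluster scores 0.0, and the "F" group is flagged as loaded 7 points above the portfolio while "M" is 7 points below. The NMI check only handles categorical inputs; continuous inputs such as a lifestyle-activity score need binning first. The tolerance and threshold values are assumptions for the example, and in a real run both outputs, and the values chosen, belong in the Article 10 data governance section of the Annex IV technical file.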

Penalty Exposure

Breach of high-risk obligations by a provider or deployer sits in the Article 99(4) tier: €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage and the fixed amount — a meaningful protection for smaller insurtech firms. Supplying incorrect information to a national market surveillance authority is a separate, lower tier: €7.5 million or 1% under Article 99(5).

The deadline for Annex III stand-alone systems is 2 December 2027, deferred from the original 2 August 2026 date under the Digital Omnibus agreement reached in May 2026. Building the technical file and running the conformity assessment for a health underwriting AI system takes months. Starting in mid-2026 is not early.


How Confir Helps Insurance Companies Classify and Document

Confir's classification and documentation workflow is deterministic and rule-based — the same intake produces the same finding, with the rule that fired recorded in plain text. For insurance AI, the workflow covers:

Classification (AIRC module). Confir guides providers and deployers through the Annex III point 5(b)/5(c) analysis: is this life or health insurance? Does it perform risk assessment or premium setting on natural persons? It also runs the Article 6(3) exemption filter and records whether the system profiles natural persons. The output is a documented classification with its regulatory basis.

FRIA for life/health insurance deployers (AITO module). Confir's Article 27 FRIA workflow covers all seven elements of Article 27(1)(a)–(g) with insurance-specific prompts — discriminatory pricing risk, GDPR Article 9 health-data legal basis, and right-to-remedy for affected policyholders.

Conformity package. Confir generates the full Annex IV §1–9 technical documentation, the Annex V Declaration of Conformity, and a Datasheet PDF export ready for deployer sharing or market surveillance authority submission.


Frequently Asked Questions

Is all insurance pricing AI high-risk under the EU AI Act?

No. Only AI used for risk assessment and premium setting in life and health insurance is high-risk under Annex III point 5(c). Motor, property, commercial, and travel insurance pricing AI does not fall under this designation. Creditworthiness AI an insurer runs sits in the separate Annex III point 5(b). Fraud detection is carved out of point 5(b) and is not high-risk on that basis.

When do the high-risk obligations for insurance AI apply?

Under the Digital Omnibus political agreement of May 2026, Annex III stand-alone systems (including life/health insurance AI under point 5(c)) must comply from 2 December 2027, deferred from the original 2 August 2026 date. Article 50 transparency obligations for chatbots and AI-generated communications apply from 2 August 2026. Article 5 prohibitions have been in force since 2 February 2025.

Which insurers must complete a Fundamental Rights Impact Assessment?

Deployers of high-risk AI systems in Annex III point 5(c) — life and health insurance risk assessment and pricing — are in scope for the Article 27 FRIA. This applies because the FRIA obligation covers deployers of systems in Annex III point 5(b) (creditworthiness) and 5(c) (life/health insurance) specifically. The FRIA must be completed before deployment and notified to the national market surveillance authority.

Does the fraud detection carve-out apply to all insurance fraud detection AI?

The carve-out in Annex III point 5(b) exempts "AI systems used for the detection of financial fraud" from the creditworthiness high-risk designation. This covers insurance fraud detection in the context of that provision. However, if a fraud-screening system functions as a claims-eligibility gate with no human review, the deployer should separately assess Article 26 and Article 50 obligations. The carve-out addresses risk classification, not every other compliance question.

What is the penalty for non-compliance with high-risk insurance AI obligations?

Breach of high-risk obligations sits in the Article 99(4) tier: €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) limits the fine to the lower of the two figures. Supplying incorrect information to an authority is a separate tier at €7.5 million or 1% under Article 99(5).

How does GDPR Article 9 interact with life insurance AI training data?

Life and health insurance underwriting AI typically processes health records and lifestyle data, which is special-category data under GDPR Article 9. Processing in AI model training requires a specific legal basis — most commonly Article 9(2)(b) (necessity under national law) or Article 9(2)(j) (scientific research with safeguards). The chosen legal basis must be documented in the EU AI Act Article 10 data governance section of the Annex IV technical file. Where the legal basis is uncertain, a formal DPO opinion before placing the system on the market is the conservative course.

