Scaling AI in insurance: striking the right regulatory balance

Artificial Intelligence (AI) is rapidly changing the way insurers operate, offering opportunities to enhance efficiency, improve risk modelling, and deliver more tailored services to consumers. AI already plays a growing role across the insurance value chain-from pricing and underwriting to claims handling and customer interaction-and this trend is set to accelerate. According to EIOPA's 2024 Digitalisation Report[1], 50% of non-life insurers and nearly a quarter of life insurers already use AI, with many more planning to adopt it within the next three years.

The main drivers of AI adoption include increasing availability of real-time and behavioural data, customer expectations for digital services, and the potential to cut costs and enhance operational precision. At the same time, AI is seen as a strategic tool to improve fraud detection and support financial inclusion through better-targeted offerings.

Yet, scaling AI across the sector is far from straightforward. Many insurers face structural limitations-legacy IT systems, fragmented data sources, and a lack of AI-specific skills. There are also risks linked to model explainability, potential discrimination and bias, cybersecurity vulnerabilities, and concentration risk in the AI supply chain. These challenges are particularly relevant for high-impact use cases where decisions may affect customer access to products or claims outcomes.

To provide a consistent legal foundation for the development and use of AI across sectors, the EU has introduced the AI Act, a landmark regulation that classifies AI systems based on their risk. In the insurance context, AI systems used for pricing and risk assessment in life and health insurance are designated as "high-risk" and will be subject to specific requirements.

While the AI Act offers greater legal clarity, it also adds a new compliance layer for firms already navigating complex sectoral rules under Solvency II, IDD, and DORA. Coordinating the application of these frameworks is essential to avoid excessive burden, or uncertainty-particularly for smaller players or early-stage innovations. Taken together, the AI Act and existing financial and digital regulations do provide a solid foundation to support the responsible development of AI in insurance. The sector benefits from established principles on governance, risk management, and consumer protection, while the AI Act introduces a risk-based framework that offers clarity for high-risk use cases.

To support sound implementation, EIOPA recently published a supervisory Opinion on AI governance and risk management.[2] The Opinion clarifies supervisory expectations on how existing sectoral legislation should be interpreted considering AI, especially for use cases that are not covered by the AI Act's high-risk classification. It promotes a risk-based and proportionate approach, encouraging undertakings to adapt governance measures-such as human oversight, data quality controls, and documentation-based on the specific characteristics and risks of each AI application.

At the same time, building supervisory capacity is essential. AI challenges traditional supervisory methods, requiring new expertise to assess model design, data pipelines, explainability techniques, and emerging risks. EIOPA is working to foster supervisory convergence by promoting common interpretations and expectations across Member States. This is vital to ensure a level playing field and to provide consistent signals to the market.

A particularly dynamic area is Generative AI (GenAI), which introduces distinct challenges and opportunities. These systems, capable of generating text, images, or code, open new frontiers-from internal process automation to customer communication-but also raise concerns about hallucinations, misuse, and explainability. To better understand emerging practices, EIOPA is currently conducting a survey on GenAI adoption, governance, and use cases in the insurance sector. Preliminary results suggest rapid uptake, especially in back-office functions such as document summarisation, internal tooling, and code assistance.

GenAI use is likely to expand, and building supervisory knowledge now will help ensure firms adopt appropriate safeguards from the start. EIOPA's ongoing work aims to foster a constructive dialogue between supervisors and industry, combining innovation with strong consumer protection and prudential safeguards.

Ultimately, the successful scaling of AI in insurance depends not only on regulatory design but also on supervisory clarity, capacity, and trust. A coherent and proportionate framework-anchored in sound supervision and cross-sectoral coordination-can give firms the confidence to invest, innovate, and deploy AI responsibly across the value chain.

Thanks to Malte Heissel for his contribution to this article.

[1]EIOPA's Report on the digitalisation of the European insurance sector

[2]Consultation paper and impact assessment on EIOPA's Opinion on AI governance and risk management