EU AI Act for German Insurers: High-Risk AI Compliance Guide
Which insurance AI is high-risk under the EU AI Act?
The EU AI Act classifies insurance AI as high-risk — specifically automated underwriting, premium calculation, and claims decisions for natural persons. German insurers must classify their AI systems and implement a quality management system before August 2026.
- Automated underwriting for natural persons is explicitly high-risk under Annex III EU AI Act.
- AI that denies claims or determines payout amounts carries full high-risk obligations.
- Prohibited: social scoring, biometric categorisation based on vulnerability, exploitation of weaknesses.
- August 2026 deadline: all high-risk AI systems must be registered and compliant.
The EU AI Act regulates insurance AI directly and comprehensively. Automated underwriting, AI-driven premium calculation, and systems that evaluate or deny claims are classified as high-risk under Annex III, point 5(b) of Regulation (EU) 2024/1689. German insurers and insurtechs must reach full high-risk compliance by August 2026 — including a quality management system, bias testing, technical documentation, and human oversight.
For a full overview of the EU AI Act framework, see our EU AI Act guide. BaFin coordinates enforcement for the German insurance sector.
Does the EU AI Act Apply to Insurance Companies?
Yes. The EU AI Act applies directly across all EU member states — no national implementing legislation required. For German insurers, this means: any organisation using AI that influences policy decisions, premiums, or claims for natural persons is subject to the high-risk obligations of the Regulation.
The Regulation covers insurance companies in two roles:
- Provider: Any organisation that develops or places a high-risk AI system on the market carries the full obligations under Articles 9–17 EU AI Act.
- Deployer: Any organisation using a third-party high-risk AI system in an insurance context carries deployer obligations — particularly human oversight, logging, and user information requirements.
The Regulation applies equally to established insurers, insurtechs, and embedded-insurance providers.
Which AI Systems Are High-Risk in Insurance?
Annex III, point 5(b) EU AI Act classifies AI systems as high-risk when used for risk assessment and pricing for natural persons, claims evaluation, or verification of insurance entitlements. Classification is purpose- and context-dependent.
High-risk AI in insurance:
- Automated underwriting for natural persons (risk scoring, coverage decisions)
- AI-driven premium calculation (dynamic pricing, telematics-based tariffs)
- Eligibility determination systems (decisions on insurability)
- AI that denies claims or determines payout amounts
- Fraud detection with final decision authority over claims
Lower-risk AI in insurance:
- Chatbots and virtual assistants for general customer service (transparency obligation under Art. 50 EU AI Act still applies)
- Internal solvency models for Solvency II reporting without individual coverage decisions
- Fraud-flagging systems that route cases for human review
- Process automation without decision authority over claims
Our AI insurance underwriting compliance guide maps these obligations in detail. For document-heavy claims workflows, see our AI document analysis compliance resource.
Prohibited AI Practices for Insurers
Beyond high-risk classification, Article 5 of the EU AI Act establishes AI practices that are prohibited outright and have applied since February 2025. For insurers:
- Social scoring: AI systems that evaluate natural persons based on social behaviour or personal characteristics and derive adverse treatment are prohibited.
- Biometric categorisation: AI that categorises individuals based on biometric data by sensitive attributes (political opinion, ethnic origin, religion) is prohibited.
- Exploitation of vulnerabilities: AI that systematically exploits the weaknesses of specific groups — such as financial hardship, age, or disability — to manipulate behaviour to their detriment is prohibited.
Violations of Article 5 prohibitions fall into the most severe sanction category: fines of up to EUR 35 million or 7% of global annual turnover.
Obligations for High-Risk Insurance AI
Insurers using or developing high-risk AI systems must meet the following requirements:
- Quality management system (Art. 9): Risk identification, evaluation procedures, corrective actions, and lifecycle monitoring for each high-risk system.
- Data quality and bias testing (Art. 10): Training data must be representative, accurate, and tested for discrimination potential — especially relevant for underwriting models using demographic data.
- Technical documentation (Art. 11): Complete description of system properties, performance metrics, training procedures, and limitations.
- Transparency to deployers (Art. 13): Deployers must receive sufficient information to use the system appropriately.
- Human oversight (Art. 14): Adequate capabilities for human intervention, particularly for consequential decisions on claims or insurability.
- Conformity assessment and registration (Art. 43, 71): Before deployment, a conformity assessment must be completed and the system registered in the EU AI database.
The intersection with GDPR matters: underwriting AI processing personal data must comply with both the AI Act and GDPR. Highly automated individual decisions are additionally subject to Article 22 GDPR.
EU AI Act Compliance Checklist for Insurers
- Create an AI system inventory — map all AI touching customer decisions on policies, premiums, or claims, including third-party systems
- Document risk classification — clearly distinguish high-risk from lower-risk systems under Annex III
- Rule out prohibited practices — confirm no deployed system falls under Article 5 prohibitions
- Implement a quality management system — per Article 9 EU AI Act for all high-risk systems
- Test data quality and bias — evaluate training data for representativeness and discrimination potential
- Create technical documentation — per Article 11 EU AI Act for all high-risk systems
- Establish human oversight — document and test intervention capabilities for automated decisions
- Clarify GDPR overlap — especially for underwriting AI with personal data and Article 22 GDPR implications
- Plan BaFin integration — align AI Act obligations with VAG, MaGo, and Solvency II requirements
- Complete conformity assessment and register — enter high-risk systems in the EU AI database by August 2026
Timeline for German Insurers
| Date | Requirement |
|---|---|
| February 2025 | Prohibited AI practices (Art. 5) in force |
| August 2025 | GPAI model obligations (Chapter V) in force |
| August 2026 | Full high-risk requirements for new systems |
| August 2026 | Existing high-risk systems must be compliant |
Systems deployed after August 2026 must be compliant from day one. A structured overview of all deadlines is in our EU AI Act compliance guide.
How Compound Law Helps
- AI system inventory and classification under EU AI Act and Annex III
- Underwriting compliance frameworks aligned with AI Act and BaFin requirements
- Claims AI policy review and decision architecture
- Insurtech-specific AI Act advice including GDPR overlap
- Technical documentation, bias testing, and quality management systems
- BaFin integration strategy and registration support
Frequently Asked Questions
Is insurance AI high-risk under the EU AI Act? Yes. The EU AI Act explicitly classifies AI used in underwriting, premium calculation, risk scoring, and claims decisions for natural persons as high-risk under Annex III, point 5(b). This applies to insurtechs and traditional insurers alike.
Which insurance AI use cases are high-risk? High-risk: automated underwriting, dynamic pricing, risk scoring, eligibility determination, and AI that denies claims or sets payout amounts. Lower-risk: fraud flagging for human review, internal solvency models, and process automation without decision authority.
When must German insurers comply with the EU AI Act? Prohibitions on banned AI practices have applied since February 2025. Full high-risk requirements apply from August 2026, both for new systems and for existing systems, which must be brought into compliance by then.
What obligations apply to high-risk insurance AI? Quality management system (Art. 9), data quality and bias controls (Art. 10), technical documentation (Art. 11), transparency (Art. 13), human oversight (Art. 14), and EU AI database registration (Art. 71).
Does the EU AI Act apply to insurtechs? Yes. Insurtechs face the same high-risk obligations as traditional insurers — regardless of size or licence type.
What are prohibited AI practices for insurers? Prohibited since February 2025: social scoring, biometric categorisation by sensitive characteristics, and exploitation of group vulnerabilities. Fines up to EUR 35 million or 7% of global turnover.