EIOPA AI governance guidelines
The European Insurance and Occupational Pensions Authority (EIOPA) first addressed AI governance through a June 2021 report from its Consultative Expert Group on Digital Ethics, which set out six AI governance principles. EIOPA subsequently published a formal Opinion on AI Governance and Risk Management (EIOPA-BoS-25-360) on 6 August 2025, addressed to national supervisors. The Opinion follows a risk-based and proportionate approach and does not introduce new legal requirements; it provides guidance on how existing insurance-sector legislation (Solvency II, IDD) applies to AI systems.
The EIOPA guidelines cover six key areas: data and data governance (quality, representativeness, bias assessment in training data); model transparency (explainability of AI decisions to policyholders and supervisors); AI governance and risk management (board accountability, AI risk as a category of operational risk); human oversight (genuine oversight of AI decisions, particularly for consequential underwriting and claims decisions); non-discrimination (monitoring for proxy discrimination and demographic bias); and audit (independent review of AI systems).
National supervisors across EU member states are expected to apply the EIOPA guidelines as supervisory expectations, meaning insurers should treat them as regulatory requirements in practice, even though they are formally supervisory guidance rather than binding law.
Solvency II and AI model risk
Solvency II's system of governance requirements, including the ORSA, create obligations for insurers to identify and manage all material risks including those arising from their business models. AI model risk (the risk that AI models produce incorrect outputs, are used outside their validated scope, or fail in ways that affect the insurer's financial position or conduct) is now explicitly expected to be within scope of Solvency II risk governance.
Practically, this means: AI models used in pricing, underwriting, and reserving should be captured in the insurer's model inventory; material AI model failures should be reported in the ORSA; and the risk function should have visibility of AI model risk alongside traditional actuarial model risk. For life insurers using AI in mortality, morbidity, or persistency modelling, the intersection with actuarial professional obligations is particularly significant.
EU AI Act: insurance as high-risk AI
The EU AI Act's Annex III lists AI systems used in life and health insurance underwriting and pricing, specifically AI that evaluates the credit standing of natural persons or establishes their credit score (which includes insurance risk scoring) and AI used to evaluate persons for access to essential services, as high-risk AI. This classification triggers the full suite of EU AI Act high-risk AI obligations from August 2027: conformity assessment, technical documentation, data governance requirements, human oversight design, accuracy and robustness requirements, and registration in the EU AI database.
For EU insurers with AI-driven underwriting, this is a significant compliance requirement. The technical documentation alone requires detailed explanation of the AI system's design, the training data used, testing conducted, limitations, and ongoing monitoring procedures. Conformity assessment may require involvement of a notified body depending on the system's risk classification.
Proxy discrimination: EIOPA's priority concern
EIOPA has specifically flagged proxy discrimination as a priority supervisory concern in insurance AI. Proxy discrimination occurs when an AI model uses variables that are technically neutral (postcode, occupation, education level, social media activity) but which are highly correlated with protected characteristics such as race, ethnicity, religion, or disability status, producing discriminatory outcomes without directly using protected characteristics as inputs.
Insurance has particular exposure to proxy discrimination because many traditional underwriting variables correlate with demographic characteristics. AI models, which can identify correlations in data that humans might not notice, can amplify these effects. EIOPA expects insurers to conduct bias audits that go beyond testing for direct discrimination to assess proxy discrimination: what indirect effects do model variables have on demographic groups?