RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJune 22, 2026

EU AI Act for Insurance 2026: Life & Health Risk Pricing Is High-Risk

Insurance is the sector most people forget is named in the EU AI Act — but it is. Annex III calls out AI used for risk assessment and pricing of life and health insurance as high-risk by name. That puts insurers and the insurtechs powering them in the same heavy compliance tier as credit scoring, with one important nuance: not every line of insurance is covered.

High-Risk
Life & health risk-assessment and pricing AI (Annex III)
Aug 2026
Enforcement deadline for high-risk insurance AI
€15M
Max fine for high-risk violations (or 3% global turnover)

The Line Annex III Actually Draws

The EU AI Act's high-risk list is specific about insurance. It covers AI systems "intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance." Read that carefully: the trigger is the combination of life or healthcover and risk assessment or pricing of a natural person. That's where the heavy obligations attach.

What it does not automatically sweep in: motor, property, travel, or commercial-lines underwriting AI, and back-office models that don't price or assess individual risk. Those aren't named in that high-risk category. They can still be touched by transparency rules, GDPR, or insurance-specific supervision — but they don't carry the full high-risk regime by default.

How Insurance AI Sorts Out

High-Risk Insurance AI
  • Life insurance underwriting and risk scoring
  • Health insurance risk assessment of individuals
  • AI pricing of life/health cover for natural persons
  • Medical-data-driven premium models
  • Wearable/behavioral data risk scoring (life/health)
  • Automated decline/loading decisions on life/health
Usually Not in the High-Risk Category
  • Motor, property, travel underwriting AI
  • Commercial-lines pricing models
  • Fraud detection (narrower profile)
  • Claims triage that doesn't price/assess risk
  • Customer-support chatbots (transparency only)
  • Internal forecasting and capital modeling

The judgment calls live in the gray zone. A "claims triage" model that effectively decides who gets paid, or a wellness-data model that quietly feeds into life/health pricing, can pull the high-risk classification toward it. The safe approach is to classify by the model's real-worldeffect on an individual's access to or price of life/health cover, not by the team that owns it.

The Core Obligations for High-Risk Insurance AI

Articles 9–15 set the high-risk requirements. Here's how each lands on a life/health pricing model:

1

Risk Management System

An ongoing, documented process across the model lifecycle — including the risk of discriminatory pricing against protected groups, a long-standing flashpoint in insurance regulation.

2

Data Governance and Bias Testing

Training data must be relevant and representative, with documented testing for proxy discrimination — where postal code, occupation, or behavioral signals stand in for health status or protected characteristics — and evidence of measured disparate outcomes.

3

Technical Documentation

An Annex IV technical file covering architecture, data, features, validation, and performance. For insurers this overlaps heavily with the model-governance documentation supervisors already expect under Solvency II and actuarial standards.

4

Transparency and Explainability

Deployers must be able to interpret outputs and apply them appropriately, supporting meaningful explanations to policyholders for adverse underwriting decisions.

5

Human Oversight

A human must be able to understand, override, or decline the AI's output. Fully automated life/health declines with no human-review path are exactly what this provision targets.

6

Accuracy, Robustness, and Logging

Consistent performance and automatic event logging. Retained decision logs are also what you'll need to defend against discrimination complaints and answer data-subject requests on sensitive health data.

The Compliance Checklist for Insurance

For Insurtech AI Providers (You Build the Model)

  • Identify which models price/assess life/health risk
  • Build Annex IV technical documentation
  • Run and document disparate-impact bias audits
  • Complete a conformity assessment before EU launch
  • Register the system in the EU high-risk database
  • Appoint an EU authorized representative if non-EU
  • Give insurer customers deployer instructions
  • Separate fraud and pricing models in your docs

For Insurers Using Third-Party AI (Deployers)

  • Verify the vendor's AI Act conformity status
  • Request technical and bias-audit documentation
  • Implement human oversight on automated declines
  • Provide adverse-decision explanations to applicants
  • Run a DPIA covering health/special-category data
  • Disclose AI use in underwriting to applicants
  • Maintain decision logs for audit and complaints
  • Designate an AI compliance owner

It Layers on Top of Rules You Already Follow

Insurance is already heavily supervised, and the AI Act doesn't displace GDPR, Solvency II model governance, or local conduct rules — it stacks on them. The upside is reuse: special-category health data already demands a strong GDPR lawful basis and a DPIA, and actuarial governance already requires model validation and documentation. Much of the Annex IV file can be built from materials you already maintain.

The inefficient path is treating AI Act, GDPR, and prudential compliance as three programs. The efficient path is one model-governance system that satisfies all three for your life/health pricing AI at once.

What Non-Compliance Costs

High-risk violations reach €15M or 3% of global annual turnover. For insurers, though, the reputational and supervisory fallout from a documented discriminatory-pricing finding usually outweighs the fine — it can trigger overlapping action from data-protection and insurance regulators, and an order to pull a pricing model off the EU market is a direct revenue hit. Life and health pricing AI is precisely the high-impact, individual-affecting use case regulators have signaled they'll examine first.

Frequently Asked Questions

We only write motor and home insurance. Are we high-risk under the AI Act?

Not under the named insurance category. Annex III calls out life and health insurance risk assessment and pricing specifically. Motor and property underwriting AI isn't in that high-risk category — though transparency rules, GDPR, and the manipulation prohibition can still apply, and you should document why a given model sits outside the high-risk tier.

Our health insurer uses a third-party underwriting engine. Whose obligation is it?

Both parties have roles. The vendor that builds and places the high-risk system on the market is the provider and carries the conformity, documentation, and registration duties. As the insurer deploying it, you're the deployer: human oversight, applicant disclosures, a DPIA, decision logging, and verifying the vendor's conformity status are on you.

Does using wearable or behavioral data change our classification?

It doesn't change the category — life/health risk assessment and pricing is high-risk regardless of data source — but it raises the stakes on data governance and bias testing. Behavioral and wearable signals are exactly where proxy discrimination claims arise, so document representativeness and disparate-impact testing thoroughly.

Is our claims-fraud model high-risk?

Fraud detection has a narrower profile than risk pricing and isn't the named high-risk insurance use case. But if the same model's output also influences who gets paid or what they're charged, the high-risk classification can attach to that downstream use. Keep fraud and pricing models — and their documentation — cleanly separated.

Know Which Models Are Named

The whole insurance compliance question turns on one distinction: is the model assessing or pricing life/health risk for an individual? If yes, it's high-risk and the August 2026 clock is running. If no, you have a lighter — but not empty — set of duties.

Inventory your models, classify by real-world effect, run the bias audits, and build the Annex IV documentation on top of the actuarial and GDPR records you already keep. Life and health pricing AI is first in line for regulator scrutiny.