EU AI Act for Insurance: Why Life and Health Pricing AI Is High-Risk by Name
Key takeaways
- Annex III, point 5(c) explicitly names AI used for risk assessment and pricing in life and health insurance. Unlike most industries, insurers don't have to argue about whether they're in scope — the regulation says so directly.
- The high-risk listing is narrower than the whole industry: it covers life and health lines. Property and casualty pricing, motor telematics, and internal actuarial modeling that doesn't make individual-level decisions generally fall outside it.
- Solvency II model governance and GDPR DPIAs give insurers a head start on risk management and data governance, but the AI Act adds bias documentation, conformity assessment, EU database registration, and logging that existing frameworks don't cover.
Almost every industry has the same conversation about the EU AI Act: is what we do actually high-risk, or are we reading too much into Annex III? The categories are written broadly, the examples are illustrative, and reasonable people end up disagreeing about scope.
Insurance doesn't get to have that conversation. The regulation names it. Annex III, point 5(c) lists AI systems "intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance." That's not an interpretation a consultant sold you. It's in the text. If that's your product, you're high-risk, and the only real question is what to do about it.
High-risk by name, not interpretation
Being named directly changes the posture. For most companies, the first compliance task is a genuine classification exercise: work through the Annex III categories, document your reasoning, and decide whether you land in high-risk or limited-risk. There's judgment involved, and a defensible "we concluded we're not high-risk because X" is a legitimate outcome.
For life and health insurance pricing, that path is closed. A supervisor doesn't need to build a case that your underwriting model is in scope, because the legislature already did. That removes a line of argument and means the realistic plan is compliance, not classification debates. The flip side: it also removes ambiguity, which makes planning easier. You know exactly where you stand on day one.
Which insurance AI is high-risk
The named category is risk assessment and pricing for life and health insurance in relation to individuals. In practice that pulls in:
- Life and health risk scoring. Any model that evaluates an individual applicant's risk profile to inform a life or health policy decision.
- Premium pricing for life and health. Systems that set or materially influence what an individual pays, including newer approaches like health scoring from wearables or telematics-style data.
- Underwriting eligibility. AI that decides or heavily influences whether someone is offered life or health cover at all, including automated decline logic.
There's also a second, separate trigger that catches insurers sideways. Annex III, point 5(b) covers AI used to evaluate creditworthiness or establish credit scores. If you assess creditworthiness for premium financing or instalment payment plans, that's its own high-risk hook, independent of the life and health listing.
What falls outside
The important nuance is that the listing covers specific lines, not the entire industry. Reading it as "all insurance AI is high-risk" is as much a mistake as missing the listing altogether. Generally outside the named category:
- Property and casualty pricing. Point 5(c) names life and health. P&C lines aren't in that specific listing.
- Motor insurance telematics used purely for vehicle and driving-based pricing, as long as it isn't tied to health assessment.
- Internal actuarial and reserving models that inform portfolio-level decisions without making or driving individual-level outcomes.
- Claims fraud analytics that flag cases for human review, rather than automatically restricting an individual's access to a service.
What Solvency II already covers
Insurers are not starting from zero, and it's worth being honest about that rather than pretending the AI Act is an entirely new universe. If you operate under Solvency II, you already have model governance, validation, and documentation muscle. If you run GDPR DPIAs, you already have a data-protection and risk-assessment discipline. Both carry over to parts of the AI Act's risk management (Article 9) and data governance (Article 10).
What they don't cover is the AI-specific layer the Act adds on top:
- Bias and discrimination documentation across protected groups, with evidence, not assertions
- Conformity assessment before the system goes to market
- Registration in the EU database of high-risk systems
- Automatic event logging designed for traceability (Article 12)
- Instructions for use written for the deployer, not the model team
EIOPA has signalled that AI Act supervision will sit alongside existing insurance supervision rather than replace it, so the realistic expectation is additive obligations, not a swap. Map what your Solvency II work already satisfies, then scope the genuinely new pieces. Our overlap mapping walks through which existing controls count.
What insurers should do now
The high-risk obligations land on December 2, 2027, which feels far away and isn't, given the documentation involved. A sensible sequence:
- Inventory every AI and advanced model touching life or health pricing, underwriting, or eligibility, plus any creditworthiness scoring for premium financing.
- Separate the genuinely high-risk systems from the P&C and internal models that fall outside, so you're not over-scoping.
- Map your Solvency II and GDPR documentation against Articles 9 and 10 to see what you can reuse.
- Stand up the AI-specific pieces early: bias testing, logging, and the technical documentation that a conformity assessment will demand.
We built a deeper industry page for this if you want the obligation list and scope breakdown in one place: EU AI Act for insurance. The honest summary is that insurers are better prepared than most industries for this kind of regulation, but "named in the text" means there's no wiggle room on whether to start.