Insurance · Annex III §5(c)

AI Act readiness for insurance firms.

If your firm uses AI in pricing, underwriting, or claims, you're operating under Annex III §5(c) of the EU AI Act and the 2025 EIOPA Opinion on AI Governance. cosantio gives MGAs, brokers, and carriers the workflow, artefacts, and named officer to be audit-defensible in time. Examples here are drawn from the Irish market we know best, but the obligations apply to insurers across the EU, with some country-specific variation.

What governs AI in insurance

Four pieces of regulation. One workflow.

Insurance AI in Ireland and the EU is regulated by more than the AI Act. The four frameworks below overlap. cosantio's Insurance Scorecard maps your firm against all four at once.

01 · From 2027

EU AI Act, Annex III §5(c)

Source: Regulation (EU) 2024/1689

Classifies AI used for risk assessment and pricing of life and health insurance as high-risk. Triggers obligations on technical documentation, human oversight, accuracy, FRIA, EU registration, and post-market monitoring.

High-risk regime applies: 02 Dec 2027

02 · In effect

EIOPA Opinion on AI Governance

Source: EIOPA-BoS-25/360 · August 2025

Sector-specific supervisory expectations on AI governance and risk management, including data governance, record-keeping, fairness, explainability, human oversight, and cyber security, applied on a risk-based, proportionate basis. National competent authorities, including the Central Bank of Ireland, supervise on these terms.

Supervised by: CBI · NCA

03 · In force

Product Oversight & Governance

Source: IDD POG · 2017/2358

If AI is part of product design, pricing, or target market identification, the product must be tested against customer outcomes and value-for-money. Periodic review, distribution monitoring, and intervention triggers are mandatory.

Applies to: Manufacturers · MGAs

04 · In force

CBI Insurance Supervisory Framework

Source: Central Bank of Ireland

Sector-specific Irish supervision. Operational resilience under DORA, fitness and probity for AI decision owners, and conduct expectations under the Consumer Protection Code. AI Act compliance does not replace it; it sits alongside.

Themes: DORA · CPC · F&P

Who's in scope

MGAs, brokers, and carriers. Different obligations.

The AI Act treats your firm differently based on whether you develop the AI or use it. That distinction (provider vs deployer) shapes which Article 16 or Article 26 obligations apply.

Typically Provider

MGAs.

Managing General Agents who build or significantly modify pricing models, underwriting algorithms, or claims-triage AI. Acting as provider under Article 25 means full Article 16 obligations.

Key obligation
Full Annex IV technical dossier, EU registration, post-market monitoring, conformity assessment.
Typically Deployer

Brokers.

Insurance intermediaries using third-party pricing engines, quote tools, or claims AI. Acting as deployer under Article 26 means a lighter but still substantive set of obligations.

Key obligation
Human oversight, transparency to customers, use according to instructions, and FRIA where the deployer falls within Article 27 scope.
Both roles

Carriers.

Insurers operating in EU markets, often both providers (in-house pricing and underwriting AI) and deployers (third-party fraud and claims systems). Both obligation sets apply, per AI system.

Key obligation
Per-system classification. One register, multiple roles, separate Annex IV dossiers for each provider-role system.

Article 25 caveat. Modifying a third-party AI system substantially (including changes to its intended purpose) reclassifies the deployer as a provider. A broker that fine-tunes a third-party pricing engine on its own book of business is almost certainly a provider, not a deployer. The Scorecard surfaces this where it applies to your firm.

In-scope AI systems

The systems insurance firms actually run.

Real systems we see across Irish and EU insurance firms. Classifications and obligations below are illustrative; your firm's classification depends on the specific use, not the product name.

Pricing engines · e.g. life, health, motor pricing
Algorithmic or ML-based determination of premium for new business and renewals. The headline §5(c) use case.
High-risk
Underwriting risk assessment · e.g. medical underwriting, property risk
Decisions on whether to accept, decline, or load risk based on automated risk scoring. Includes life expectancy and health scoring.
High-risk
Claims triage & fraud detection · e.g. first-notice-of-loss AI
Automated triage of claims into fast-track, standard, or fraud investigation. Affects customer outcomes materially.
High-risk
Distribution & customer chat · e.g. quote chatbots, channel routing
Customer-facing AI for quote generation, FAQ, and channel routing. Not pricing decisions but customer interaction.
Limited-risk
Internal analytics & reporting · e.g. portfolio dashboards, MI
AI used for internal management information, portfolio analysis, or executive reporting. No direct customer effect.
Limited-risk
Sample insurance dossier

What an audit-defensible insurance file looks like.

Excerpt from a sample Annex IV technical dossier for a life-insurance pricing engine. Every finding cites firm-specific evidence; every gap names an owner and a date.

Technical Report · Annex IV (EU) 2024/1689

EU AI Act Conformity · Insurance Pricing

Provider: Sample Broker Ltd
Sector: Insurance · MGA
CSC-2026-0419 · Issued 13 May 2026
System: PricePilot (v3.2)
Intended purpose: Life insurance pricing engine for Irish broker market
Hardware: AWS EC2 · EU-west-1
Oversight: Underwriter in the loop · mandatory secondary review for declines
01 · Risk Management · Art. 9 · 3 questions
Is there a documented risk management system covering the full lifecycle?
Compliant
Cited evidence
Risk Management Framework v2.4 (Q1 2026) covers design, deployment, and post-market phases. Reviewed quarterly by the Risk Committee, chaired by the COO.
Is there a process for post-market risk monitoring?
Action required
Remediation plan
By end of Q3 2026, stand up a monthly data drift monitor with alerting to the Compliance Officer. Owner: A. Murphy (Head of Risk). Aligned with EIOPA Opinion 5.2 on continuous monitoring.
05 · Human Oversight · Art. 14 · 3 questions
Can a qualified underwriter override the AI's pricing or decline decision?
Compliant
Cited evidence
All declines and loaded-risk decisions above threshold X are routed to underwriter review. Override rate logged and reviewed monthly. Underwriter holds CII qualification.
Are operators trained on automation bias and explainability?
Compliant
Cited evidence
Quarterly training programme covers automation bias, explanation of model outputs, and how to use SHAP attribution. Attendance log maintained in the AI Literacy Register.
+ 9 more pillars in the full platform dossier · 25 questions across Annex IV
What you'll get

Start with the Scorecard. Go deeper in a demo.

The Scorecard is the same eight questions for every sector, but the result is sector-specific. Insurance firms get EIOPA Opinion alignment, POG mapping, and a §5(c) FRIA readiness check layered on top of the core readiness assessment.

Recommended start

Fast Scorecard.

Free · 3 minutes · no login

Eight plain-English questions. A regulator-grade PDF that scores your firm against every AI Act obligation already in force, with insurance-specific framing throughout.

  • Classification under §5(c), with FRIA trigger flag
  • Status on Article 4, 5, 50, and 11 obligations
  • EIOPA Opinion alignment summary
  • Prioritised action plan with weeks-to-readiness estimate
~3 min · PDF in 5 · Start the Scorecard
Deep dossier

Deep Dossier.

Demo · 20 minutes · with our team

The full Annex IV workflow inside the platform: 25 questions across 11 pillars per AI system, producing a regulator-grade technical dossier for the Central Bank, EIOPA-aligned auditors, or your carrier. Book a demo to walk through a sample and the insurance-specific features.

  • Annex IV-shaped technical dossier per system
  • Cited evidence and remediation plans per finding
  • Sample pricing-engine pillar map (PricePilot reference)
  • Signed cover sheet for board and regulator use
~20 min · live walkthrough · Book a demo
Common questions

Things insurance firms ask us first.

Insurance · §5(c)

Find out where your insurance firm stands.

Eight questions. Three minutes. A regulator-grade PDF with §5(c) classification, EIOPA Opinion alignment, and a prioritised action plan for your firm.