What §5(c) covers, and what it does not
Annex III §5(c) covers AI used "for risk assessment and pricing in relation to natural persons in the case of life and health insurance." That phrase is narrow on its face but broad in operation:
- In scope: traditional life-underwriting AI; medical-underwriting AI; behavioural-pricing AI for life or health products; claims-triage AI on health claims that influences benefits; chronic-condition prediction models used to set premiums.
- Out of scope (under §5(c)): property and motor pricing; non-life claims processing not affecting individual premium; reinsurance pricing models that operate on portfolios rather than natural persons.
- Borderline: motor telematics combined with health-adjacent biometrics; cyber-insurance pricing for individuals; pet-insurance pricing where the policyholder data dominates.
Where §5(c) does not apply, Article 50 transparency obligations may still apply to customer-facing AI interactions, and the rest of the AI Act baseline (literacy, prohibited practices, GPAI) still applies.
Provider obligations
- Article 9 risk management with proxy-discrimination as a first-class risk: gender, age, disability, ethnic-origin proxies through postcode and family history.
- Article 10 data governance — actuarial data sets are deep but historically biased; document the bias-testing methodology and the corrections applied.
- Article 11 + Annex IV technical documentation including the model-validation framework.
- Article 13 instructions for use written for underwriters and product actuaries — including the residual risks the deployer must monitor.
- Article 14 design for oversight — every adverse decision must be reachable by a human reviewer.
- Internal-control conformity assessment under Annex VI is the default route.
Insurer (deployer) obligations
- Article 26(1) intended-purpose use: a model trained on group life cannot be repointed at individual life without re-validation.
- Article 26(2) human oversight — usually the underwriting team — with the authority to overturn the AI on individual cases.
- Article 27 fundamental rights impact assessment — compulsory in §5(c). The FRIA covers the categories of natural persons affected, foreseeable impact on fundamental rights (including non-discrimination), bias risk, oversight design, and mitigations.
- Article 26(11) serious-incident reporting under Article 73.
- GDPR Article 22 individual review and Article 9 special-category processing for health data.
- Solvency II Articles 41 (governance), 44 (risk management), 45 (ORSA), and 48 (actuarial function) — AI in solvency-relevant calculations is part of the regulated risk-management system.
Solvency II and EIOPA expectations
EIOPA's 2021 report on AI governance principles in insurance is the practical baseline: proportionality, fairness and non-discrimination, transparency and explainability, human oversight, data governance and record-keeping, and robustness and performance. EIOPA's 2024 supervisory statement on differential pricing practices specifically warns insurers about behavioural-pricing AI that disadvantages identifiable groups. Where AI Act Article 10 data-governance evidence and EIOPA differential-pricing supervisory expectations diverge in detail, the stricter one applies, typically EIOPA on the actuarial fairness side and the AI Act on the technical-documentation side.
Enforcement landscape
National insurance supervisors are the practical first responders: BaFin, ACPR, IVASS, DNB, the Spanish DGSFP. EIOPA coordinates. National DPAs (CNIL, AEPD, Garante) lead on the GDPR Article 22 / Article 9 side and have already produced relevant enforcement decisions on insurance-data practices.