The AI Act in the Insurance Sector

Regulation (EU) 2024/1689 (the AI Act) creates a uniform legal framework for the development, the placing on the market, the putting into service and the use of artificial intelligence systems (AI systems) in the European Union. This legal act promotes the uptake of human centric and trustworthy artificial intelligence (AI) while ensuring a high level of protection of health, safety, and fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union (the ‘Charter’). At the same time, it is intended to boost innovation and employment and to make the European Union a leader in the uptake of trustworthy AI.

Definition of Artificial Intelligence

An ‘AI system’ means a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (Article 3 no. 1 AI Act).

Risk-based requirements

Systems available in the EU are classified into four risk categories to ensure adequate regulation and monitoring:

• Unacceptable risk: the purpose of such systems is not compatible with fundamental rights in the European Union (e.g. predictive policing or social scoring) (Article 5 AI Act).
• High-risk AI systems: using such systems harbours a high probability of damage being caused and a high extent of damage in relation to individual and public interests in the areas of healthcare, security and fundamental rights. There shall therefore only be allowed to be placed on the market or put into service provided that certain requirements are observed. Such kinds of AI systems are listed inter alia in Annexes I and III of the AI Act (Article 6 AI Act).
• Limited risk: this category covers AI systems for which user risk is able to be minimised by meads of disclosure obligations. This primarily focuses on chat bots and systems that are capable of generating or manipulating (“deepfakes”) image, audio, text or video content (Article 50 AI Act).
• Minimal risk: This category covers all other AI systems. They are only subject to the general requirements (recital 165 in conjunction with Article 95 AI Act).

Scope

The AI Act’s scope covers

• providers of AI systems (i.e. natural or legal persons, a public authority, agency or other body that develops an AI system or has an AI system developed and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge) irrespective of whether they are established in the European Union or in a third country, as well as
• deployers of AI systems (i.e. a natural or legal person, public authority, agency or other body, using an AI system under its authority except where the AI system is used in the course of a personal non-professional activity), established in the European Union (Article 2 AI Act).

National Authorities

Each Member State shall establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities to supervise the application and implementation of the AI Act (Article 70 AI Act).

• The notifying authority is responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring.
• Where AI systems pose risks or fail to meet the requirements set out in the AI Act, market surveillance authorities are authorised to intervene, to conduct remote surveillance and to access the provider’s documentation, data sets and source code. The national competent authority stated in the financial services law shall as act the market surveillance authority for high-risk AI systems placed on the market, put into service, or used by financial institutions (Article 74 (6) AI Act).