AI that prices life and health insurance sits inside the EU AI Act's high-risk list. Annex III point 5(c) classifies as high-risk "AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance", and that classification pulls in Article 27 — the deployer's duty to run a Fundamental Rights Impact Assessment (FRIA) before the system goes live. This article is the worked insurance build on the generic FRIA template: a complete, all-six-sections assessment for an insurer deploying an AI underwriting and pricing engine, with a precise in-scope and out-of-scope table for insurance lines and the depth on special-category health and genetic data that life and health underwriting demands. You can produce a structured first draft with the free FRIA generator. One timing note up front: 2 August 2026 is the legally binding application date for stand-alone Annex III high-risk systems and their FRIA; the Digital Omnibus (provisionally agreed ~7 May 2026) would defer that to 2 December 2027, but it is not yet law as of June 2026, so keep preparing on the 2 August 2026 basis.
Is your insurance AI in scope? Annex III point 5(c)
Annex III point 5(c) of the EU AI Act classifies as high-risk "AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance". The trigger is narrow and specific. It names life and health insurance, and it names two functions: risk assessment and pricing. An AI underwriting engine that sets a risk class, applies a premium loading, or returns an accept, decline, or refer decision for an individual life or health policy falls squarely inside the category. The classification is binding law, verified against the EU AI Office's AI Act Service Desk entry for Annex III.
The Commission's draft guidelines on the classification of high-risk AI systems, published 19 May 2026, indicate that either risk assessment or pricing can bring a system into scope; both functions need not be present. The same draft guidelines indicate that point 5(c) reaches private long-term care insurance, personal pension products in so far as they significantly affect a person's livelihood in old age, credit life insurance (mortgage protection), and public health insurance where AI performs the individual risk assessment. These guidelines are draft, under stakeholder consultation, and not binding; the scope edges they describe may change before they are finalised. Treat them as a planning signal, and re-check the scope table below against the final text once the Commission adopts the guidelines.
The boundary tracks health cover rather than the life or non-life label. The draft guidelines place motor, home and property, and liability pricing AI outside point 5(c), along with insurance-based investment products, claims management and portfolio-level product design. Where a line provides health cover, the position changes: the guidelines treat accident, sickness and private health insurance as health insurance, so AI risk assessment or pricing for those lines can fall inside 5(c) even though they are written as non-life business. Do not assume a non-life label keeps an accident or sickness book out of scope. That boundary does not switch off every other duty either: GDPR, the Article 50 transparency obligations, and insurance conduct-of-business rules can still apply to lines that are out of 5(c). The 5(c) FRIA duty applies regardless of whether the insurer is a public or private body. The public and private gating in Article 27 governs the general Annex III categories; for credit scoring (point 5(b)) and life and health insurance (point 5(c)) the FRIA is owed by every deployer. For a fuller treatment of how a system lands in Annex III, see the high-risk classification guide.
| Insurance line & AI use | Annex III 5(c) high-risk? | FRIA required? |
|---|---|---|
| Individual life insurance — risk assessment or pricing of natural persons | Yes (binding) | Yes — deployer duty, regardless of public/private status |
| Private health insurance — risk assessment or pricing | Yes (binding) | Yes |
| Private long-term care insurance — risk assessment or pricing | Yes, per the Commission's draft guidelines (not yet final) | Yes, if confirmed |
| Credit life insurance (mortgage protection) — risk assessment or pricing | Yes, per the Commission's draft guidelines | Yes, if confirmed |
| Personal pension products affecting old-age livelihood — risk assessment | Likely, per the Commission's draft guidelines | Yes, if confirmed |
| Accident / sickness cover written as non-life — risk assessment or pricing | Yes, treated as health insurance per the draft guidelines | Yes, if confirmed |
| Motor, home/property, liability — pricing | No — outside the Annex III 5(c) first wave | Not on this basis |
| Standalone claims handling / fraud detection (separable system) | Outside 5(c) (purpose is fraud detection) | Not on this basis (GDPR, EIOPA/IDD rules may apply) |
| Fraud feature bundled into a life/health risk-assessment or pricing system | Yes — point 5(c) has no fraud exception | Yes |
Fraud detection: point 5(c) has no fraud carve-out
The express fraud-detection carve-out in the high-risk list lives in point 5(b) — creditworthiness and credit scoring, "with the exception of AI systems used for the purpose of detecting financial fraud". The worked credit version of this assessment is in the credit-scoring FRIA example. Point 5(c) contains no parallel fraud exception. The Commission's draft guidelines are explicit on the asymmetry: in contrast to point 5(b), point 5(c) provides no exception for fraud detection, so an AI system intended for risk assessment or pricing in life and health insurance stays high-risk even when it also carries a fraud-detection feature.
The boundary is therefore narrow. A standalone, separable fraud-detection system — one that does not itself perform risk assessment or pricing — sits outside 5(c) on scope grounds, because detecting fraud is neither risk assessment nor pricing. A fraud feature bundled into the underwriting or pricing engine does not remove the 5(c) classification. Record which case you are in, with the system boundary drawn explicitly, so an examiner can follow the reasoning.
Who owes the FRIA, and the six Article 27(1) components
In this worked example a European life and health insurer ("the insurer") puts into production an AI underwriting and pricing engine for individual term life and private health policies. The model is built by a third-party vendor (the provider) and tuned in-house. At each new application and at renewal repricing it ingests application data (age, BMI, smoker status, declared medical history), structured medical-questionnaire and lifestyle-questionnaire data, and selected external or behavioural signals, and it outputs a risk class, a premium loading, and an accept, decline, or refer-to-underwriter decision for a natural person. Because it performs risk assessment and pricing for natural persons in life and health insurance, it is high-risk under Annex III 5(c), and the insurer owes a FRIA under Article 27 before deployment.
The insurer is the deployer and carries the FRIA duty. The third-party model vendor is normally the provider, but that split is not automatic. Under Article 25 the insurer can itself become a provider — and take on the provider obligations — if it makes a substantial modification to the system, puts it on the market or into service under its own name or trademark, or changes the system's intended purpose; in-house tuning can cross that line, so confirm the role before relying on it. For the FRIA, the deployer should obtain enough from the provider to assess fundamental-rights risk: the Article 13 instructions for use and information — intended purpose, known limitations, accuracy and the built-in human-oversight measures — backed by contractual evidence on training data and residual bias. The provider draws up the Annex IV technical documentation for its own conformity assessment and the authorities; neither that documentation nor the provider's conformity assessment discharges the deployer's FRIA. Accountability for the FRIA is non-transferable; outsourcing the model does not outsource the duty.
Article 27(1) lists six mandatory components; the table maps each to what this insurer documents. Notifying the market surveillance authority of the FRIA results is a separate Article 27(3) step that follows the assessment, covered in the final section.
| Component | What the insurer documents | Basis |
|---|---|---|
| 1. System description & intended purpose | The underwriting and pricing engine, its intended purpose per the provider, vendor details, operational context (broker point-of-sale and direct online), and the Annex III 5(c) classification | Art 27(1)(a) |
| 2. Duration & frequency of use | Production start date, indefinite duration, volume in applications per day, event-triggered at each application and renewal, and geographic/market scope | Art 27(1)(b) |
| 3. Categories of affected persons | Applicants and renewing policyholders, with vulnerable groups called out (disability, chronic or genetic conditions, older applicants) | Art 27(1)(c) |
| 4. Specific risks to fundamental rights | The risk register below, scored by likelihood and severity, with mitigation and residual risk | Art 27(1)(d) |
| 5. Human oversight measures | Underwriter review of declines and material loadings, medical-officer sign-off, and oversight roles, qualifications and training | Art 27(1)(e) |
| 6. Measures if risks materialise | Manual underwriting pathway, adverse-action explanations, and the complaint and redress channel triggered if a risk materialises | Art 27(1)(f) |
Affected groups and the rights at stake in life and health underwriting
Section 3 of the FRIA identifies who the system affects. The directly affected groups are applicants for life and private health cover and existing policyholders at renewal. Vulnerable groups that need special attention in underwriting include people with disabilities; people with chronic or genetic conditions (diabetes, a cancer history, HIV, hereditary conditions); older applicants; applicants with a mental-health history; and pregnant applicants. Indirectly affected are dependents and named beneficiaries who rely on the cover.
The rights at stake map onto the EU Charter of Fundamental Rights. The sharpest hook for underwriting is **Article 21** non-discrimination, which expressly names genetic features, disability and age among its prohibited grounds — exactly the attributes underwriting touches. Article 26 recognises the right of persons with disabilities to benefit from measures securing their independence and participation. Article 7 protects private and family life, and Article 8 protects personal data.
Health and genetic data are special categories under GDPR Article 9. Processing is prohibited unless an Article 9(2) condition applies, for example explicit consent (9(2)(a)) or substantial public interest (9(2)(g)) on a Union or Member-State legal basis. Article 9(4) lets Member States maintain or introduce further conditions on genetic, biometric and health data, which is directly relevant to insurance underwriting: national law may restrict or prohibit the use of genetic test results in pricing. The FRIA records the lawful basis for every special-category field the model touches and honours any national restriction.
Worked example: a completed insurance FRIA risk register
Section 4 is where the FRIA becomes concrete. Score each risk on the same likelihood × severity matrix set out in the generic FRIA template, and calibrate severity to the insurance harm: an erroneous decline or a discriminatory loading can foreclose access to life or health cover, so most rights-level harms here rate Major on severity even when likelihood is only Possible. The register below shows how the insurer documents the risks of its life and health underwriting engine: each fundamental right at stake, the harm scenario, a likelihood and severity rating, the mitigation, and the residual risk that remains afterward. This is a practical level of specificity to target, and the part this article adds on top of the generic template.
| Fundamental right | Harm scenario | Likelihood | Severity | Risk | Mitigation | Residual |
|---|---|---|---|---|---|---|
| Non-discrimination (Art 21) — covers genetic features, disability and age | Pricing uses health-correlated proxies (occupation, postcode, claims or prescription history, wearable or lifestyle data) or special-category data that systematically push higher premiums or declines onto people with disabilities, chronic or genetic conditions, and older applicants. | Possible | Major | High | Quarterly disparate-impact testing across disability, health-status, age and sex strata; every rating factor justified on an objective actuarial basis; bar use of genetic data and bar non-actuarial proxy inference; actuarial-fairness sign-off by a qualified actuary; remove or transform proxies that lack a demonstrable risk basis. | Medium |
| Rights of persons with disabilities (Art 26) | Applicants with a declared disability or chronic condition are auto-loaded or auto-declined by rule, with no individualised medical assessment, foreclosing access to life or health cover. | Possible | Major | High | Mandatory human-underwriter review of every decline or material loading involving a disability or chronic condition; individualised assessment via a manual underwriting pathway; reasonable-accommodation review; medical-officer sign-off on adverse outcomes. | Medium |
| Private life (Art 7) & personal data (Art 8) — GDPR Art 9 special-category data | The model processes or infers special-category health and genetic data beyond what is necessary, or infers health status from non-medical data, without a valid GDPR Art 9(2) condition. | Possible | Major | High | Data-minimisation and lawful-basis review; explicit consent (Art 9(2)(a)) or another valid Art 9 condition; prohibit inference of health or genetic status from proxy data; integrate with the GDPR DPIA (Art 27(4)); honour Member-State Art 9(4) restrictions on genetic and health data in insurance. | Low |
| Access to essential services | An erroneous risk score wrongly declines cover or prices it unaffordably, excluding the applicant from health protection or from the life cover needed to secure a mortgage (credit life). | Unlikely | Major | Medium | Accuracy thresholds and back-testing aligned with Article 15; manual-assessment fallback; referral of borderline cases to a human underwriter; affordability check and an appeal route. | Low |
| Effective remedy / explanation (Art 47; GDPR Art 22) | An applicant receives an automated decline or loading with no intelligible reason and no route to contest, in breach of the GDPR Art 22 safeguards for solely-automated decisions. | Possible | Moderate | Medium | Per-decision adverse-action reasons in plain language; where the decision rests on contract necessity or explicit consent, GDPR Art 22(3) safeguards — human intervention, the right to express a view and to contest; a logged human-review workflow; an accessible complaint and redress channel. | Low |
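The first row of the register relies on quarterly disparate-impact testing across protected and health-status strata. The script below is an added example of what that test looks like when run over engine output; it is not code from the article or from any insurer. The record shape, the ten constructed decisions, the definition of a "favourable" outcome (an accept at or below a 50% loading), the four-fifths (0.8) flag threshold and the minimum stratum size are all assumptions chosen for illustration: the 0.8 rule is a common screening heuristic, not a figure the AI Act or GDPR sets. A flagged ratio is a signal that the stratum needs the objective actuarial justification the register calls for, not proof of unlawful discrimination on its own.

```python
"""Disparate-impact (selection-rate) check over underwriting engine output.

Added example for the FRIA risk register; not part of the original article.
Record layout, thresholds and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Decision:
    """One engine output for one applicant (assumed record shape)."""
    applicant_id: str
    outcome: str        # "accept", "decline" or "refer"
    loading_pct: float  # premium loading applied; 0 means standard rate
    attrs: dict         # stratification attributes, e.g. {"disability": "yes"}


def favourable(d: Decision, loading_cap: float = 50.0) -> bool:
    """Treat an accept at or below the loading cap as favourable; declines,
    referrals and heavy loadings are all adverse for this test."""
    return d.outcome == "accept" and d.loading_pct <= loading_cap


def disparate_impact(decisions, attribute, threshold=0.8, min_n=2, loading_cap=50.0):
    """Four-fifths style test for one attribute.

    Returns each stratum's favourable rate and count, the adverse-impact
    ratio (lowest rate / highest rate among strata with at least min_n
    records, so tiny strata do not drive the result) and a flag when the
    ratio is below the threshold.
    """
    totals = defaultdict(int)
    fav = defaultdict(int)
    for d in decisions:
        if attribute not in d.attrs:
            continue  # record lacks this attribute; skip rather than guess
        stratum = d.attrs[attribute]
        totals[stratum] += 1
        if favourable(d, loading_cap):
            fav[stratum] += 1
    rates = {s: fav[s] / totals[s] for s in totals}
    eligible = {s: r for s, r in rates.items() if totals[s] >= min_n}
    if len(eligible) < 2:
        return {"rates": rates, "counts": dict(totals), "ratio": None, "flag": False}
    best = max(eligible, key=eligible.get)
    worst = min(eligible, key=eligible.get)
    # If even the best stratum has a zero rate there is no disparity to
    # measure here (though an all-decline engine is its own problem).
    ratio = eligible[worst] / eligible[best] if eligible[best] > 0 else 1.0
    return {
        "rates": rates, "counts": dict(totals),
        "reference": best, "worst": worst,
        "ratio": ratio, "flag": ratio < threshold,
    }


def run_checks(decisions, attributes, **kwargs):
    """Run the test for every stratification attribute in the register."""
    return {a: disparate_impact(decisions, a, **kwargs) for a in attributes}


def flagged(results):
    """Attributes whose adverse-impact ratio fell below the threshold."""
    return sorted(a for a, r in results.items() if r["flag"])


# Constructed sample: ten engine decisions, not real applicant data.
SAMPLE = [
    Decision("A01", "accept",  0, {"disability": "yes", "sex": "F", "age_band": "30-39"}),
    Decision("A02", "decline", 0, {"disability": "yes", "sex": "M", "age_band": "40-49"}),
    Decision("A03", "decline", 0, {"disability": "yes", "sex": "F", "age_band": "60+"}),
    Decision("A04", "accept", 60, {"disability": "yes", "sex": "M", "age_band": "50-59"}),
    Decision("A05", "accept",  0, {"disability": "no",  "sex": "F", "age_band": "30-39"}),
    Decision("A06", "accept",  0, {"disability": "no",  "sex": "M", "age_band": "30-39"}),
    Decision("A07", "accept", 10, {"disability": "no",  "sex": "F", "age_band": "40-49"}),
    Decision("A08", "accept", 25, {"disability": "no",  "sex": "M", "age_band": "50-59"}),
    Decision("A09", "refer",   0, {"disability": "no",  "sex": "F", "age_band": "60+"}),
    Decision("A10", "accept",  0, {"disability": "no",  "sex": "M", "age_band": "60+"}),
]

if __name__ == "__main__":
    results = run_checks(SAMPLE, ["disability", "sex", "age_band"])
    for attribute, r in results.items():
        print(attribute, "ratio=", r["ratio"], "flag=", r["flag"], "rates=", r["rates"])
    print("flagged:", flagged(results))
```

On the constructed sample the disability and age-band strata are flagged (favourable rate 0.25 for applicants with a declared disability against 0.83 without) while sex is not. In production the same routine would run over the quarter's logged decisions, and every flagged attribute would go to the actuarial-fairness sign-off with the list of rating factors that drove the gap.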
FRIA, DPIA and GDPR Article 9 / Article 22 integration
A life and health underwriting model almost always processes personal data, so the insurer holds a GDPR DPIA as well as the FRIA. Article 27(4) lets the deployer build on an existing DPIA where it already covers the FRIA obligations; the FRIA complements the DPIA. The FRIA reaches every Charter right, so it almost always needs analysis beyond the DPIA. For the DPIA itself, see DPIA for AI systems; to draft both together, the DPIA + FRIA generator produces an integrated draft.
Automated underwriting decisions also engage GDPR Article 22, which governs decisions based solely on automated processing that produce legal or similarly significant effects. A decline or a material premium loading qualifies. Such a decision is permitted only on an Article 22(2) basis, in insurance typically contract necessity (22(2)(a)) or the applicant's explicit consent (22(2)(c)). Where the decision rests on either route, the Article 22(3) safeguards (the right to obtain human intervention, to express a view, and to contest the decision) apply and have to be wired into the deployment, with a logged human-review workflow. Article 22(4) adds a constraint that bites hardest in this sector: an Article 22(2) decision may not be based on special-category data unless Article 9(2)(a) or (g) applies and suitable safeguards are in place, so contract necessity alone does not license a solely automated decision on health or genetic data. The applicant's right to an explanation draws on the GDPR transparency duties and, for high-risk systems, on AI Act Article 86 (the right to an explanation of individual decision-making); give plain-language adverse-action reasons per decision.
How the FRIA sits with insurance-sector rules
Insurers operate under sector supervision alongside the AI Act. EIOPA published its Opinion on Artificial Intelligence governance and risk management on 6 August 2025, addressed to national supervisors. It applies a risk-based, proportionate approach across data governance, record-keeping, fairness, cyber security, explainability and human oversight, and it interprets existing sectoral law — the Insurance Distribution Directive (IDD) and Solvency II — for AI use. It does not set new requirements and does not change the scope of the AI Act or of sectoral law.
AI systems that are high-risk or prohibited under the AI Act are excluded from the Opinion's scope. A life or health pricing model is high-risk under Annex III 5(c), so the AI Act governs it, including the Article 27 FRIA. EIOPA's principles principally bear on the insurer's non-high-risk AI — non-life pricing, claims handling, distribution, and standalone fraud detection. The EIOPA Opinion does not replace the FRIA.
Notification, the awaited template, and the timeline
Once the FRIA is performed, Article 27(3) requires the deployer to notify the market surveillance authority of its results. Article 27(5) tasks the AI Office with an official template and questionnaire to support the notification; as of June 2026 that template has not yet been published, and its absence does not excuse the duty. Until it exists, notify against your own documentation of the Article 27(1) components. The Article 27 mechanics are summarised on the AI Act Service Desk.
The application dates sit inside the wider EU AI Act phasing. 2 August 2026 is the legally binding date for stand-alone Annex III high-risk systems and their Article 27 FRIA. The Digital Omnibus, provisionally agreed around 7 May 2026, would defer that to 2 December 2027 once published in the Official Journal. It is not yet law as of June 2026. Keep preparing on the 2 August 2026 basis. The EU AI Act requirements guide tracks the full phasing.
| Obligation | Binding date | After Digital Omnibus (provisional agreement, not yet law as of June 2026) |
|---|---|---|
| Prohibited practices (Art 5) + AI literacy | 2 Feb 2025 | Unchanged |
| GPAI model obligations, governance, most penalties (GPAI-provider fines under Art 101 from 2 Aug 2026) | 2 Aug 2025 | Unchanged |
| Transparency (Art 50) | 2 Aug 2026 | Unchanged (provisional Art 50(2) marking grace to 2 Dec 2026) |
| Life/health pricing FRIA + high-risk, stand-alone (Annex III) | 2 Aug 2026 | 2 Dec 2027 |
| High-risk embedded in products (Annex I) | 2 Aug 2027 | 2 Aug 2028 |
Frequently Asked Questions
Is insurance AI high-risk under the EU AI Act?
AI used for risk assessment or pricing in life and health insurance is high-risk under Annex III point 5(c); the Commission's draft guidelines treat either function as enough. The boundary tracks health cover: accident, sickness and private health lines can fall inside as health insurance. Motor, property, household and liability pricing sit outside this point in the first wave, though other obligations such as GDPR, the Article 50 transparency rules, and EIOPA/IDD conduct rules can still apply.
Do I need a FRIA for an insurance pricing model?
Yes, if the model does risk assessment and/or pricing for natural persons in life or health insurance. The FRIA is a deployer duty under Article 27, owed regardless of whether the insurer is a public or private body. The Commission's draft guidelines suggest either risk assessment or pricing is enough to be in scope.
Is non-life / property & casualty insurance covered?
Motor, property/household and liability pricing AI is outside Annex III 5(c) in the first wave. Health cover is the exception: the Commission's draft guidelines treat accident, sickness and private health lines as health insurance, so AI risk assessment or pricing for those can fall inside 5(c). Lines that stay outside still carry GDPR and conduct-of-business obligations.
Can we use health or genetic data in an underwriting model?
Health and genetic data are special categories under GDPR Article 9; processing is prohibited unless an Article 9(2) condition applies, for example explicit consent. Member States may impose further restrictions on genetic and health data under Article 9(4), and Charter Article 21 expressly bars discrimination on genetic features, disability and age, so direct or proxy use needs strong justification and disparate-impact testing.
How does the FRIA relate to our DPIA?
Article 27(4) lets you reuse a GDPR DPIA where it already covers FRIA obligations; the FRIA complements it. The FRIA covers all Charter rights, so it almost always needs analysis beyond the DPIA.
Does EIOPA's AI Opinion replace the FRIA?
No. EIOPA's Opinion of 6 August 2025 interprets existing sectoral law (the IDD and Solvency II) for AI and excludes AI-Act high-risk systems from its scope. A life or health pricing model is high-risk under the AI Act, so the AI Act — including the Article 27 FRIA — governs it; EIOPA's principles mainly bear on the insurer's non-high-risk AI.
When is the FRIA deadline for insurers?
2 August 2026 is the legally binding date. The Digital Omnibus, provisionally agreed around 7 May 2026, would defer it to 2 December 2027 once published in the Official Journal, but that is not yet law as of June 2026, so keep preparing on the 2 August 2026 basis.
Key Takeaways
AI that prices life and health cover is high-risk under Annex III 5(c), and the FRIA is the insurer's duty under Article 27. The work is the same whichever date governs: classify each insurance line against 5(c), document the six Article 27(1) components, run the right-by-right risk register with real depth on health and genetic data, wire human underwriter oversight into every adverse decision, and prepare the Article 27(3) notification of results. Start now — inventory your AI underwriting and pricing systems, draft the assessment with the free FRIA generator, and map the controls and evidence you will need to show a supervisor. This article is for general information only and is not legal advice; confirm your obligations under Article 27 with qualified counsel, and re-check the regulatory status — including the draft Commission guidelines and the Digital Omnibus — before relying on any date.
