
EU AI Act from 02 Aug 2026 — what insurers as deployers must do

On 2 August 2026 the obligations for high-risk AI systems under Regulation (EU) 2024/1689 become fully applicable — and insurers are deployers within the meaning of the AI Act in nearly every customer-facing AI application. Which use cases fall under Annex III, what Art. 26 concretely requires, when a Fundamental Rights Impact Assessment under Art. 27 becomes due, and how consistency with GDPR Art. 22, DORA and Solvency II is established.


01 The 2 August 2026 cut-off — what actually becomes binding

Regulation (EU) 2024/1689 — the AI Act — has been in force since 1 August 2024, but with staggered application dates [1]. The prohibitions on unacceptable AI practices under Art. 5 have applied since 2 February 2025; the obligations for general-purpose AI models (GPAI) under Art. 51 et seq. have applied since 2 August 2025. The substantive cut-off for insurers is 2 August 2026: that is the day the obligations for high-risk AI systems under Art. 6–17 and the deployer obligations under Art. 26 and 27 become fully applicable [1].

For insurers, this step matters far more than the GPAI date. Core insurance-specific AI — risk assessment and pricing in life and health insurance — is high-risk under Annex III point 5(c). An institution running such a system in production on 2 August 2026 must have the high-risk obligations documented and met [1]. Note the moving deadline: the Digital Omnibus on AI (COM(2025) 836) would push this Annex III date to 2 December 2027 — as of mid-2026 there is political agreement but no regulation published in the Official Journal; until formal adoption, 2 August 2026 governs [7].

02 Which insurance use cases fall under Annex III

Annex III of the AI Act lists eight high-risk areas; for insurers, Annex III item 5(c) is the central entry: "AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance" [1].

Crucially: the Annex III list expressly covers life and health insurance, not property/casualty. That is a deliberate narrowing. But: if the same AI system is used in both life and non-life pricing, it counts as high-risk for its life application, and the full compliance stack must be built — a partial high-risk classification ("just the one use-case line") is not possible [2].

Other Annex III entries can also bite: AI evaluating the creditworthiness of natural persons (Annex III point 5(b)) touches occupational-pension providers and insurers with credit products, and AI in the employment and recruiting context (Annex III point 4) touches every insurer's HR function. Risk assessment and pricing in life and health insurance itself sits in point 5(c); other entries such as the emergency-call and triage systems in point 5(d) target public bodies and concern insurers only exceptionally. A full high-risk inventory across all relevant Annex III entries is step one of 2026 preparation.

03 Deployer or provider — and why most insurers are both

The AI Act distinguishes two roles with different obligations. The provider develops the AI system (or has it developed) and places it on the EU market under its own name; it carries the conformity-assessment obligation under Art. 16–24. The deployer uses an AI system under its own authority in the EU; it carries the obligations under Art. 26 and 27 [1].

In 2026 insurance practice, most institutions are deployers: the AI pricing system was developed by a third party (e.g. an InsurTech vendor or a subsidiary) and conformity-assessed. The insurer purchases it and uses it in operations.

But: a party that substantially modifies a high-risk system supplied by the provider — for example by re-training on its own data or by changing the intended purpose — itself becomes a provider under Article 25 and takes on the full provider obligation set [1]. What counts as a substantial modification (Article 3(23)) is not yet settled in detail; the Commission only published draft guidelines on high-risk classification in May 2026, with dedicated Article 25 guidance still to come [3]. Insurers with active model-tuning teams must therefore assess this role question individually and on the record.

04 Art. 26 — the deployer checklist in ten items

Art. 26 of the AI Act lists the deployer obligations explicitly. For 2026 inspection preparation the list breaks down into ten items [1].

1. Follow provider instructions. The AI system must be used in accordance with the provider's instructions and the documented intended purpose. Deviations must be documented and conformity-assessed.

2. Ensure human oversight (Art. 14). The deployer is responsible for ensuring that the natural persons overseeing the system are sufficiently qualified and have the actual capacity to intervene.

3. Take responsibility for input-data quality. To the extent the deployer controls the input data, it must ensure that data is appropriate for the intended purpose.

4. Monitor operation. The deployer monitors the system's performance against the intended purpose and reports substantial risks or serious incidents.

5. Logging. The deployer must keep the logs the system generates for at least six months (longer if required by other EU law).

6. Inform affected workers. Before deploying a high-risk system in the workplace, affected workers and their representatives must be informed — both directly and in accordance with national worker-representation rights.

7. Transparency to affected natural persons. Where the system makes decisions about natural persons, those persons must be informed that AI was used.

8. Consistency with GDPR Art. 22. Where the AI system produces a decision based solely on automated processing, the requirements of GDPR Art. 22 (right to human review, right to contest) apply in parallel with Art. 26 AI Act.

9. FRIA preparation (Art. 27). Insurers as deployers must perform a Fundamental Rights Impact Assessment before putting the system into service — see next section.

10. Notification to the national competent authority. In the event of serious incidents, the deployer is obliged to notify the national market-surveillance authority without undue delay.

05 The FRIA under Art. 27 — when, who, what

Art. 27 requires certain deployers to perform a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk system into service. Insurers are expressly within the scope (Art. 27(1)(b)) when deploying high-risk systems under Annex III item 5 [1]. The FRIA is a stand-alone obligation, in addition to the GDPR DPIA (data-protection impact assessment).

FRIA content (Art. 27(1)(a)–(g)): description of the deployment context; categories of natural persons affected; specific risks to their fundamental rights; description of risk-mitigation measures; human-oversight arrangements; frequency of use; complaint and contestation mechanisms [1].

Importantly, Article 27(3) requires notifying the national market-surveillance authority of the FRIA results — via a filled-out template that the EU AI Office is to develop under Article 27(5) [1]. As of mid-2026 that official template has not been published; deployers work with their own structures in the meantime but should expect to migrate their FRIA into the eventual format.

The FRIA is also not a one-off. Because it is tied to a specific deployment context (Article 27(1)), material changes to that context — a new applicant population, new tariffs, a changed data source — force a fresh review and, where appropriate, an update [1]. Separately, EIOPA published an Opinion on AI governance and risk management in insurance in August 2025; it deliberately leaves the high-risk systems of the AI Act out of scope but is the key supervisory reference for the non-high-risk AI an insurer runs [4].

06 Documentation and record-keeping

High-risk systems under the AI Act produce a documentation load along several axes. The deployer must retain the logs the system generates, to the extent it controls them — at least six months, unless other Union law requires otherwise (Article 26(6)) [1]. Add the FRIA and its updates, the human-oversight records, every notification to market surveillance and the provider instructions. For the FRIA itself Article 27 sets no separate retention period; keeping it for the whole operating life of the system is sound practice — the fixed 10-year period in Article 18 applies to the technical documentation of the provider, not to the deployer.

In practice that means documentation must be kept so it can be produced on a supervisory request quickly and consistently. Collections of scattered PDFs in shared folders do not structurally meet that expectation.

07 Incident reporting and the EU database

Article 73 requires reporting serious incidents (defined in Article 3(49)) to the national market-surveillance authority. The duty falls primarily on the provider and, where applicable, the deployer. The deadlines are tiered: in principle immediately and no later than 15 days after becoming aware (Article 73(2)); 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure (Article 73(3)); and 10 days in the event of the death of a person (Article 73(4)) [1].

In parallel, Article 49 provides for registering high-risk systems in the EU database (the database itself is governed by Article 71); certain entries become publicly accessible under Article 71(4). The database goes live with the application of the high-risk rules — another reason to prepare the inventory and the registration data early rather than wait for the cut-off [1].

08 Consistency with DORA, Solvency II and GDPR

A high-risk AI system changes an insurer's compliance topology across several frameworks simultaneously. DORA (Regulation (EU) 2022/2554): a deployer using an externally sourced AI system has an ICT third-party provider, which belongs in the DORA third-party register [5]. Solvency II: if the AI system produces underwriting or pricing decisions, it is part of the internal-control system within the meaning of Solvency II Art. 41 and must be referenced in the ORSA [6]. GDPR: Art. 22 (automated decisions) applies in parallel, and the GDPR DPIA sits alongside the AI Act FRIA as a separate assessment for the same system.

The most frequent 2026 inspection question: "Show me the link between your AI Act FRIA, your GDPR DPIA and your DORA third-party register for the same AI system." Insurers that can produce consistent documentation here have a substantive maturity lead over competitors operating with three separate Excel trackers.

09 What to monitor continuously until the cut-off

Four source streams produce continuous new material: (1) Commission and AI Office guidance concretising Annex III, Articles 26 and 27 — such as the May 2026 draft on high-risk classification [3]; (2) EIOPA, whose 2025 Opinion on AI governance frames the non-high-risk layer and whose supervisory practice keeps developing [4]; (3) national supervisory letters (BaFin, FMA, ACPR) refining jurisdiction-specific expectations; (4) implementing and delegated acts under the AI Act still emerging — such as on the EU database and the FRIA template.

10 How Horizon Scanner supports 2026 preparation

Horizon Scanner monitors the four source streams above in parallel and routes every AI Act finding to the responsible team the day it is published. Each finding is matched against the insurer's internal high-risk inventory: when new EU AI Office guidance touches an Annex III use case marked active in the inventory, the alert flows automatically into the FRIA review list.

Concretely for the ten Art. 26 obligations: logs are timestamped, FRIA updates are tested against the deployment-context changes under Art. 27(1), board briefings on the AI status are pre-assembled quarterly, and every cross-framework link (AI Act ↔ GDPR ↔ DORA ↔ Solvency II) is consolidated into a single audit view — the view the supervisor wants to see in a 2026 inspection.

Sources


[1] Regulation (EU) 2024/1689 (AI Act) — full text on EUR-Lex
[2] EU AI Office — High-risk classification guidance
[3] European Commission — draft guidelines on the classification of high-risk AI systems (May 2026)
[4] EIOPA — Opinion on Artificial Intelligence governance and risk management (EIOPA-BoS-25-360, 6 August 2025)
[5] Regulation (EU) 2022/2554 (DORA) — full text on EUR-Lex
[6] EIOPA — Solvency II internal control & ORSA guidance
[7] Digital Omnibus on AI — COM(2025) 836 — European Parliament, Legislative Train (status)
