AI Regulation in Insurance: What Changed in 2025

Astrid Holm

The EU AI Act entered into force on 1 August 2024. Its prohibitions on certain AI practices applied from 2 February 2025, and the obligations attached to the high-risk systems listed in Annex III, which in this sector means AI used for risk assessment and pricing of natural persons in life and health insurance, apply from 2 August 2026, twenty-four months after entry into force. The practical question we have been fielding from portfolio companies and prospective investments throughout 2025 is what those obligations actually mean for a startup running an ML underwriting model for a carrier client in Germany or the Netherlands. The answer is more nuanced than either the optimists or the pessimists in the debate have suggested.

I want to describe what has concretely changed for the companies we are tracking, and where the regulatory picture remains genuinely unsettled. This is not a legal opinion and it is not a compliance guide. It is an investor's field observation from conversations with founding teams, general counsels at carrier clients, and supervisory staff over the past several months.

The Conformity Assessment Requirement: Theory Versus Practice

The AI Act requires that high-risk AI systems, including systems used for risk assessment and pricing of natural persons in life and health insurance, undergo a conformity assessment before being placed on the market or put into service. For most insurance AI systems this is a self-assessment under the internal-control procedure in Annex VI: the provider, which in the vendor model is normally the InsurTech company that builds the model rather than the carrier that deploys it, evaluates and documents the system against the Act's requirements and draws up an EU declaration of conformity. Within Annex III, assessment by a notified body is mandatory only for biometric systems, and only where harmonised standards are not applied in full; the notified body infrastructure for AI in financial services is in any case still being established.

In practice, the conformity assessment framework has created significant documentation work for carriers and their technology vendors without yet producing a clear supervisory test. National competent authorities across EU member states are in different stages of readiness to audit AI Act conformity. BaFin in Germany has been more active than most in developing an operational assessment framework; the Danish FSA and the Dutch DNB are working through the interface between the AI Act requirements and EIOPA's existing supervisory work on Big Data Analytics, which dates from 2019. The interaction between these two regulatory layers, the AI Act's horizontal rules on the one hand and the sector-specific EIOPA guidance on the other, is not yet fully resolved, and this has been acknowledged on both sides.

The implication for InsurTech companies is that the documentation requirement is real and needs to be met, but the enforcement regime is still crystallising. Companies that have built their technical documentation, risk management system, and post-market monitoring processes to AI Act specification are in a better position than those that have not — not only because of compliance risk but because the documentation process itself surfaces model risks that matter independently of regulatory enforcement.

The Post-Market Monitoring Obligation: This Is the Hard Part

The AI Act's post-market monitoring obligation is the requirement that has generated the most operational discussion in the portfolio. Providers of high-risk AI systems must establish a post-market monitoring system that actively and systematically collects, documents and analyses data on the performance of the system after deployment (Article 72), and must report serious incidents to the market surveillance authority (Article 73). Deployers are not off the hook: they must monitor the system's operation in line with the provider's instructions, inform the provider and the authority when they identify a risk, and keep the logs the system generates (Article 26). In a vendor relationship both sets of duties land on the same underwriting pipeline.

For an underwriting model, post-market monitoring means tracking model performance: not just accuracy on a held-out test set, but predictive calibration on live underwriting decisions, drift in the input feature distribution, and, critically, fairness metrics across protected characteristics on the actual deployed population. This is substantively more demanding than the monitoring most InsurTech companies were conducting before the Act. It requires retaining structured records of model inputs and outputs at the individual decision level, together with the version of the model that produced each decision and enough metadata to reconstruct the model's behaviour at any given point in time if a supervisory authority requests it. The Act sets a floor here: a high-risk system must log events automatically (Article 12), and providers and deployers must keep those logs for at least six months, longer where other law requires it (Articles 19 and 26).
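What such a monitoring pipeline looks like in code, as an added example written for this article and not taken from the original page or from any portfolio company: a hash-chained decision log that carries the model version and full input snapshot for every decision, a population stability index for input drift, expected calibration error on the decisions whose outcomes are already known, and the ratio of acceptance rates across a protected attribute. It assumes a binary accept/decline decision derived from a claim-probability score and a single protected attribute stored alongside each record for monitoring only; the thresholds (PSI 0.25, ECE 0.05, four-fifths selection ratio) are common rules of thumb rather than limits set by the Act or EIOPA, and all data is constructed.

```python
"""Post-market monitoring sketch for a deployed underwriting model. Added example for this
article, not code from the page or any portfolio company; names, thresholds and data are constructed."""
import hashlib, json, math, random
from dataclasses import dataclass, asdict
from typing import Optional

@dataclass
class DecisionRecord:
    decision_id: str
    ts: str                        # ISO-8601 time of the decision
    model_version: str             # digest of the deployed model artefact (assumed naming)
    features: dict                 # input snapshot exactly as the model saw it
    score: float                   # predicted claim probability
    accepted: bool                 # underwriting decision derived from the score
    group: str                     # protected attribute, kept for monitoring only, never a model input
    outcome: Optional[int] = None  # 1 if a claim later materialised, 0 if not, None until known

def append_record(log: list, rec: DecisionRecord) -> str:
    """Append to a hash-chained log so completeness can be demonstrated on request."""
    prev = log[-1]["digest"] if log else "0" * 64
    body = json.dumps(asdict(rec), sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append({"record": asdict(rec), "prev": prev, "digest": digest})
    return digest

def verify_chain(log: list) -> bool:
    """Recompute every digest; an edited, reordered or dropped record breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["prev"] != prev or entry["digest"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = entry["digest"]
    return True

def psi(reference, current, bins=10, eps=1e-4) -> float:
    """Population stability index of live values against the training reference; bins are reference quantiles."""
    ref = sorted(reference)
    edges = [ref[len(ref) * i // bins] for i in range(1, bins)]
    def share(xs):
        counts = [0] * bins
        for x in xs:
            b = 0
            while b < len(edges) and x >= edges[b]:
                b += 1
            counts[b] += 1
        return [max(c / len(xs), eps) for c in counts]   # eps keeps log() finite for empty bins
    return sum((q - p) * math.log(q / p) for p, q in zip(share(reference), share(current)))

def expected_calibration_error(scores, outcomes, bins=10) -> float:
    """Gap between predicted probability and observed claim rate, weighted by bucket size."""
    buckets = [[] for _ in range(bins)]
    for s, y in zip(scores, outcomes):
        buckets[min(int(s * bins), bins - 1)].append((s, y))
    n = len(scores)
    return sum(len(b) / n * abs(sum(s for s, _ in b) / len(b) - sum(y for _, y in b) / len(b))
               for b in buckets if b)

def selection_rate_ratio(records) -> float:
    """Lowest acceptance rate across groups divided by the highest (1.0 means equal rates)."""
    by_group = {}
    for r in records:
        by_group.setdefault(r["group"], []).append(r["accepted"])
    rates = [sum(v) / len(v) for v in by_group.values()]
    return min(rates) / max(rates)

def monitor(log, reference_features, thresholds=None) -> dict:
    """Run the checks over a log. Thresholds are rules of thumb (PSI 0.25, ECE 0.05, four-fifths ratio), not legal limits."""
    t = thresholds or {"psi": 0.25, "ece": 0.05, "ratio": 0.8}
    recs = [e["record"] for e in log]
    labelled = [r for r in recs if r["outcome"] is not None]
    result = {
        "chain_ok": verify_chain(log),
        "psi": {f: psi(ref, [r["features"][f] for r in recs]) for f, ref in reference_features.items()},
        "ece": expected_calibration_error([r["score"] for r in labelled],
                                          [r["outcome"] for r in labelled]) if labelled else None,
        "selection_ratio": selection_rate_ratio(recs),
    }
    alerts = [f"drift:{f}" for f, v in result["psi"].items() if v > t["psi"]]
    alerts += ["calibration"] if result["ece"] is not None and result["ece"] > t["ece"] else []
    alerts += ["selection_rate"] if result["selection_ratio"] < t["ratio"] else []
    result["alerts"] = alerts
    return result

def build_demo_log(n=2000, shift=0.0, seed=1):
    """Constructed data: a reference sample for one feature and n decisions whose live 'age_z' is shifted by `shift` sd."""
    rng = random.Random(seed)
    reference = {"age_z": [rng.gauss(0, 1) for _ in range(n)]}
    log = []
    for i in range(n):
        age_z = rng.gauss(shift, 1)
        score = 1 / (1 + math.exp(-age_z))      # toy model: logistic in the single feature
        append_record(log, DecisionRecord(
            decision_id=f"d{i}", ts="2025-09-01T00:00:00Z", model_version="sha256:demo",
            features={"age_z": age_z}, score=score, accepted=score < 0.7,
            group="A" if i % 2 else "B", outcome=1 if rng.random() < score else 0))
    return log, reference
```

Running `monitor(*build_demo_log())` on the unshifted data raises no alerts, while `monitor(*build_demo_log(shift=1.5))` flags `drift:age_z`. The hash chain is there so that a supervisor's request for the decision history can be answered with evidence that nothing was dropped or rewritten; the protected attribute is held in the record purely so that selection rates can be computed per group, and the toy model never reads it.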

We are not saying this is unachievable for well-resourced companies. Several companies in the portfolio have built monitoring infrastructure that meets or approaches this standard. But the monitoring obligation has real operational cost, and it is not a one-time investment: it is ongoing infrastructure that needs to scale with the volume of decisions the model makes and to retain records for as long as the Act and any sector-specific rules require. Startups that priced their product without factoring in the ongoing cost of AI Act compliance infrastructure are finding that the margin profile of their business looks different from what it did in 2022, when most of these products were priced.

What EIOPA's Updated Big Data Analytics Guidelines Add

EIOPA published updated supervisory guidance on the use of Big Data Analytics and AI in insurance in mid-2025, incorporating the AI Act framework and providing sector-specific interpretation of how the Act's requirements apply to insurance underwriting, claims assessment, and pricing functions. The updated guidance is broadly consistent with EIOPA's earlier position but adds specificity in two areas that matter for InsurTech companies.

First, the updated guidance addresses the interaction between the insurance context and the AI Act's prohibited practices, specifically the Article 5 prohibition on AI systems that exploit the vulnerabilities of persons due to their age, disability or a specific social or economic situation in order to distort their behaviour in a way that causes significant harm. EIOPA's position is that AI systems used to identify and segment policyholders based on vulnerability indicators must be designed with specific safeguards, and that the use of behavioural signals to identify potentially vulnerable customers for differential pricing treatment is subject to the prohibited practice provisions even if the differential treatment is framed as a benefit rather than a harm. This is a more specific interpretation than most carriers and their vendors had been working from.

Second, the updated guidance explicitly addresses AI systems deployed by carriers through third-party technology vendors. The carrier remains responsible for AI Act conformity for systems deployed in its name, even when the system is operated by a technology company under a service agreement. The Act goes further in one case: under Article 25, a carrier that puts its own name or trademark on a high-risk system, or substantially modifies it, takes on the provider's obligations in full, and the original vendor is then obliged to hand over the documentation, information and technical access the carrier needs to meet them. This reinforces the pattern we have observed in commercial negotiations, where carriers are increasingly including AI Act compliance representations in vendor contracts and conducting their own audit of vendor conformity assessment documentation before deployment. For InsurTech companies selling into carrier distribution, the procurement process now routinely includes regulatory documentation review that did not exist two years ago.

The Market Response: Standardisation Is Underway

The most interesting development in the second half of 2025 has been the emergence of informal standardisation in AI Act compliance documentation for insurance applications. Several of the larger InsurTech companies that have gone through carrier procurement processes multiple times have developed technical documentation templates that anticipate the questions carriers ask, and these templates are beginning to circulate in the industry through law firms that advise both sides of the carrier-vendor relationship.

This informal standardisation is, on balance, good for the market. It reduces the transaction cost of carrier procurement, gives smaller companies a starting point for their own documentation, and creates a de facto standard that supervisory authorities can use as a reference when evaluating conformity. We are not saying the informal standard perfectly captures the regulatory requirement — it is built from commercial practice, not from regulatory analysis, and there are areas where the emerging commercial template understates the monitoring obligation. But it is a starting point, and the alternative — every company building documentation from scratch with no reference point — is worse.

For founders building in the current environment, the practical advice is to engage with the documentation requirement now rather than treating it as future work. The companies that are moving through carrier procurement fastest are those that can produce a complete technical documentation package at the first request, rather than discovering during due diligence that the documentation does not yet exist. In European insurance, speed through the carrier procurement process is a form of competitive advantage, and it is increasingly determined by regulatory documentation quality rather than by product features alone.