What is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework specifically regulating artificial intelligence. Adopted in March 2024, it uses a risk-based approach to classify AI systems into four tiers - unacceptable risk (banned), high risk (extensive obligations), limited risk (transparency requirements), and minimal risk (voluntary codes). Like GDPR, it has extraterritorial scope, applying to any organization worldwide whose AI systems are used within the EU.

What does my company need to do to comply with the EU AI Act?

To comply with the EU AI Act, organizations using AI must: implement automatic logging of all AI interactions with 6+ month retention (Articles 12, 19), establish human oversight including a kill switch to halt AI systems (Article 14), deploy data governance controls including masking and access restrictions for sensitive data (Article 10), set up continuous risk monitoring and incident reporting workflows (Articles 9, 73), ensure staff AI literacy (Article 4, already in force), and maintain comprehensive technical documentation (Article 11). Areebi provides all of these capabilities in a single platform.

Does the EU AI Act require a kill switch for AI systems?

Yes. Article 14(4)(e) of the EU AI Act explicitly requires that persons overseeing high-risk AI systems must be able to 'intervene in the operation of the high-risk AI system or interrupt the system through a stop button or a similar procedure that allows the system to come to a halt in a safe state.' This is a mandatory human oversight requirement for all high-risk AI systems. Areebi's admin kill switch provides exactly this capability - instant, company-wide AI shutdown with a full audit trail.

What logging is required under the EU AI Act?

Article 12 requires high-risk AI systems to have automatic logging capabilities that record events over the system's entire lifetime. Logs must enable traceability, risk identification, and post-market monitoring. Article 19 requires both providers and deployers to retain these automatically generated logs for a minimum of 6 months. Logs must be available to market surveillance authorities on request. Areebi's immutable audit logging captures every AI interaction with user identity, timestamps, prompts, responses, and policy decisions.

Does the EU AI Act apply to companies outside the EU?

Yes. Like GDPR, the EU AI Act has extraterritorial reach. It applies to any organization that places AI systems on the EU market, puts them into service in the EU, or produces AI outputs used within the EU. This means US, UK, Australian, and other non-EU companies serving European customers, employees, or partners must comply. Non-compliance exposes organizations to the same penalty framework regardless of where they are headquartered.

Is ChatGPT or enterprise AI considered high-risk under the EU AI Act?

General-purpose AI models like GPT-4, Claude, and Gemini are regulated separately as GPAI models under the EU AI Act, not directly classified as high-risk. However, enterprise applications built on these models become high-risk when deployed in domains listed in Annex III - including employment and HR decisions, credit scoring, education, law enforcement, and critical infrastructure management. The classification follows the use case, not the underlying model. Most enterprise AI copilots and productivity tools fall under limited risk with transparency obligations.

What is the difference between the August 2025 and August 2026 EU AI Act obligations?

August 2, 2025 activated GPAI model provider obligations, AI literacy requirements (Article 4), the full penalty regime, and governance infrastructure. August 2, 2026 is when full high-risk AI system obligations take effect - including conformity assessments, deployer obligations (Article 26), human oversight requirements (Article 14), logging mandates (Article 12), data governance (Article 10), and risk management (Article 9). Organizations should be preparing now, as building compliance infrastructure takes months.

EU AI Act Compliance

EU AI ActIndustry Cross-Reference

EU AI Act Compliance for Insurance AI

Insurance AI must meet EU AI Act obligations including Articles 10(5), 27, Articles 14, 26 and Articles 13, 50, 53. Areebi enforces and evidences these controls for insurers.

The Compliance Challenge

Proxy discrimination and unfair pricing that disadvantages protected groups - and EU AI Act expects it to be controlled and evidenced.

EU AI Act obligations such as Articles 10(5), 27 and Articles 14, 26 are continuous, but general AI tools generate none of the required evidence.

Leakage of health and financial data into ungoverned AI tools leaves insurers exposed when APRA and ASIC (Australia) and state insurance commissioners and the NAIC (United States) ask for proof.

Demonstrating how an automated decision was reached - required for Insurance AI - is impossible without per-interaction logging and human-oversight records.

How Areebi Helps You Comply

Bias + fairness testing Controls

Areebi operationalises EU AI Act Articles 10(5), 27 (bias + fairness testing) for Insurance AI with enforced policy and logged evidence, not documentation alone.

Human oversight + intervention Controls

Areebi operationalises EU AI Act Articles 14, 26 (human oversight + intervention) for Insurance AI with enforced policy and logged evidence, not documentation alone.

Transparency + disclosure Controls

Areebi operationalises EU AI Act Articles 13, 50, 53 (transparency + disclosure) for Insurance AI with enforced policy and logged evidence, not documentation alone.

Data handling + minimisation Controls

Areebi operationalises EU AI Act Article 10 (data handling + minimisation) for Insurance AI with enforced policy and logged evidence, not documentation alone.

Data-subject rights + redress Controls

Areebi operationalises EU AI Act Articles 85, 86 (data-subject rights + redress) for Insurance AI with enforced policy and logged evidence, not documentation alone.

Insurance AI Under EU AI Act

Under EU AI Act Annex III(5)(b), AI used to assess risk and set pricing for life and health insurance, and AI used to evaluate creditworthiness, is classified high-risk - pulling insurance AI into the Act's most demanding obligations under Articles 9 to 15. Insurers and insurtech platforms now run AI across underwriting, pricing, claims and fraud - decisions that directly affect whether a person is covered and at what cost.

EU AI Act (Regulation 2024/1689) applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used in the EU. Includes non-EU providers serving EU users. Its penalty exposure - Up to EUR 35 million or 7% of global turnover (Article 99) - and effective timeline (August 1, 2024 (staggered through August 2, 2027)) mean insurers cannot treat AI as out of scope. The data most at stake in this sector includes policyholder personal and financial data, health and, for life and health lines, special-category medical data, actuarial and claims-history datasets and telematics and behavioural data, processed across automated underwriting and risk assessment, dynamic and usage-based pricing, claims triage and automated claims decisions and fraud detection.

Areebi gives insurers a single governed control plane - data-loss prevention, immutable audit logging and policy enforcement - mapped to the EU AI Act obligations set out below, with the parent EU AI Act guide and Insurance solutions for the wider programme.

EU AI Act Obligations That Matter Most for Insurance AI

The obligations below are the EU AI Act requirements most material to Insurance AI, each tied to its source clause. Insurance AI programmes should treat these as the control backbone:

Bias + fairness testing (Articles 10(5), 27): Article 10(5) requires bias detection and correction; Article 27 introduces fundamental-rights impact assessment for some deployers. For insurers, this bites hardest on proxy discrimination and unfair pricing that disadvantages protected groups.
Human oversight + intervention (Articles 14, 26): Article 14 mandates effective human oversight for high-risk AI; specific roles per Article 26 for deployers. For insurers, this bites hardest on inability to evidence how an automated decision about an individual was reached.
Transparency + disclosure (Articles 13, 50, 53): Article 13 (high-risk) and Article 50 (chatbots, synthetic content) impose user-disclosure obligations; Article 53 covers GPAI documentation. For insurers, this bites hardest on opaque underwriting or claims denials the policyholder cannot contest.
Data handling + minimisation (Article 10): Article 10 sets quality, governance, and bias-testing requirements for training, validation, and test datasets. For insurers, this bites hardest on leakage of health and financial data into ungoverned AI tools.
Data-subject rights + redress (Articles 85, 86): Article 86 grants affected persons a right to explanation of decisions; Article 85 a right to lodge complaints. For insurers, this bites hardest on opaque underwriting or claims denials the policyholder cannot contest.
Audit trail + documentation (Articles 11, 12; Annex IV): Articles 11-12 require technical documentation (Annex IV) and automated logging for high-risk AI systems. For insurers, this bites hardest on inability to evidence how an automated decision about an individual was reached.
Risk management process (Article 9): Article 9 mandates a risk management system across the lifecycle of high-risk AI systems. For insurers, this bites hardest on proxy discrimination and unfair pricing that disadvantages protected groups.

Because these duties are continuous rather than point-in-time, insurers need tooling that produces ongoing evidence - not a one-off assessment.

How Areebi Supports EU AI Act Compliance for Insurance AI

Areebi maps platform controls to the EU AI Act obligations above so insurers can evidence compliance continuously:

Article 12 logging obligations satisfied by immutable audit log with 6-month minimum retention.
DLP + provider routing supports Article 10 data-governance and Article 15 cybersecurity.
Per-tenant evaluation harness aligned with Article 14 human-oversight workflows.
Incident-response runbook templates align with Article 73 reporting window.

The same controls address this sector's sharpest risks - proxy discrimination and unfair pricing that disadvantages protected groups and opaque underwriting or claims denials the policyholder cannot contest - by keeping every AI interaction inside an enforced, logged boundary that APRA and ASIC (Australia) and state insurance commissioners and the NAIC (United States) expect to see evidenced.

EU AI Act Compliance Checklist

Confirm which Insurance AI systems fall in scope of EU AI Act (Regulation 2024/1689) (EU AI Act)

Address bias + fairness testing per Articles 10(5), 27: Article 10(5) requires bias detection and correction; Article 27 introduces fundamental-rights impact assessment for some deployers.

Address human oversight + intervention per Articles 14, 26: Article 14 mandates effective human oversight for high-risk AI; specific roles per Article 26 for deployers.

Address transparency + disclosure per Articles 13, 50, 53: Article 13 (high-risk) and Article 50 (chatbots, synthetic content) impose user-disclosure obligations; Article 53 covers GPAI documentation.

Address data handling + minimisation per Article 10: Article 10 sets quality, governance, and bias-testing requirements for training, validation, and test datasets.

Address data-subject rights + redress per Articles 85, 86: Article 86 grants affected persons a right to explanation of decisions; Article 85 a right to lodge complaints.

Address audit trail + documentation per Articles 11, 12; Annex IV: Articles 11-12 require technical documentation (Annex IV) and automated logging for high-risk AI systems.

Address risk management process per Article 9: Article 9 mandates a risk management system across the lifecycle of high-risk AI systems.

Stand up continuous evidence (audit logs, oversight records) to prove EU AI Act compliance to APRA and ASIC (Australia) and state insurance commissioners and the NAIC (United States)

Frequently Asked Questions

Does EU AI Act apply to Insurance AI?

Under EU AI Act Annex III(5)(b), AI used to assess risk and set pricing for life and health insurance, and AI used to evaluate creditworthiness, is classified high-risk - pulling insurance AI into the Act's most demanding obligations under Articles 9 to 15. EU AI Act (Regulation 2024/1689) applies to providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used in the EU. Includes non-EU providers serving EU users. In practice that means insurers running automated underwriting and risk assessment, dynamic and usage-based pricing, claims triage and automated claims decisions and fraud detection must bring those systems into scope.

Which EU AI Act requirements matter most for Insurance AI?

The obligations with the sharpest impact are bias + fairness testing (Articles 10(5), 27), human oversight + intervention (Articles 14, 26) and transparency + disclosure (Articles 13, 50, 53). These govern how insurers handle policyholder personal and financial data and health and, for life and health lines, special-category medical data and how automated decisions about individuals are overseen and explained.

What are the penalties for EU AI Act non-compliance?

EU AI Act (Regulation 2024/1689) carries Up to EUR 35 million or 7% of global turnover (Article 99). For insurers the bigger exposure is often commercial - lost partner and reinsurer trust, and regulator scrutiny from APRA and ASIC (Australia) and state insurance commissioners and the NAIC (United States) - which is why continuous, evidenced controls matter.

How does Areebi help Insurance AI meet EU AI Act?

Areebi enforces EU AI Act controls at the point of AI use - Article 12 logging obligations satisfied by immutable audit log with 6-month minimum retention. Every interaction is logged immutably, so insurers can evidence Articles 10(5), 27 and Articles 14, 26 on demand rather than reconstructing it after the fact.

Related Resources

Ready to achieve EU AI Act compliance for your AI?

See how Areebi maps to EU AI Act requirements with a personalised demo.

Get a Demo Free AI Risk Assessment

Related resources

Compliance

SOC 2 Compliance for Insurance AI

Insurance AI must meet SOC 2 obligations including CC2.1-CC2.3; P1.1, C1.1-C1.2; P1-P8 (Privacy) and P5.1-P5.2. Areebi enforces and evidences these controls for insurers.

GDPR Compliance for Insurance AI

Insurance AI must meet GDPR obligations including Article 5(1)(a); Recital 71, Article 22(3) and Articles 13, 14, 22(3). Areebi enforces and evidences these controls for insurers.

HIPAA Compliance for Insurance AI

Insurance AI must meet HIPAA obligations including 45 CFR 164.520, 45 CFR 164.502(b); 164.514 and 45 CFR 164.524-528. Areebi enforces and evidences these controls for insurers.

Australian Privacy Act ADM Compliance Checklist

A comprehensive 45-control checklist across 10 compliance domains to help organisations comply with Australia's Privacy Act automated decision-making transparency obligations under APP 1.7, 1.8, and 1.9. Covers system inventory, materiality assessment, privacy policy updates, DLP deployment, sensitive data controls, audit logging, alerting, kill switch implementation, and documentation - mapped to specific APP provisions and the Explanatory Memorandum.

What is AI Bias Testing?

Learn what AI bias testing is, key methodologies including disparate impact analysis and fairness metrics, regulatory requirements from NYC Local Law 144 and the Colorado AI Act, and how to implement bias testing programs.