Introduction

Over the past three years, Artificial Intelligence (AI) has emerged as the most widely discussed and utilized new technology. AI is rapidly being adopted by insurance undertakings, transforming every aspect of the business, including internal processes, product development, distribution, and customer services. As highlighted by the Ethical AI in Insurance Consortium (‘EIAC’), approximately 80% of insurers have already integrated AI into their operations[1].

AI also introduces new risks, particularly in cybersecurity. As businesses increasingly rely on AI systems to handle critical operational functions, their exposure to cyber threats grows. This explains the fast-growing cyber-risk insurance segment of the market.

This article aims to provide an indicative overview of the main legal aspects of AI’s applications in the insurance sector, with a focus on compliance with laws and standards.

Application and benefits of AI in insurance

AI tools can significantly enhance insurers’ internal processes, particularly by automating claims handling. Data received from various sources (e.g., policyholders, employees, experts, third-party claimants) can be automatically collected and processed, improving efficiency and saving time. For instance, in automobile liability insurance cases involving third-party claims, AI systems can examine all submitted documents (e.g., liability declarations from the insured, photographs of the crash site and vehicle damage, medical reports for injuries, and public records like traffic police accident reports). The AI can then assess the data provided, determining whether to approve or deny the claim or escalate it to a human agent. It can also summarize key information and provide recommendations, allowing insurance agents to process claims faster and more accurately.

Many insurers use AI-powered fraud detection systems to identify suspicious claims by analyzing unusual patterns in documents and data collected from various sources, including the internet (e.g., checking the weather on the day of the crash). This helps insurers prevent fraudulent payouts. Additionally, AI enables insurers to analyze vast datasets from different sources, generating valuable insights that help them understand business challenges and make better decisions.

Finally, AI tools significantly improve customer relationship management and service delivery, enhancing overall customer satisfaction. While the automation of internal processes streamlines customer services, the use of 24/7 AI-powered chatbots can further enhance the customer experience, freeing human insurance agents to engage with more complex cases. Specifically, a generative AI chatbot integrated into an insurer's website or mobile app can respond to customer inquiries quickly and around the clock, providing information, help, personalized guidance, product suggestions, and price quotes, or even routing a client to a human insurance agent for more complicated issues.

In Greece, Groupama launched a chatbot in 2020, followed by ERGO Hellas in 2023. Eurolife FFH introduced “OSCAR” (Open Service for Customers and Recommendations) in 2025, via which customers may even purchase pet insurance policies.

Legal considerations for compliance

The Insurance Distribution Directive no. 2016/97 (IDD) does not include provisions regarding insurance distribution via AI systems such as chatbots. However, according to the European Insurance and Occupational Pensions Authority (‘EIOPA’), the IDD applies equally to distribution conducted by both human insurance agents and AI bots[2]. While the 2016 legislation did not refer to AI, due to its limited incorporation in insurance distribution at the time, the Directive should now be interpreted and implemented in light of technological advancements, particularly AI applications in insurance distribution. Taking into consideration the extended integration of AI systems throughout the insurance value chain (especially in providing information and distributing products), EIOPA has also published a consultation paper titled “Opinion on Artificial Intelligence Governance and Risk Management”. Stakeholders may submit comments by 12 May 2025.

Another important piece of sectoral legislation is the Solvency II Directive (Directive 2009/138, implemented through Greek Law 4364/2016), which provides rules for governance, risk management, transparency requirements, and the supervisory framework for insurance undertakings within its scope. According to Article 41 of Solvency II (corresponding to Article 30 of Greek implementing Law 4364/2016), each insurance or reinsurance company is required to maintain an effective system of governance, proportionate to the nature, scale, and complexity of its operations and management. This governance framework, which includes the company's organizational structure and risk management policies, must integrate the AI Governance Framework mandated for high-risk AI systems under the EU AI Act. This includes, among others, the allocation of responsibilities for AI systems oversight, the development of policies regarding risks arising from AI implementation, and the establishment of business continuity measures in case of emergencies affecting AI systems.

The AI Act applies across all economic sectors, including insurance companies using AI in their operations. Insurance undertakings incorporating AI systems classified as high-risk under the AI Act, such as those used for risk assessment and premium pricing in life and health insurance for natural persons, must comply with numerous governance and risk management requirements as outlined in the relevant articles of the AI Act[3]. When insurers employ AI systems not classified as high-risk, the AI Act imposes only transparency obligations, as specified in the respective articles[4], while these systems remain subject to additional sector-specific regulations. However, when an AI system is classified as prohibited under the AI Act, insurance sectoral legislation ceases to apply, as the system’s use is completely forbidden.

Additionally, Regulation 2022/2554 (‘DORA’) on digital operational resilience for the financial sector applies to insurance companies, with the exception of small and medium-sized insurers. DORA introduces obligations regarding Information and Communications Technology (‘ICT’) risk management, ICT third-party risk management (internal governance and risk framework), ICT-related incident reporting, and digital operational resilience testing. These requirements ensure that such systems, including AI applications, are robust and resilient against cyberattacks and operational disruptions, thereby protecting financial stability. Under Greek Law 5193/2025, the Bank of Greece is designated as the competent authority responsible for implementing and enforcing the provisions for insurance undertakings.

Finally, as AI systems both train on and process personal data, insurance undertakings must comply with GDPR requirements in addition to those outlined above. Particular attention must be given to providing transparent information to customers regarding the processing of their personal data through AI, ensuring personal data security, conducting data protection impact assessments (DPIAs), and safeguarding enhanced rights regarding automated individual decision-making that produces legal or similarly significant effects on customers (such as insurance product denials or claim rejections). An important provision for insurance undertakings under Greek implementing Law 4624/2019 is the prohibition in Article 23 on processing genetic data for health and life insurance.

The importance of an AI governance framework for an insurance undertaking

Establishing an AI governance framework within the general governance framework is crucial for insurers to comply with laws (such as Solvency II, GDPR, AI Act, DORA) and adhere to standards, good practices, ethics and codes of conduct (i.e., soft law). There is no universal solution; the design of an AI Governance Framework depends on the unique needs of each insurer. A tailored framework ensures that AI tools used in business processes are risk-mitigated, structured, secure, resilient, operational, transparent, fair, human-centric, respectful of privacy and other human rights, and ultimately efficient and profitable. Consequently, a well-designed AI governance framework fosters high-quality customer service, trusted products, and customer loyalty, streamlines employee operations, and enhances competitiveness and brand reputation.

https://rokas.com/ai-in-insurance-industry/