Insurance Europe messages on the upcoming Digital Omnibus

Navigating the Digital Maze: A Risk Manager's Guide to EU Regulatory Simplification

1. Introduction: The Growing Challenge of Digital Regulation

While digital transformation offers significant opportunities for insurers to enhance efficiency and customer engagement, it is accompanied by an expanding patchwork of complex, overlapping, and often inconsistent EU digital regulations. For risk managers and compliance officers, this fragmented regulatory approach creates significant operational friction, diverting resources from innovation and customer service to duplicative compliance exercises. This article breaks down the key challenges and proposed simplifications in critical areas like AI, Cloud, Cybersecurity, and Data, drawing on detailed analysis from Insurance Europe to provide a clear path forward for navigating this maze.

2. The Core Problem: A Complex Web of Overlapping Rules

The central issue facing the insurance sector is an operational environment governed by a dense web of digital regulations. This complexity spans artificial intelligence, cloud computing, data protection, and cybersecurity, creating significant administrative and compliance burdens. Key pieces of legislation contributing to this landscape include the AI Act, the Digital Operational Resilience Act (DORA), the General Data Protection Regulation (GDPR), the Cyber Resilience Act (CRA), Solvency II, and the Insurance Distribution Directive (IDD). The interactions between these frameworks often result in redundant obligations and legal uncertainty, demanding a strategic approach to simplification.

3. Guiding Principles for a Coherent Framework

To address these challenges, a set of guiding principles has been proposed to foster smarter, more streamlined legislation. These principles advocate for a regulatory environment that is fit for purpose and genuinely simplified.

  • Real burden reduction: Eliminate obligations that are duplicative, immaterial, or of limited value.
  • Clarity and transparency: Avoid relabeling complexity as simplification and communicate legislative intentions and impacts openly.
  • Coordination across layers: Ensure alignment between different EU authorities and rules to prevent divergence.
  • Evidence‑based rulemaking: Allow sufficient time for implementation and evaluation before revising existing rules.
  • Respect implementation realities: Engage with companies early in the legislative process to understand practical complexities and allow adequate time for implementation.
  • Limit external reporting: Encourage data exchange between authorities rather than requiring multiple, separate reports from insurers.
  • Aim for global coherence: Address contradictions and fill gaps in EU‑level guidance to create a more consistent international framework.

4. Deep Dive: Key Challenges and Recommendations by Policy Area

4.1. Artificial Intelligence (AI)

The AI Act introduces new rules that overlap with a wide body of existing EU legislation already governing the insurance sector, creating a significant risk of duplicative compliance efforts.

  • Existing Frameworks: The insurance sector is already subject to robust regulation that addresses many risks associated with AI. The Solvency II framework, particularly Articles 41, 44, and 46, contains extensive provisions on governance, risk assessment, and outsourcing. The Insurance Distribution Directive (IDD) includes rules on product oversight, governance, and the requirement under Article 17(1) to act fairly in the best interests of customers. Furthermore, DORA addresses the resilience of AI systems, while the GDPR governs the use of personal data in AI applications.
  • Key Recommendation - Avoiding Duplication: To prevent redundant requirements, clear guidance should be provided on how existing Solvency II and IDD requirements already meet the obligations of the AI Act. This would offer implementation clarity and prevent insurers from having to build parallel compliance structures for what are often the same underlying risks.
  • Key Recommendation - Scope Clarification: Explicit clarification is needed to confirm that traditional statistical methods, such as generalised linear models (GLMs), fall outside the scope of the AI Act's definition of an AI system. This is critical to avoid ambiguity and unnecessary burdens related to long‑standing statistical modeling practices and to focus the definition on the more salient characteristics of machine learning, namely inference and autonomy.

4.2. Cloud Services & Third‑Party Risk Management

A key point of friction exists between DORA and Solvency II regarding the oversight of critical ICT third‑party providers, particularly cloud services.

  • The Audit Challenge: Under Solvency II, Article 274 of Commission Delegated Regulation (EU) 2015/35 demands that insurers have "effective access to all information... including carrying out on‑site inspections." This obligation persists even when recognized third‑party certifications or direct audits by European Supervisory Authorities (ESAs) under DORA already exist. This approach is costly, impractical for a service that is remote by nature, and may inadvertently increase concentration risk by forcing firms to rely on a limited number of providers that can accommodate such audits.
  • Recommendations for Efficiency:
    1. Allow for more efficient use of recognized third‑party certifications and audit reports to avoid forcing financial entities to duplicate these efforts.
    2. Permit financial institutions to access the results of audits conducted by the ESAs' Joint Examination Teams under DORA, which would eliminate the need for duplicative individual audits.
    3. Allow financial institutions to adjust the audit obligation proportionally to selected parts of the services provided by a critical ICT service provider, as the provider may also deliver services that are not critical for the institution.
    4. Clarify that for ICT services, insurers should primarily focus on complying with DORA, which should take precedence over the Solvency II outsourcing rules to streamline compliance.

4.3. Cybersecurity: The Battle Against Duplication

Cybersecurity regulation is a prime example of administrative overlap, especially between the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).

  • CRA vs. DORA Overlap: The CRA introduces horizontal cybersecurity rules for digital products, while DORA provides a comprehensive operational resilience framework specifically tailored to the financial sector. Because financial services offered through digital channels are already subject to DORA's stringent requirements, which cover the entire lifecycle of these systems, from development to decommissioning, the CRA creates redundant obligations. The primary recommendation is to issue a clear exemption from the CRA for financial entities that are already subject to DORA.
  • Streamlining DORA: Since DORA came into force, significant administrative burdens have been identified. The following recommendations target key areas for simplification and increased efficiency.
    • Incident Reporting: The current thresholds and processes for incident reporting are overly burdensome and divert attention from critical events.
      • Raise the financial thresholds for classifying a "major incident" to a more material level (e.g., EUR 100,000) to reduce reporting on low‑severity events.
      • Focus reporting on system‑critical incidents and allow interim reports to use estimates, ensuring crisis management remains the priority over precise reporting during an event.
    • Register of Information (ROI) Simplification: The ROI reporting process requires significant manual effort that can be drastically reduced.
      • Eliminate non‑essential fields, consolidate duplicates, and simplify the overall data structure of the ROI template.
      • Enhance templates to minimize repetitive manual data entry by, for example, allowing multi‑value data fields for items like "country of storage" to avoid duplicating entire records for a single contract.
      • Standardize column codes and naming across EU and national templates to mitigate errors caused by mismatches.
    • Reporting Process & Harmonization: The submission process itself is fragmented and creates duplicative work.
      • Create a single European cyber incident reporting template compatible with all relevant regimes (e.g., DORA, GDPR) to eliminate the need for manual input into multiple different templates.
      • Harmonize digital submission interfaces (e.g., XML/JSON‑based) at the national level to allow for better integration with firms' internal systems.
      • Streamline reporting into a single submission point to avoid financial entities having to report the same information to multiple teams within a single national authority or to multiple authorities when operating cross‑border.
    • Centralized Subcontractor Information: To streamline due diligence, a centralized European repository of subcontractor information should be established to complement the Global LEI index and enhance transparency.
  • Ensuring Proportionality in DORA: There is a clear need for a more proportional application of DORA's requirements. It is recommended to provide reduced, risk‑based requirements for undertakings with a low‑risk profile, such as those already defined as small and non‑complex undertakings (SNCUs) under Solvency II.

4.4. Data Governance: Clarifying GDPR and AI Act Conflicts

The interplay between the GDPR, the AI Act, and the Data Act creates legal uncertainty that can hinder data‑driven innovation.

  • Automated Decision‑Making (GDPR Art. 22): A narrow interpretation of GDPR Article 22 could be seen as a prohibition on automated decision‑making, hindering digital solutions. For instance, offering online motor insurance via a mobile app where a premium is automatically calculated is a form of solely automated decision‑making. It is recommended to clarify that Article 22 provides a data subject with rights (such as obtaining human intervention or contesting a decision) and is not an outright ban on automated processes that are necessary for entering into or performing a contract.
  • Impact Assessment Overlap (GDPR vs. AI Act): There is significant duplication between the data protection impact assessment (DPIA) required under GDPR and the fundamental rights impact assessment (FRIA) mandated by the AI Act. This is compounded by a key difference: the AI Act's FRIA has a mandatory reporting obligation under Article 27(3), while the GDPR's DPIA does not. It is recommended to create a single, coherent assessment pathway, either by aligning the FRIA with the existing DPIA or by developing a sector‑specific template to avoid this duplication of effort.
  • Legal Basis for AI Training: A clear legal basis is lacking for using special categories of personal data (sensitive data) for AI training purposes beyond the narrow scope of bias detection in high‑risk systems. It is recommended to introduce a specific, narrowly scoped legal basis for this purpose, conditioned on strict safeguards, to ensure AI models can be trained effectively and without bias.
  • Anonymisation Uncertainty: There is legal uncertainty regarding when data is considered sufficiently anonymised. To ensure coherence with new legislation like the Data Act (e.g., Art. 18(5)), it is recommended to adopt a "relative approach," clarifying that pseudonymised datasets held by a recipient without reasonable means of re‑identification may be treated differently from personal data. This clarification would support data‑driven innovation while maintaining privacy safeguards.

5. Conclusion: The Path Forward for Risk Management

The goal of these proposed changes is not to eliminate regulation but to make it more coherent, streamlined, and risk‑based. Simplifying the EU's digital regulatory framework is essential for the insurance sector. It will enable firms to invest confidently in innovation, better support their customers, and contribute to Europe's overall economic resilience. For risk managers, a more rationalized framework means a critical shift in focus from navigating duplicative compliance tasks to managing the substantive digital risks and opportunities facing the industry.