Insurance Europe: Smart alignment of EU digital rules ahead of the Digital Omnibus
Navigating the Maze: A Call for Simpler, Smarter Digital Regulation in the EU Insurance Sector
1. Introduction: The Digital Dilemma for European Insurers
The European insurance industry plays a dual and vital role in the digital economy. On one hand, insurers are key drivers of digital transformation. They build societal cyber resilience, offer sophisticated cyber insurance solutions, and use digital tools to improve the customer experience and promote financial inclusion. The sector's use of data is pivotal to increasing the insurability of risks and is also key for detecting and preventing fraud. On the other hand, the industry's capacity for innovation is being challenged by a growing patchwork of complex, overlapping, and sometimes inconsistent digital regulations spanning AI, cloud, data protection, and cybersecurity.
This regulatory landscape diverts valuable resources from innovation and customer services. The upcoming "Digital Omnibus package" from the European Commission presents a critical opportunity to create a more coherent and streamlined legislative framework. A simplified, predictable regulatory environment is essential for the sector to invest confidently in digital innovation and support Europe's overall economic resilience.
2. Core Principles for a Coherent Digital Framework
To make digital legislation fit for purpose, Insurance Europe proposes that EU policymakers implement several guiding principles to ensure any simplification is meaningful and effective:
- Real burden reduction: Eliminate obligations that are duplicative, immaterial, or of limited value.
- Clarity and transparency: Avoid relabelling complexity as simplification and communicate intentions and impacts openly.
- Coordination across layers: Ensure alignment between rules from the European Commission, European Supervisory Authorities (ESAs), and other involved authorities.
- Evidence‑based rulemaking: Allow sufficient time for the implementation and evaluation of new rules before revising them.
- Respect implementation realities: Engage with companies early in the legislative process, as what seems simple on paper can be highly complex in practice.
- Limit external reporting from insurers: Encourage the exchange of relevant data between different authorities rather than imposing separate reporting streams on companies.
- Aim for global coherence: Address contradictions and fill gaps where EU‑level guidance is missing.
3. Streamlining Artificial Intelligence (AI) Governance
While the AI Act is a new and significant piece of legislation, it is complemented by a wide body of existing EU law that already addresses many potential AI risks in the insurance sector. Established frameworks like Solvency II contain robust provisions for governance, internal controls, and risk assessment. The Insurance Distribution Directive (IDD) ensures product oversight and that products meet customer needs, regardless of the technology used. Furthermore, DORA ensures the resilience of AI systems, and the GDPR governs the use of personal data in AI applications.
Key Recommendations for AI Regulation
- Clarify the interplay with existing financial services rules: Guidance is needed to show where existing requirements under Solvency II and the IDD already meet the obligations of the AI Act. This will prevent unnecessary duplication and provide much‑needed clarity for implementation.
- Explicitly scope out traditional statistical models: Clarification is required to confirm that traditional statistical methods, such as generalised linear models (GLMs), do not fall under the AI Act's definition of an AI system. This would avoid ambiguity and unnecessary compliance burdens for long‑standing analytical practices.
4. Reforming Cloud and Third‑Party Audit Requirements
Under the Digital Operational Resilience Act (DORA) and Solvency II, insurers face duplicative and burdensome audit obligations for their critical ICT third‑party providers, including cloud services. The rules demand "effective access to all information... including carrying out on‑site inspections," a requirement that is increasingly irrelevant and impractical for the remote nature of cloud computing. A greater focus should be on certifications and compliance with security standards.
The core issue is that regulation stipulates that institutions "must not rely solely on third‑party certifications or audit reports... over the long term." Consequently, even when a provider holds recognized certifications or has been audited by the ESAs, financial institutions are still required to conduct their own costly and resource‑intensive audits. This not only creates inefficiency but can inadvertently increase concentration risk, as firms may limit their reliance to a small number of providers they can feasibly audit.
Key Recommendations for Cloud Oversight
- Allow for a more efficient use of recognized certifications and third‑party audit reports to avoid duplicative efforts by individual insurers.
- Provide financial institutions with access to the audit results from the ESAs' Joint Examination Teams under DORA.
- Enable proportional audits that focus only on the specific services a provider delivers to an institution that are deemed critical.
- Clarify that for ICT services, the specific provisions in DORA should take precedence over the more general outsourcing rules in Solvency II.
5. Untangling the Web of Cybersecurity Legislation
The proliferation of cybersecurity regulations has created significant overlaps and implementation challenges for the insurance sector. A more coordinated approach is urgently needed.
Cybersecurity Act (CSA) and Reporting Burdens
The planned revision of the Cybersecurity Act is an opportunity to reduce administrative burdens. The priority should be to address duplicative cyber incident reporting requirements that exist across different laws.
- Ensure consistent reporting formats and a risk‑based approach to reporting thresholds to avoid low‑value reports.
- Issue clear guidance to member states to prevent conflicting national frameworks.
- Provide institutions with insight into the authorities' expectations regarding the criteria for incident reporting to reduce variance and misinterpretation.
- Ensure transparent stakeholder participation in the development of any future certification schemes.
The Overlap between the Cyber Resilience Act (CRA) and DORA
The overlap between the horizontal Cyber Resilience Act (CRA) and the sector‑specific DORA creates redundant obligations and contradicts the goal of regulatory coherence. Financial services are already subject to DORA's comprehensive, stringent, and lifecycle‑based requirements for ICT systems.
The primary recommendation is to issue a clear exemption from the CRA measures for financial entities that are already subject to DORA.
Improving the Digital Operational Resilience Act (DORA)
DORA is the central piece of cybersecurity legislation for the financial sector. However, its initial implementation has revealed areas of disproportionate burden that require simplification and increased proportionality.
Streamline DORA Reporting:
- Reduce the administrative burden of cyber incident reporting by raising the thresholds for classifying a major incident (e.g., to EUR 100,000).
- Focus reporting on system‑critical incidents and allow the use of estimates in interim reports to ensure crisis management remains the top priority.
- Create a single European cyber incident reporting template compatible with all regimes (e.g., DORA, GDPR) to eliminate manual re‑entry.
- Simplify the "registers of information" (ROI) by eliminating non‑essential fields, allowing multi‑value data fields (e.g., for country of storage), and standardizing templates.
- Streamline the validation and submission process to avoid duplicative reviews when reporting to multiple national and European authorities.
- Establish a centralized EU‑level repository of subcontractor information to enhance transparency and streamline due diligence.
Ensure a More Proportional and Efficient DORA Application:
- Ensure undertakings with a low‑risk profile face reduced, risk‑based requirements.
- Refine and clarify the definition of "ICT services" to ensure consistent interpretation across jurisdictions.
- Address and reduce the duplication of requirements for intra‑group IT service providers who are also subject to NIS2.
- Clarify that sole proprietorships or individuals under "body leasing" agreements should not be considered ICT providers, avoiding unnecessary burden.
- Enable the more efficient use of recognized certifications and the audit results of critical ICT providers to avoid the need for each financial entity to conduct its own separate audit.
6. Enhancing Clarity for Data Use and Innovation
To enable data‑driven innovation, the EU must improve the coherence of its legislative framework, particularly the interplay between the GDPR, AI Act, and Data Act.
Automated Decision‑Making under GDPR
A narrow interpretation of Article 22 of the GDPR is hindering the use of beneficial and efficient automated processes in insurance. Some authorities claim that automated decisions are not permissible simply because a human could have performed the task, which stifles digitalization. For instance, an insurance company may offer online motor insurance through a mobile phone app where a consumer obtains coverage by sending a picture of their car. In this scenario, the premium is automatically calculated, and the contract is formed upon payment. This is a clear example of solely automated decision‑making that benefits the consumer through speed and convenience.
The recommendation is to clarify that Article 22 should be treated as a data subject's right to obtain human intervention and contest a decision, not as an upfront prohibition on automated decision‑making, provided appropriate safeguards are in place.
Interaction Between GDPR and the AI Act
The concurrent application of the GDPR and the AI Act has created overlaps and inconsistencies. A prime example is the requirement for both a Data Protection Impact Assessment (DPIA) under the GDPR and a Fundamental Rights Impact Assessment (FRIA) under the AI Act. This is not just a duplication; it is an extension of obligations, as the FRIA imposes a reporting requirement not present in the DPIA, creating additional burdens.
- The relevant insurance supervisory authority should remain in charge of supervising the application of the AI Act for the sector to ensure consistent oversight.
- Streamline overlapping obligations by either removing the FRIA requirement from the AI Act or closely aligning its requirements with the existing DPIA.
- Develop clear European‑level guidance on these regulations to prevent fragmented and conflicting national interpretations.
Legal Basis for AI Training and Data Anonymisation
Two final data‑related challenges impede innovation. First, there is a lack of a clear legal basis for using special categories of personal data for AI training, which is crucial for building fair and unbiased models. Second, significant legal uncertainty remains around when data is considered sufficiently anonymised.
- Introduce a specific, narrowly scoped legal basis to allow the use of special categories of personal data for AI development and testing, subject to strict safeguards.
- Provide methodological clarification on anonymisation, adopting a "relative approach." This would mean that pseudonymised data is not considered personal data in the hands of a recipient who has no reasonable means of re‑identifying the individuals.
7. Conclusion: A Call for Coherent, Future‑Proof Regulation
Simplifying Europe's digital rules is not merely an administrative exercise; it is essential to enabling the insurance sector to invest confidently in digital innovation, support its customers, and contribute to the continent's economic resilience. The upcoming Digital Omnibus package offers a pivotal moment to address the overlaps, inconsistencies, and disproportionate burdens identified here. We call on EU policymakers to seize this opportunity to implement these recommendations and build a more streamlined, coherent, and effective regulatory framework for the digital age.