Understanding the Implications of Europe’s Latest AI Regulatory Guidance for Credit Insurance and Surety

The insurance industry stands at a transformative crossroads as artificial intelligence reshapes everything from customer interactions to risk assessment. Against this backdrop, the European Insurance and Occupational Pensions Authority (EIOPA) published its opinion on AI governance and risk management in August 2025. While this opinion is formally addressed to insurance supervisors across the EU, (re)insurers should carefully read it given its likely impact on supervisory expectations and the use of AI systems in the insurance sector.

The opinion arrives as insurers increasingly deploy AI systems throughout the insurance value chain—from automated underwriting to marketing and claims management. Rather than creating new requirements, the opinion clarifies how existing insurance legislation applies to AI systems in insurance, providing supervisors and insurers with practical guidance on interpreting requirements. Recent surveys of ICISA members show growing use of AI across TCI and surety, with an expectation of significant growth in its application in the coming years. As a result, this is a topic that our industry should pay close attention to.

Navigating the Regulatory Landscape

EIOPA’s guidance operates within the broader context of the EU AI Act while focusing specifically on AI systems that fall outside the Act’s “high-risk” and “prohibited” categories. In an insurance context, the Act’s high-risk categorisation tends to apply to services provided to consumers, such as life and health. EIOPA explicitly states that its opinion does not alter or extend any existing requirements under the Act or elsewhere, but instead provides guidance on interpretation.

The framework builds upon existing sectoral legislation—including the Insurance Distribution Directive, Solvency II Directive, and the Digital Operational Resilience Act (DORA). These frameworks already establish important principles for governance and risk management applicable to insurers. However, the EIOPA opinion will be helpful to insurers in understanding expectations and the likely direction of conversations with regulators on the use of AI systems and the governance and risk management they are expected to have in place.

A Risk-Based Approach and Developing AI Governance Systems

EIOPA’s approach begins with a basic understanding: that insurers must assess the risk and impact of their AI systems and “…develop governance and risk management measures adequate and proportionate to the characteristics and risks of the specific use of AI systems at hand”. This assessment should be proportional, but should take into account risks to both customers and the insurer itself from the use of AI systems.

For customer impact, insurers should consider the scale of data processing, data sensitivity, number of affected customers, the AI system’s autonomy level, and whether it’s customer-facing or internal. The assessment must also weigh potential discrimination risks and the system’s role in financial inclusion or compulsory insurance lines.

Equally important are prudential considerations. Insurers must evaluate whether AI systems affect critical business activities, their potential impact on financial position (including claims volumes, contracts, and solvency ratios), and implications for business continuity. The opinion specifically highlights concerns about AI decision-making dominance and the reputational risks that could arise from AI system failures.

Based on these assessments, insurers should then implement proportionate governance measures which take into account the following areas:

  • Fairness and Ethics – Customer-centric approaches preventing discrimination while maintaining ethical standards. This should be linked to an overarching corporate culture of fairness and good ethical practices.
  • Data Governance – Ensuring data quality, completeness, and appropriate use while managing bias. This is important throughout the lifecycle of developing and using AI, including the information used to train AI, as well as ongoing decisions and actions related to underwriting, claims, or other key functions. The same level of governance and risk management should also apply to the use of third-party data – an important aspect for TCI and Surety.
  • Documentation and Record Keeping – Maintaining comprehensive audit trails for reproducibility and accountability. Again, this should correspond to different stages in the lifecycle of the AI system and should be available when needed.
  • Transparency and Explainability – Balancing meaningful explanations with practical limitations. Important within this context is the ability to explain specific, as well as general uses of AI and to avoid “black box” approaches where more transparent alternatives may be possible.
  • Human Oversight – Clear governance structures with defined roles throughout the AI lifecycle and opportunities for human intervention throughout the process.
  • Accuracy, Robustness and Cybersecurity – Consistent performance and resilience across varying conditions. This will also take into account the application of DORA and other similar requirements, and equally has implications for the use of third-party information.

Practical Application for Trade Credit Insurance and Surety

AI System Impact Assessments

For trade credit and surety providers, there are a number of areas where the use of AI has grown, or is likely to become more prominent in the coming years. Risk assessments such as those described above will likely be beneficial to insurers to understand their own use-cases and limitations, as much as to manage and mitigate the sorts of risks listed in EIOPA’s opinion.

While “vulnerable customers” might seem less relevant in the B2B context of TCI and Surety, there are areas where the concept applies, for example in some aspects of MSME or sole trader business. The scale of AI systems and the potential impact on vulnerable customers is a particularly pertinent consideration for whole turnover TCI business. This kind of insurance has clear benefits from managing high-volume underwriting through AI and machine learning, and thousands of automated decisions occur daily. The principles of good governance and risk management noted in the EIOPA opinion should be considered by insurers active in this line, even where there are minimal likely impacts on potentially vulnerable customers. The added complexity of TCI and Surety comes from considering the impact of the insurer not only on the insured, but also (if not especially) on their counterparties – i.e. a commercial buyer or contractual obligor, where that entity may be considered vulnerable due to its size.

Prudential considerations noted in the opinion are also relevant to trade credit insurance. Just as with any standard underwriting framework, where AI is used this should be carefully managed to avoid concentration of risk exposures. This is where transparency of systems and the ability for human intervention throughout the lifecycle of the system are key. Business continuity concerns are also worth considering. Where reliance on such systems grows, it is important that vulnerabilities are managed carefully and that recovery from outages can happen quickly and without significant impact on policyholders.

Managing Interconnected Risks

Trade credit insurers face specific challenges given the importance of high volumes of business information. As this information often comes from external providers, insurers must ensure that not only their own systems are robust, but equally those of third-party providers which they rely upon. While the opinion notes that perfect transparency isn’t always achievable, this isn’t an excuse to avoid responsible governance.

As noted above, this should ensure that there is a clear audit trail, that there are significant opportunities for human intervention, and that there is robust control and oversight of data. Insurers should also expect the same high standards they apply to themselves from the vendors they utilise.

Leveraging Existing Frameworks

While the opinion sets out a number of important areas of action that insurers may want to consider, EIOPA also highlights that they can do this within existing governance structures without the need for wholly new processes. These existing frameworks can be improved and updated to incorporate AI-specific considerations. While the risks associated with AI systems may be in some ways new, the principles of good governance and risk management, which should already be central to all insurers, can still apply with some adaptation.

The Road Ahead

EIOPA’s opinion provides valuable clarity on supervisory expectations, offering the trade credit and surety industry clear guidance on responsible AI adoption. While each (re)insurer must develop governance approaches suited to its specific business model and risk management processes, the opinion provides a useful reminder of the core principles expected by supervisors. This can be valuable for insurers who are already advanced in implementation, allowing them to challenge their own assumptions and ensure they are on the right path. However, it can also be a useful map for those starting out on the AI journey, reminding them of the necessities beyond the purely technical considerations.

AI has already been a topic of significant conversation within ICISA and will continue to be for some time. Continuing discussions within the industry about AI development and risk management will be key to shaping better outcomes for insurers, reinsurers, policyholders, and buyers/obligors. By sharing best practice and lessons learned, and by working to identify emerging risks, those involved in TCI and Surety can benefit from advances in technology safely and effectively, together.

EIOPA for its part will continue to monitor AI development over the coming years. It states its intention to follow up on this topic in two years to assess supervisory practices and convergence on important aspects at that point. It is also expected that EIOPA, alongside other key authorities in and beyond Europe, will continue to refine and develop supervisory approaches to this topic in the coming years. For that reason, it is important for insurers to keep abreast of those developments while they continue to invest in and implement new technologies.

Daniel de Burca, Head of Policy and Regulatory Affairs