EU AI Act vs US Rules for Digital Underwriting
A side-by-side comparison of EU AI Act insurance underwriting obligations and US state AI rules, with timelines for global carriers running digital underwriting.

A carrier writing life and health business on both sides of the Atlantic now operates under two regulatory philosophies that were built from opposite starting points. The European Union codified a single, prescriptive statute that names insurance pricing as a high-risk activity, while the United States layered AI expectations on top of existing market-conduct and unfair-discrimination law through a patchwork of state actions. For compliance and medical leadership trying to run one underwriting model across both markets, the gap between EU AI Act insurance underwriting requirements and the US approach is no longer academic. It determines documentation depth, governance staffing, and the timeline on which a digital underwriting program has to demonstrate conformity.
Under Annex III, point 5(c) of the EU AI Act, AI systems used for risk assessment and pricing in life and health insurance are explicitly classified as high-risk, and non-compliance can carry penalties of up to 30 million euros. Source: Regulation (EU) 2024/1689, European Union, 2024.
How EU AI Act insurance underwriting rules differ from US frameworks
The defining difference is statutory architecture. The EU AI Act, which entered into force on August 1, 2024, is a horizontal regulation that applies across sectors and assigns obligations based on risk tier. Insurance pricing and risk assessment for life and health products sit in the high-risk category by name, which triggers a defined set of provider and deployer duties: data governance and quality controls, technical documentation, logging, human oversight, transparency to affected persons, accuracy and robustness testing, and registration in an EU database. Deployers that are insurers must also conduct a Fundamental Rights Impact Assessment under Article 27 before putting a high-risk system into use.
The US has no equivalent federal statute. Instead, the National Association of Insurance Commissioners adopted a Model Bulletin on the Use of Artificial Intelligence Systems by Insurers in December 2023. The bulletin does not create new law. It reminds insurers that existing prohibitions on unfair trade practices and unfair discrimination apply to AI-driven decisions, and it asks carriers to maintain a written AI program with governance, risk management, and third-party vendor controls. By March 2025, roughly half of US states had adopted the bulletin, with most adoptions occurring during 2024. Colorado went further with Senate Bill 21-169, signed in July 2021, which requires life insurers using external consumer data and predictive models to test for and correct unfair discrimination, with an initial progress report due June 1, 2024 and a fuller compliance filing due December 1, 2024.
The practical consequence is that US insurance AI regulation is principles-based and enforced through existing supervisory channels, while the EU framework is conformity-based and enforced as product safety law. One asks carriers to prove fairness within established market-conduct expectations. The other asks them to prove a system meets a defined technical standard before deployment.
| Dimension | EU AI Act | US framework (NAIC bulletin + state laws) |
|---|---|---|
| Legal form | Single binding regulation across all sectors | Model bulletin plus state-by-state laws and existing statutes |
| How underwriting AI is classified | High-risk by name (Annex III, 5(c)) for life and health pricing | Governed under existing unfair-discrimination and trade-practice law |
| Core obligation | Conformity with technical, data, and oversight requirements before use | Written AI governance program and bias testing under state expectations |
| Impact assessment | Mandatory Fundamental Rights Impact Assessment (Article 27) | Encouraged risk management; bias testing required in some states |
| Registration | EU database registration for high-risk systems | No central registry; filings vary by state |
| Primary timeline | Most high-risk obligations from August 2, 2026, with proposed extension to December 2, 2027 for Annex III systems | NAIC adoptions through 2024-2025; Colorado life reports due 2024 |
| Penalties | Up to 30 million euros or a percentage of global turnover | State enforcement actions, fines, and license consequences |
| Geographic trigger | Applies to systems affecting persons in the EU regardless of provider location | Applies by state of business and residency of insured |
What each framework demands of a digital underwriting compliance program
The obligations converge more than the legal forms suggest, but the evidentiary bar differs. A carrier building one digital underwriting compliance program for both markets should expect the following recurring themes.
- Governance ownership. Both regimes expect a named, documented owner for AI risk. The EU formalizes this through provider and deployer roles; the NAIC bulletin expects a written program approved by senior management.
- Data quality and provenance. The EU AI Act sets explicit data governance requirements for training, validation, and testing datasets. US regulators reach the same concern through unfair-discrimination review of external data inputs.
- Bias and fairness testing. Colorado requires quantitative testing for life insurers. The EU requires accuracy, robustness, and non-discrimination controls as part of conformity.
- Human oversight. The EU mandates that high-risk systems be designed for meaningful human review. US market-conduct expectations push the same direction without a single statutory clause.
- Transparency to applicants. The EU requires that affected persons receive information about high-risk AI use. US transparency derives from adverse-action and disclosure rules that vary by state and line of business.
Industry applications
Cross-border life and health carriers
A reinsurer or multinational life carrier running a shared underwriting engine faces the strictest path: the EU framework reaches any system whose output affects a person in the EU, regardless of where the model is hosted. That extraterritorial reach means a US-built engine touching EU applicants inherits high-risk obligations. Medical directors validating contactless vitals or remote screening signals should assume the EU conformity standard becomes the global floor for shared infrastructure.
Insurtech vendors and managing general agents
For vendors supplying underwriting models, the EU AI Act assigns provider obligations that cannot be contracted away. An insurtech regulatory framework that ignores provider duties leaves carrier-deployers exposed. US carriers are increasingly pushing NAIC bulletin expectations into vendor contracts, requiring documentation, bias testing evidence, and audit rights as a condition of procurement.
Compliance and actuarial functions
The actuarial team that historically owned rate justification now shares accountability with model-risk and data-governance functions. Both frameworks reward carriers that can produce a living evidence trail rather than a static filing, which is why documentation depth has become the practical differentiator between the two regimes.
Current research and evidence
Legal and actuarial analysts have tracked the divergence closely. Commentary from Milliman in 2024 examined how the EU AI Act reshapes provider and deployer responsibilities for insurers and flagged the conformity assessment burden as the central operational change. Analysis from Pinsent Masons in 2024 detailed the high-risk classification mechanics under Annex III and the documentation and registration duties that follow. On the US side, McDermott Will and Emery reported in 2024 on the wave of states adopting the NAIC Model Bulletin, while Holistic AI documented Colorado's SB 21-169 framework for governance, bias testing, and decision documentation in life insurance.
A notable recent development comes from S&P Global, which reported in 2026 on a proposed EU amendment extending the compliance deadline for Annex III high-risk systems from August 2, 2026 toward December 2, 2027. For carriers, the extension changes the calendar but not the substance: the conformity obligations remain, and the longer runway favors organizations that treat readiness as a multi-year build rather than a filing sprint.
The combined evidence points to one finding for global carriers. Building to the EU conformity standard generally satisfies US principles-based expectations, but the reverse is rarely true. A program designed only for the NAIC bulletin will lack the technical documentation, impact assessment, and registration artifacts the EU requires.
The future of cross-border digital underwriting regulation
Three trajectories are visible. First, the EU framework is likely to function as a de facto global benchmark, much as European data protection law did, because shared underwriting infrastructure makes it inefficient to maintain two standards. Second, US state activity will continue to expand, with more states adopting the NAIC bulletin and a subset following Colorado toward quantitative testing mandates, deepening the compliance burden even without federal legislation. Third, the documentation expectation will keep rising on both sides, pushing carriers toward continuous evidence systems that capture data lineage, model versions, oversight decisions, and fairness testing as operational byproducts rather than retrospective exercises.
The carriers best positioned are those treating the stricter standard as the design baseline and mapping a single control set to both regimes. That approach turns a fragmented obligation map into one auditable program.
Frequently asked questions
Does the EU AI Act apply to a US insurer that has no European offices? It can. The regulation applies to AI systems whose output affects persons located in the EU, regardless of where the provider or deployer is based. A US-hosted underwriting engine that evaluates EU applicants generally falls within scope and inherits high-risk obligations.
Is there a single US federal AI law for insurance underwriting? No. The US relies on the NAIC Model Bulletin adopted in December 2023, individual state laws such as Colorado's SB 21-169, and existing unfair-discrimination and trade-practice statutes. Requirements vary by state, which makes the US environment fragmented compared to the EU.
When do the main EU AI Act obligations take effect for insurance? Most high-risk obligations were set to apply from August 2, 2026, though a proposed amendment reported in 2026 would extend the deadline for Annex III high-risk systems toward December 2, 2027. The substantive obligations remain unchanged regardless of the final date.
Can one compliance program satisfy both frameworks? Generally yes, if it is built to the EU conformity standard. The EU's documentation, impact assessment, and oversight requirements typically cover US principles-based expectations, while a program designed only for US rules usually lacks the artifacts the EU requires.
Circadify is building regulatory technology for exactly this cross-border problem, helping carriers map one control set to both the EU AI Act and US state expectations. To assess your readiness across both frameworks, explore our compliance guides and regulatory insights at circadify.com/industries/payers-insurance.
