AI, DIGITAL AND DATA
FUELLED BY DATA
A cloud of regulation
How the EU’s Digital Rulebook is rewriting the insurance forecast
Peter Kerstens
Advisor for Digitalisation, Technological Innovation and Cybersecurity at DG FISMA in the European Commission
Let’s be honest: no one gets into insurance for the adrenaline. The thrill of spreadsheets, the quiet rustle of compliance manuals – these are the humble pleasures of the trade.
Lately, the world of measured risk and actuarial prudence has been hit by a new excitement: the European Union’s fast-unfurling digital finance strategy.
The EU, never one to under-regulate an opportunity, has in recent years been pushing out digital finance legislation like a bakery on deadline. From the Digital Operational Resilience Act (DORA) to the Markets in Crypto-Assets Regulation (MiCA), from the AI Act to the Data and Financial Data (FIDA) Act, the EU is laying down a vision of a digitised, interconnected financial system. Insurance is very much in the splash zone. And that is a good thing.
In fact, for those in the risk business, these changes aren't just background noise. They’re reshaping the very terrain the industry is supposed to navigate. So, let’s take a short tour of this brave new regulatory world and what it means when your business model is built on calculating – and managing – risk.
DORA: turning the IT department into the front line
Think of DORA as the insurance industry’s version of a fire drill – except now your C-suite and your regulators need to see your evacuation plan, your smoke detector installation guide, and a signed affidavit from the guy who checked the batteries.
At its heart, DORA is about ensuring digital operational resilience across the financial sector. That means that insurers must now treat their information and communication technology (ICT) systems not as humble back-office tools, but as critical pillars of financial stability. If your underwriting or claims processing system goes down, that’s not just a nuisance, it’s a resilience concern.
From third-party risk management to incident reporting, DORA forces insurers to ask tough questions about their digital dependencies.
Are you sufficiently in control of your tech providers or are you rather at their mercy? Do you have contingency plans in case your systems and data get sucked into a Blue Screen of Death paralysis?
DORA is not a compliance exercise. It is more of a lifestyle change. It’s Marie Kondo for your IT infrastructure: do your ICT, your processes and the people operating them spark resilience?
MiCA: crypto comes to the party
Then there’s MiCA, the EU’s attempt to lasso the wild mustangs of the crypto world and bring them into the stables of mainstream finance.
Sure, it’s mostly aimed at crypto-asset service providers, but let’s not forget: some insurers are dipping their toes in the blockchain waters, whether through crypto custody services, insuring digital wallets, or offering coverage for smart contracts gone stupid.
Under MiCA, these ventures now come with a compliance price tag. Crypto bros and level-headed financial pros alike need to navigate disclosure requirements, governance obligations, and even capital rules that supposedly were invented for everything that crypto was not, at least not to Satoshi.
There’s also real potential here. As crypto matures into a more regulated asset class, insurers may finally have a clear framework for pricing risk – something that’s been largely guesswork in the crypto insurance market until now. Think of MiCA as a kind of orthodontics for crypto: a retainer, but in the end, a straighter smile and fewer compliance cavities.
AI Act: the algorithm gets a performance review
Meanwhile, the AI Act is making sure your robot underwriters don’t turn into rogue sci-fi villains. It’s the first attempt to put guardrails around artificial intelligence, and it’s likely to hit insurers where it matters most.
Many insurers already use AI for everything from fraud detection to dynamic pricing. But under the AI Act, certain high-risk applications – like personalising health or life insurance premiums – trigger strict requirements. Transparency, data quality, human oversight – suddenly, your AI system needs to be more than just cool, impressive or accurate: it needs to be fair and explainable.
Think of it like taking your algorithm to therapy. Why did it deny that claim? Why did it raise that premium? The AI Act demands not just answers, but documentation, governance structures, and risk mitigation plans. And if your AI starts acting up, you could face penalties that would make even your reinsurance provider sweat.
The Data Act: the Great Unbundling and the proposed Financial Data Access (FIDA) Regulation
If data is indeed the new oil, the Data Act is the EU’s attempt to stop everyone from drilling willy-nilly. It’s all about giving users more control over their data, promoting interoperability, and ensuring fair access to data.
For insurers, it could open up access to a treasure trove of third-party data – from connected cars to smart homes to wearable tech. On the other hand, it also means you may have to share more of your own data with competitors or policyholders, often in real time, and in machine-readable formats that make the likes of Excel blush.
FIDA is a financial-sector-specific data access proposal that will require data holders in the financial sector to provide access to data users, if the data subject or owner consents. This data access needs to be provided through performant and secure automated means. Looking at FIDA only as a requirement to give access to data you hold is bound to be a losing proposition. But if insurers put themselves in the data user’s shoes, as any modern data-driven insurer should, FIDA becomes an opportunity not to be missed.
Either way, it’s clear that the age of data hoarding is over. The EU is about data access, fairness, and user empowerment. It’s like a digital version of a potluck: you get to try anything on the table, but you have to bring your own dish as well.
What does the EU Digital Finance Strategy mean for insurers?
So where does all this leave insurers? In a word: exposed. Exposed to risk: policy, regulatory and compliance risk… but more importantly… exposed to opportunity.
The EU’s digital finance rules provide a platform enabling and forcing insurers to become more digitally literate, operationally resilient, and data-savvy. Technology and data rule. And your CIO and CTO may become the most important people in the building, that is, if you still have one in the future.
Adaptation won’t be easy. The sector will need to invest in upskilling, rethink digital strategies, and embrace greater transparency. In a world where your AI has to file paperwork and your servers have to practice mindfulness, the bar for digital competence just got a whole lot higher.
But let’s not panic. Insurance is, after all, the business of managing and adapting to uncertainty, of calculating risk and allowing society to confront it, knowing there is cover. If any sector can navigate this challenge and seize this opportunity, it is insurance. You have survived plagues, wars, and the invention of actuarial science. You can and will survive “Brussels”.
There was a time when finance and insurance were mainly about money. Money still matters a great deal, but increasingly finance and insurance are about data and technology, not just money. Our policies, regulation and business strategies must reflect this.
With the right investments and mindset, you will not just survive – you will thrive, confirming Europe’s leading global role in insurance. At a time when strategic autonomy is a policy buzzword, we should remind ourselves that European insurers are a global powerhouse, the envy of the world. The EU’s digital finance rules are a blueprint for modernising creaky legacy systems and maintaining leadership in a fast-moving world.
So roll up your sleeves, audit your data lakes, befriend your AI models, and check your ICT providers’ resilience protocols.
The future is digital. The rules are European. And for the insurance sector, the premium for complacency is going up.