From comparing regulatory AI assessments across the NAIC, EIOPA, and IAIS over the past 18 months, one pattern stands out: European regulators are the only ones producing quantitative adoption baselines that will later be used as compliance benchmarks. The rest of the world's insurance supervisors publish principles, issue guidance, and launch pilots, but none have fielded a structured survey across hundreds of regulated entities to measure where AI adoption actually stands. EIOPA's Generative AI Market Survey, published in February 2026 under reference EIOPA-BoS-25-679, fills that gap with responses from 347 insurance undertakings across 25 EU and EEA countries, covering an estimated 80% of total gross written premiums in the European market.
The headline finding: roughly two-thirds of surveyed undertakings actively use generative AI. That number sounds like broad adoption until you read the next line: most deployments remain at proof-of-concept stage. The governance picture is equally split. Dedicated AI policies have doubled from 25% of undertakings in 2023 to 49% in the current survey, a meaningful acceleration, but that still leaves more than half of European insurers without a formal AI governance framework less than two months before the EU AI Act's high-risk provisions take effect on August 2, 2026.
This article examines what the EIOPA dataset reveals about European insurer GenAI adoption, where use cases concentrate, how governance has evolved, what the EU AI Act deadline means for insurers in the survey's bottom half, and how the European baseline compares with U.S. adoption patterns measured through a fundamentally different regulatory lens.
What EIOPA Measured and Why the Sample Matters
EIOPA launched its GenAI survey in May 2025, collecting responses through the second half of the year and publishing results on February 2, 2026. The 347 responding undertakings span life, non-life, and composite insurers across 25 countries, making it the largest regulator-administered AI adoption survey conducted anywhere in the global insurance sector. By comparison, the NAIC's 12-state AI Evaluation Tool pilot covers a fraction of that population and focuses on governance review rather than adoption measurement.
The survey's coverage, representing approximately 80% of European market GWP, gives it statistical weight that consulting firm surveys cannot match. When Celent surveys global insurers or EY polls insurance executives, the samples are self-selecting and typically range from 100 to 200 respondents. EIOPA's survey operates through national competent authorities, which gives it regulatory reach into undertakings that would never respond to a voluntary industry questionnaire. That distinction matters for interpreting the results: the 347 respondents include not just the technology leaders who attend conferences and publish press releases, but also mid-tier and smaller insurers who represent the actual breadth of the European market.
The survey instrument covered adoption status, use case deployment, governance frameworks, risk perception, third-party dependency, and future planning. EIOPA designed it as a follow-up to its 2024 Report on the Digitalisation of the European Insurance Sector, which found that 50% of non-life insurers and 24% of life insurers were already using AI in some form across the value chain. The GenAI-specific survey narrows the lens to generative AI tools specifically, tracking how the ChatGPT-era wave has propagated through European insurance operations.
Adoption: Two-Thirds Active, Most at Proof-of-Concept
The survey's central adoption finding is that approximately 65% of the 347 undertakings actively use generative AI in some capacity. EIOPA characterizes this as "swift but cautious adoption," and both adjectives matter. The uptake speed is notable for an industry where technology adoption cycles historically run five to seven years from pilot to broad deployment. GenAI went from virtually no presence in European insurance operations in early 2023 to two-thirds penetration within roughly two years.
The caution is equally evident. EIOPA reports that most deployments remain at proof-of-concept stage rather than full production. This mirrors the pattern documented in U.S. adoption data, where Celent finds 48% of global insurers running at least one GenAI use case in production but Sedgwick measures only 7% achieving scalable success. The European data suggests a similar gap between initial experimentation and operational integration, though EIOPA's survey does not provide the same granular maturity segmentation that would allow a precise comparison.
The proof-of-concept concentration creates a specific supervisory challenge. Insurers at the experimentation stage may not have built the governance infrastructure needed to comply with the EU AI Act's high-risk requirements by August 2, 2026. A proof-of-concept that touches underwriting or claims data may already fall within the Act's high-risk classification under Annex III, even if the insurer considers it a pilot rather than a production system.
Use Case Distribution: Backend Dominates, Customer-Facing Lags
EIOPA breaks GenAI use cases into two categories that reveal where insurers are placing their initial bets.
Backend productivity tools account for 64% of use cases. This category includes data extraction from invoices, audio recordings, and medical reports; content generation for emails, contracts, and marketing materials; coding assistance for development teams; and underwriting support tools that augment actuarial and underwriting workflows. These applications share a common characteristic: they operate behind the scenes, with human review as a standard checkpoint before outputs reach customers or influence coverage decisions.
Customer-facing applications account for the remaining 36%. Chatbots, voice assistants, and automated response systems dominate this category. EIOPA notes that while the development pipeline for customer-facing GenAI is active, most of these applications remain at proof-of-concept stage. The regulatory sensitivity is higher for customer-facing tools because they directly affect the policyholder experience and may generate advice or commitments that create contractual obligations under the Insurance Distribution Directive.
| Use Case Category | Share of Reported Applications | Maturity |
|---|---|---|
| Backend productivity (data extraction, content generation, coding, underwriting support) | 64% | Mixed; some in production, many at PoC |
| Customer-facing (chatbots, voice assistants, automated responses) | 36% | Mostly proof-of-concept |
The 64/36 split aligns with a pattern visible globally: insurers deploy GenAI internally first, where the risk of customer harm is lower and human oversight is easier to maintain, before extending to policyholder-facing applications. WTW's analytical companion to the EIOPA survey, published in April 2026, frames this as a deliberate sequencing strategy rather than a limitation. Insurers build internal confidence with lower-risk applications, develop governance processes, and accumulate evidence of accuracy and reliability before exposing GenAI outputs to customers.
Specific use cases identified in the survey span the insurance value chain:
- Claims and fraud detection: Analyzing claims files, police reports, video, and images for irregularities and predicting fraud likelihood.
- Underwriting augmentation: Enriching customer application data with underwriting guidelines and rules to support actuarial risk assessment.
- Customer service automation: Classifying, interpreting, and drafting responses to incoming emails, with human validation before dispatch.
- Document processing: Extracting structured data from medical reports, invoices, and policy documents.
- Internal knowledge management: Building AI-assisted search and retrieval across internal policy wordings, technical guidelines, and regulatory texts.
Governance: Doubled but Still Below Half
The governance finding is the survey's most consequential data point for regulatory strategy. In 2023, only 25% of European insurers had developed dedicated AI policies. By the time of the current survey, that figure had risen to 49%. The doubling is encouraging as a trend, but the absolute level is alarming given the regulatory calendar.
The EU AI Act's high-risk provisions, which classify AI systems used for life and health insurance underwriting and pricing under Annex III, take effect on August 2, 2026. Insurers deploying high-risk AI systems after that date must comply with Articles 9 through 17 (for providers) and Article 26 (for deployers), including conformity assessments, fundamental rights impact assessments under Article 27, human oversight protocols, and comprehensive documentation.
For the 51% of surveyed undertakings that still lack dedicated AI governance frameworks, the timeline is extremely compressed. Building a governance structure that satisfies the AI Act's requirements is not a documentation exercise; it requires establishing risk classification procedures, implementing monitoring systems, training staff, and creating audit trails. Carriers that began this work in early 2026 have a viable, if tight, path to August compliance. For those starting now, building compliant governance from scratch in under two months is a practical impossibility.
EIOPA's own August 2025 Opinion on AI Governance and Risk Management, published six months before the GenAI survey results, laid out supervisory expectations for how existing insurance sector legislation (including the Insurance Distribution Directive and Solvency II) applies to AI systems. The Opinion does not create new requirements but clarifies that insurers must develop risk-based governance covering fairness, data governance, documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. It applies a proportionality principle: stronger controls for systems processing sensitive data or affecting critical client decisions, simplified procedures for lower-risk applications.
The WTW analysis adds a workforce dimension to the governance gap. EIOPA's survey highlights a talent shortage in AI skills across the European insurance sector. WTW reframes this not as a headcount deficit but as a skills transformation challenge: the insurance analysts of the future need domain expertise plus AI fluency, not data science credentials alone. Until that workforce transition advances, governance frameworks will lack the in-house expertise needed to operate them effectively.
Risk Perception: Hallucinations Top the List
EIOPA asked respondents to rank the risks they associate with generative AI deployment. The results reveal where European insurers see the greatest operational and regulatory exposure.
| Risk Category | Ranking | Regulatory Nexus |
|---|---|---|
| Hallucinations / inaccurate outputs | 1 (most cited) | EU AI Act accuracy requirements; Solvency II ORSA |
| Cybersecurity threats | 2 | DORA (effective Jan 2025); AI Act robustness |
| Data protection risks | 3 | GDPR; AI Act data governance |
| Regulatory compliance challenges | 4 | EU AI Act; IDD; Solvency II |
Hallucinations ranked as the single most significant concern, and for good reason. In an insurance context, a hallucinated output in underwriting could produce an incorrect risk assessment; in claims, it could generate a fabricated coverage interpretation; in customer service, it could communicate policy terms that do not exist. Each of these scenarios creates financial exposure and regulatory liability. The IFoA's June 2026 report on GenAI risks in insurance reaches a parallel conclusion: the core risks of generative AI in insurance are structural features of the technology rather than governance gaps that better frameworks can eliminate.
Cybersecurity ranks second, reflecting the operational reality that GenAI deployment expands the attack surface. Insurers integrating third-party LLMs into their operations create new data pathways that must be secured. The Digital Operational Resilience Act (DORA), which took effect in January 2025, already requires financial entities including insurers to maintain ICT risk management frameworks covering third-party service providers. GenAI vendors fall squarely within DORA's scope.
Data protection concerns at rank three reflect the tension between GenAI's training data requirements and GDPR's data minimization principles. Insurers using pre-trained models from external providers face questions about whether policyholder data processed through those models complies with GDPR's purpose limitation and storage requirements. The survey data indicates that most European insurers purchase off-the-shelf solutions or build on pre-trained external models rather than developing proprietary systems, which concentrates this data protection risk on the vendor relationship.
Third-Party Dependency and Vendor Concentration
EIOPA's finding that insurers "heavily depend on external providers and pre-trained models" aligns with a pattern that U.S. survey data also documents. European insurers are not building GenAI from scratch; they are integrating vendor-provided tools into existing workflows. This creates a vendor concentration risk that EIOPA explicitly flags as a supervisory concern.
The 2024 Digitalisation Report found that 66% of AI use cases were developed in-house while 34% were outsourced to third-party providers. For generative AI specifically, the balance appears to have shifted further toward external providers, reflecting the prohibitive cost and technical complexity of training large language models internally. Only the largest European insurers (Allianz, AXA, Zurich, Generali) have the scale to justify proprietary GenAI development; mid-tier and smaller undertakings necessarily rely on vendor solutions.
This dependency creates a cascading regulatory problem. Under the EU AI Act, an insurer deploying a vendor's GenAI model in a high-risk context (such as underwriting or claims adjudication) bears deployer obligations under Article 26 even though the insurer did not build the system. The vendor bears provider obligations under Articles 9 through 17. Both sets of requirements apply simultaneously, and the insurer cannot delegate its deployer responsibilities by pointing to the vendor's compliance. For actuaries involved in model governance, this means that ASOP No. 56 responsibilities now extend to understanding and documenting the vendor's model architecture, training data provenance, and output validation procedures, even when the insurer has limited visibility into those details.
EIOPA identifies DORA and the AI Act as the two primary regulatory tools for managing this third-party risk. DORA requires contractual assurance from ICT service providers; the AI Act requires deployers to verify that high-risk systems have undergone conformity assessment. Together, they create a dual compliance layer that European insurers must navigate for every GenAI vendor relationship.
The EU AI Act Deadline: What August 2, 2026 Means for the Survey Population
The EIOPA survey was designed, whether intentionally or by timing, to establish a pre-compliance baseline. When European supervisors begin measuring AI Act compliance after August 2, 2026, this dataset is the starting point they will reference. The survey tells us several things about the population's readiness.
65% use GenAI, but most are at proof-of-concept. Proof-of-concept deployments that touch high-risk use cases (underwriting, claims) may already fall within scope of the AI Act's high-risk classification. Insurers operating GenAI pilots in these areas without governance frameworks face a classification question they may not have addressed: is this a "high-risk AI system" under Annex III, and if so, do the provider and deployer obligations apply even during pilot stage?
49% have AI governance policies, but 51% do not. The AI Act does not distinguish between insurers with and without existing governance. On August 2, every deployer of a high-risk AI system must comply. The 51% without dedicated frameworks represent the compliance gap that national supervisors will confront in the first examination cycle.
Hallucination risk is the top concern, but the AI Act requires accuracy. Article 15 of the AI Act requires high-risk AI systems to achieve "appropriate levels of accuracy, robustness and cybersecurity" and to be "resilient against errors, faults or inconsistencies." For generative AI systems, where hallucinations are a structural property rather than a bug to be fixed, meeting this standard requires documented accuracy benchmarks, monitoring systems, and human oversight protocols. The survey suggests most European insurers recognize the risk but have not yet built the infrastructure to demonstrate compliance.
The Fundamental Rights Impact Assessment required under Article 27 adds another layer. Deployers of high-risk AI systems must assess the system's potential impact on fundamental rights before deployment. For insurance underwriting, this means evaluating whether the AI system could produce discriminatory outcomes based on protected characteristics, a particular concern for GenAI systems whose training data provenance may be opaque even to the deployer.
European vs. U.S. Adoption: Different Regulators, Different Baselines
The EIOPA survey invites comparison with U.S. adoption data, but the comparison requires careful framing because the two regulatory systems measure different things.
| Dimension | EIOPA (Europe) | NAIC / U.S. Surveys |
|---|---|---|
| Survey authority | Regulatory (through NCAs) | Voluntary (industry/consulting) |
| Sample size | 347 undertakings, 25 countries | Varies: 100-200 (Celent, EY); 152 (Covenir) |
| Market coverage | ~80% of EU GWP | No comparable coverage metric |
| Active GenAI use | ~65% | 48% in production (Celent); 70% with AI in operations (Covenir) |
| Governance frameworks | 49% with dedicated AI policies | 24% confident in 90-day audit (Grant Thornton) |
| Regulatory timeline | EU AI Act high-risk: Aug 2, 2026 | NAIC 12-state pilot: Jan-Sep 2026 |
Several contrasts emerge. First, the European 65% "active use" rate and the U.S. 48% "in production" rate are not directly comparable. EIOPA counts any active use including proof-of-concept; Celent counts at least one use case in production. The actual gap may be narrower than the headline numbers suggest, as many European "active use" cases are still experimental.
Second, the governance measurement differs structurally. EIOPA's 49% measures whether an insurer has a dedicated AI policy. Grant Thornton's 24% measures whether an insurer could pass an independent AI governance audit within 90 days. These test different things: having a policy document is necessary but insufficient for audit readiness. The European figure likely overstates operational governance maturity, while the U.S. figure measures a harder standard.
Third, the regulatory environments create different incentive structures. European insurers face a hard compliance deadline on August 2, 2026, with the AI Act's penalties reaching up to 3% of annual worldwide turnover for high-risk violations. U.S. insurers face a softer regulatory landscape: the NAIC's 12-state pilot is evaluative rather than punitive, and the Model Bulletin adopted by 23 states plus D.C. clarifies existing law rather than creating new obligations. The March 2026 NAIC AI Issue Brief explicitly states that AI "does not alter insurers' legal obligations" under existing state insurance laws.
For multinational carriers operating in both markets, the EU AI Act's extraterritorial reach under Article 2 means that GenAI systems deployed by European subsidiaries of U.S. carriers must comply with the full AI Act framework, regardless of whether the parent company faces comparable requirements domestically. This creates an asymmetric compliance burden that will likely propagate governance standards from European operations to U.S. headquarters over time.
The Autonomy Trajectory: From Assisted to Agentic
EIOPA's survey captures a moment where European insurers are beginning to contemplate the shift from human-assisted GenAI tools to semi-autonomous and eventually autonomous agentic systems. The survey data shows that current deployments overwhelmingly maintain human oversight, with employees reviewing GenAI outputs before they reach customers or influence decisions. But the direction of travel, as EIOPA notes, is toward more sophisticated and autonomous systems over the medium term.
This trajectory has direct actuarial implications. Human-in-the-loop GenAI tools change the speed and consistency of decisions but leave the ultimate judgment with a human professional. Agentic systems that autonomously execute multi-step workflows change the decision-making architecture itself. When an agentic claims system reads a submission, cross-references it against policy terms, estimates severity, flags fraud indicators, and routes the claim to a handler without human intervention at each step, the error profile changes fundamentally. Errors become systematic rather than idiosyncratic, faster to propagate, and harder to detect through traditional quality assurance sampling.
The Celent survey data shows 22% of global insurers planning agentic AI deployment by year-end 2026, with Celent projecting 70% adoption by 2028. European insurers moving along this trajectory will face a compounding regulatory question: each increase in autonomy triggers higher scrutiny under the AI Act's risk classification framework and requires more robust human oversight protocols, more detailed documentation, and more frequent conformity review.
Why This Matters for Actuaries
The EIOPA dataset has specific implications for actuarial work in both European and U.S. contexts.
European reserving actuaries face a documentation inflection point. If 65% of the undertakings in the survey are using GenAI and most are at proof-of-concept, a meaningful number of those experiments will enter production over the next 12 months. As they do, they will begin influencing claims handling speed, underwriting selection, and pricing model inputs. Reserving actuaries must track whether GenAI-assisted processes alter development patterns; a claims operation that triages faster or detects fraud earlier could compress reported development in initial evaluation periods.
The 49% governance figure sets a supervisory baseline. EIOPA and national competent authorities now have a quantitative starting point for measuring governance progress. When the next survey is conducted, any undertaking that still lacks a dedicated AI policy will face a clear follow-up question: why not? For Chief Actuaries and appointed actuaries in European carriers, the survey creates implicit pressure to ensure their undertaking falls on the governed side of the ledger.
Vendor due diligence becomes an actuarial responsibility. The third-party dependency documented in the survey, combined with the AI Act's deployer obligations, means that actuaries involved in model validation and governance must extend their review scope to vendor-provided GenAI tools. Under Solvency II's Own Risk and Solvency Assessment, the risk profile of GenAI systems, including hallucination rates, cybersecurity exposure, and data protection compliance, should be reflected in the ORSA. Actuaries who have not yet incorporated AI-specific risk assessment into their ORSA framework are behind the curve established by the survey's governance leaders.
The EU baseline informs global strategy for multinational carriers. For U.S.-based actuaries at carriers with European operations, the EIOPA survey data provides the competitive landscape their European colleagues operate within. The 65% adoption rate and 49% governance rate represent the market context for any EU AI Act compliance decisions. Carriers whose European operations lag both benchmarks face compound risk: falling behind competitors on capability while also falling below the supervisory baseline on governance.
Pricing actuaries should model regulatory compliance costs separately. The EU AI Act compliance burden falls disproportionately on insurers deploying AI in high-risk contexts. For European carriers, the cost of conformity assessments, fundamental rights impact assessments, ongoing monitoring, and documentation should be modeled as a discrete expense category in pricing analyses rather than absorbed into general technology overhead. The expense ratio projections that assume AI generates net savings need to account for the regulatory cost of deploying AI in a compliant manner, particularly for life and health insurers whose underwriting and pricing AI systems are explicitly classified as high-risk under Annex III.
The proof-of-concept concentration signals an accelerating deployment wave. If two-thirds of European insurers are experimenting with GenAI but most remain at proof-of-concept, the production deployment pipeline is large. As these experiments mature and move into production over the next 12 to 24 months, the operational impact on loss adjustment expenses, claims settlement patterns, and underwriting cycle times will accelerate. Reserving and pricing actuaries should prepare for a period where the data-generating processes underlying their models change faster than historical experience would suggest, and where the direction of change varies by carrier maturity level.
Sources
- EIOPA, "Generative AI Market Survey: Outlook, Use Cases and Risk Management" (EIOPA-BoS-25-679), February 2, 2026. eiopa.europa.eu
- EIOPA, Generative AI Market Survey Full Report (PDF). eiopa.europa.eu
- WTW, "The Impact of Generative AI on Insurance Analytics: 8 Perspectives from EIOPA's Market-Wide Study," April 2026. wtwco.com
- EIOPA, "Opinion on AI Governance and Risk Management" (EIOPA-BoS-25-360), August 6, 2025. eiopa.europa.eu
- NAIC, "Artificial Intelligence and State Insurance Regulation" Issue Brief, March 2026. naic.org
- NAIC, AI Systems Evaluation Tool Pilot Program, 12 states, January-September 2026. fenwick.com
- Covenir, "2026 Insurance Operations Leaders Trends Report," 152 U.S. executives surveyed, February-March 2026. insurancejournal.com
- EU Regulation 2024/1689 (AI Act), Article 6, Annex III. artificialintelligenceact.eu
- Celent, "3rd Annual GenAI-oneers in Insurance," Q1 2026. celent.com
- Grant Thornton, "Insurance Insights: 2026 AI Impact Survey Report," 100 insurance executives. grantthornton.com
- EIOPA, "Report on the Digitalisation of the European Insurance Sector," 2024. eiopa.europa.eu
- IFoA and LFBF, "It's Still Not Magic: GenAI Risks in Insurance," June 2026. ifoa.org.uk
Further Reading on actuary.info
- IFoA Report Warns GenAI Risks in Insurance Are Structural, Not Fixable - The nine-risk framework from the IFoA's June 2026 report maps GenAI's inherent limitations, including hallucinations, against actuarial standards and regulatory expectations.
- Celent: 48% of Insurers Run GenAI in Production - The global adoption baseline that puts EIOPA's European findings in context, with three years of longitudinal survey data tracking the early-to-late majority transition.
- Insurer AI Adoption Hits 82% But Only 7% Reach Full Scale - Sedgwick's scalable-success metric explains why broad adoption rates coexist with low enterprise deployment, a pattern the EIOPA proof-of-concept data confirms for Europe.
- One in Five Insurers Deploys AI While Cutting Training Budgets - Covenir's U.S. survey documents the workforce readiness deficit that parallels EIOPA's finding of AI skills shortages constraining European adoption.
- ASOP 12 Exposure Draft Targets Unintended Bias in Pricing Models - The fairness requirements in EIOPA's AI governance opinion and the EU AI Act's non-discrimination provisions connect directly to the ASB's parallel work on bias in actuarial models.