EU insurers need data sovereignty, not promises about data sovereignty
GDPR, the EU AI Act, and the Insurance Distribution Directive create the most complex regulatory framework for insurance in the world. Regure provides GDPR-compliant insurance document orchestration with guaranteed EU data residency, automated Article 17 erasure, and AI Act compliance for underwriting models.
The European insurance market demands data sovereignty — not just data security
The European Union insurance market generates over €1.2 trillion in gross written premium annually, making it the world's second-largest insurance market after the United States. Germany (€255B), France (€247B), Italy (€157B), and the Netherlands (€85B) represent the four largest national markets, with significant cross-border operations facilitated by the EU's single market passporting framework.
For EU insurers, data sovereignty is the foundational concern that underpins every technology decision. The General Data Protection Regulation (GDPR) — the world's most influential data protection law — requires that personal data of EU residents be processed lawfully, transparently, and with documented legal basis. For insurance operations that process sensitive categories of data (health data, financial data, biometric data), the requirements are even more stringent under GDPR Article 9.
But GDPR is only the beginning. The EU AI Act — which entered into force in August 2024, with full application beginning February 2025 — imposes new requirements on insurers using AI for underwriting, claims assessment, and pricing. The Insurance Distribution Directive (IDD) mandates disclosure and documentation standards for product sales. The Sustainable Finance Disclosure Regulation (SFDR) requires ESG reporting. And the EU Digital Identity Regulation is transforming how insurers verify policyholder identity.
Regure is GDPR-compliant insurance document orchestration built for this layered regulatory environment. EU customer data resides exclusively in EU data centres (AWS eu-central-1 Frankfurt and eu-west-1 Dublin). AI document processing is designed to comply with EU AI Act transparency requirements. Automated IDD disclosures and SFDR reporting reduce the compliance burden that drains operational capacity.
Unlike US-headquartered SaaS platforms that offer EU hosting as an option, Regure's EU deployment is architecturally isolated — with no data flows to non-EU infrastructure, no US-based personnel access to EU data, and no dependency on non-EU cloud services for core functionality.
GDPR Article 17 Right to Erasure and data subject rights automation
Data subject rights are not optional — they're legally enforceable within strict timelines. Regure automates DSAR response, Right to Erasure, data portability, and consent management for insurance operations processing millions of personal data records.
The General Data Protection Regulation grants EU residents specific rights over their personal data: the right to access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), data portability (Article 20), and the right to object to processing (Article 21). Insurance operations must be able to fulfil these rights within one calendar month — or face enforcement from national Data Protection Authorities.
For insurance companies, fulfilling these rights is operationally complex. A single policyholder's data may be spread across claims files, policy documents, premium records, communication logs, underwriting notes, and third-party correspondence. Identifying all instances of a person's data across these sources — and determining which data must be retained for legal obligation versus which can be erased — requires systematic data mapping that most insurers lack.
Regure solves this with automated data subject rights workflows:
- Article 15 — Right of Access: Generate complete data export packages for any individual in machine-readable format, including all claims, documents, communications, and processing records
- Article 17 — Right to Erasure: Automated identification of all data related to an individual, legal basis assessment for retention exceptions (Article 17(3)), secure deletion with cryptographic certificates of destruction
- Article 20 — Data Portability: Export personal data in structured, commonly used, machine-readable format (JSON, CSV) for transfer to another controller
- Article 21 — Right to Object: Processing suspension workflows with automated notification to relevant departments and data processors
- Consent Management: Granular consent tracking for marketing, cross-selling, profiling, and third-party data sharing — with automated withdrawal mechanisms
All data subject rights actions are logged in immutable audit trails, providing evidence of compliance for DPA investigations. Response timelines are tracked with automated alerts as the 30-day deadline approaches.
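The erasure workflow listed above, as an added example that is not Regure's code: it walks constructed records for one data subject through identification, Article 17(3) retention assessment, deletion and a certificate of destruction. The in-memory store, the basis-to-exception mapping and the 30-day deadline window are assumptions made for the example.

```python
# Added example, not Regure's code: a GDPR Article 17 erasure run over a constructed
# in-memory store. Retention rules are illustrative assumptions, not legal advice.
import hashlib
import json
from datetime import date, timedelta

# Constructed sample: one data subject's records spread across sources.
STORE = [
    {"id": "pol-1", "source": "policy", "subject": "DS-42",
     "basis": "legal_obligation", "retain_until": "2031-12-31"},
    {"id": "clm-7", "source": "claims", "subject": "DS-42",
     "basis": "legal_claims", "retain_until": "2027-06-30"},
    {"id": "mkt-3", "source": "marketing", "subject": "DS-42",
     "basis": "consent", "retain_until": None},
    {"id": "log-9", "source": "comms", "subject": "DS-42",
     "basis": "consent", "retain_until": None},
    {"id": "pol-2", "source": "policy", "subject": "DS-99",
     "basis": "legal_obligation", "retain_until": "2030-01-01"},
]
# Assumed mapping from retention basis to the Article 17(3) exception relied on.
EXCEPTIONS = {"legal_obligation": "Art. 17(3)(b)", "legal_claims": "Art. 17(3)(e)"}

def identify(store, subject):
    """Step 1: find every record about the subject across all sources."""
    return [r for r in store if r["subject"] == subject]

def assess(record, today):
    """Step 2: the Article 17(3) exception blocking erasure, or None if erasable.
    A record is kept only while its basis is an exception AND the period still runs."""
    exc = EXCEPTIONS.get(record["basis"])
    until = record["retain_until"]
    if exc and until and date.fromisoformat(until) >= today:
        return exc
    return None

def erase(store, subject, request_date):
    """Steps 3-4: drop erasable records in place and issue a certificate.
    Production systems would crypto-shred or overwrite; here rows are removed."""
    today = date.fromisoformat(request_date)
    erased, retained = [], {}
    for r in identify(store, subject):
        exc = assess(r, today)
        if exc:
            retained[r["id"]] = exc
        else:
            erased.append(r["id"])
    store[:] = [r for r in store if r["id"] not in erased]
    # Certificate of destruction: hash binding subject, erased ids and date (audit evidence without keeping the data).
    payload = json.dumps({"subject": subject, "erased": sorted(erased),
                          "date": request_date}, sort_keys=True)
    return {"subject": subject, "erased": sorted(erased), "retained": retained,
            "certificate": hashlib.sha256(payload.encode()).hexdigest(),
            # Deadline tracked as the 30-day window the page refers to.
            "deadline": (today + timedelta(days=30)).isoformat()}
```

Records of other subjects are untouched, and a record under a legal-claims exception becomes erasable once its retention period has lapsed, so the same request yields a different outcome at a later date.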
EU AI Act compliance for insurance underwriting and claims assessment
The EU AI Act classifies AI systems used in insurance underwriting as "high-risk" under Annex III. Regure's AI document processing and classification systems are designed to meet these requirements from day one.
High-Risk AI Classification
Under the EU AI Act, AI systems used to evaluate insurance applications, assess claims, or make pricing decisions are classified as high-risk under Annex III, Category 5(b) — "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud."
High-risk classification triggers comprehensive requirements: technical documentation, risk management systems, data governance, human oversight, accuracy monitoring, and post-market surveillance. Regure's AI systems are built with these requirements as design constraints, not retrofitted compliance layers.
Transparency Requirements
Article 13 of the EU AI Act requires that high-risk AI systems are "designed and developed in such a way to ensure that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately." For insurance AI, this means explainable decisions.
Regure provides transparency documentation for every AI classification and extraction action: the model version used, the confidence score for each decision, the specific features that drove the classification, and the training data characteristics. This documentation is available in the audit trail for each processed document.
Human Oversight (Article 14)
The AI Act requires effective human oversight of high-risk AI systems. Regure implements this through a configurable confidence threshold (default 95%): documents classified or extracted with confidence below the threshold are automatically routed to human review.
Human reviewers can override any AI decision, and overrides are logged to improve model accuracy. The system never makes final decisions on claims without human validation — AI assists and accelerates, humans decide and approve.
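The threshold routing and override logging described above, as an added example that is not Regure's code: each AI decision carries the transparency fields the page lists (model version, confidence, driving features), falls below the threshold into human review, and reviewed decisions feed a per-model override rate for accuracy monitoring. The classifier output format and the `clf-2.1` model version are constructed for the example.

```python
# Added example, not Regure's code: confidence-threshold routing plus an
# override log, over a hypothetical classifier output format.
from collections import defaultdict

DEFAULT_THRESHOLD = 0.95  # the page's default: below this, a human decides

def route(decision, threshold=DEFAULT_THRESHOLD):
    """Build the audit entry for one AI decision and attach its route.
    The entry keeps the transparency fields needed to explain the output."""
    return {
        "doc_id": decision["doc_id"],
        "model_version": decision["model_version"],
        "label": decision["label"],
        "confidence": decision["confidence"],
        "features": decision["features"],
        "route": "auto" if decision["confidence"] >= threshold else "human_review",
        "final_label": None,  # set only once a human approves or overrides
    }

def review(entry, reviewer, final_label):
    """Record the human decision; an override is any change of label."""
    entry["final_label"] = final_label
    entry["reviewer"] = reviewer
    entry["override"] = final_label != entry["label"]
    return entry

def override_rate(entries):
    """Share of reviewed decisions that were overridden, per model version:
    a rising rate is the signal that a model needs retraining or rollback."""
    seen, over = defaultdict(int), defaultdict(int)
    for e in entries:
        if e.get("final_label") is None:
            continue  # not yet reviewed, so no evidence either way
        seen[e["model_version"]] += 1
        over[e["model_version"]] += int(e["override"])
    return {v: over[v] / seen[v] for v in seen}

# Constructed sample classifier outputs (German claim and policy documents).
SAMPLE = [
    {"doc_id": "d1", "model_version": "clf-2.1", "label": "claim_form",
     "confidence": 0.99, "features": ["header:Schadenmeldung"]},
    {"doc_id": "d2", "model_version": "clf-2.1", "label": "policy",
     "confidence": 0.81, "features": ["header:Versicherungsschein"]},
    {"doc_id": "d3", "model_version": "clf-2.1", "label": "invoice",
     "confidence": 0.90, "features": ["table:amounts"]},
]
```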
Data Governance (Article 10)
Training data for AI models used in the EU must meet specific quality, representativeness, and bias-testing requirements. Regure documents training data provenance, tests for demographic bias in classification accuracy, and monitors model performance across different document types and languages to identify degradation or discriminatory patterns.
For insurers using Regure's AI for underwriting support, we provide the technical documentation required under Article 11 — including model architecture, training methodology, evaluation metrics, and known limitations.
Insurance Distribution Directive (IDD) automated disclosures and product governance
The IDD requires insurance distributors to provide standardised disclosures, conduct demands-and-needs assessments, and maintain product governance frameworks. Regure automates the document generation and evidence collection these obligations require.
The Insurance Distribution Directive (Directive 2016/97/EU) and its delegated regulations require insurance distributors across the EU to provide pre-contractual information to customers (IPID — Insurance Product Information Document), conduct demands-and-needs assessments, disclose conflicts of interest, and maintain ongoing product oversight and governance (POG) frameworks.
For insurers and intermediaries operating across multiple EU member states, these requirements are complicated by national implementation variations. Germany's IDD implementation under the Versicherungsvertriebsrichtlinie adds specific requirements. France's transposition through the Code des Assurances includes additional disclosure obligations. Each market has nuances.
Regure automates IDD compliance across EU markets:
- IPID Generation: Automated generation of standardised Insurance Product Information Documents per EU Commission Implementing Regulation 2017/1469
- Demands & Needs Assessment: Structured assessment workflows that document customer needs analysis and product recommendations with complete evidence trails
- Product Governance (POG): Product approval process documentation, target market definition, distribution strategy records, and regular product review scheduling
- Conflict of Interest Disclosure: Automated generation of intermediary remuneration disclosures and conflict-of-interest statements per IDD Article 19
- Cross-Selling Compliance: Documentation of suitability assessments when insurance is sold alongside other financial products per IDD Article 24
All IDD disclosures are stored with the associated policy and claim records, creating a complete compliance evidence package for each customer relationship. National supervisory authorities (BaFin, ACPR, IVASS, AFM) can access disclosure evidence within the response timelines they require.
EU data residency architecture with no data flows outside the European Union
Data sovereignty is not a hosting option — it's an architectural decision. Regure's EU deployment is isolated at the infrastructure level with no dependencies on non-EU services.
Primary: Frankfurt (eu-central-1)
Regure's primary EU deployment runs in AWS eu-central-1 (Frankfurt, Germany). All document storage, database operations, AI processing, and application logic execute within this region. The Frankfurt region is the preferred location for German, Austrian, Swiss, and Central European clients subject to BaFin, FMA, and FINMA oversight.
Secondary: Dublin (eu-west-1)
Cross-region replication to AWS eu-west-1 (Dublin, Ireland) provides disaster recovery and business continuity. For clients who prefer Irish hosting — including firms regulated by the Central Bank of Ireland or those with data processing agreements specifying Ireland — Dublin can be configured as the primary region.
Architectural Isolation
EU data does not flow to US, UK, or Middle East infrastructure. No US-based personnel have access to EU customer data. Encryption keys are managed in EU-based AWS KMS instances. DNS, CDN, and API gateway services are all EU-regional. This is not geo-fencing applied to a global platform — it's native EU architecture.
SFDR reporting and EU Digital Identity Regulation readiness
EU insurance regulation continues to evolve. Regure is designed to accommodate emerging requirements including sustainable finance disclosures and digital identity frameworks.
Sustainable Finance Disclosure Regulation (SFDR)
The SFDR requires financial market participants — including insurance companies offering investment-based products — to disclose sustainability risks and adverse impacts. For insurers with unit-linked products, pension products, or investment-linked policies, SFDR reporting requires structured data collection and disclosure generation.
Regure's workflow engine supports SFDR data collection workflows that gather environmental, social, and governance information from investment managers, create structured disclosure documents per the requirements of SFDR Articles 4, 6, 8 and 9, and generate pre-contractual and periodic disclosure templates.
EU Digital Identity Regulation (eIDAS 2.0)
The revised eIDAS Regulation (Regulation 2024/1183) introduces the European Digital Identity Wallet — a framework that will transform how insurers verify policyholder identity, sign contracts, and authenticate communications. By 2026, EU member states must provide Digital Identity Wallets to their citizens.
For insurers, this means new onboarding workflows that accept digital identity credentials, electronic signatures using qualified trust services, and age/identity verification for product eligibility. Regure's architecture is designed to integrate with eIDAS 2.0 identity providers as they become available across member states.
DORA (Digital Operational Resilience Act)
DORA (Regulation 2022/2554), applicable from January 2025, imposes ICT risk management, incident reporting, and third-party risk management requirements on financial entities including insurance companies. As a critical ICT third-party provider, Regure provides the transparency and contractual frameworks DORA requires.
Our enterprise security controls, documented incident response procedures, business continuity plans, and penetration testing reports support your DORA compliance assessment for ICT third-party risk management under Article 28.
Cross-Border Distribution
EU single market passporting allows insurance companies licensed in one member state to distribute products across the EU. Regure supports cross-border operations with multi-language document processing (German, French, Italian, Dutch, Spanish, Portuguese), jurisdiction-specific workflow configurations, and compliance evidence generation per national regulatory requirements.
Whether you're a German insurer distributing in France, a Dutch MGA with Polish coverholders, or a pan-European broker — Regure configures compliance workflows per jurisdiction while maintaining a single platform view of your operation.
What EU insurers ask about Regure
Does EU data ever leave the European Union?
No. Regure's EU deployment is architecturally isolated in AWS eu-central-1 (Frankfurt) and eu-west-1 (Dublin). No data flows to non-EU infrastructure. No US-based personnel have access to EU customer data. Encryption keys are managed in EU-based AWS KMS instances. This eliminates Schrems II cross-border transfer concerns.
How does Regure handle GDPR Article 17 Right to Erasure?
Regure automates the entire erasure workflow: identification of all data related to the individual across claims, documents, and communications; legal basis assessment for retention exceptions under Article 17(3); secure deletion of erasable data; and generation of certificates of destruction for compliance evidence. The process is tracked within the 30-day GDPR timeline.
Is Regure's AI compliant with the EU AI Act?
Yes. Regure's AI document classification and extraction systems are designed for EU AI Act compliance. We provide technical documentation per Article 11, transparency information per Article 13, human oversight mechanisms per Article 14, and data governance documentation per Article 10. Confidence thresholds ensure human review of low-confidence AI decisions.
Does Regure support IDD disclosure automation?
Yes. Regure generates IPID documents, demands-and-needs assessment records, POG documentation, and conflict-of-interest disclosures per the Insurance Distribution Directive requirements. Disclosures are linked to the associated policy and customer records in immutable audit trails.
Can Regure process documents in multiple EU languages?
Yes. Regure's AI document processing supports German, French, Italian, Dutch, Spanish, Portuguese, Polish, Czech, Swedish, Danish, Finnish, and Greek. For languages not yet supported, custom model training is available as part of Enterprise tier implementation — typically within 2-3 weeks of receiving sample documents.
Which EU national supervisory authorities has Regure been reviewed by?
Regure has been assessed during client procurement processes overseen by BaFin (Germany), ACPR (France), De Nederlandsche Bank/AFM (Netherlands), and the Central Bank of Ireland. Our security architecture documentation, GDPR compliance documentation, and EU AI Act transparency reports are available for supervisory review during your procurement process.
How does DORA affect our use of Regure?
Under DORA Article 28, insurance companies must manage ICT third-party risk. Regure provides the contractual provisions, audit rights, incident notification commitments, and business continuity documentation that DORA requires. Our security documentation, penetration testing results, and disaster recovery capabilities support your DORA compliance assessment.
What does pricing look like for EU insurers?
Regure pricing is per user per month in EUR. Professional tier at €140/user/month includes GDPR automation, EU AI Act documentation, IDD disclosure generation, and multi-language document processing. Enterprise tier at €210/user/month adds custom integrations, dedicated CSM, and on-premise deployment options. See full pricing.
Can we use Regure for cross-border EU operations?
Yes. Regure supports pan-European operations with jurisdiction-specific workflow configurations, multi-language processing, and compliance evidence generation per national regulatory requirements. Single market passporting operations can manage all EU markets from one Regure instance while maintaining per-jurisdiction compliance.
How long does implementation take for EU firms?
Standard implementation is 14 days for single-market operations. Multi-country deployments with cross-border workflow configurations typically require 3-5 weeks, including IDD disclosure template configuration per jurisdiction, multi-language model training, and national regulatory requirement mapping. DPO consultation is included in all EU implementations.
See how Regure delivers GDPR-compliant document orchestration
Book a 20-minute demo. We'll show you EU data residency, Article 17 erasure workflows, and AI Act transparency documentation — with your actual documents.