
AI for insurance brokers in Luxembourg: 5 tasks to delegate to a private agent without compromising client data


5 concrete tasks a Luxembourg insurance brokerage can delegate to a private AI without crossing article 300 of the Luxembourg Insurance Act of 7 December 2015 or AI Act Annex III 5(c).

ACA Gen AI Survey 2025: 64% of Luxembourg companies already use third-party generative AI tools in operations (101 respondents, 74 from the financial sector, source: aca.lu).

EIOPA Opinion of 6 August 2025: EU interpretive framework for AI governance in insurance, aligned with Solvency II, IDD, DORA and GDPR.

AI Act red line: risk scoring and pricing in life and health insurance are high-risk (Annex III 5(c)), fully applicable on 2 August 2026.

By LetzAgents, sovereign AI team Luxembourg. Published on 9 June 2026.

Introduction: why the question matters in 2026

You run an insurance brokerage in Luxembourg and you are navigating three simultaneous pressures: full applicability of the AI Act on 2 August 2026 for high-risk systems (Annex III), the EIOPA Opinion of 6 August 2025 on AI governance in insurance, and the recent modernisation of article 300 of the Luxembourg Insurance Act of 7 December 2015.

The ACA Gen AI and Data Use in Luxembourg Survey 2025 quantifies the current trajectory: 64% of Luxembourg companies already use third-party generative AI tools in operations, across 101 respondents of which 74 are from the financial sector (source: aca.lu).

This article lays out the 5 concrete tasks an LU insurance brokerage can delegate to a private AI agent without compromising client data, without breaching professional secrecy, and without crossing the high-risk boundary. For each task, it also gives the safeguard to set in the contract and in the architecture.

1. Qualifying inbound prospects and eligibility filtering

Professional secrecy criticality: low to medium (pre-contractual, but personal data already in circulation). A multilingual chatbot and an AI phone agent take calls outside office hours, qualify the request (LU resident or not, IBIP or non-life, approximate volume), and identify formal administrative eligibility (professional or retail client, FATCA or CRS documentation). Escalation to the team member with a structured brief. See our prospect qualification use cases, AI phone reception and our article on the AI phone agent and the data path.

The AI does not rate the risk profile, does not recommend a product, does not provide personalised advice. The duty to advise remains the broker's (IDD article 20 and CAA regulation 19/01). Safeguard: EU-hosted, dedicated instance, provider not subject to the Cloud Act, no-training clause. For cross-cutting selection criteria, see how to choose an AI solution for customer service.

2. Assisting risk report drafting

Criticality: high (named client file). The broker documents the need and product suitability (IDD article 20, Luxembourg law of 10 August 2018, CAA regulation 19/01) from 5 to 10 source documents: client file, medical questionnaire for IBIP, company articles, financial statements, claims history. The AI performs document extraction with OCR, proposes a structured report draft and annotates critical clauses. The AI prepares, the broker signs. This use case overlaps with the "smart underwriting" cases identified by the ACA Gen AI Survey 2025 (source: aca.lu). See our AI document processing use case.

The AI does not replace risk assessment. Autonomous generation of a report in life or health insurance falls within the high-risk scope of AI Act Annex III 5(c), applicable on 2 August 2026.

💡 Good to know: no consumer-grade LLM should read client file documents. The consumer versions of ChatGPT, Copilot or Gemini retain prompts, and their US publishers remain subject to the Cloud Act. On the interplay between GDPR, Cloud Act and AI Act, see our legal comparison. This use case requires a private AI by design, hosted in the EU.

3. Claims follow-up and client file chasers

Criticality: high (claims data covered by article 300). Claims follow-up is time-consuming, repetitive, sensitive, but neither a scoring nor a pricing matter. The AI handles automated step tracking (opening, investigation, expert assessment, settlement), scheduled client reminders, polite follow-ups with the carrier when deadlines slip, and weekly summaries to the broker batched by file. See our use cases AI phone reception and document processing.

The AI does not negotiate, does not qualify a disputed claim, does not make a rejection or acceptance decision. Vincent Arnal, CIO of Lalux Assurances, phrases the boundary in Delano: "digital tools cannot replace humans in claims follow-up, client relations and advice" (source: delano.lu). This is the human oversight principle adopted by EIOPA. Safeguard: private instance, logging, isolation from the provider's other customers.

4. Contract summary and critical clause annotation

Criticality: medium to high (public documents, but cross-referenced with client file). The broker compares general terms from several carriers (life, non-life, health, professional liability, cyber) across 20 to 80 page documents, often in 3 languages. The AI reads the general terms automatically, extracts critical clauses (exclusions, caps, deductibles, waiting periods, termination conditions) and produces a comparative table. Use case overlapping with the "smart underwriting" and "personalised client journeys" cases of the ACA Gen AI Survey 2025 (source: aca.lu). See our use cases document processing and AI knowledge base.

The AI does not recommend the product to the client (duty to advise, IDD article 20), does not negotiate clauses. General terms are public, but as soon as they are cross-referenced with a client file, article 300 applies: private AI required.

The 5 AI tasks for an LU insurance brokerage, ranked by criticality under article 300:

| Task | Professional secrecy criticality | Private AI required? |
| --- | --- | --- |
| 1. Qualification and eligibility | Low to medium | Recommended |
| 2. Risk report assistance | High | Mandatory |
| 3. Claims follow-up | High | Mandatory |
| 4. Contract summary and clauses | Medium to high | Mandatory as soon as cross-referenced with client |
| 5. Market and regulatory watch | Low (public sources) | Recommended |


5. Continuous market and regulatory watch

Criticality: low (public sources). High regulatory density in 2025-2026: modernisation of the Luxembourg Insurance Act of 7 December 2015, CAA regulations 19/01, 20/01 and 19/03, DORA applicable since 17 January 2025, AI Act applicable to high-risk systems on 2 August 2026, revised Solvency II, FIDA on open finance. A working broker cannot read all of it. A regulatory watch agent scans public sources (caa.lu, cnpd.public.lu, eiopa.europa.eu, legilux.public.lu, EUR-Lex, apcal.lu, aca.lu), summarises developments and flags what impacts the firm. A market watch agent tracks new products, trends (unit-linked IBIP, cyber, ESG insurance), Paperjam and Delano. See our regulatory watch use case.

The AI does not produce legal advice, does not make strategic decisions. Safeguard: public sources only, no client data. Staff understand it is an AI summary to be verified (AI literacy, AI Act article 4, enforceable since 2 February 2025). For the AI Act SME checklist, see our AI Act SME Luxembourg 100-day guide.

6. What AI does NOT do in LU brokerage in 2026

The five tasks above were chosen because they keep the AI Act high-risk boundary at arm's length. Three adjacent use cases fall under a much more constraining regime and do not belong in a standard deployment picture.

Autonomous pre-underwriting risk scoring. AI Act Annex III point 5(c) classifies risk assessment and pricing systems in life and health as high-risk (source: artificialintelligenceact.eu). Reinforced obligations applicable on 2 August 2026: EU registry, conformity assessment, formalised human oversight, transparency, logging.

Autonomous drafting of a risk report or product recommendation. AI can assist, not replace. The personalised duty to advise is set by IDD article 20 and CAA regulation 19/01: the recommendation rests with the broker, who signs and bears professional liability.

Dynamic pricing. This is not a broker's business (actuarial work sits with the carrier) and falls within the same Annex III 5(c) high-risk scope.

For definitions of the texts cited, see our legal glossary for AI in Luxembourg companies.

7. The CAA, AI Act, IDD and DORA framework in 2026: the red line not to cross

Four frameworks stack up for an LU insurance brokerage deploying AI. All four are enforceable.

Article 300 of the Luxembourg Insurance Act of 7 December 2015. Professional secrecy in the insurance sector, criminally sanctioned under article 458 of the Criminal Code. 2024 reform: controlled opening of outsourcing to DORA critical ICT providers, explicit client consent in life insurance (sources: Elvinger Hoss, Philippe & Partners).

AI Act Annex III point 5(c). High-risk for risk assessment and pricing systems in life and health, full applicability on 2 August 2026 (source: artificialintelligenceact.eu).

EIOPA Opinion of 6 August 2025. EU interpretive framework aligned with Solvency II, IDD, DORA and GDPR. Six principles: data governance, record-keeping, fairness, cybersecurity, explainability, human oversight (sources: eiopa.europa.eu, DLA Piper).

IDD article 20, CAA regulations 19/01, 20/01 and 19/03. Personalised duty to advise. AI assists, does not replace. Regulation 20/01 amends regulation 19/01; regulation 19/03 frames out-of-court complaints (source: caa.lu).

DORA (EU regulation 2022/2554). Applicable since 17 January 2025. Supervision of critical ICT providers, direct impact on AI vendor selection. For the GDPR, Cloud Act and AI Act interplay, see our legal comparison.

The CAA has listed more than 100 brokerage firms on its public register (source: caa.lu). APCAL represents more than 80% of the active market and has placed AI regulation among the structuring topics of its 11th Brokerage Day on 9 October 2025 (source: apcal.lu).

The 4 regulatory frameworks stacked for an LU insurance brokerage deploying AI in 2026: article 300 of the Luxembourg Insurance Act of 7 December 2015, AI Act Annex III 5(c), EIOPA Opinion 2025, IDD article 20 and DORA.


8. Where to start: 3 actions before August 2026

Action 1. Map AI usage already in place, including shadow IT. A staff member using consumer ChatGPT to summarise general terms already creates risk. See our article on ChatGPT at the office and enterprise risk.

Action 2. Start with lower-criticality tasks. Regulatory watch (task 5) and inbound qualification (task 1) deploy without direct contact with sensitive client data. Document tasks 2, 3 and 4 come next, on private AI.

Action 3. Plan SME Package AI funding. Available via guichet.public.lu for SMEs, including brokerage firms: free pre-analysis by the House of Entrepreneurship, reimbursement up to 70% of eligible projects between 3,000 and 25,000 euros excluding tax (source: guichet.public.lu). For the cost framing of a private AI for an LU SME, see how much a private AI costs for a Luxembourg SME.

AI for a Luxembourg insurance brokerage in 2026 is useful, compatible with professional secrecy and with the AI Act, provided you pick the right tasks, the right architecture and the right vendor.


FAQ: your questions on AI in LU insurance brokerage

Can an LU broker use ChatGPT to work on a client file?

No, not the consumer version. The consumer version of ChatGPT retains prompts to retrain its model, exposing data covered by article 300 of the Luxembourg Insurance Act of 7 December 2015 (criminally sanctioned under article 458 of the Criminal Code). Use becomes possible on a private architecture hosted in the EU, with a no-training clause and a provider not subject to the Cloud Act.

Which AI tasks are high-risk under the AI Act for a broker?

Risk assessment and pricing systems in life and health, classified as high-risk by AI Act Annex III point 5(c), fully applicable on 2 August 2026. Autonomous pre-underwriting scoring, autonomous report drafting and dynamic pricing in life or health fall within this scope. The 5 tasks in this article stay outside the scope provided human oversight is maintained.

Does EIOPA authorise generative AI in brokerage?

Yes, under conditions. The EIOPA Opinion of 6 August 2025 lays out an EU interpretive framework aligned with Solvency II, IDD, DORA and GDPR, and retains six principles: data governance, record-keeping, fairness, cybersecurity, explainability, human oversight. These are the minimum foundations for any AI deployment at an LU broker.

What is a private AI for a Luxembourg insurance brokerage?

An AI system deployed for the firm with five cumulative guarantees: documented EU hosting, contractual no-training clause, logical isolation from the provider's other customers, access logging, provider not subject to the Cloud Act. These guarantees make the use compatible with article 300, CAA regulations 19/01 and 20/01 and the EIOPA Opinion.

Will AI replace the insurance broker's role?

No. Vincent Arnal, CIO of Lalux Assurances, phrases it in Delano: digital tools cannot replace humans in claims follow-up, client relations and advice. The broker delegates the repetitive task to the AI, not the decision. The personalised duty to advise remains the broker's (IDD article 20, CAA regulation 19/01) and professional liability is not outsourceable.


LetzAgents, sovereign AI team Luxembourg, supports Luxembourg SMEs and regulated organisations in deploying private AI architectures compliant with GDPR, AI Act and DORA. This article is based on the Luxembourg Insurance Act of 7 December 2015 (article 300), article 458 of the Criminal Code, CAA regulations 19/01, 20/01 and 19/03, the EIOPA Opinion of 6 August 2025, AI Act Annex III 5(c), IDD article 20 and its transposition by the law of 10 August 2018, the ACA Gen AI Survey 2025, and work by Elvinger Hoss, Philippe & Partners and DLA Piper.