Castra Risk Insights
Regulatory Brief · No. 004

The EU AI Act and your insurance tower.

August 2026 is not a deadline. It is the moment the policies you already bought begin to disagree with the regulation you already owe.

By · Castra Regulatory
Status · Forthcoming · Jul 2026
Reading · 15 minutes · 2,080 words

Regulation (EU) 2024/1689 — the AI Act — entered force on 1 August 2024. Its prohibitions on unacceptable-risk systems took effect six months later. Its obligations on general-purpose AI models followed in August 2025. Its principal weight, the requirements on high-risk systems under Article 6 and Annex III, lands on 2 August 2026. By the time this note is published, that date is two weeks away. The compliance posture of every company deploying AI inside the Union, or shipping a system whose output reaches the Union, is now a matter of public record.

The Act is not the only instrument. The revised Product Liability Directive (Directive (EU) 2024/2853) was adopted in late 2024 and brings software, including AI systems, within the scope of strict liability for defective products. The AI Liability Directive, still moving through the legislative pipeline at time of writing, would lower the burden of proof for victims of AI-caused harm through a rebuttable presumption of causality. The three instruments interlock. The first defines the obligations. The second defines who pays when the obligations are missed. The third defines how easy it is for the victim to reach the second.

Most corporate insurance towers were not built for this. They were built for a world in which "software" was a covered peril somewhere and "regulatory" was a thin sublimit elsewhere. This memo is a working note for general counsels and chief risk officers preparing their towers for August. It walks the Act's architecture, the trap inside Article 25 that converts deployers into providers, and the three layers of the tower where affirmative AI coverage now has to sit.

Part I · The Architecture of the Act

The AI Act sorts systems by risk into four tiers. Unacceptable-risk systems are prohibited outright under Article 5 — social scoring by public authorities, untargeted facial-image scraping, certain biometric categorization, real-time remote biometric identification in public spaces. There is no compliance pathway. There is no insurance product. The category exists to be avoided.

High-risk systems are the centre of gravity. Article 6 defines them in two ways. First, by reference to Union product-safety legislation listed in Annex I — machinery, medical devices, toys, lifts, civil aviation, automotive. An AI system that is itself a safety component of one of these products, or that is required to undergo a third-party conformity assessment under that legislation, is high-risk by construction. Second, by reference to Annex III, which enumerates standalone use cases. Biometrics. Critical infrastructure. Education. Employment and worker management. Access to essential services — including credit scoring and the risk assessment and pricing of life and health insurance. Law enforcement. Migration. Administration of justice and democratic processes.

A high-risk system carries obligations that read like an aerospace audit. Risk management. Data governance. Technical documentation. Record-keeping. Transparency to deployers. Human oversight. Accuracy, robustness, and cybersecurity. A quality management system. Conformity assessment before placing on the market. Registration in an EU database. Post-market monitoring. Serious-incident reporting within fifteen days, or two days for a widespread infringement. None of these are aspirational. Each has been mapped to a notified body and a harmonized standard.

Limited-risk systems — chatbots, emotion-recognition systems, biometric categorization not otherwise high-risk, and the generation of synthetic content — carry transparency obligations under Article 50. Deployers must disclose AI use to natural persons. Synthetic audiovisual content must be marked. The Act calls these obligations light. The plaintiff's bar will read them differently.

Penalties under Article 99 are administrative, calibrated to global turnover, and large. Prohibited-AI infringements: up to €35 million or 7 %. High-risk and most other obligations: up to €15 million or 3 %. Supplying misleading information to a national competent authority: up to €7.5 million or 1.5 %. SMEs and start-ups get the lower of the two figures, not the higher. These ceilings sit at the same magnitude as the maximum fines under the General Data Protection Regulation, and they are subject to the same enforcement enthusiasm. They are also, in almost every existing insurance tower, uninsurable as a matter of public policy.

Part II · The Provider / Deployer Trap

The Act divides operators into providers and deployers. A provider develops a high-risk system, or has one developed, and places it on the market under its own name. A deployer uses a high-risk system under its own authority. The obligations on the two roles diverge sharply. Providers carry the conformity-assessment burden, the quality-management system, and the post-market monitoring. Deployers carry use in accordance with the instructions for use, human oversight, log retention, a fundamental-rights impact assessment for public-sector deployers, and the duty to inform affected persons.

Article 25 is the trap. It states that any deployer, distributor, importer, or other third party that puts its name or trademark on a high-risk system already placed on the market — or that makes a substantial modification — is thereafter considered a provider for the purposes of the Act. The provider's full obligation stack transfers with the badge. "Substantial modification" is defined to capture changes that affect compliance with the Act's requirements or alter the intended purpose. Fine-tuning a vendor base model on internal data is, on a permissive reading, a substantial modification. Wrapping a third-party model in a retrieval pipeline that meaningfully changes its risk profile is, on any reading, a substantial modification.

The practical effect is that a company that thought it was a deployer — that thought it had bought a system from a provider and was simply using it — can find itself a provider by Wednesday lunchtime. The conformity assessment it never performed. The technical documentation it never filed. The EU database registration it never made. None of which the procurement contract with the upstream vendor will help with, because the vendor's obligations were discharged when the original system was placed on the market.

A €35 million administrative penalty is not insurable. The litigation it triggers is.

The civil track runs in parallel. The revised Product Liability Directive imposes strict liability on the manufacturer of a defective product, with software and AI systems now squarely within scope. "Defective" includes a failure to provide the safety a person is entitled to expect, having regard to the system's reasonably foreseeable use and the moment at which it was placed on the market or substantially modified. The AI Liability Directive, when adopted, will introduce a rebuttable presumption of causality between non-compliance with the AI Act and damage suffered by the claimant, provided the non-compliance is established and the damage is of a type the breached obligation aimed to prevent. The two instruments compound. A regulator's finding under the AI Act becomes a near-automatic civil exposure under the Liability Directive. A bind-date conformity-assessment file becomes the centre of gravity of every subsequent case.

Part III · What the Tower Now Has to Absorb

A standard large-corporate liability tower stacks general liability, professional indemnity, cyber, product liability, employment practices liability, directors and officers, and a series of excess layers above them. Each of these lines was placed at a moment when AI exposure was a future tense. Since 2024 the constituent policies have moved in unison. Cyber underwriters added AI exclusions to ringfence the line against silent exposure. Professional indemnity carriers attached affirmative AI exclusions on renewal. General liability never affirmatively covered software defect to begin with. Product liability covered hardware defect, with AI carried only when bundled into the regulated product.

The result is that an AI-caused loss now has to navigate a corridor of declinations before it reaches a paying policy. Cyber excludes it because the cause was AI, not unauthorized access. Professional indemnity excludes it because the AI component is carved out. General liability excludes it because the loss is not bodily injury or tangible property damage. Product liability covers the hardware fault but not the model that drove the hardware. D&O picks up only the derivative claim against directors for failure of oversight, after the operating loss has already landed in the operating company's retained-risk layer.

Fig. 01 · A standard tower, post-2024 exclusions (share of each line excluding or sublimiting AI, covered vs. AI excluded)

  Cyber             82 % excluded
  Prof. Indemnity   76 % excluded
  General Liab.     88 % excluded
  Product Liab.     58 % excluded
  D&O               32 % excluded
  Regulatory        80 % sublimit

Source: Castra reading of 24 representative tower placements bound by Lloyd's and continental markets, renewal cycle Q1 2026. Indicative, not actuarial.

Affirmative AI liability is not a thirteenth layer added to a tower of twelve. It is the medium in which the tower has to be re-read. Castra writes affirmative AI primary that responds to a defined AI peril — model error, retrieval failure, drift, substantial-modification exposure, transparency-obligation breach. It writes regulatory defense as a carved-out coverage rather than a sublimit, because investigations under the AI Act will run for years rather than months and a sublimit exhausts before a fundamental-rights impact assessment is complete. It writes excess at the same attachment points as the existing tower so that the affirmative cover sits where the silent exposure used to be.

Three instruments deserve specific attention as a tower is rebuilt for the August date:

  1. An inventory of substantial modifications. Every system in production needs to be classified against Article 6 and Annex III, and every modification — fine-tunes, prompt rewrites, retrieval-pipeline changes, tool additions — needs to be logged with a date, an author, and a one-line theory of why it was not substantial. That log is the defense exhibit when a regulator asks how a deployer became a provider. It is also the underwriting file Castra binds against.
  2. A regulatory defense coverage carved out of the AI tower, not the cyber tower. Cyber regulatory defense, where it exists, was scoped for GDPR investigations of finite duration. AI Act investigations have a different rhythm. Conformity-assessment reviews, post-market-monitoring audits, and serious-incident inquiries can run in parallel across member-state authorities and the AI Office. The defense cover has to be sized for a multi-jurisdiction, multi-year engagement, with panel counsel that has the harmonized-standards vocabulary.
  3. An evidentiary recording posture. The Act's record-keeping obligation, the AI Liability Directive's disclosure regime, and the Product Liability Directive's defective-state-at-placing-on-the-market test all converge on the same artifact: a defensible, timestamped record of what the system was at every moment after it was placed on the market or substantially modified. Castra requires it as a precondition of cover. It is also what makes coverage portable when the policyholder later changes carriers.

Coda · The Question to Ask the Broker

We are sometimes asked what the single most useful question is for a general counsel to put to her broker in the run-up to August. The answer is unromantic. Pull the AI exclusion language from every primary and excess layer in the tower. Read them next to one another. Map each exclusion to the corresponding article of the AI Act — Article 5, Article 6, Article 25, Article 50, Article 99. Identify the loss scenarios that fall through every layer simultaneously. Then commission an affirmative AI quote that responds to exactly that gap. The exercise takes a fortnight. The premium it justifies is small relative to the penalty it forestalls.

The Act is not a discontinuity that requires a new theory of risk. It is the formalization, in administrative law, of a risk surface that the industry has been declining to write for two years. The work of the next eighteen months is to convert that surface from an exclusion into a coverage line, with deductibles, attachment points, and the documentary discipline that any specialty placement requires. That work is what the Roman engineers would have called vallum — the rampart that lets the camp do its work. The Act builds the rampart from the outside. The tower has to meet it from within.

Methodology

This memo summarizes Castra's working reading of Regulation (EU) 2024/1689, Directive (EU) 2024/2853, and the proposed AI Liability Directive as of July 2026. The tower-exclusion figures in Fig. 01 are derived from a Castra review of twenty-four representative liability placements bound between January and April 2026 at Lloyd's and continental markets, and are indicative rather than actuarial. Nothing in this memo is legal advice. Nothing is a quotation. Coverage terms are set by the binder. The Act's text governs. Where the memo and the Act disagree, the Act is correct.

Castra · Regulatory Coverage

Coverage that reads your tower against the Act.

We work with your broker to map each layer of your existing tower against Articles 5, 6, 25, 50, and 99, and quote affirmative AI primary and regulatory defense to close the gaps. Two-week turnaround on the gap analysis.
