KI-loven is Norway's expected domestic implementation of the EU AI Act through the EEA Agreement, enforced by Finanstilsynet. It brings the same high-risk classification framework, Article 14 human oversight obligations, and conformity assessment requirements as the EU Act. The transposition timeline is not yet confirmed. The obligations are known. Insurers treating legislative uncertainty as a reason to wait are accumulating a compliance gap that only grows harder to close.
The Question the Board Asked on a Monday Morning
It is 09:15 on a Monday morning at a Norwegian insurer's compliance function. The Head of Compliance has just come out of the quarterly board risk committee, where a non-executive director asked a question that was not on the agenda: "When KI-loven comes into force, which of our AI systems will be classified as high-risk, and are we ready?"
The Head of Compliance gave the honest answer: she does not yet know the precise transposition timeline, the classification of two of their underwriting models is genuinely uncertain, and the technical documentation required for the conformity assessment has not been started. The board noted the answer. The audit committee chair asked for a written update within 60 days.
This is the situation most Norwegian insurers find themselves in as of 2025. The EU AI Act entered into force in August 2024. Norway, as an EEA member, is expected to incorporate it through KI-loven. The legislative timeline is not yet final. But the direction is unambiguous, the core obligations are known, and the insurers who treat the uncertainty as a reason to wait are accumulating a compliance gap that will take longer to close the longer it grows. The 60-day board update is a reasonable deadline. The preparation it requires should already be under way.
Key Figures
| Figure | What it means |
|---|---|
| August 2026[1] | Target date by which EU member states must have high-risk AI system compliance in place. Norway's KI-loven transposition timeline is expected to align with this, subject to EEA legislative process completion. |
| €35m or 7%[1] | Maximum administrative fine for non-compliance with EU AI Act obligations for high-risk AI systems: €35 million or 7% of global annual turnover (approximately NOK 400 million at mid-2025 exchange rates), whichever is higher. |
| 68%[4] | Of EIOPA-surveyed insurers reported using AI in underwriting or claims decisions in 2024, but fewer than 30% had documented explainability and human oversight processes meeting the standard expected for high-risk AI use cases. |
| Art. 14[1] | EU AI Act Article 14 requires that high-risk AI systems be designed to allow effective human oversight, including the ability to understand, monitor, intervene, override, and halt the system. This is a design requirement, not just a governance policy. |
| 58%[5] | Of EU insurance firms surveyed in 2024 had not yet completed a Data Protection Impact Assessment for their AI-assisted underwriting or claims systems, a GDPR obligation already in force in Norway through the EEA Agreement. |
What KI-loven Means for Norwegian Insurers
KI-loven, Norway's forthcoming AI regulation, is the domestic legislative vehicle for incorporating the EU AI Act into Norwegian law through the EEA Agreement. For insurers operating in Norway, KI-loven compliance will follow the same structure as EU AI Act compliance: a risk-based classification framework, specific obligations for high-risk AI systems, and supervisory enforcement through Finanstilsynet, the Norwegian Financial Supervisory Authority. The precise transposition timeline is not yet confirmed as of mid-2025, and specific regulatory interpretations for Norwegian-market insurers should be verified with qualified Norwegian legal counsel.
What is already clear is the direction. Norway has been an enthusiastic adopter of EU financial services regulation through the EEA Agreement, and the EU AI Act is the most significant AI governance framework in force anywhere in the world. Norwegian insurers that deploy AI in underwriting, claims, pricing, or risk assessment are operating systems that will almost certainly fall within the high-risk classification. The obligations that attach to high-risk systems — documented human oversight, technical documentation, conformity assessment, and post-market monitoring — are substantial and cannot be compressed into a few weeks before a compliance deadline.
How the EU AI Act Framework Applies to Norwegian Insurers
The EEA Agreement and Norway's position
Norway participates in the EU Single Market through the EEA Agreement. EU legislation relevant to the single market is incorporated through a Joint Committee decision, following which Norway implements through domestic law. The EU AI Act was adopted in June 2024 and entered into force in August 2024.[1] The EEA Joint Committee process and the subsequent KI-loven legislative process are both ongoing as of mid-2025.
In practice, Norwegian insurers face a brief period of uncertainty on the precise national timeline, but no uncertainty about the substantive obligations. Finanstilsynet has signalled that it expects Norwegian financial institutions to be preparing for AI Act-equivalent compliance regardless of the domestic legislative timeline.[3]
Which AI systems are likely to be classified as high-risk
Annex III of the EU AI Act lists the AI application categories classified as high-risk. For Norwegian insurers, two categories are directly applicable. First: AI systems used for risk assessment and pricing in relation to natural persons in life and health insurance, covering underwriting models, risk scoring systems, and automated pricing engines. Second: AI systems used to evaluate the creditworthiness of natural persons, which regulators are likely to interpret as including affordability and premium payment risk assessments tied to policy issuance or renewal.[1]
Claims AI systems that produce decisions with significant legal effects — including coverage denials and material settlement decisions — are not listed in Annex III but are likely to require high-risk treatment under GDPR Article 22, which applies in Norway through the EEA Agreement.[2] General-purpose AI tools used for document drafting or internal knowledge management are not high-risk. Insurers should not over-classify, but neither should they under-classify systems that handle personal data at scale in consequential decision workflows.
What High-Risk Classification Requires in Practice
Four article-level obligations define the core compliance burden for high-risk AI systems in the Norwegian insurance context.
Technical documentation
High-risk AI systems require a technical file documenting the system's design, development methodology, training data characteristics, performance metrics, and known limitations. For insurers using vendor-supplied AI models, the deployer must also complete documentation: vendor contracts should require the model provider to supply the documentation needed for the insurer's conformity assessment.
Human oversight
Article 14 requires that high-risk AI systems allow effective oversight by a designated individual with the authority and competence to understand outputs, monitor for anomalous behaviour, and intervene, override, or halt the system.[1] The override mechanism must be technically implemented in the workflow, not just described in a policy document. Every override must be logged and aggregate override rates reviewed periodically to identify model drift.
Logging and post-market monitoring
High-risk AI systems must automatically log events relevant to operation throughout their lifecycle: every decision contributed to, the inputs that drove it, the confidence score where applicable, and any human override. Article 12 specifies at least six months' retention for most high-risk systems; sector-specific insurance requirements under Finanstilsynet's guidance may require longer.
Transparency and notification
Deployers of high-risk AI systems must inform individuals when they are subject to a decision made or significantly influenced by a high-risk AI system. For Norwegian insurers, this means updating privacy notices, policy documents, and decision letters to disclose the use of AI, describe the logic accessibly, and explain the individual's rights including the right to contest an automated decision under GDPR Article 22.
Where the Genuine Grey Areas Are for Norwegian Insurers
KI-loven transposition timeline
The EEA Joint Committee process can take longer than the EU legislative process, and the precise date from which KI-loven obligations will be enforceable in Norway is not yet confirmed. Insurers should not use this uncertainty as a reason to defer preparation, but they should monitor legislative progress and adjust their compliance timeline accordingly. Finanstilsynet's published guidance should be treated as the working standard in the interim.[3]
Classification of AI-assisted claims systems
The Annex III list does not explicitly include claims processing AI, but regulators are expected to interpret the list broadly for systems that produce significant effects. Norwegian insurers with AI-assisted claims denial or reserve-setting systems should seek legal advice on whether those systems require high-risk treatment before the compliance deadline.
Interaction with Solvency II and internal model requirements
Norwegian insurers using AI models within their internal capital models or risk management functions face a potential overlap between AI Act conformity requirements and the Solvency II internal model validation framework. Finanstilsynet has not yet published guidance on how the two frameworks should be reconciled. This should be flagged in the DPIA and the board risk register.
Liability for vendor AI
Where an insurer deploys an AI system developed by a third-party vendor, the AI Act's obligations are shared between developer and deployer, but the allocation depends on the contractual relationship and the degree to which the insurer customised or adapted the system. Norwegian insurers should review vendor contracts against the AI Act's deployer obligations before those contracts come up for renewal.
Finanstilsynet is already reviewing AI governance as part of standard supervision. Governance gaps identified under normal supervision can become enforcement issues before KI-loven is formally in force. Regulated AI practice does not begin when the law is enforced.
Finanstilsynet · Expectations for the Use of AI in Financial Services [3]
What Norwegian Insurers Should Do Now
The table below summarises the preparation areas, their content, and the urgency level for Norwegian insurers as of mid-2025. The urgency ratings reflect the risk of accumulating a compliance gap, not a legal opinion on enforcement timing. Specific timelines should be confirmed with qualified Norwegian legal counsel.
| Preparation area | What it involves | Urgency |
|---|---|---|
| AI system inventory | Catalogue every AI system in use, its decision types, and its data inputs | High — required before classification assessment can begin |
| High-risk classification review | Assess each system against EU AI Act Annex III criteria, with legal review | High — classification determines the full compliance burden |
| DPIA completion | Complete or update Data Protection Impact Assessments for high-risk AI systems | High — GDPR obligation already in force; gaps carry immediate risk |
| Human oversight design | Document and technically implement Article 14-compliant human oversight for high-risk systems | High — required from EU AI Act application date |
| Technical documentation | Prepare the technical file required for high-risk AI systems under Article 11 | Medium — required before first use after compliance deadline |
| Transparency notices | Update privacy notices, policy documents, and decision letters to disclose AI use and logic | Medium — GDPR Article 13/14 obligations apply now; AI Act adds requirements |
| Post-market monitoring | Implement logging, override rate tracking, and periodic performance review for deployed AI | Medium — required on an ongoing basis after deployment |
| Conformity assessment | For high-risk systems: complete conformity assessment and register in EU AI database | Medium-high — required before compliance deadline; timeline depends on KI-loven transposition |
Frequently Asked Questions
When will KI-loven come into force in Norway?
As of mid-2025, the precise transposition timeline for KI-loven is not confirmed. The EU AI Act entered into force in August 2024, with high-risk AI system obligations applying from August 2026 for EU member states. Norway's incorporation through the EEA Agreement and subsequent KI-loven legislative process may result in a slightly different domestic timeline. Norwegian insurers should monitor Finanstilsynet's published guidance and the progress of the EEA Joint Committee process, and treat the EU AI Act application dates as the working planning assumption. Specific timeline advice should come from qualified Norwegian legal counsel.[1][3]
Which of our AI systems are likely to be classified as high-risk?
AI systems used for risk assessment and pricing in life and health insurance are explicitly listed in Annex III and are almost certainly high-risk. AI systems used in creditworthiness or affordability assessment tied to insurance are also likely to qualify. AI-assisted claims systems that produce significant effects, including coverage denials, are likely to require high-risk treatment under GDPR Article 22 even if they fall outside the Annex III list. Document triage and internal knowledge management tools with no binding decision output are generally not high-risk. Classification should be reviewed with legal counsel.[1][2]
We use a vendor-supplied AI model for underwriting. Who is responsible for compliance?
The EU AI Act allocates obligations between the AI system developer and the deploying organisation. As a deployer, the Norwegian insurer is responsible for using the system within its intended purpose, implementing human oversight, maintaining logs, monitoring performance, and reporting incidents. The developer is responsible for the technical documentation and conformity assessment, but the insurer must verify that this documentation exists and is adequate before deployment. Review your vendor contract to confirm the allocation of AI Act obligations and obtain the technical documentation needed for your own compliance records.[1]
What does Finanstilsynet expect from insurers on AI governance right now?
Finanstilsynet has published guidance signalling that Norwegian financial institutions should be preparing for AI Act-equivalent compliance regardless of the domestic KI-loven legislative timeline. This includes conducting AI system inventories, completing DPIAs for high-risk processing, documenting human oversight mechanisms, and reviewing vendor contracts for AI Act compliance provisions. Finanstilsynet has also indicated it will assess AI governance as part of its regular supervisory review of insurers, meaning governance gaps identified under normal supervision can become enforcement issues before KI-loven is formally in force.[3]
We have not started our AI system inventory. Where should we begin?
Start with a structured catalogue of every AI system currently in use across underwriting, claims, pricing, customer service, and fraud detection. For each system, document: the decision types it supports or makes, the data inputs it uses, the vendor or developer, whether personal data is processed, and any existing governance documentation. This inventory is the prerequisite for the classification review and the DPIA. It is also the document your board and Finanstilsynet will ask for first. A spreadsheet maintained by the compliance function is sufficient at the inventory stage; the technical file and DPIA come after classification.[1][5]
What are the consequences of non-compliance when KI-loven comes into force?
The EU AI Act provides for administrative fines of up to €35 million or 7% of global annual turnover for non-compliance with obligations for high-risk AI systems, whichever is higher. At mid-2025 exchange rates, €35 million is approximately NOK 400 million. KI-loven is expected to mirror these penalty provisions. Finanstilsynet will also have independent supervisory powers to require corrective action, suspend AI system use, and publish enforcement decisions. Non-compliant automated decisions may additionally be challengeable by affected policyholders under GDPR's individual rights provisions, creating civil liability exposure alongside regulatory penalties.[1][3]
This blog provides general information only and does not constitute legal or regulatory advice. Insurers should consult qualified counsel for guidance specific to their jurisdiction and operations. KI-loven transposition details and Finanstilsynet guidance should be monitored for updates.
References
All sources are from primary legislation, regulatory publications, and verified 2024 industry surveys. Links verified 2026.