adesso Blog

Sustainability regulation: ESRS, CSRD and the Taxonomy Regulation

Insurance companies are likely to have been dealing with the Taxonomy Regulation in recent years. This requires key figures on the sustainability of their own economic activity as well as their investments. The Corporate Sustainability Reporting Directive (CSRD), which came into force in January 2023, now significantly expands this reporting requirement and brings with it the European Sustainability Reporting Standards (ESRS). It is to be applied for the first time by many insurance companies for the 2024 financial year.

This requires a large number of key figures and descriptive texts to be determined, aggregated, compiled, reconciled and published. Many companies decided to do this manually at first because the regulatory requirements were still unclear and volatile. However, as the requirements become more specific and experience is gained, extensive automation makes sense. This is a job for my colleagues from our Green Insurance Team.

Regulation for resilience: DORA

With the Digital Operational Resilience Act (DORA), the EU has created a financial sector-wide regulation for the topics of cyber security, ICT risks and digital operational resilience. This regulation is intended to strengthen the European financial market against cyber risks and incidents in information and communication technology (ICT).

Banks, insurance companies and their service providers have been dealing intensively with the DORA regulation for at least a year now, because BaFin has already announced that it will put the topic of ICT service providers on the audit agenda at the beginning of the year. The current date set for submission of the DORA information register is 30 April 2025.

Regulation for responsible AI: EU AI Act

The Regulation on AI (EU AI Act) was adopted in May 2024 and will be applied for most of its provisions from August 2026. However, the provisions on prohibited AI practices have been applicable since February 2025, and the obligations regarding general-purpose AI models have been applicable since August 2025.

The basic idea here is that the application of AI is categorised according to risk classes. Appropriate measures must then be taken to ensure personal freedoms and data protection. I would like to draw particular attention to the exorbitantly high fines that may be imposed for violations. While we were already shocked by the GDPR's four per cent of group turnover, here the figure is seven per cent.

Although there is still some time before most of the regulation becomes applicable, the topic of AI is developing rapidly and should therefore be addressed at an early stage. In doing so, insurance companies should also take into account the latest decision of the European Data Protection Board (EDPB). In this context, the board has clearly stated the conditions under which ‘legitimate interest’ can be used as a legal basis for AI processing.

AI is one of the core topics that adesso has been working on in recent years, both in terms of implementation and design and in terms of regulation. Our white paper on AI governance provides an overview of the EU AI Act, the different risk classes, as well as deadlines and sanctions.

Regulation for easy payment: SEPA instant payments

The topic of SEPA instant payments is only likely to be relevant for insurance companies if they have a company with a banking licence that offers payment services. From January 2025, payment service providers will be obliged to receive instant payments, and from October 2025 they will also have to be able to send them.

It's a good thing that my colleagues from the Banking business line can also provide support here and that we at adesso work hand in hand across industries. You can find out more about our services in the banking sector on our website.

Equal opportunities regulation: accessibility

What has long been mandatory for public institutions is now also becoming mandatory for private companies: accessibility. In June 2025, the Accessibility Strengthening Act will come into force. This aims to enable people with disabilities and older people to access digital services more easily through digital accessibility. Specific requirements are described in an associated statutory instrument.

Information should always be perceivable by two senses. For insurance companies, this will particularly affect websites and customer portals with digital offers and contracts, but also claims notifications and electronic communication.

Data protection regulations: GDPR

Finally, the General Data Protection Regulation (GDPR) remains an important topic, even seven years after it came into force. On the one hand, customers and the press have become more sensitive to data protection issues. On the other hand, the GDPR often becomes the subject of disputes with customers, brokers or other partners that are actually of a different nature.

Even after this time, in my practice I still see companies that are only half-hearted in their implementation of the GDPR, only delete data ‘logically’, or have a very narrow view of which data may fall under the GDPR. Requests for information are also often handled only half-heartedly, and the ‘information on data protection’ does not meet the requirements for transparency. In view of the threatened fines, I see a high and increasing risk here. But here, too, we provide support and advice.

There is still time – let's tackle it together

As with every year, 2025 is also packed with exciting new topics. Even if regulation only contributes indirectly to corporate success, insurers should not put off implementing the requirements. Experience shows that time lost at the beginning cannot be made up at the end. adesso supports companies as a strong partner with industry experience and the necessary pragmatism.

Author: Christian Nölke

Christian Nölke is a principal consultant at adesso and has been working with AI in the insurance industry for several years. He manages regulatory projects for banks and insurance companies and advises them on the design and implementation of such projects. He is also the author of various specialist articles in the field of banking and insurance regulation and data protection.