Life Insurance · Regulated insurer, DORA and AI Act context

Compliance-ready AI hosting for a life insurer

Starting point

A German life insurer wanted to integrate an AI platform for case processing into its operations. The regulatory landscape was complex: DORA requires ICT risk management for outsourced services, BaFin supervisory practice demands proven cloud governance, the EU AI Act sets requirements for audit trails and human oversight, and GDPR Article 9 determines the architecture for medical data. The central question was not only technical — it was regulatory: which operating model satisfies all five frameworks simultaneously without compromising time-to-market?

What we did

We evaluated three operating models for the AI platform: external data centre, dedicated cloud environment, and client-owned cloud tenant. For each model, we produced a full assessment across five regulatory frameworks — DORA, BSI C5, GDPR, EU AI Act, and ISO 27001. The core deliverable was a compliance inheritance analysis: a systematic mapping of which regulatory evidence obligations are covered by the infrastructure platform and which remain with the insurer and the operator. This was accompanied by a hosting recommendation, cost structure, and a responsibility delineation within the shared-responsibility model. Team: 2 people over 6 weeks. Disciplines: cloud architecture, regulatory analysis, compliance documentation.

Results

5 regulatory frameworks analysed (DORA, BSI C5, GDPR, EU AI Act, ISO 27001)

3 hosting scenarios evaluated and documented

6 weeks from first meeting to pilot launch

100% of infrastructure-level controls covered by compliance inheritance

What we learned

Most insurers underestimate how much regulatory groundwork a well-chosen infrastructure eliminates. Compliance inheritance is not a marketing term — it is an operational lever. Choose the right platform and you reduce the scope of your own evidence obligations by 60–70% at infrastructure level. Ultimate regulatory responsibility stays with you — but the burden of proof shifts.

This is the summary. How we approached it methodologically — which architectural decisions we made, what we discarded and which patterns can be transferred to other contexts — we discuss in a personal conversation.

Not because we want to sell you something. But because this depth is what our clients engage us for — and it does not belong on the open internet.