When a customer types a detailed life situation into ChatGPT or Claude and receives a concrete insurance recommendation — a specific tariff, with a named insurer, justified by an apparent needs analysis — the natural reflex among industry observers is to ask whether the model now needs a licence. A German intermediary association approached the supervisors this week with exactly that argument, drawing on documented test conversations in which leading language models produced precisely this kind of individualised recommendation.
The question is right. The reflex to answer it through an AI-specific extension of the national licensing regime is wrong — not because that regime cannot be adapted, but because the right instrument for this question already exists at the European level.
Three stages, one of which is contested
It helps to separate three things that “AI advising on insurance” can mean.
The first is information. “Berufsunfähigkeitsversicherungen protect against the financial consequences of being unable to work due to illness or accident.” No intermediation, no licence required. Every encyclopaedia does this. So does every model.
The second is individual recommendation. “In your situation as a 34-year-old software developer with pre-existing condition X, you should consider tariff Y from insurer Z.” This is the contested zone. The Bundesgerichtshof established in its Tchibo decision in 2013 that even facilitating a specific contract conclusion can trigger the intermediation requirement under § 34d Gewerbeordnung — the contract itself need not be concluded by the recommender. Models that produce this output today are operating in regulatory territory that was drawn for humans.
The third is agentic conclusion. The agent fills the application, signs on behalf of the customer, optimises across providers, transmits to insurers. This is clearly intermediation under any reading of existing law. It is not yet how most consumer AI works, but it will be — on a horizon shorter than the regulatory response cycle.
The current concern is about stage two. Stage three is coming. Stage one is fine. Any regulatory response needs to be precise about which of these it addresses.
National licensing law could be adapted — but it shouldn’t be the primary answer
The first instinct is to extend § 34d Gewerbeordnung to cover AI providers offering individualised insurance recommendations. This fits the existing legal architecture, the existing supervisory structure, the existing enforcement muscle.
It would be possible. With sufficient adaptation, § 34d could be drawn over AI providers: through an addressee designation regime analogous to GDPR Article 27, through a threshold definition between information and recommendation, through audit-based supervision rather than transcript-by-transcript adjudication. OpenAI and Anthropic both established German subsidiaries in 2025, both in Munich. Either could be designated as the responsible entity, hold the licence, carry the professional indemnity insurance. And established digital comparison portals show empirically that scalable digital intermediation under § 34d works — the IDD-derived obligations including ongoing customer relationship management, documentation, professional indemnity, and demands-and-needs analysis are demonstrably implementable at consumer scale.
The honest question is therefore not whether § 34d could be applied. It can. The honest question is whether the German legislature should build a parallel AI-specific track inside national intermediary law — or whether the EU AI Act already covers the AI-specific dimension of this question, leaving § 34d to keep doing what it has always done.
The AI Act covers it. Three reasons support using it as the AI-specific layer rather than building parallel structures inside § 34d.
First, the addressee question is already solved. Article 3(3) of the AI Act defines the provider independently of seat or legal form. Any AI provider placing a system on the EU market is captured. A § 34d extension would have to build a comparable regime from scratch — and would still leave open how it interacts with parallel regimes in 26 other Member States. Why upgrade the national norm when the fitting instrument already exists at European level?
Second, the AI Act is harmonised across the EU. A § 34d-style extension would be only one of potentially 27 national answers. If every Member State adapts its intermediary law independently for AI, the result is 27 designation regimes, 27 threshold definitions, 27 supervisory approaches.
A candid note is in order here, because the obvious counter-argument from inside the industry is unspoken but real. From a pure incumbent-interest perspective, regulatory fragmentation is actually helpful — it slows agentic competitors, protects established distribution structures. That is true in the short run. But it is not an argument that should be made in public. And in the medium run it is wrong anyway, because fragmentation eventually catches up with insurers themselves once they build their own AI-based distribution channels.
Third, the obligations fit the actual risk. IDD obligations were written for a specialised human profession — fiduciary relationship, commission structures, qualification examinations, continuing education. AI Act Annex III obligations are written for the AI architecture: risk management, data governance, human oversight, logging, transparency. The latter addresses the specifically algorithmic risk — recommendation without contextual understanding, without grasp of consequences — more precisely than the human-centred IDD obligations.
This is not a question of “AI Act instead of § 34d”. Under current law, anyone engaged in intermediation falls under § 34d. Anyone providing AI systems falls under the AI Act. Both regimes apply in parallel and cover different dimensions. The question is only whether intermediary law needs an additional AI-specific extension on top — or whether the AI Act adequately covers that dimension.
Two sharpenings available in current consultations
The Commission published draft guidelines on Article 50 of the AI Act in early May, with consultation currently open and the obligations taking effect on 2 August 2026. The current draft already covers AI agents: a system designed to interact with natural persons must disclose its artificial nature when interaction with a natural person is likely. The obligation, sharpened in the consultation, could go further — requiring an agent operating in a regulated domain to disclose not only that it is artificial but what it is not: not a licensed intermediary, not subject to the duty of care framework, not covered by professional indemnity, not a contracting party. A user told this explicitly, at the start of a conversation about insurance recommendations, is in a fundamentally different epistemic position than a user who is not.
This costs essentially nothing to implement. It is the minimum-viable regulatory response, available within months.
The Commission published draft guidelines on Annex III a few days ago, also currently in consultation. Annex III today classifies as high-risk certain AI systems used for risk assessment and pricing in life and health insurance. It does not cover AI agents used in consumer-facing intermediation. That is a gap, and it is the appropriate gap to close. Adding consumer-facing financial-services AI agents to the high-risk list would impose substantive obligations on the AI providers themselves — risk management, data governance, human oversight, logging, transparency — at the place in the value chain where the risk is actually generated. The obligations would apply EU-wide, harmonised, to providers regardless of where they are established.
Beyond these two sharpenings, the medium-term work for the Insurance Distribution Directive and its national transpositions — including § 34d and the VVG — will involve adapting to non-human intermediation as it actually emerges in the market. But sector law moves slowly, and it should. The IDD is a careful balance of consumer protection, market access, and supervisory cooperation across Member States. Rushing this layer is how regulatory fragmentation gets locked in. The right sequencing is AI Act first, sector law after — informed by what the AI Act layer has clarified.
Why this is pro-innovation, not against
The objection I anticipate from colleagues who follow my writing is the obvious one. I am usually the voice arguing against the reflex to encrust every new technology with compliance obligations before it has had room to develop. Why argue for a sharpened Article 50 and an Annex III extension now?
Because the position has not changed. The argument was never “less regulation is always better.” The argument was that regulation belongs where it adds clarity, not where it adds noise. And in this specific case, three observations point in the same direction.
The first is competitive structure. The current situation — human intermediaries operating under § 34d, the IDD, mandatory documentation, professional indemnity insurance; AI systems operating in the same recommendation space with none of these obligations — is not a free market. It is regulatory arbitrage. The losers are not just licensed intermediaries; they are the rule-following participants in a market structure where rule-following becomes a disadvantage. Fair competitive conditions are an aggregate welfare question, not a sectoral lobbying point.
The second is legal certainty. Serious AI providers entering the European market need to know what their obligations are. The current grey zone — where individualised recommendations might or might not be intermediation, depending on how a future supervisory letter reads, in 27 Member States with potentially diverging answers — is not a friendly environment for investment. A clearly defined high-risk regime with transparent obligations is the precondition for confident market entry. Regulation is not the opposite of innovation here. The absence of regulation is.
The third is the fragmentation point made earlier in this essay, returning now from the other direction. If the European level does not provide an answer, 27 national answers will emerge. This is not a regulatory environment that scales AI investment in Europe — it is one that drives it elsewhere. And while short-term incumbent interests may find this fragmentation beneficial, the harmonised EU instrument is the better answer over the longer arc, including from the insurance industry’s own perspective once it operates its own AI-based distribution channels.
The harmonised EU instrument is not the heavier option. It is the lighter one.
Three principles, repeated
The argument compresses to three principles.
Regulate the AI-specific dimension at the AI-specific layer. The risk in this case is generated by the AI provider’s design choice — to produce individual recommendations in a regulated domain without the safeguards that historically accompany such recommendations. The level where that risk is generated is the AI Act, not a special AI-specific extension of the national intermediary register. § 34d continues to do its job for human and digital intermediaries who structure themselves as such. The AI Act handles the new layer.
Lightest viable instrument first. A sharpened Article 50 transparency obligation, requiring disclosure of regulatory status alongside disclosure of artificial origin, is implementable in months, costs essentially nothing, and changes the user’s epistemic position fundamentally. It is the right first move. The substantive Annex III extension, and eventually sector law adaptation, follow in the right order.
Harmonisation as innovation strategy — including for insurers. Twenty-seven national answers to the same question is not a market. One EU-wide answer, even an imperfect one, is the structural precondition for AI investment in Europe — and for insurers’ own AI-based distribution models when they arrive.
The question whether AI systems giving individual insurance recommendations should be regulated is a real question. The answer is yes. The more important question is where that regulation should sit. Reaching for an AI-specific extension of the national licensing regime, because it is the closest at hand, is the wrong answer to the right question.