Insurance companies cannot keep treating data trust as a quarterly project

May 28, 2026
By Salma Bakouk, Co-founder and CEO at Sifflet


The Regulatory Bar Has Moved. Annual Evidence Is No Longer Enough.

There is a question that European insurance regulators have started asking that almost no insurer can answer cleanly. The question is some variation of: "On any given Tuesday, can you prove that the data feeding your technical provisions, your reserving, and your model decisions is appropriate, complete, and accurate?"

The honest answer at most insurers is no. Not because the data is bad. Because the proof is annual. Or quarterly. Or audit-driven. The reporting submission lands on time, the actuarial sign-off happens, the auditor leaves satisfied, and in between, the data foundation is governed by spreadsheets, tribal knowledge, and the institutional memory of a few senior people in the actuarial and risk teams. That used to be enough. It is no longer enough.

The bar has moved

Solvency II Article 82 has required appropriateness, completeness, and accuracy of data used in technical provisions since 2016. That has not changed. What has changed is what supervisors expect to see when they ask about it. EIOPA's Guidelines on the Valuation of Technical Provisions codified sixteen specific data quality expectations on the Actuarial Function. The ACPR in France has tightened its posture and now asks the actuarial, risk, and internal audit functions to demonstrate traceability, alerts, and evidence. Directive (EU) 2025/2, the first comprehensive revision of Solvency II since the framework came into force, transposes into member state law by January 2027. It changes governance, supervision, reporting, and proportionality across all three pillars.

DORA, in force since January 2025, named data integrity as an ICT security obligation in its own right. Article 9(2) requires financial entities to maintain availability, authenticity, integrity, and confidentiality of data at rest, in use, and in transit. Article 35 puts teeth on the framework: penalties of up to 1% of average daily worldwide turnover for critical ICT third-party providers, with the first oversight cycles maturing through 2026 and 2027.

In the UK, Solvency UK replaced Solvency II in December 2024 under PRA PS15/24. The new Bank of England Insurance Taxonomy v2.0.2 goes live for year-end 2025 reporting. In the US, the NAIC's Model Bulletin on AI has been adopted in roughly half of the states. Colorado Regulation 10-1-1 expanded in October 2025 to cover auto and health insurers, with compliance due July 2026, and requires a documented governance framework over the external data and algorithms feeding pricing models.

These are different regulations in different jurisdictions, but they describe the same demand. Regulators no longer accept evidence that was reconstructed after the fact. They want continuous, auditable proof that the data feeding capital, reserving, disclosure, and AI is sound. This is, at its core, a data governance problem that has outgrown the tools most insurers built to manage it.

What that demand means operationally

Four things:

The data feeding regulated outputs has to be continuously monitored, not assessed annually.

The lineage from policy administration and claims systems through every transformation into the actuarial model has to be visible, not reconstructed.

When something goes wrong, the incident has to be documented end to end: cause, impact, remediation, time to resolution.

The same evidence has to exist for the data feeding AI and ML pricing models, because the algorithm is now in scope of the same governance regime as the rest of the regulated stack.

On that last point: AI governance and data governance are not the same thing, but they are inseparable in a regulated environment. Data governance manages inputs. AI governance controls behavior. If the inputs are ungoverned, the behavior cannot be trusted, and under DORA and the NAIC AI Bulletin, "cannot be trusted" is no longer a tolerable answer.

That is not a reporting tool problem. It is not a governance committee problem. It is not a data quality dashboard a junior analyst checks once a week. It is a continuous control problem, and the data infrastructure most insurers operate on, built across decades and acquisitions and overlapping platforms, was never designed for it.

Why this is now non-negotiable

For years, insurers could treat the gap between what regulators wanted and what existing infrastructure could produce as a process problem. Hire more people. Run more reconciliations. Document more carefully. That worked when the bar moved every five years.

The bar is now moving every quarter. Solvency II 2.0 transposes in 2027. DORA penalties begin invocation in 2026 and 2027. Colorado 10-1-1 hits a compliance date in July 2026. IFRS 17 disclosure granularity has been live since 2023 and auditors are increasingly asking to see the lineage behind the numbers. The Solvency II amending Delegated Regulation is in consultation. The next wave of EIOPA technical standards is expected through 2026.

Each one alone is manageable. Together, they describe a regulatory environment in which the data foundation of the insurance business is permanently under examination. No team of senior actuaries and risk professionals can manually evidence continuous control across this surface area, no matter how good they are. The only way through is to make the evidence continuous by design.

What Sifflet is doing about it

Sifflet is the control plane for Data and AI. That means one platform that gives the Actuarial Function, the CRO, the CDO, and the auditor a single, regulator-ready record of data quality, lineage, and incidents across the entire regulated stack.

We do the four things regulators are now demanding:

We continuously monitor the data feeding capital, reserving, pricing, and AI models.

We provide automated, end-to-end lineage from source systems through every transformation.

We give the Actuarial Function, the CRO, and the auditor a single, regulator-ready record of every data incident and its remediation.

We extend that same control plane over the inputs to algorithmic and AI systems so model decisions inherit the same governance as the rest of the regulated stack.

The platform answers EU, UK, and US regulators with the same architecture, because the underlying paradigm is the same. Solvency II, Solvency UK, NAIC ORSA, RBC, DORA, the NAIC AI Bulletin, Colorado 10-1-1: different rules, different speeds, same operational demand.

The choice insurers are making right now

Every insurer leadership team has the same conversation in front of it. Either we keep building manual evidence for a regulatory environment that has moved past annual cycles, or we make the evidence continuous and turn the regulatory burden into a system. The first path scales by hiring. The second path scales by design.

Sifflet was built for the second path. The CDOs and Chief Actuaries we work with chose it because they read the regulatory direction correctly and refused to pretend that another year of spreadsheets would be enough. The bar has moved. The infrastructure has to move with it.
