Vertex Insurance based in Munich, uses an automated system to calculate life insurance premiums.

The scenario clearly distinguishes between data protection compliance and AI system lifecycle governance , which are governed by different regulatory frameworks. While GDPR focuses on personal data protection principles such as consent, purpose limitation, and DPIA, it does not mandate a full engineering lifecycle Quality Management System (QMS) or continuous post-market monitoring of AI systems.

The key requirement described—ongoing monitoring of model performance, bias, and drift, along with the implementation of a formal QMS—aligns with the EU Artificial Intelligence Act (EU AI Act) . This regulation introduces a risk-based framework for AI systems, particularly for high-risk applications such as insurance underwriting.

Under the EU AI Act, organizations must implement:

A Quality Management System (QMS) covering the entire AI lifecycle

Post-market monitoring to track system performance and risks after deployment

Continuous logging, documentation, and risk management processes

Mechanisms to detect and mitigate bias, errors, and model drift over time

HIPAA and CCPA focus on data privacy within healthcare and consumer data contexts, respectively, and do not impose comprehensive AI lifecycle governance requirements. GDPR, while relevant to data handling, does not extend to operational AI system monitoring and lifecycle quality controls in the same structured manner.

Therefore, the correct answer is EUAI , as it explicitly requires post-deployment monitoring and a formal QMS for AI systems beyond initial data protection compliance.