Digital sovereignty in the insurance industry – with cloud infrastructure and AI

In an industry that is increasingly under pressure from direct digital offerings, regulatory requirements and fluctuating claims volumes, technical decision-makers face major challenges. Insurance IT not only has to scale, it also has to think for itself. At the same time, digital sovereignty must be ensured. Artificial intelligence (AI) offers companies the opportunity to develop cloud infrastructures from a passive operating resource into an active, learning platform. If a few guidelines are followed, they remain independent and ‘on the safe side’.

Cloud and AI – Whoever suffers the loss...

In the cloud environment, AI models can not only optimise resource consumption, but also anticipate seasonal fluctuations in claims and automatically prepare for peak loads, for example. In conjunction with historical performance data, capacities can be allocated in a forward-looking manner. For example, data shows that with the start of the cycling season in spring, the number of bicycle accidents in Germany increases: According to the Federal Statistical Office, most bicycle accidents occur between May and September.

In addition to intelligent IT resource provision, AI can also help to identify patterns in claims reports and automate processes. For example, claims reports can be automatically categorised and prioritised, leading to more efficient processing. But how can an agile, scalable and flexible IT infrastructure be created that forms the basis for greater operational efficiency and thus significant cost savings?

The basic requirements are clear business objectives, the active involvement and training of employees, transparent governance and security standards, and an adaptable and, above all, reliable technical platform. Established cloud frameworks such as the AWS Well-Architected Framework, the Microsoft Cloud Adoption Framework, and the Google Cloud Architecture Framework also describe best practices for building secure, resilient, and efficient cloud architectures.

Guidelines for cloud sovereignty and security

Such an infrastructure cannot be established overnight. It entails sovereignty and security requirements whose implementation affects the entire company. Insurers can use a number of guidelines to help them navigate this process.

Insurers with a cloud infrastructure should:

• Avoid dependencies, ensure efficiency: Multi-cloud or hybrid models can help reduce dependence on individual providers. At the same time, care should be taken to avoid unnecessary cross-platform interactions – processes must remain as lean and smooth as possible.
• Introduce data classification to control whether data is allowed in the cloud and, if so, in which cloud.
• Regularly review the security and compliance standards of providers: This applies in particular to third-party providers. After all, the insurer remains responsible for the use of services. Risk analyses, contracts with control rights, SLA monitoring and exit strategies are mandatory.
• Integrate scalability and cost control into planning from the outset (rightsizing, monitoring).
• Use proven reference architectures – such as those from the AWS Well-Architected Framework – for security designs, data mesh strategies and lakehouse environments. This ensures smooth implementation, commissioning and maintenance.

Guidelines for dealing with AI

When dealing with AI, insurers should:

• Ensure transparency: Results must be traceable and explainable (explainable AI).
• Prioritise quality over quantity: AI may accelerate processes, but not at the expense of validation, reviews and test coverage.
• Define governance: Establish guidelines for the responsible use of AI (e.g. fairness, bias control, data quality).
• Empower employees: Train developers and specialist departments so that they can understand AI models and use them safely.

Overall, it should be noted that technologies such as cloud and AI should be used consciously and competently. They must not become a black box, but must be understood, controlled and anchored in the company through targeted training and clear responsibilities.

Digital sovereignty in practice: efficiency versus control

A common compromise in cloud strategy is to combine proprietary technologies from providers with open, platform-independent solutions. For example, infrastructure management can be done using open-source tools such as Terraform and Packer, rather than relying exclusively on proprietary services such as AWS CloudFormation. This approach increases flexibility and facilitates migration to other cloud providers if necessary – with minimal customisation effort and without deep dependence on a single ecosystem. This is a significant advantage for forward-looking insurance companies.

In addition, a multi-cloud strategy is often cited as a means of avoiding vendor lock-in by deliberately distributing workloads across multiple providers. Multi-cloud also offers a number of other advantages: greater reliability through redundancy, a better negotiating position with providers, the ability to select the best service for specific workloads, and compliance with regulatory requirements in different regions.

On closer inspection, many of the often-cited advantages of multi-cloud strategies are put into perspective. A complete failure of a large cloud provider is extremely unlikely, as hyperscalers operate highly redundant architectures. Those who follow the providers' emergency recommendations – for example, through multi-AZ or multi-region deployments – already achieve a very high level of resilience. In this respect, the risk of a total failure rarely justifies the considerable additional costs incurred when workloads are distributed across multiple providers.

The often-cited price leverage through changing providers is also limited in practice: the massive discounts that can be achieved through long-term commitments with one provider usually exceed the advantage of a theoretical switching option. Furthermore, and above all, the multi-cloud approach is not without its challenges: multi-cloud approaches significantly increase complexity and require additional governance, security policies and expertise, which can drive up operating costs. In addition, a certain degree of dependency remains, for example through API-specific implementations or integration solutions.

The compromise: somewhere between vendor lock-in and resilience

At the same time, however, it would be simplistic to portray the hype surrounding multi-cloud approaches as completely unfounded. As is so often the case, the truth lies somewhere in the middle and is reflected in the fact that the optimal strategy depends heavily on the individual company's situation. Regulatory requirements are an important factor here: regulations such as DORA make it clear that companies – especially in critical sectors – must have exit strategies and measures in place to reduce concentration risks.

A pragmatic approach can therefore be to efficiently operate the majority of workloads in a primary cloud and supplement this with a secondary or hybrid cloud solution as a backup or emergency strategy. This allows legal requirements to be met without the complexity and costs of a complete multi-cloud architecture. The crucial question remains: is maximum independence worth the extra effort, or is a controlled lock-in with a complementary resilience strategy the better choice?

Conclusion

Regardless of which cloud strategy and AI models you ultimately choose, the right expertise is crucial for successful implementation while maintaining digital sovereignty. As one of the leading IT service providers in the German-speaking region, adesso supports insurers with its many years of experience, in-depth expertise and a clear understanding of regulatory requirements and technological complexity. Feel free to contact us – together we can make your IT future-proof, scalable and sovereign.

Contact us now without obligation