The importance of customer interests in embedded insurance

9 December 2025

In this News Update, we discuss the following: an AFM report with recommendations on embedded insurance; the amended bill for the CCD II implementing Act that is currently before the Council of State; and the EU supervisory authorities’ designation of a number of critical ICT third-party suppliers under DORA.

The importance of customer interests in embedded insurance

The Dutch Authority for the Financial Markets (the “AFM”) has published a report about safeguarding customer interests in embedded insurance, emphasising that strong safeguards are necessary to prevent less well-considered choices, overinsurance and underinsurance. The key message is that customer interests must demonstrably come first in licensing, product development, information provision and management. The report offers providers and platforms guidance on how to set up embedded insurance sustainably and in the interest of customers. The AFM stresses the importance of safeguarding customer interests in various phases and gives a number of recommendations.

Embedded insurance creates opportunities to further personalise insurance policies. For the product development phase, the AFM recommends personalising products to promote customer interests. Customers are guided in their choice by the environment in which they are presented with the options. Guiding choice environments can tempt customers to make unwise financial decisions. For the orientation phase, the AFM therefore recommends considering the guiding effect of the choice environment and designing it carefully, while measuring whether the chosen design also has the desired effect on customer behaviour.

When taking out insurance, it is important that customers receive the right information. The AFM therefore gives three recommendations on this point: (1) include all relevant information on the insurance in the choice environment to make it easier for customers to determine the terms and conditions of the product, (2) balance the convenience of taking out insurance with ensuring that customers are still adequately informed about the product’s features, and (3) inform customers how the embedded insurance product fits in with traditional insurance policies they may already have.

Embedded insurance services are typically integrated into a digital environment, where there is a physical distance between customers and the provider or platform. This distance can be bridged by good service. For the management phase, the AFM therefore recommends determining whether the service in this phase is in line with the way the product is distributed and meets customers’ expectations. In addition, the AFM recommends informing customers clearly and in a timely manner about the expiry date of the insurance.

CCD II implementing Act has been tightened

The bill for the Act Implementing the Revised Consumer Credit Directive (Implementatiewet herziene richtlijn consumentenkrediet) has been shared with the Council of State, in amended form after the internet consultation this past spring. In our previous blogpost of 16 May 2025, we discussed the outlines of the consultation proposal. While the essence has remained the same, the recently published version includes some refinements and shifts in emphasis. Set out below are a number of key changes to the consultation proposal.

Stricter regime for foreign online credit providers (amendment of Article 1:16 FSA)

In Article 1:16 of the Financial Supervision Act (the “FSA”), the list of national provisions that also apply to providers providing online credit from another Member State has been considerably expanded. Specifically, this means that foreign online credit providers operating in the Netherlands must meet Part 1 of the FSA, including the new product intervention provision of Article 1:77q FSA. In addition, they will be required, for example, to register with the Credit Registration Agency (the “BKR”) (Article 4:32 FSA), to perform creditworthiness assessments in accordance with Dutch lending standards (Articles 4:34 and 4:34a FSA) and to respect the Dutch maximum loan charge (Article 4:35 FSA in conjunction with the Cost of Credit (Loans) Decree (Besluit kredietvergoeding)). This amendment reinforces the level playing field between domestic and foreign online providers.

AFM’s product intervention powers explicitly laid down (new Article 1:77q FSA)

The proposal’s Article 1:77q FSA lays down explicit product intervention powers for consumer credit. The AFM can impose a ban or restriction on certain credit products or product features and on certain market practices if they give significant cause for concern regarding consumer protection and other supervisory tools are insufficient or disproportionate. These product intervention powers partly align with the AFM’s current product intervention powers ensuing from the Markets in Financial Instruments Directive (“MiFID II”).

Minors and ‘buy now, pay later’ (“BNPL”): emphasis on age verification

The proposal confirms that providers cannot provide credit to minors unless they have express consent from a legal representative. In addition, offering minors credit in the form of deferred payment (BNPL and similar arrangements) is always prohibited. The proposal emphasises the fact that providers must have adequate age verification processes in place. According to the Explanatory Memorandum, age verification could become part of the know-your-customer process, which providers are required to perform under the Money Laundering and Terrorist Financing (Prevention) Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

Use of data, social media and AI further delineated

These focus areas were already outlined during the consultation, but have now been specified in more detail. The rules on creditworthiness assessments have been tightened further in the new text. The new Article 4:34a FSA prohibits the use of data from digital social networks for credit assessment purposes and lays down strict requirements on the processing of special personal data (such as religion or health), including a separation of functions and a right for consumers to access their data before the data are used in the assessment. Article 4:34 FSA itself has also been tightened. The new text explicitly states that credit providers can only process information that is “necessary and proportionate to the nature, duration, value and risks of the credit to the consumer.” The revised Article 7:60 of the Dutch Civil Code furthermore expressly provides that consumers must be informed if personalised offers are made through automated processing, without prejudice to the General Data Protection Regulation.

Mandatory identification and referral to debt counselling

While the consultation proposal mostly presented an outline, the regime for consumers with payment difficulties is now more clearly defined. Article 4:35b FSA requires credit providers to identify payment difficulties at an early stage and to refer the consumers in question to debt advisory services.

EU supervisory authorities designate critical ICT service providers under DORA

On 18 November 2025, the European financial supervisory authorities European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) (together: the “ESAs”) published a list of ICT service providers that qualify as critical ICT service providers within the meaning of the Digital Operational Resilience Act (“DORA”), an EU Regulation aimed at enhancing digital operational resilience in the financial sector. Under Article 31 DORA, the ESAs are authorised to designate critical ICT service providers and publish a list of critical ICT service providers once a year. Additional requirements apply to these critical ICT service providers under DORA.

The list of critical ICT service providers is available here and includes parties such as Amazon Web Services EMEA Sarl, Equinix (EMEA) BV, Microsoft Ireland Operations Limited, Oracle Nederland BV and SAP SE.

Under Article 8 DORA and Commission Implementing Regulation (EU) 2024/2956, each financial entity must prepare and update a register of information and submit it to the competent national supervisory authority every year. These registers of information specify, in a standardised manner, all ICT services purchased by the financial entities, and contain detailed information for each ICT service.

In consultation with the national supervisory authorities, the ESAs have made a selection of critical ICT service providers by analysing the data in all registers of information of European financial entities. Whether an ICT service provider is critical must be assessed by the ESAs on the basis of criteria including the systemic impact of an ICT service’s unavailability, the scale of financial entities that depend on a specific ICT service and the degree of substitutability of a particular ICT service.

While DORA primarily creates obligations for EU financial entities within scope, Section II of DORA enables the ESAs to exercise additional supervision over critical ICT service providers, for example on aspects like risk management, physical safety, and ICT risk monitoring and reporting. ESAs can also impose orders subject to penalty payments on critical ICT service providers if they persistently fail to perform their obligations under DORA.
