FRIA Explained: A Step-by-Step Fundamental Rights Impact Assessment (Article 27)

A practical step-by-step guide to the EU AI Act's Fundamental Rights Impact Assessment (Article 27): who must complete a FRIA, the six required elements, when it is due, how it relates to the GDPR DPIA, and what you do with the result.

Veritome Team
6 June 2026

Key Takeaways

  • A FRIA is a structured assessment of how a high-risk AI system could affect people's fundamental rights — privacy, non-discrimination, dignity and more.
  • It is a deployer obligation under Article 27, not a provider one — required of public bodies, private providers of public services, and deployers of certain Annex III §5 systems (credit scoring and life/health insurance).
  • The FRIA must be completed before the system's first use, and updated when any of its underlying factors change.
  • Article 27(1) sets out six elements every FRIA must contain — from the categories of people affected to the measures taken if a risk materialises.
  • You can build on an existing GDPR DPIA: Article 27(4) lets the FRIA complement it rather than duplicate it.
  • Deployers must notify the market surveillance authority of the FRIA result using the template the AI Office provides.

What a FRIA is — and who has to do one

A Fundamental Rights Impact Assessment (FRIA) is the EU AI Act's mechanism for making deployers think, on paper and before deployment, about how a high-risk AI system could affect the people subject to it. It sits alongside the provider's technical conformity work and asks a different question: not 'is the system built correctly?' but 'what could it do to someone's rights, and what will we do about it?'

It is not required of everyone. Article 27 applies to deployers that are bodies governed by public law or private entities providing public services, and to deployers of the Annex III §5(b) and §5(c) systems — creditworthiness and credit scoring, and risk assessment and pricing in life and health insurance. If you are a private-sector deployer outside those categories, you generally will not owe a FRIA, though Article 26 still applies.

When you must complete it

The FRIA must be done before the high-risk system is put into use. It is not a launch-week formality: it is a pre-condition of lawful deployment for the deployers in scope. Where a similar assessment already exists for a comparable use, you can rely on it, but you must keep it current — if the system's purpose, the population affected, or the oversight arrangements change, the FRIA needs to be revisited.

The six things a FRIA must contain (Article 27(1))

Article 27(1) is unusually concrete about what a FRIA has to cover. A complete assessment addresses all six points:

  • (a) A description of the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose.
  • (b) The period of time and frequency over which the system is intended to be used.
  • (c) The categories of natural persons and groups likely to be affected by its use.
  • (d) The specific risks of harm likely to impact those persons or groups, taking the provider's instructions for use into account.
  • (e) A description of the human oversight measures, per the instructions for use.
  • (f) The measures to take if those risks materialise — including internal governance and complaint mechanisms.

Step by step: running your first FRIA

In practice, a defensible FRIA follows a predictable arc. Start by scoping the deployment precisely — which process, which decisions, which population. Pull the provider's instructions for use, because Article 27 expects you to reason from them. Then map the affected groups and the concrete harms each could face: discrimination, loss of access to a service, erosion of privacy, or a decision a person cannot contest.

For each material risk, record the human oversight measure that catches it and the fallback if it fails — who is alerted, how a person complains, and when you would pause the system. Finally, assign an owner and a review date. Veritome structures the FRIA as a guided form mapped to the six Article 27 elements, so the output is a complete record rather than a blank document.

FRIA vs DPIA: how they fit together

If the system processes personal data, you may already owe a Data Protection Impact Assessment under GDPR Article 35 — and the two assessments overlap on affected individuals and risk. Article 27(4) recognises this directly: where a DPIA already exists, the FRIA complements it, and you should not duplicate the analysis you have already done.

The practical move is to treat the DPIA as an input. Reuse the data-flow and affected-persons analysis, then extend it to the fundamental-rights questions the DPIA does not ask — non-discrimination, access to essential services, and the human-oversight and remedy measures specific to the AI system.

What you do with the result

A FRIA is not a drawer document. Under Article 27(3), once the assessment is complete, the deployer must notify the market surveillance authority of its results, submitting the filled-out template that the AI Office makes available for the purpose. Keep the FRIA, its evidence and its review history together — if a regulator asks, you want to produce the reasoning and the date it was signed, not reconstruct it.

That auditability is the point of doing the FRIA inside a system rather than a word processor: every element is timestamped, owned and re-openable, and it links to the obligations and oversight measures it references.

Frequently Asked Questions

What is a FRIA under the EU AI Act?

A Fundamental Rights Impact Assessment (FRIA) is a structured assessment, required by Article 27, of how a high-risk AI system could affect people's fundamental rights. It documents the deployment context, the people affected, the specific risks of harm, the human oversight measures, and what the deployer will do if a risk materialises.

Who has to complete a FRIA?

FRIAs are a deployer obligation. They apply to deployers that are public bodies or private entities providing public services, and to deployers of the Annex III §5 systems for creditworthiness/credit scoring and for risk assessment and pricing in life and health insurance. Providers do not complete the FRIA — though they supply the instructions for use it relies on.

When does the FRIA need to be done?

Before the high-risk AI system is first used. It must be kept current and revisited if the system's purpose, the affected population, or the oversight arrangements change. For deployers in scope, completing the FRIA is a precondition of lawful deployment, not a post-launch task.

Is a FRIA the same as a GDPR DPIA?

No, but they overlap. A DPIA under GDPR Article 35 focuses on personal-data risk; a FRIA focuses on fundamental-rights risk from the AI system. Article 27(4) lets the FRIA complement an existing DPIA, so you reuse the shared analysis (data flows, affected persons) and extend it to fundamental-rights questions the DPIA does not cover.

What do I do with the FRIA once it is finished?

Under Article 27(3), the deployer notifies the market surveillance authority of the FRIA's results using the template provided by the AI Office. You should retain the assessment, its supporting evidence and its review history so it can be produced on request during an inspection.
