Fundamental Rights Impact Assessment (FRIA): EU AI Act Article 27 Explained

Article 27 of the EU AI Act introduces a pre-deployment fundamental rights assessment for certain deployers. It is not a GDPR DPIA, it is not optional for those in scope, and it must be notified to your national market surveillance authority. Here is what it requires.

Article 27 of EU AI Act Regulation 2024/1689 introduces a new mandatory assessment for certain deployers of high-risk AI systems: the Fundamental Rights Impact Assessment, or FRIA. It is one of the least understood obligations in the regulation, in part because it applies to deployers (not providers), and in part because the term "fundamental rights" is broader than most legal teams expect.

Who Must Conduct a FRIA

Not every deployer of a high-risk AI system is required to conduct a FRIA. The obligation applies to deployers that are either:

  • Public bodies -- any national, regional, or local authority, or a body governed by public law, deploying any high-risk AI system listed in Annex III; or
  • Private bodies deploying high-risk AI systems listed in specific points of Annex III: point 1 (biometric identification), point 6 (law enforcement), point 7 (migration and border control), or point 8 (administration of justice)

If you are a private company deploying an AI system for hiring decisions (Annex III, point 4), credit assessment (point 5), or education (point 3), you are not currently required to conduct a formal FRIA under Article 27 -- but you still carry all other deployer obligations under Article 26.

Note that this may change. The European Commission is required to review and potentially expand the FRIA scope.

What a FRIA Must Cover

Article 27(1) specifies that the FRIA must assess, prior to deployment, the impact on fundamental rights that the use of the high-risk AI system may produce. Specifically:

  1. A description of the deployer's processes in which the AI system will be used, including the purpose and conditions of use
  2. The period of time and geographic scope for which the system will be used
  3. The categories of natural persons and groups likely to be affected
  4. The specific risks of harm to fundamental rights, including dignity, privacy, non-discrimination, data protection, freedom of expression, and access to justice
  5. The human oversight measures taken and the technical and organisational measures to address identified risks
  6. A list of the relevant fundamental rights bodies or authorities that have been consulted, where applicable

The FRIA is not a GDPR DPIA. It covers a broader set of rights -- dignity, expression, access to justice, non-discrimination -- not just data protection. A DPIA does not substitute for a FRIA.

Key Differences from a GDPR DPIA

| Dimension       | GDPR DPIA (Article 35)                            | EU AI Act FRIA (Article 27)                                          |
|-----------------|---------------------------------------------------|----------------------------------------------------------------------|
| Trigger         | High-risk data processing                         | Deployment of specific high-risk AI systems                          |
| Who does it     | Data controller                                   | Deployer of the AI system                                            |
| Scope of rights | Data protection rights                            | All fundamental rights (Charter of Fundamental Rights of the EU)     |
| Timing          | Before processing begins                          | Before the AI system is put into use                                 |
| Overlap         | AI systems processing personal data require both  | If personal data is involved, both a DPIA and a FRIA are required    |

Notification to Market Surveillance Authorities

Article 27(4) requires that deployers who have conducted a FRIA must notify the relevant national market surveillance authority of the results before putting the AI system into use. This is an active obligation, not a passive record-keeping one.

Practical Steps for Deployers

  1. Determine scope: Identify whether your deployment falls within the FRIA-required categories (public body deploying Annex III systems, or private body deploying Annex III points 1, 6, 7, or 8)
  2. Map affected groups: Document all categories of natural persons whose fundamental rights could be affected, including indirect effects
  3. Assess rights: Go beyond data protection -- consider non-discrimination (Article 21 EU Charter), freedom of expression (Article 11), right to an effective remedy (Article 47), and access to essential services
  4. Document mitigations: For each identified risk, document both the human oversight measure and the technical control
  5. Notify authority: Submit results to the relevant national supervisory authority before deployment
  6. Keep records: Maintain the FRIA in your technical documentation (Annex IV) and update it when the system changes materially

Interaction with the Classify Step

Before you can determine whether a FRIA is required, you need to know which Annex III point your AI system falls under. The Vigilens classifier identifies your system's Annex III category, prohibited-practice exposure, and GPAI applicability in six questions -- which is the prerequisite for determining your FRIA obligation.

Frequently Asked Questions

Is a GDPR DPIA sufficient to satisfy the EU AI Act FRIA requirement?

No. A GDPR DPIA covers data protection rights only. The EU AI Act FRIA covers the full range of fundamental rights under the EU Charter, including dignity, non-discrimination, freedom of expression, and access to justice. If your AI system processes personal data, you will need both a DPIA and a FRIA.

Do private companies need to conduct a FRIA for hiring AI?

Under current Article 27, private companies deploying AI for employment purposes (Annex III, point 4) are not explicitly required to conduct a formal FRIA. The FRIA obligation for private entities currently applies only to deployment of Annex III points 1, 6, 7, and 8. However, all deployers carry other Article 26 obligations including human oversight and monitoring.

Vigilens automates EU AI Act compliance -- turning Articles 9, 12, 13, and 14 into machine-executable controls with continuous evidence from your engineering tools.