Fundamental Rights Impact Assessment (FRIA)
Article 27 of the EU AI Act requires certain deployers of high-risk AI systems to conduct a Fundamental Rights Impact Assessment before putting the system into use. The FRIA evaluates the potential impact on the fundamental rights of persons affected by the system.
Why the FRIA matters
The FRIA is distinct from a Data Protection Impact Assessment (DPIA). While a DPIA focuses on data processing risks, the FRIA addresses the broader spectrum of fundamental rights: dignity, non-discrimination, freedom, access to justice, social protection, and more.
Failure to conduct a required FRIA is a Tier 2 violation: up to €15 million or 3% of global turnover. The FRIA must be completed before the system is put into use, and results must be notified to the market surveillance authority.
The FRIA is closely linked to the Annex IV technical documentation (which providers must prepare) and to incident reporting obligations — if a rights-impacting incident occurs after deployment, the FRIA is key evidence in the response.
Who must conduct a FRIA?
Not all high-risk AI system deployers must conduct a FRIA. Article 27 applies specifically to deployers in these contexts:
- Public bodies, and private entities acting on behalf of public bodies
- Providers of essential private services, such as banking, insurance, and credit scoring
- Health and life insurance providers using AI for risk assessment or pricing
- Entities using AI to evaluate creditworthiness or establish credit scores
- Deployers of AI systems used in migration, asylum, and border control
- Deployers of AI systems used to evaluate eligibility for public assistance benefits
FRIA vs DPIA: key differences
| Aspect | FRIA (Article 27) | DPIA (GDPR Article 35) |
|---|---|---|
| Scope | All fundamental rights (EU Charter) | Data protection only |
| Trigger | Deploying high-risk AI in specified contexts | High-risk data processing |
| Legal basis | EU AI Act | GDPR |
| Notification | Market surveillance authority | Supervisory authority (if high residual risk) |
| Both needed? | Often yes, alongside a DPIA; the two are complementary, not substitutes | Often yes, alongside a FRIA; the two are complementary, not substitutes |
How to prepare a FRIA: step by step
1. Describe the AI system and its context
Document the system's intended purpose, the deployment context, the categories of natural persons and groups likely to be affected, and the geographic and temporal scope of use.
2. Identify affected fundamental rights
Map the system's potential impact on rights from the EU Charter: dignity, non-discrimination, privacy, data protection, freedom of expression, right to an effective remedy, rights of the child, worker protections, and access to public services.
3. Assess the likelihood and severity of impact
For each identified right, evaluate the probability of adverse impact and the severity of harm. Consider whether effects are direct or indirect, reversible or permanent, and whether they disproportionately affect vulnerable groups.
4. Identify mitigation measures
Document specific technical, organisational, and governance measures to reduce identified risks: human oversight protocols, appeal mechanisms, bias monitoring, data quality controls.
5. Plan monitoring and review
Define how you will monitor the system's impact on fundamental rights during operation, how often the FRIA will be reviewed, and under what conditions it must be updated.
6. Engage affected stakeholders
Where appropriate, involve representatives of affected groups, data protection officers, equality bodies, or civil society organisations in the assessment process.
7. Notify the market surveillance authority
After completing the FRIA, notify the relevant national market surveillance authority of the results. This notification must be submitted before the system is put into use.
Common mistakes
- Confusing the FRIA with a DPIA — the FRIA specifically addresses fundamental rights beyond data protection.
- Performing the FRIA after deployment instead of before putting the system into use.
- Limiting the analysis to direct users and ignoring indirect effects on third parties and communities.
- Not involving affected stakeholder groups in the assessment process.
- Treating the FRIA as a one-time exercise — it must be updated when circumstances change significantly.
How ActLoom supports FRIA preparation
- Guided FRIA workflow — step-by-step wizard that walks your team through each assessment phase with contextual prompts and examples.
- Rights mapping — automatically identifies which fundamental rights may be affected based on your system's classification and deployment context.
- Export-ready reports — generate compliant FRIA reports ready for market surveillance authority notification.
- Review scheduling — automated reminders to reassess the FRIA when system or context changes occur.
Frequently asked questions
- Who needs a Fundamental Rights Impact Assessment (FRIA)?
- Under Article 27, deployers of high-risk AI systems must conduct a FRIA when they are public bodies, private entities acting on behalf of public bodies, or providers of essential private services such as banking, insurance, credit scoring, and health insurance.
- Is the FRIA mandatory for all AI systems?
- No. The FRIA is only mandatory for deployers of high-risk AI systems in the specific contexts listed in Article 27. Minimal-risk and limited-risk AI systems do not require a FRIA, though a voluntary assessment is still good practice.
- What is the difference between a FRIA and a DPIA?
- A DPIA (GDPR Article 35) focuses exclusively on data protection risks. A FRIA covers the full spectrum of EU Charter fundamental rights — dignity, non-discrimination, freedom of expression, access to justice, and social protection. Both are often required simultaneously and are complementary.
- What is the penalty for not conducting a required FRIA?
- Failure to conduct a required FRIA is a Tier 2 violation: fines of up to €15 million or 3% of global annual turnover, whichever is higher.
- When must the FRIA be completed?
- The FRIA must be completed before the high-risk AI system is put into use. Results must be notified to the relevant market surveillance authority before deployment.