FRIA | 10 Apr 2026

Who must complete a FRIA under the EU AI Act? Deployers, providers, and exemptions

Article 27 requires certain deployers of high-risk AI systems to complete a Fundamental Rights Impact Assessment before first use. This guide explains who is obligated, who is exempt, and common edge cases.

The FRIA obligation applies to deployers, not providers

A common misconception is that providers (developers) of high-risk AI systems must conduct the FRIA. In fact, Article 27 assigns the obligation to deployers, the organisations that use the system in a real-world context. This distinction matters because the same AI system may require different FRIAs depending on the deployment context, affected population, and organisational setting.

Specifically, the obligation applies to deployers that are bodies governed by public law, private entities providing public services, and deployers of certain high-risk AI systems listed in Annex III points 5(b) (creditworthiness) and 5(c) (insurance risk assessment). If your organisation deploys a high-risk AI system in any of these categories, a FRIA is mandatory before first use.

Edge cases and exemptions

SMEs deploying high-risk AI systems outside the categories listed above are not required to conduct a FRIA under Article 27, but may still choose to do so as best practice. Additionally, if a DPIA under GDPR Article 35 has already been completed, the FRIA can build upon it rather than starting from scratch (Article 27(4)).

Military and national security uses are exempt from the entire Regulation (Article 2(3)), so no FRIA is required. Law enforcement deployers have specific carve-outs but still face FRIA requirements for biometric identification systems used in publicly accessible spaces.

What the FRIA must contain

The FRIA must describe the deployer's processes using the AI system, the period and frequency of use, the categories of persons and groups likely to be affected, the specific risks of harm considering the deployment context, and the human oversight measures in place. Results must be notified to the relevant market surveillance authority.

Unlike a DPIA, the FRIA focuses specifically on fundamental rights, not just data protection. It should address discrimination risk, access to essential services, and impacts on vulnerable groups. ActLoom's FRIA module walks deployers through each required element and generates a compliant report linked to the system's risk classification.