Pricing
    About UsCareersContactPartnersPressStatus
    Start FreeLog in
    FRIA
    5 min readUpdated 2025-01-27

    When is FRIA Required?

    Understand the triggers and requirements for conducting a Fundamental Rights Impact Assessment under Article 27.

    Fundamental Rights Impact Assessment (FRIA)

    Article 27 of the EU AI Act requires certain deployers to conduct a Fundamental Rights Impact Assessment before deploying high-risk AI systems.

    Who Must Conduct a FRIA?

    FRIA is required when all of the following conditions are met:

  1. You are a deployer (not just a provider)
  2. The AI system is classified as high-risk (Annex III)
  3. You fall into one of these categories:

    4. - Public body / body governed by public law

    - Private entity providing public services

    - Deployer of certain Annex III systems (credit scoring, insurance, emergency services)

    Specific Triggers

    #### Public Authorities

    Any public body deploying high-risk AI must conduct a FRIA.

    Examples:

  4. Government agencies
  5. Municipalities
  6. Public hospitals
  7. State universities
  8. Regulatory bodies

    9. #### Private Entities Providing Public Services

    Private organizations performing public functions:

    Examples:

  9. Private hospitals under public contracts
  10. Utility companies
  11. Public transport operators
  12. Social service providers

    13. #### Specific Annex III Use Cases

    Regardless of public/private status, FRIA is required for:

  13. Credit scoring (essential services access)
  14. Life/health insurance risk assessment
  15. Emergency services dispatch prioritization

    16. FRIA Timing

    ScenarioWhen to Conduct FRIA
    First deploymentBefore putting the system into use
    Material changesBefore implementing significant changes
    New use caseBefore extending to new applications
    Periodic reviewAs defined in your governance policy

    What FRIA Must Include

    Article 27 specifies six mandatory elements:

    (a) Process Description

  16. How the deployer uses the AI system
  17. Intended purpose in operations
  18. Decision points affected

    19. (b) Time Period & Frequency

  19. Duration of intended use
  20. How often it will be used
  21. Scale of affected individuals

    22. (c) Affected Categories

  22. Natural persons/groups likely affected
  23. Vulnerable group identification
  24. Geographic scope

    25. (d) Specific Risks to Fundamental Rights

  25. Right-by-right risk analysis
  26. Harm categories
  27. Severity and likelihood assessment

    28. (e) Human Oversight Measures

  28. Oversight design
  29. Competence requirements
  30. Intervention authority

    31. (f) Mitigation & Governance

  31. Risk mitigation measures
  32. Governance arrangements
  33. Complaint mechanism
  34. Monitoring plan

    35. Notification Requirements

    After completing your FRIA:

  35. Notify the market surveillance authority (unless exempt)
  36. Use the prescribed template (when available)
  37. Update when circumstances change

    38. Exemptions

    You may be exempt from notification (not from conducting FRIA) if:

  38. National security exemption applies
  39. Military/defense context
  40. Research-only use (not affecting people)

    41. Integration with DPIA

    If you've already conducted a DPIA (Data Protection Impact Assessment) under GDPR, you can:

  41. Reference and build upon the DPIA
  42. Reuse relevant risk analyses
  43. Extend rather than duplicate

    44. However, FRIA has broader scope than DPIA:

    AspectDPIAFRIA
    FocusPersonal data protectionAll fundamental rights
    TriggerHigh-risk data processingHigh-risk AI deployment
    RightsPrivacy & data protectionDignity, non-discrimination, safety, etc.