FRIA: Fundamental Rights Impact Assessment
Article 27 requires certain deployers to assess AI impact on fundamental rights before use. Here's who needs one, what to include, and how to keep it current.
Who Needs a FRIA?
Not sure if you need a FRIA? Use our High-Risk Checker tool to assess your systems, then check if FRIA trigger conditions apply.
The Six Required Elements
Article 27 specifies six elements (a)–(f) that every FRIA must include:
(a) Process Description
Describe your organization's processes where the AI system will be used, including human oversight arrangements
(b) Duration & Frequency
Specify how long and how often the AI system will be used
(c) Affected Persons
Identify categories of people likely to be affected, including vulnerable groups
(d) Potential Harms
Assess risks to fundamental rights—non-discrimination, privacy, due process, access to services
(e) Human Oversight
Detail oversight design, competence requirements, and authority to intervene
(f) Mitigation & Governance
Describe mitigation measures, governance arrangements, and complaint mechanisms
Timing & Updates
Before First Use
The FRIA must be performed prior to putting the AI system into use. You cannot deploy first and assess later.
Ongoing Updates
The FRIA must be updated when appropriate—it's a living document, not a one-time checkbox.
Update Triggers
FRIA & DPIA: Working Together
Leverage Existing Work
Article 27 explicitly states that where a Data Protection Impact Assessment (DPIA) has already been carried out, the FRIA should complement it—you can use relevant information from the DPIA to avoid duplication.
This means your GDPR compliance work feeds directly into EU AI Act compliance. Klarvo links DPIA references directly to your FRIA workflow.
Notification Requirements
Market Surveillance Authority
In most cases, you must notify the relevant market surveillance authority of the FRIA results using a prescribed template. Some exemptions apply—check the specific requirements for your jurisdiction.
Related Resources
FRIA Template
Downloadable template aligned with Article 27 requirements.
High-Risk Guide
Understand Annex III categories and deployer obligations.
FRIA Software
Guided FRIA workflow with PDF export.
Frequently Asked Questions
What is a FRIA under the EU AI Act?
A Fundamental Rights Impact Assessment (FRIA) is required by Article 27 for certain deployers of high-risk AI systems. It assesses the impact on fundamental rights before the system is put into use and includes process description, affected persons, risks, oversight, and mitigation measures.
Who needs to conduct a FRIA?
Public bodies deploying high-risk AI, private entities providing public services with high-risk AI, and deployers of credit scoring or life/health insurance risk assessment systems must conduct FRIAs.
When must a FRIA be completed?
The FRIA must be completed prior to putting the high-risk AI system into use. It's not a one-time exercise—you must update it when relevant circumstances change.
Do we need to notify anyone of the FRIA results?
Yes, in most cases you must notify the market surveillance authority of the FRIA results using a prescribed template, unless an exemption applies.
How does FRIA relate to DPIA?
FRIA and DPIA (Data Protection Impact Assessment) are complementary. Article 27 explicitly allows leveraging relevant information from an existing DPIA to avoid duplication.
Conduct Your FRIA with Confidence
Klarvo's FRIA workflow guides you through all six elements and generates audit-ready PDF reports.