Who actually needs a FRIA? The narrow scope of Article 27
Who needs a FRIA? Article 27 binds only three kinds of deployer: bodies governed by public law, private entities providing public services, and any deployer of Annex III credit-scoring or life/health insurance systems. The assessment is due before first use of the system, and the obligation is expected to apply from 2 December 2027.
Under Article 27 of Regulation (EU) 2024/1689, the EU AI Act, the Fundamental Rights Impact Assessment (FRIA) binds a narrow set of deployers. It is a deployer obligation, never a provider obligation as such, and it catches only three categories of deployer: bodies governed by public law, private entities providing public services, and any deployer of Annex III credit-scoring or life and health insurance systems. Each must complete the assessment before first use of the high-risk system.
Everyone else deploying Annex III high-risk AI, including most private companies, owes the Article 26 deployer duties but no FRIA. The obligation tracks the Annex III timeline: 2 August 2026 in the statute as published, deferred to 2 December 2027 under the Digital Omnibus agreement of May 2026, which is agreed but not yet law. This chapter sets out the three triggers, the carve-out, the six required contents, the timing rules and a decision table to run your AI inventory through.
The short answer: a narrow set of organisations
A deployer obligation, not a provider obligation — Article 3(4)
Article 27 addresses deployers. Under Article 3(4), a deployer is any natural or legal person, public authority, agency or other body using an AI system under its authority, except where the system is used in the course of a personal non-professional activity. Providers as such are never caught. The FRIA assesses the deployment context, which the provider cannot know in advance.
The only way a provider owes a FRIA is by also being a deployer. A public body that builds an eligibility-scoring system in-house and runs it on its own citizens wears both hats, and the deployer hat carries the FRIA. For the statutory text, see Article 27 in full. This chapter assumes your system is already classified high-risk under Article 6(2) and Annex III.
Three triggers, one carve-out — Article 27(1)
Article 27(1) names exactly three trigger categories, all tied to high-risk systems referred to in Article 6(2):
- bodies governed by public law deploying any Annex III system;
- private entities providing public services deploying any Annex III system;
- any deployer, public or private, of Annex III point 5(b) credit-scoring systems or point 5(c) life and health insurance risk-assessment and pricing systems.
There is a built-in carve-out. Systems intended to be used as safety components in critical infrastructure (Annex III point 2) are excluded from the FRIA duty, even when the deployer is a public body. Outside the sector trigger in points 5(b) and 5(c), most private-sector Annex III deployments trigger nothing here. A private company running recruitment-screening AI under Annex III point 4(a) owes the full set of Article 26 deployer duties, but no FRIA.
The three Article 27 triggers in detail
Bodies governed by public law
The first trigger covers the public sector in the broad EU sense: ministries, municipalities, regional authorities, executive agencies, courts, public universities and public hospitals. If such a body deploys any Annex III high-risk system, whether exam scoring, welfare-benefits eligibility or migration case triage, the FRIA is owed before first use. The only exception is the Annex III point 2 carve-out above.
Private entities providing public services — Recital 96
The second trigger reaches private organisations delivering services of a public nature. The operative text does not exhaustively define public services. Recital 96 is the best interpretive anchor, pointing to education, healthcare, social services, housing and the administration of justice. A privately owned clinic delivering publicly funded care, a private operator allocating social housing, a contractor running administrative-justice workflows: all sit within the FRIA's rationale despite private ownership.
There is a real grey zone here, because the operative text leaves the term open and national practice may vary at the margins. If your model sits near the boundary (privately delivered, publicly funded, essential to access), plan for the FRIA rather than against it.
Credit scoring and life/health insurance — Annex III points 5(b) and 5(c)
The third trigger is sector-based, not status-based. Any deployer of an Annex III point 5(b) system, meaning creditworthiness evaluation and credit scoring of natural persons, with an express exception for financial-fraud detection, owes a FRIA. So does any deployer of a point 5(c) system for risk assessment and pricing of natural persons in life and health insurance. A fully private bank or insurer is caught on this ground alone. The guide to credit scoring AI walks the 5(b) boundary in detail.
Point 5(c) has a clear limit: it covers life and health insurance only. Motor, property or liability pricing is outside point 5(c) and does not trigger Article 27 on this ground.
Who needs a FRIA: the decision table
How to read the table
Run every Annex III system in your inventory through the three triggers, then apply the point 2 carve-out. Only the hits go on the FRIA calendar. The misses stay on your Article 26 checklist.
| Deployer | System and Annex III point | Trigger | FRIA required? |
|---|---|---|---|
| Ministry | Welfare-benefits eligibility AI — point 5(a) | Body governed by public law | Yes |
| Municipality | Exam-scoring AI — point 3 | Body governed by public law | Yes |
| Private clinic, publicly funded care | Emergency patient-triage AI — point 5(d) | Private entity providing public services | Yes |
| Private bank | Credit-scoring AI — point 5(b) | Sector trigger — any deployer | Yes |
| Insurer | Life/health risk-assessment and pricing AI — point 5(c) | Sector trigger — any deployer | Yes |
| Private company | Recruitment-screening AI — point 4(a) | None — Article 26 duties still apply | No |
| Insurer | Motor or property pricing AI | Outside point 5(c) | No |
| SaaS vendor selling, not deploying | Any high-risk system | Provider role only | No |
| Grid operator, even a public body | Critical-infrastructure safety AI — point 2 | Express carve-out in Article 27(1) | No |
Edge cases the table resolves
Three rows settle the most common confusion. The recruitment row confirms that high-risk classification alone never creates a FRIA duty for an ordinary private deployer. The SaaS row confirms that selling a system is not deploying it. The grid-operator row confirms the carve-out beats the public-body trigger: Annex III point 2 systems are FRIA-exempt even in public hands.
What the FRIA must contain: six required elements
The six elements — Article 27(1)(a)–(f)
The FRIA is not free-form. Article 27(1) prescribes six elements:
- a description of the deployer's processes in which the high-risk system will be used, in line with its intended purpose;
- the period of time and the frequency with which the system is intended to be used;
- the categories of natural persons and groups likely to be affected in the specific context of use;
- the specific risks of harm likely to have an impact on those categories, taking into account the information the provider supplies in the Article 13 instructions for use;
- a description of how the human oversight measures will be implemented, again following the instructions for use;
- the measures to be taken if those risks materialise — including the internal governance arrangements and complaint mechanisms.
Element (d) carries most of the analytical weight: it converts the provider's general risk disclosures under Article 13 into deployment-specific exposure for the categories of persons identified under element (c), the people your system actually touches.
Using the AI Office template — Article 27(5)
Article 27(5) tasks the AI Office with developing a template questionnaire, including an automated tool, to ease the burden on deployers. You do not need to wait for it. The FRIA template gives you a working structure mapped element-by-element to Article 27(1)(a)–(f), ready to populate from your provider's instructions for use.
Timing: before first use, then keep it current
First use, not every use — Article 27(1) and (2)
The FRIA must be performed before the system is first used, and Article 27(2) confirms that the obligation applies to that first use rather than to every subsequent use. In similar cases, Article 27(2) also lets the deployer rely on a previously conducted FRIA, or on an existing impact assessment carried out by the provider, rather than rebuilding from scratch for every roll-out.
Update and notification duties — Article 27(2) and (3)
The duty continues after day one. If the deployer considers that any of the six elements has changed or is no longer up to date during use, such as a new affected group, a different frequency or revised oversight, Article 27(2) requires it to update the assessment. Once the FRIA is performed, Article 27(3) requires the deployer to notify the market surveillance authority of the results, submitting the filled-out Article 27(5) template as part of the notification. A narrow exemption from notification exists only for the Article 46(1) case, where a market surveillance authority has authorised putting a system into service for exceptional reasons of public security, protection of life and health, environmental protection or protection of key industrial and infrastructural assets.
Which deadline applies — the 2 December 2027 caveat
The statute as published applies Annex III high-risk obligations from 2 August 2026. The Digital Omnibus (provisional political agreement of 6–7 May 2026, COREPER text confirmed around 13 May 2026) agreed to defer that date to 2 December 2027. As of June 2026 the deferral is agreed but not yet law: the European Parliament plenary vote, formal Council adoption and Official Journal publication are all outstanding. The new date is a fixed calendar date. The standards-contingent stop-the-clock approach was rejected, so do not plan around harmonised-standards availability.
Calendar each FRIA against the first use of the triggering system, not the regulatory deadline, because first use may come earlier.
The DPIA bridge: build on GDPR Article 35, don't duplicate
What you can reuse from an existing DPIA — Article 27(4)
Where any FRIA obligation is already met through a data protection impact assessment conducted under GDPR Article 35, or under Article 27 of Directive (EU) 2016/680 for law-enforcement processing, Article 27(4) provides that the FRIA complements that DPIA. Reuse the affected-persons mapping, the risk identification and the mitigation inventory you already hold, and document the deltas.
Where the FRIA goes further than data protection
The FRIA's scope is wider than personal data. It covers the full spread of fundamental rights, including non-discrimination, access to essential services, consumer protection and the right to an effective remedy, not just privacy. The FRIA builds on but does not replace the DPIA, and both can be required in parallel for the same system. See FRIA vs DPIA for the element-by-element comparison and the DPIA for AI systems for the GDPR side of the workflow. The efficient sequence starts from the existing DPIA, maps its sections to the six Article 27(1) elements, and writes only what is missing. That is gap mapping, not duplicated assessments.
Enforcement: what skipping the FRIA costs
The Article 99 fine tiers
Article 99(4) sets fines up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher. Its list of covered provisions expressly names deployer obligations under Article 26 (point (e)) but does not enumerate Article 27. Enforcement of the FRIA therefore runs primarily through the corrective powers of market surveillance authorities rather than through a named fine tier.
That is not a licence to skip it. The Article 27(3) notification duty makes omissions visible, and a missing FRIA notification is one of the easiest gaps for an authority to detect. Supplying incorrect, incomplete or misleading information to authorities, including in the FRIA notification, risks fines up to EUR 7.5 million or 1% of total worldwide annual turnover under Article 99(5). The third tier is 1%, not the higher figure some secondary commentary cites. For SMEs and start-ups, Article 99(6) caps each fine at whichever of the stated percentage or amount is lower.
Public-body accountability — Article 99(8)
For public-sector deployers, the largest FRIA constituency, Article 99(8) leaves each Member State to decide to what extent administrative fines can be imposed on its own public authorities and bodies. Accountability runs through national rules and administrative oversight rather than a uniform EU fine.
Your FRIA action plan before 2 December 2027
Five steps to calendar now
- Confirm classification. Verify each system is Annex III high-risk under Article 6(2). The draft Commission guidelines on high-risk classification under Article 6(5), published 19 May 2026, with a targeted consultation open until 23 June 2026 and a final version expected later in 2026, give practical in/out examples. They are not legally binding: authoritative interpretation rests with the Court of Justice of the EU, and the final text may change.
- Screen each deployment against the three Article 27 triggers and the Annex III point 2 carve-out, using the decision table above.
- Pull your existing GDPR Article 35 DPIAs as the foundation and map them to the six FRIA elements.
- Draft the FRIA with the FRIA template, covering processes, period and frequency, affected groups, specific risks, human oversight, and governance and complaint arrangements.
- Calendar completion before first use of each triggering system, diarise the market surveillance authority notification, and set a review trigger for any change to the six elements.
Where this chapter sits in the guide
Chapter 5 established which role you hold: provider, deployer or both. This chapter resolved whether that role carries a FRIA. Chapter 7 corrects the timeline that every deadline in this guide hangs on, including the one below.
The decision you need to make: identify which of your Annex III systems trigger Article 27, then calendar the FRIA before the first use of each one, against the agreed but not yet enacted 2 December 2027 high-risk date, with the 2 August 2026 statute text as the conservative fallback. If none of your systems trigger, your work continues under Article 26 deployer duties. If any do, the FRIA belongs at the front of your deployment plan, not the end.
How Confir helps
Confir's AITO module (Transparency and Human Oversight) runs the Article 27 workflow end to end. The intake first establishes whether you are caught at all. It screens each registered system against the three Article 27(1) triggers and the Annex III point 2 carve-out, so a FRIA only appears on your task list when the Regulation actually requires one. For qualifying deployments, the module walks you through the six mandatory elements, draws the risk inputs from the provider's Article 13 instructions for use on file, flags overlap with an existing GDPR Article 35 DPIA so you document deltas instead of duplicates, and produces a dated, structured FRIA ready for the market surveillance authority notification.
The engine is deterministic and rule-based. The same trigger answers produce the same scoping result and the same assessment structure every time, with no model inference and no hallucination. When the Digital Omnibus completes its legislative passage and the high-risk date formally moves to 2 December 2027, the rule set updates and every affected FRIA deadline in your workspace moves with it.
Frequently Asked Questions
Who needs a FRIA under the EU AI Act?
Deployers — not providers — of high-risk Annex III systems, and only in three cases: bodies governed by public law, private entities providing public services, and any deployer of credit-scoring systems (Annex III point 5(b)) or life and health insurance risk-assessment and pricing systems (point 5(c)). Article 27 requires the assessment before first use of the system.
Do private companies need a fundamental rights impact assessment?
Usually not. A private company deploying recruitment or employee-monitoring AI owes Article 26 deployer duties but no FRIA. Article 27 catches private deployers only if they provide public services — such as education, healthcare, social services or housing — or deploy credit-scoring or life and health insurance risk-assessment systems under Annex III points 5(b) and 5(c).
Is a FRIA the same as a DPIA?
No. A DPIA under GDPR Article 35 assesses risks to personal data; a FRIA under Article 27 assesses risks to all fundamental rights, including non-discrimination and access to services. Article 27(4) lets the FRIA complement an existing DPIA so deployers avoid duplicating the overlap, but neither replaces the other — both can be required in parallel.
When does a FRIA have to be completed?
Before the deployer first uses the high-risk system, under Article 27(1). It applies to first use; in similar cases deployers may rely on a previously conducted FRIA and must update it whenever any element changes. The obligation tracks the Annex III timeline: 2 August 2026 in the statute, deferred to 2 December 2027 under the agreed — not yet enacted — Digital Omnibus.
What must a fundamental rights impact assessment include?
Six elements under Article 27(1): the deployer's processes in which the system will be used in line with its intended purpose; the period and frequency of use; the categories of persons and groups likely affected; the specific risks of harm to them; the human oversight measures being implemented; and the measures, internal governance and complaint mechanisms if risks materialise.
Do providers of high-risk AI systems need a FRIA?
Not as providers. Article 27 binds deployers only. A provider completes conformity assessment, risk management and technical documentation before placing the system on the market; the FRIA assesses the deployment context the provider cannot know. A provider that also deploys its own system in a triggering context — for example a public body using in-house AI — owes a FRIA in its deployer role.
What happens if you don't do a FRIA?
Enforcement is less direct than for other duties: Article 99(4)'s EUR 15 million or 3% deployer tier expressly cites Article 26 rather than Article 27. But market surveillance authorities hold corrective powers, the Article 27(3) notification duty exposes omissions, and supplying incorrect or misleading information to authorities risks up to EUR 7.5 million or 1% under Article 99(5).