
What Is a Fundamental Rights Impact Assessment (FRIA)?

Definition · 18 June 2026 · 6 min read

A Fundamental Rights Impact Assessment (FRIA) is an EU AI Act Article 27 duty: certain deployers must assess the fundamental-rights harms of a high-risk AI system before first use. This entry covers who owes one and what it must contain.

A Fundamental Rights Impact Assessment (FRIA) is the assessment that certain deployers of a high-risk AI system must complete, before first putting it into use, of the risks the system poses to people's fundamental rights in their specific context of use. It is introduced by Article 27 of Regulation (EU) 2024/1689 — the EU AI Act — and it is a deployer-side duty, not a provider duty.

"Fundamental rights" here tracks the EU Charter of Fundamental Rights: non-discrimination, human dignity, access to essential public and private services, privacy, fair process and effective remedy. That is broader than data protection alone.

This entry defines the term, says who owes one, lists what it must contain, and distinguishes it from a conformity assessment and a DPIA. For depth, follow the links to the full Article 27 guide and the step-by-step template.


Who must complete a FRIA?

Article 27(1) limits the duty to specific deployers. It does not apply to every deployer of high-risk AI. The narrowness is the point.

Two groups owe a FRIA:

  • Public-character deployers. Bodies governed by public law, plus private entities providing public services — a municipality, a public benefits agency, or a private operator delivering an essential public service — deploying any Annex III high-risk system.
  • Two private, sector-specific cases regardless of public character. Deployers of Annex III point 5(b) creditworthiness assessment and credit scoring (fraud detection excluded), and deployers of Annex III point 5(c) risk assessment and pricing in life and health insurance.

Most private-sector deployers — general marketing, adtech, internal logistics, route optimisation — do not owe a standalone FRIA. A FRIA only ever attaches to a system that is high-risk under Article 6. If the system is not high-risk, there is no FRIA duty at all. The two private cases above are the narrow exception: they are the only Annex III categories Article 27 names regardless of whether the deployer performs a public function.

Company size is irrelevant to the trigger. A small lender using an Annex III credit-scoring model owes a FRIA exactly as a large one does; SME or start-up status affects only the penalty cap, never whether the duty applies. Nor does buying the system off the shelf remove the duty — the FRIA attaches to the deployer's own context of use, which the provider cannot have assessed in advance. For the underlying roles, see deployer and high-risk AI system.


What a FRIA must contain

Article 27(1)(a)-(f) fixes six mandatory content elements. The deployer must assess and document each one — the list is not a menu to pick from.

Element  | What it requires
---------|------------------------------------------------------------------
27(1)(a) | A description of the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose.
27(1)(b) | The period of time and the frequency over which the system is intended to be used.
27(1)(c) | The categories of natural persons and groups likely to be affected in the specific context of use.
27(1)(d) | The specific risks of harm likely to affect those persons or groups, taking into account the provider's information.
27(1)(e) | The human oversight measures, according to the instructions for use.
27(1)(f) | The measures to take if those risks materialise, including internal governance and complaint mechanisms.

The assessment is forward-looking and context-specific: it asks what this system, in this deployer's processes, could do to the rights of the people it touches — not whether the model is technically sound, which is the provider's question. Element 27(1)(d) explicitly draws on the information the provider supplies, so a FRIA is built on top of the provider's documentation rather than in place of it.

Under Article 27(3), once the FRIA is done the deployer notifies the market surveillance authority of the results — using the template the AI Office is to provide — and keeps the assessment up to date when any element changes. A material change to the processes, the affected groups, or the period of use reopens the FRIA. The how-to belongs to a step-by-step FRIA template.


How a FRIA differs from a conformity assessment and a DPIA

The FRIA is routinely confused with two neighbouring duties. They are distinct.

FRIA vs conformity assessment

A conformity assessment under Article 43 is a provider duty, done before the system is placed on the market, to prove it meets the technical requirements of Articles 9-15. A FRIA is a deployer duty, done before first use, to assess rights harms in the actual context of use. Different party, different stage, different question. Completing one does not discharge the other.

FRIA vs DPIA

A DPIA under Article 35 of Regulation (EU) 2016/679 (GDPR) is data-centric: it assesses risks to personal data and privacy. A FRIA covers the wider set of fundamental rights — discrimination, access to services, dignity, fair process. Article 27(4) lets a FRIA complement an existing DPIA where the elements overlap, but a DPIA does not satisfy the FRIA duty, and a FRIA does not satisfy Article 35 GDPR. For the full side-by-side, see how a FRIA differs from a DPIA.

One point on enforcement, so the term is self-contained: failing the Article 27 FRIA duty is a deployer-obligation breach under Article 99(4), up to €15 million or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the two.


When the FRIA duty applies

Article 27 has no separate FRIA date; it tracks the high-risk Annex III timeline. As enacted, stand-alone high-risk Annex III obligations under Article 6(2) apply from 2 August 2026.

The Digital Omnibus reached provisional political agreement on 6-7 May 2026 (COREPER confirmed the text around 13 May 2026), agreeing to defer stand-alone high-risk Annex III to 2 December 2027. But as of June 2026 it is not yet law: it still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal. Until then the statute legally still reads 2 August 2026. The deferral uses fixed calendar dates; the standards-contingent "stop the clock" variant was rejected. Plan against 2 August 2026 until the deferral is enacted.


How Confir helps

Confir's classification workflow asks a structured set of plain-English questions about how your organisation uses each AI system, then derives whether the Article 27 FRIA duty applies to you and which of the six Article 27(1)(a)-(f) elements you still owe. Where a FRIA is required it generates the assessment record, flags overlap with an existing DPIA, and tracks the notification to the market surveillance authority. The engine is deterministic and rule-based — no model inference, no hallucination. Same intake, same finding, every time.
