HUDERIA and the COBRA model: the Council of Europe gives its AI treaty a method

The Council of Europe's Framework Convention on AI is the first legally binding international AI instrument, but it shares a weakness with every treaty: it prescribes what, not how. Article 16 obliges parties to carry out a risk and impact assessment of AI systems for human rights, democracy and the rule of law — without saying what such an assessment looks like. HUDERIA is the answer to that gap, and in 2026 it acquired its practical toolkit.

One name, two layers

HUDERIA stands for Human Rights, Democracy and the Rule of Law Risk and Impact Assessment. It comes in two layers, both developed by the Council of Europe's Committee on Artificial Intelligence (CAI), the methodology co-authored with the UK's Alan Turing Institute.

The first layer is the HUDERIA Methodology, adopted by the CAI on 28 November 2024: the conceptual framework setting out the steps an assessment runs through. The second is the HUDERIA Model, approved by the Committee of Ministers on 25 February 2026 at the 1551st meeting of the Ministers' Deputies in Strasbourg. The model is not new theory but an implementation kit: flexible tools, illustrative resources and scalable recommendations that make the methodology usable.

COBRA: from context to risk

The pivot of the model is COBRA — Context-Based Risk Analysis. COBRA is the first of four elements that together make up the assessment:

1. Context-Based Risk Analysis (COBRA) — systematically mapping an AI

system's context, design and deployment to identify the risks it could pose to human rights, democracy and the rule of law.

1. Stakeholder Engagement Process — drawing in those affected as a source of

evidence that a purely technical analysis misses.

1. Risk and Impact Assessment — weighing severity and likelihood against

settled measures (scale, scope, probability, reversibility).

1. Mitigation Plan — the governance measures and accountability mechanisms

that translate the assessment into action.

The approach is deliberately socio-technical: HUDERIA treats the whole life cycle of an AI system as the product of technology, human choices and social structures, not as an isolated model problem.

Non-binding — and usable for that very reason

HUDERIA is standalone, legally non-binding guidance. The Convention requires an assessment; HUDERIA is an offered way to do it, which parties are free to use or adapt. That freedom is not a weakness but the design: the Council of Europe spans states with very different legal systems, and a mandatory template would only complicate ratification. The model therefore supplies a common language and sequence, not a straitjacket.

HUDERIA alongside the AI Act's FRIA

For those who know the EU, the comparison with the fundamental rights impact assessment (FRIA) of Article 27 of the AI Act is obvious — but the two are not interchangeable. The FRIA is binding but narrow: it applies only to certain deployers of high-risk AI and focuses on fundamental rights. HUDERIA is non-binding but broad: it spans human rights, democracy and the rule of law, covers the full life cycle, and is tied to a treaty that reaches beyond the EU. For an organisation caught by both the AI Act and a ratified Framework Convention, HUDERIA is the instrument that connects them: a FRIA built along the HUDERIA steps will, in practice, satisfy both obligations.

What it means

The significance of 25 February 2026 is not that a new rule arrived — none did — but that the only binding international AI treaty now has a finished, published method for discharging its core obligation. That shifts HUDERIA from academic framework to reference instrument: just as the NIST AI Risk Management Framework became the US reference, HUDERIA is likely to become the default route for the human-rights assessment across the dozens of states ratifying the Framework Convention. Organisations now building an AI impact assessment would do well to take the four HUDERIA steps as the backbone — it is the structure regulators will point to.