FRIA: when must I run a fundamental-rights impact assessment (Art. 27)?
If you deploy high-risk AI as a public body, a provider of public services, or for creditworthiness or life- and health-insurance pricing, Art. 27 AI Act requires a fundamental-rights impact assessment (FRIA) before use.
Short answer: Not every user of high-risk AI has to run a fundamental-rights impact assessment (FRIA). Article 27 of the AI Act imposes that duty only on specific deployers: public bodies, private parties that provide public services, and those using high-risk AI to assess creditworthiness or for risk assessment and pricing in life and health insurance. The FRIA must be completed before first use.
Who must run the FRIA
Article 27 of Regulation (EU) 2024/1689 addresses the deployer, not the provider. The duty applies when using a high-risk AI system within the meaning of Annex III, and only for:
- bodies governed by public law, or private parties that provide public services;
- use to evaluate creditworthiness or establish a credit score (with an exception for detecting financial fraud);
- use for risk assessment and pricing in life and health insurance.
Other deployers of high-risk AI are in principle not caught by the FRIA duty. A purely private company running a high-risk planning system without a public-service context or a credit or insurance purpose, for example, need not run a FRIA, though other high-risk obligations may still apply.
What the assessment must contain
The FRIA describes how the system is actually used and what that means for fundamental rights. Specifically:
- the processes in which the system will be used, in line with its intended purpose;
- the period and frequency of use;
- the categories of persons likely to be affected;
- the specific risks to the fundamental rights of those persons;
- the human-oversight measures in line with the instructions for use;
- the mitigation measures for when risks materialise, including complaint and governance arrangements.
Once drawn up, you notify the result to the market surveillance authority via the designated template. Update the assessment when the relevant factors change materially.
Relation to the GDPR DPIA
The FRIA and the GDPR data-protection impact assessment (DPIA) can partly overlap. Where you already carry out a DPIA, the FRIA complements it: it does not replace the DPIA, but you need not reproduce information you have already gathered. Treat them as complementary checks: the DPIA looks at data processing, the FRIA more broadly at the impact on fundamental rights.
Sources
- Regulation (EU) 2024/1689 (AI Act), Art. 27: fundamental rights impact assessment. https://eur-lex.europa.eu/eli/reg/2024/1689/oj