EU Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Explainer

FRIA: fundamental rights impact assessment in the public sector

Adopted 2026-06-29 · Dirk Baaijen

Public authorities and private providers of public services must conduct a Fundamental Rights Impact Assessment (FRIA) before first deploying a high-risk AI system and must notify the results to the market surveillance authority.

Short answer: Article 27 of Regulation (EU) 2024/1689 (the EU AI Act) requires public authorities and private entities providing public services to conduct a Fundamental Rights Impact Assessment (FRIA) before first deploying a high-risk AI system. The FRIA must map risks to all rights protected by the EU Charter of Fundamental Rights and be notified to the national market surveillance authority. The obligation applies from 2 August 2026.

Who is obliged?

Article 27 targets three categories of deployers. First: public authorities and other bodies governed by public law that deploy high-risk AI systems. Second: private organisations providing public services — such as education, healthcare, social security, housing, or the administration of justice. Third: all deployers, regardless of legal form, using AI systems for creditworthiness assessment or risk pricing in life and health insurance. Systems falling under point 2 of Annex III (safety components of critical digital infrastructure, road traffic management, water and energy supply) are explicitly excluded from the FRIA obligation.

What must a FRIA contain?

The regulation prescribes six mandatory elements:

  1. A description of the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose.
  2. The duration and frequency of the intended use.
  3. The categories of natural persons and groups likely to be affected.
  4. The specific risks of harm to those categories, including risks of discrimination or violation of privacy.
  5. How human oversight is implemented in accordance with the provider's instructions for use.
  6. Measures to address materialised risks, including complaint mechanisms and governance arrangements.

Notification requirement and relation to the DPIA

Upon completion, the deployer must notify the results to the competent market surveillance authority. The European AI Office is developing a standardised questionnaire template for this purpose. The FRIA is complementary to — and does not replace — the Data Protection Impact Assessment (DPIA) required under Article 35 GDPR: both instruments may be required simultaneously. The FRIA covers the full EU Charter of Fundamental Rights; the DPIA is limited to privacy and personal data.

Timeline

The obligations for high-risk AI systems, including Article 27, apply from 2 August 2026. The FRIA must be carried out before first deployment; for repeated use in comparable contexts, a previously conducted assessment may be relied upon provided it is kept up to date.

Sources

  1. https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX:32024R1689
    Regulation (EU) 2024/1689, the EU AI Act — official consolidated text on EUR-Lex
  2. https://artificialintelligenceact.eu/article/27/
    Full text of Article 27 of the AI Act, including scope and content requirements
  3. https://securiti.ai/eu-ai-act/article-27/
    Analysis of Article 27: deployer categories, Annex III delineation, and notification obligation
