Article 27 of the EU AI Act: FRIA Explained
Article 27 introduces the Fundamental Rights Impact Assessment (FRIA) — a document certain deployers of high-risk AI must complete before first use, to surface and mitigate risks to people's rights.
What Article 27 requires
The FRIA describes the deployment process and intended purpose, the period and frequency of use, the categories of people affected, the specific risks of harm to those people, the human-oversight measures, and the steps to take if risks materialise. Where a DPIA already exists, the FRIA can complement it.
Who it binds
Deployers that are public bodies or private operators providing public services, and deployers using high-risk systems for creditworthiness/credit scoring or life and health insurance risk assessment.
Key points
- Required before first use, by specific deployers only.
- Distinct from a GDPR DPIA, though the two can be aligned.
- Focuses on impact to people's fundamental rights.
FAQ
Who has to do a FRIA?
Public bodies and private providers of public services deploying high-risk AI, plus deployers using high-risk AI for credit scoring or life/health insurance risk assessment.
Related articles
Run the free 2-minute checker — deterministic, no sign-up.