FRIA: Guide to Fundamental Rights Impact Assessment
A Fundamental Rights Impact Assessment (FRIA) is mandatory for certain deployers of high-risk AI. Here we explain everything you need to know โ from legal requirements to practical implementation.
Last updated: March 14, 2026
What is a FRIA?
A FRIA (Fundamental Rights Impact Assessment) is an impact assessment that analyses how a high-risk AI system may affect individuals' fundamental rights. The concept is introduced in Article 27 of the EU AI Act (Regulation 2024/1689).
Unlike a standard risk analysis, FRIA focuses specifically on human rights โ not technical risks. The purpose is to identify, assess, and mitigate potential negative consequences before the AI system is put into service.
FRIA is part of the broader compliance framework for high-risk AI and must be carried out before the system is used in operations, not after deployment.
Important: FRIA does not replace the Data Protection Impact Assessment (DPIA) required under GDPR. The two assessments complement each other โ DPIA focuses on personal data, FRIA on fundamental rights.
Why does Article 27 require an impact assessment?
Article 27 of the EU AI Act establishes that certain deployers of high-risk AI systems must conduct a FRIA before the system is put into service. The requirement exists because AI systems classified as high-risk by definition can have significant impact on people's rights.
The EU legislator recognises that traditional risk analyses do not capture all dimensions of impact that AI systems can have on individuals and groups. A FRIA forces the organisation to systematically think through the consequences from a rights perspective.
The assessment must be documented, kept up to date, and made available to the supervisory authority upon request. It must also take into account the provider's instructions for use and the specific context in which the system is used.
Deadline: The FRIA requirement applies from August 2, 2026 for AI systems falling under Annex III. Organisations using high-risk AI need to have completed their FRIA before this date.
Who must conduct a FRIA?
Under Article 27, the following categories of deployers must conduct a FRIA before putting a high-risk AI system into service:
- Public bodies (government agencies, municipalities, regions)
- Private entities providing public services
- Organisations using AI systems for credit scoring or creditworthiness assessment of natural persons
- Organisations using AI systems for risk assessment and pricing of life and health insurance
- All other deployers of high-risk AI systems who assess that a FRIA is needed based on the system's impact
Note that organisations that do not fall under the mandatory categories may choose to conduct a FRIA voluntarily โ it is considered best practice and can strengthen the organisation's compliance position.
Which fundamental rights are assessed?
FRIA must assess the AI system's potential impact on the rights protected by the EU Charter of Fundamental Rights. The most important rights to assess in AI use are:
Human dignity (Article 1)
Does the AI system risk treating individuals in a way that violates their dignity? Example: automated decisions that reduce people to scores or categories without the possibility of individual assessment.
Non-discrimination (Article 21)
Could the system systematically disadvantage individuals based on gender, ethnicity, age, disability, religion, or other protected grounds? This is often the most important right to assess in AI use.
Protection of personal data (Article 8)
How does the AI system handle personal data? Even though GDPR compliance is handled separately, FRIA should assess the broader impact on the right to data protection, including transparency and control.
Freedom of expression (Article 11)
Could the system restrict or affect individuals' freedom of expression? Relevant for AI systems that moderate content, filter information, or influence what information reaches users.
Right to an effective remedy (Article 47)
Do individuals affected by the AI system's decisions have the ability to appeal or request a review? The system must enable meaningful human oversight and appeal mechanisms.
Right to work and social protection (Articles 15, 34)
For AI systems in recruitment and workforce management: could the system affect access to employment, working conditions, or social protection in a negative way?
How to conduct a FRIA โ step by step
The process for conducting a FRIA may vary depending on the AI system's complexity and use case. Here are the fundamental steps:
- Identify the AI system and its purpose. Describe the system, its intended use, and the context in which it will be deployed. Include the provider's instructions for use.
- Map affected individuals and groups. Which people are affected by the system's decisions or outputs? Include both directly and indirectly affected parties.
- Assess impact on fundamental rights. Go through each relevant right systematically and assess how the system may affect it โ positively and negatively.
- Identify risk mitigation measures. For each identified risk, define concrete measures to reduce or eliminate the negative impact.
- Define monitoring processes. Describe how the organisation will monitor the system's actual impact on rights during operation.
- Document and archive. Compile the assessment into a structured document that can be presented to the supervisory authority upon request.
- Update regularly. FRIA must be kept up to date โ especially when there are significant changes to the system, new use cases, or new information about risks.
How we help you with FRIA
Our FRIA tool guides you through the entire process with AI support:
- Structured questionnaire โ Answer targeted questions about your AI system and its impact on fundamental rights.
- Automatic rights mapping โ The tool identifies which rights are most relevant based on your system's use case.
- Mitigation suggestions โ Get concrete suggestions for risk mitigation measures based on industry practice and EU guidelines.
- Export and archiving โ Generate a complete FRIA report in PDF format, ready for review and archiving.
Need technical documentation as well? Read our Annex IV guide for a complete walkthrough.
See all deadlines in our EU AI Act timeline.
Frequently asked questions about FRIA
What is the difference between FRIA and DPIA?
DPIA (Data Protection Impact Assessment) is required under GDPR and focuses on the protection of personal data. FRIA (Fundamental Rights Impact Assessment) is required under the EU AI Act and focuses on fundamental rights broadly โ including discrimination, dignity, and access to remedies. The two assessments complement each other.
Must all deployers of high-risk AI conduct a FRIA?
No, Article 27 specifies that the requirement applies to public bodies, private entities providing public services, and organisations using AI for credit scoring or insurance pricing. However, other organisations are recommended to conduct a FRIA voluntarily.
When must the FRIA be completed?
FRIA must be completed before the high-risk AI system is put into service. The requirement applies from August 2, 2026 for systems falling under Annex III. This means organisations should start the work well in advance of the deadline.
How often does the FRIA need to be updated?
FRIA should be updated when there are significant changes to the AI system, new use cases, or new information about the system's impact on fundamental rights. There is no fixed interval, but an annual review is recommended as a minimum.
What happens if you don't conduct a FRIA?
Failure to comply with Article 27 can result in fines. The EU AI Act prescribes fines of up to 15 million euros or 3% of global annual turnover for failure to meet deployer requirements for high-risk AI systems.
Conduct your FRIA with our tool
Our AI-powered tool guides you through the entire impact assessment โ step by step. Structured, complete, and exportable.
Get early access