FRIA (Fundamental Rights Impact Assessment)
Fundamental Rights Impact Assessment pursuant to Article 27 EU AI Act
TL;DR
A Fundamental Rights Impact Assessment (FRIA) is mandatory pursuant to Article 27 EU AI Act for the following deployers of high-risk AI systems: public bodies, private entities performing public tasks, and deployers of systems under Annex III No. 5(b) (credit scoring) and No. 5(c) (life/health insurance scoring). Contents: description of the AI use, affected persons, fundamental rights risks, mitigation measures.
What is a FRIA (Fundamental Rights Impact Assessment)?
The FRIA under Article 27 is NOT the DPIA under Article 35 GDPR; however, the two may be integrated (Article 26(9) EU AI Act).
Obligated deployers:
- All types of public bodies
- Private bodies performing public tasks
- Annex III No. 5(b): creditworthiness assessment (banks, credit scoring providers)
- Annex III No. 5(c): life and health insurance scoring
Application date: 02 August 2026; NOT affected by the Digital Omnibus proposal (19 November 2025).
Notification obligation: the FRIA result must be reported to the market surveillance authority (Article 27(3)).
Practical example
A savings bank deploys AI-based credit scoring.
- Description: model for creditworthiness assessment of private customers
- Affected persons: applicants (private customers)
- Fundamental rights risks: discrimination (gender, origin), informational self-determination, right to explanation
- Mitigation measures: bias tests, human final decision, explainability module, complaints channel
- Notification to BaFin (sectoral supervision) + market surveillance