EU AI Act | June 29, 2026 | 14 min read

FRIA & CNIL: France Guide to the EU AI Act Article 27

How French deployers run an Article 27 FRIA: reuse your CNIL AIPD/DPIA, apply CNIL AI guidance, find France market-surveillance authorities, with an example.

Antonella Serine

Founder, KLA Digital

Founder of KLA Digital, building the independent runtime governance control plane for regulated AI agents under the EU AI Act.

Regulatory status

The high-risk FRIA date is 2 August 2026 and is binding today. The Digital Omnibus (provisionally agreed ~7 May 2026) would defer stand-alone Annex III high-risk obligations to 2 December 2027, but it is not yet law, so keep preparing on the 2 August 2026 basis.

Reuse your AIPD

Article 27(4) lets a French AIPD (the GDPR DPIA) feed the FRIA as input. The AIPD does not discharge the FRIA, which must still cover every relevant EU Charter right.

French authority

France has not yet formally designated its AI Act market-surveillance authorities. A 9 September 2025 schema proposes the DGCCRF as the Article 70 single point of contact, the CNIL as de-facto lead for personal-data and biometric AI, and the ACPR for finance, pending parliamentary adoption.

Diagram of a France FRIA flow: a data protection impact assessment feeding a fundamental-rights gate, the affected individual, and the market-surveillance authority.

Running a FRIA in France: build on the CNIL data protection impact assessment, assess fundamental rights, and notify the market surveillance authority.

French deployers reach the EU AI Act Article 27 Fundamental Rights Impact Assessment (FRIA, in French analyse d'impact sur les droits fondamentaux) from a familiar starting point: a mature data-protection practice built around CNIL's analyse d'impact relative à la protection des données (AIPD), the French name for the GDPR DPIA. This guide adapts the generic FRIA template to the French context. It covers how Article 27(4) lets you reuse an AIPD as input, what CNIL's published AI guidance provides and where it stops, and which French authority receives the Article 27(3) notification once designations are settled. The binding preparation date is 2 August 2026. The Digital Omnibus (provisionally agreed ~7 May 2026) would defer stand-alone Annex III high-risk obligations, including the Article 27 FRIA, to 2 December 2027, but it is not yet law, so keep preparing on the 2 August 2026 basis. You can draft a structured assessment with the free FRIA generator.

The FRIA in France: an Article 27 duty read through CNIL

The FRIA is a deployer obligation under Article 27 of the EU AI Act, and it reaches French organisations in two ways. Bodies governed by public law and private entities providing public services must conduct a FRIA before deploying any Annex III high-risk system. In France that group includes organismes de sécurité sociale, public hospitals, schools and universities, social-housing operators, and concession-holders running public services. Separately, regardless of public or private status, any deployer using AI to evaluate creditworthiness or set credit scores falls in scope under Annex III point 5(b), with a carve-out for AI used to detect financial fraud, and so does any deployer using AI for risk assessment and pricing in life and health insurance under Annex III point 5(c).

The obligation sits with the deployer, the organisation that puts the system into use under its own authority. The provider supplies the inputs the deployer needs under Articles 11 to 13 (Annex IV technical documentation, instructions for use, and the known risks and limitations of the system), and the deployer builds the FRIA on top of that material. The deployer also owns the Article 27(3) notification. For a French deployer the practical consequence is that the duty cannot be delegated to the AI vendor.

Most high-risk deployments that already trigger a FRIA in France also process personal data, so they already require an AIPD under GDPR Article 35. Benefit-eligibility scoring, credit scoring, and life and health insurance pricing all involve large-scale processing of personal data about identifiable people, frequently including vulnerable groups. That overlap is why the French route into the FRIA runs through the AIPD. To confirm whether a given system is high-risk in the first place, work through the high-risk classification guide; for the data-protection layer, see our companion on DPIAs for AI systems.

Reuse your AIPD: Article 27(4) and the CNIL DPIA methodology

Article 27(4) is the load-bearing provision for French deployers. It provides that where any of the Article 27 obligations are already met through a data protection impact assessment conducted under Article 35 of Regulation (EU) 2016/679 (the GDPR) or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment under paragraph 1 "shall complement that data protection impact assessment." The practical reading is that an existing AIPD is reused as input to the FRIA. It does not discharge the FRIA, which still has to address every relevant Charter right.

France has unusually deep DPIA infrastructure to draw on. CNIL has published a PIA methodology since 2015, made up of three guides (a method, templates, and a knowledge base), alongside free open-source PIA software. A DPIA is mandatory under GDPR Article 35 where a processing is likely to result in a high risk to the rights and freedoms of natural persons, which covers the high-risk AI systems in scope for a FRIA. The AIPD you produce with that methodology becomes the substrate the FRIA extends.

The map below shows which Article 27(1) elements an AIPD typically already covers and what the FRIA still has to add. The pattern is consistent: the AIPD handles the data-protection layer well and the system context partially, while the rights-specific analysis covering non-discrimination, good administration, and social rights is where the FRIA does most of its own work. The DPIA-to-FRIA generator is built around exactly this reuse.

Article 27(4) reuse map — what a CNIL AIPD already covers and what the FRIA adds

FRIA element (Article 27(1)) | Covered by the CNIL AIPD/DPIA? | What the FRIA must still add
(a) System description & intended purpose | Partly — the AIPD describes the processing | Deployer-side process framing plus the provider's intended purpose (Annex IV and Article 13 inputs)
(b) Duration & frequency of use | Mostly — the AIPD context section | Decision volume, geographic scope, and deployment cadence
(c) Categories of affected persons | Partly — the AIPD lists data subjects | Indirectly affected third parties and vulnerable groups (Charter Art 24 to 26)
(d) Specific risks to fundamental rights | Partly — the AIPD assesses risks to rights and freedoms, but through a data-protection lens | All non-data-protection Charter rights: non-discrimination, good administration, social security
(e) Human oversight measures | Lightly — the AIPD security and measures section | Article 14-aligned oversight roles, intervention powers, and training
(f) Measures if risks materialise and complaints | Partly — the AIPD has measures and redress | Rights-specific safeguards, complaint and redress, and the Article 27(3) authority notification

CNIL's published AI guidance, and what it leaves to the AI Office

CNIL has built its AI work on the GDPR. Since 2023 it has issued a sequence of recommendations and how-to sheets (fiches pratiques) that explain how data-protection law applies to AI development and deployment. None of them is an Article 27 FRIA template.

On 7 February 2025 CNIL published two recommendations: one on informing data subjects when their data is used to train AI models, and one on facilitating the exercise of data-subject rights (access, rectification, objection, and deletion) in AI systems.

On 22 July 2025 CNIL finalised three further recommendations, on determining when the GDPR applies to AI models, on data annotation, and on secure AI system development, together with a summary sheet and a downloadable compliance checklist. CNIL also announced sector-specific guidance to come, covering education, health, and employment, and work on the responsibilities of actors across the AI value chain.

CNIL also publishes a self-assessment guide for AI systems, an analysis grid of seven fact sheets for assessing an AI system's GDPR maturity: proportional integration of AI with a clear objective, building a quality training dataset in line with the GDPR, developing and training the algorithm, guaranteeing the system's quality and transparency in use, securing the processing, transparency and rights for end-users, and assigning responsibilities and documenting the processing.

All of this material is genuinely useful for the data-protection layer of a French AI deployment. It does not include an Article 27 FRIA template. Under Article 27(5) that template, including an automated tool, is the European AI Office's responsibility, and as of June 2026 it had not been published. French deployers should structure the FRIA around the six Article 27(1) elements and treat CNIL's AIPD material as the data-protection input.

Who supervises the AI Act in France, and who you notify under Article 27(3)

France has not yet formally designated its national competent authorities and market-surveillance authorities under the AI Act, and it has not notified them to the Commission. It missed the 2 August 2025 deadline for doing so, and is among the member states that have not formalised their designations. Until a designation is enacted, CNIL, the ACPR, and the other candidate bodies act on a de-facto basis without formal AI Act status.

A government governance schema published on 9 September 2025 proposes a sector split. It is a proposal awaiting parliamentary adoption and has not been enacted. Under it, the DGCCRF would be the coordinating market-surveillance authority and the Article 70 single point of contact; the DGE would hold the liaison office and France's seat on the European AI Board; the CNIL would lead for personal-data and biometric AI, plus employment, law enforcement, border control, and biometric identification (around fifteen use cases); the ACPR would cover financial-services AI; Arcom would handle audiovisual content and deepfakes; ANSSI and PEReN would pool technical expertise; and HAS and ANSM would cover health and medical-device AI.

The designation provisions were carried in, and then withdrawn from, the DDADUE bill (loi portant diverses dispositions d'adaptation au droit de l'Union européenne) in the Assemblée nationale, and the schema is still awaiting parliamentary adoption. Separately, CNIL has publicly argued that data-protection authorities should be designated as market-surveillance authorities for a number of high-risk AI systems, citing their fundamental-rights expertise and the need to keep the GDPR and the AI Act coherent.

The table below summarises the proposed assignment. Read every row as a proposal.

Proposed under the 9 September 2025 government schema; designations are awaiting parliamentary adoption and were not yet enacted as of mid-2026 — France had not formally notified its competent authorities to the Commission.

AI domain (France) | Proposed authority (9 Sep 2025 schema) | Status
Single point of contact / coordinating MSA (Art 70) | DGCCRF | Proposed; not yet enacted
France seat on the European AI Board / liaison office | DGE | Proposed; not yet enacted
Personal-data & biometric AI (and employment, law enforcement, border, biometric ID) | CNIL (de-facto lead) | Proposed; CNIL acts de facto
Financial-services AI (incl. credit) | ACPR | Proposed; not yet enacted
Audiovisual / deepfakes / content | Arcom | Proposed; not yet enacted
Pooled technical expertise | ANSSI + PEReN | Proposed; not yet enacted
Health & medical-device AI | HAS / ANSM | Proposed; not yet enacted

What the unsettled designation means for your notification

For a French deployer the practical consequence is concrete. The Article 27(3) notification recipient is not yet formally fixed, so you cannot file the notification to a designated authority today. Keep a complete Article 27(1) dossier ready to submit, monitor the designation decree, and file once the recipient authority is named. The binding obligation is to prepare the dossier; the filing destination is still being settled.

Worked example: a French public body scoring benefit eligibility

Consider a French public social-protection fund, an organisme de sécurité sociale such as a family-allowance or social-benefits fund, that deploys an AI system to score beneficiaries for control review. The system flags households for an overpayment or eligibility re-check. This is Annex III point 5(a): AI used by or on behalf of public authorities to evaluate eligibility for, or to grant, reduce, revoke, or reclaim, essential public assistance benefits and services. As a public body deploying an Annex III high-risk system, the fund must conduct an Article 27 FRIA before first use. It already runs a CNIL AIPD on the same processing, so this case shows the Article 27(4) reuse in practice.

One legal hook deserves attention. If the score drives a reduction or suspension of benefits with no meaningful human involvement, it is a solely automated decision producing legal or similarly significant effects, which GDPR Article 22(1) prohibits unless an Article 22(2) exception applies. For a public benefits decision the usual route is Article 22(2)(b), authorisation by Union or Member State law that lays down suitable safeguards. The cleaner control is to keep a human meaningfully in the loop with authority to override, so the decision is not solely automated, and to give the recipient the right to express a view and to contest the outcome. That requirement belongs in both the AIPD and the FRIA.

Each risk in the register is rated on likelihood and severity, and the two ratings combine into a single risk level using the scoring matrix in the FRIA template. Recording the reasoning behind each rating matters as much as the rating itself.

The risk register for the benefit-scoring FRIA

The register below is Section 4 of the FRIA (Article 27(1)(d)) for this deployment. It is the level of specificity a French market-surveillance authority and a court would expect, and the kind of output the FRIA generator produces.

Worked example — public benefit-eligibility scoring FRIA risk register

Fundamental right | Harm scenario | Likelihood | Severity | Risk | Mitigation | Residual
Non-discrimination (Charter Art 21) | Proxy variables (place of residence, household composition, frequency of prior contact) correlate with protected characteristics, so single parents, disabled and foreign-born recipients are flagged for control at disproportionate rates. | Likely | Major | High | Quarterly disparate-impact testing across protected groups; remove or transform proxy features; independent algorithmic audit; publish the scoring methodology and selection criteria. | Medium
Private life & data protection (Charter Art 7-8; GDPR) | Cross-matching multiple administrative databases to build the score is intrusive and exceeds what is necessary. | Possible | Major | High | Data-minimisation and necessity test carried over from the CNIL AIPD/DPIA; restrict the databases cross-matched; document lawful basis; CNIL PIA software for the data-protection layer. | Medium
Good administration & effective remedy (general principle of good administration; Charter Art 47) | An opaque score triggers a benefit suspension the recipient cannot understand or contest. | Possible | Major | High | Mandatory human review before any suspension; individualised, intelligible reasons for an adverse decision; accessible appeal channel; the score never auto-terminates a benefit. | Low
Social security; child & disability rights (Charter Art 34, 24, 26) | An erroneous flag cuts essential subsistence income for a dependent household. | Unlikely | Catastrophic | High | Hardship safeguard with no suspension pending review; expedited manual pathway; continuous monitoring of false-positive and error rates by group. | Medium
GDPR Article 22 (solely automated decisions) | The score determines reduction or suspension with no meaningful human involvement, making it an unlawful solely automated decision with legal or similarly significant effect. | Possible | Major | High | Keep meaningful, non-rubber-stamp human review with authority to override so the decision is not solely automated; where an Article 22(2) exception is relied on, implement the required safeguards (meaningful human intervention, the right to express a view and to contest the decision); keep the AIPD and FRIA in one integrated file. | Medium

A France-specific FRIA checklist

The French route into the FRIA has a natural order. Start from the AIPD, extend to the full set of Charter rights, then assemble the notification dossier so it is ready when the recipient authority is named.

  • Run or refresh the AIPD first. Use CNIL's PIA methodology and free PIA software to document the data-protection layer: lawful basis, necessity, proportionality, data minimisation, security, and data-subject rights. This is the Article 27(4) input.
  • Confirm the trigger. Check the system against Article 6 and Annex III with the high-risk classification guide, and confirm your deployer category.
  • Extend to all Charter rights. Add the non-data-protection rights the AIPD does not reach: non-discrimination (Article 21), good administration (a general principle of EU law) and an effective remedy (Charter Article 47), and social rights (Articles 34, 24, 26). Document human oversight under Article 14.
  • Map obligations to controls and evidence. Use control mapping to tie each Article 27 requirement to a concrete control and a piece of evidence.
  • Assemble the notification dossier. Document all six Article 27(1) elements so the file is ready to submit under Article 27(3) once France names the recipient authority.
  • Watch the moving parts. Track the designation decree and the Digital Omnibus status, and revisit the EU AI Act overview for the current deadline picture.

Two companion guides

Two companion guides go deeper on adjacent questions. For a full worked credit-scoring FRIA, including the Annex III 5(b) fraud-detection carve-out and the GDPR Article 22 interaction, see the credit-scoring FRIA example. For how France is approaching the EU AI Act harmonised standards, see the France and prEN 18286 debate.

Frequently Asked Questions

Is the CNIL the competent authority for the FRIA in France?

Not formally yet. France has not enacted its AI Act authority designations and missed the 2 August 2025 deadline. A 9 September 2025 government schema proposes the DGCCRF as the Article 70 single point of contact, the CNIL as de-facto lead for personal-data and biometric AI, and the ACPR for financial-services AI, but the designation provisions stalled in the DDADUE bill in Parliament. Until a decree is adopted, the Article 27(3) notification recipient is not formally fixed, so keep your Article 27(1) documentation ready to file.

Can a French AIPD (DPIA) replace the FRIA?

No. Article 27(4) provides that the FRIA complements a DPIA conducted under GDPR Article 35; it does not replace it. You reuse the parts the AIPD already covers, such as data, security, and some risks, and the FRIA additionally assesses every relevant EU Charter right, including non-discrimination, good administration, and social rights, beyond data protection alone.

Does the CNIL provide a FRIA template?

No. CNIL publishes GDPR-focused material — AI recommendations and how-to sheets, a self-assessment guide for AI systems, and DPIA (AIPD) methodology with free open-source PIA software — without an Article 27 FRIA template. The official FRIA template is the European AI Office's responsibility under Article 27(5), and it had not been published as of June 2026.

Which French authorities will supervise high-risk AI systems?

Under the proposed 9 September 2025 schema, the DGCCRF coordinates as single point of contact, the CNIL leads personal-data and biometric AI (and employment, law enforcement, and biometric identification), the ACPR covers finance, Arcom covers audiovisual content and deepfakes, and ANSSI with PEReN provide technical support. These remain proposals awaiting parliamentary adoption.

Does CNIL's AI guidance cover the EU AI Act?

CNIL recommendations are grounded in the GDPR. They interpret how data-protection law applies to AI development and deployment. CNIL coordinates with the AI Act in practice and has publicly argued that data-protection authorities should be designated as market-surveillance authorities for high-risk AI systems that affect fundamental rights, to keep the GDPR and the AI Act coherent.

Which French deployers must run a FRIA?

Public-law bodies and private entities providing public services that deploy Annex III high-risk AI, plus, regardless of public or private status, any deployer using AI for creditworthiness or credit scoring under Annex III 5(b) (except fraud detection) or for life and health insurance risk assessment and pricing under Annex III 5(c).

After the FRIA, what do I notify, and to whom, in France?

Article 27(3) requires the deployer to notify the market-surveillance authority of the FRIA results, using the AI Office's Article 27(5) template once it exists. Because France has not yet formally designated that authority, keep a complete Article 27(1) dossier ready to file. The binding preparation date remains 2 August 2026 unless and until the Digital Omnibus is published in the Official Journal, which would move it to 2 December 2027.

Key Takeaways

A French FRIA is most efficient when it starts from work you already have. Run or refresh the CNIL AIPD, reuse it as the Article 27(4) input, then extend the assessment to every relevant Charter right and assemble the Article 27(1) dossier so it is ready to notify once France names the recipient authority. The binding preparation date is 2 August 2026, and the Digital Omnibus would move it to 2 December 2027 only once it is published in the Official Journal, so the practical course is the same either way: prepare now. You can draft a structured assessment with the free FRIA generator, and to see how this maps to a live deployment, book a demo. This article is for general information only and is not legal advice; confirm your obligations under Article 27 with qualified counsel, and re-check the regulatory status — French authority designations and the Digital Omnibus are both still moving — before relying on any deadline or notification route.
