FRIA Template: Fundamental Rights Impact Assessment for EU AI Act Compliance

What is a Fundamental Rights Impact Assessment (FRIA)?

A Fundamental Rights Impact Assessment is a systematic evaluation process designed to identify, assess, and mitigate potential adverse impacts of high-risk AI systems on individuals' fundamental rights. Mandated under Article 27 of the EU AI Act, the FRIA represents the world's first legally binding impact assessment specifically focused on AI and fundamental rights.

The FRIA examines potential impacts across the full spectrum of rights protected under the EU Charter of Fundamental Rights, including human dignity (Article 1), right to life and integrity (Articles 2-3), respect for private and family life (Article 7), protection of personal data (Article 8), non-discrimination (Article 21), equality between women and men (Article 23), rights of the child, elderly, and persons with disabilities (Articles 24-26), freedom of expression (Article 11), and right to an effective remedy and fair trial (Article 47).

The assessment serves as a proactive measure, helping organizations identify and address potential harms before they occur. When properly conducted, a FRIA not only ensures regulatory compliance but also provides ethical assurance and a defensible position with regulators and courts.

FRIA vs. DPIA: Understanding the Key Differences

Many organizations mistakenly assume that a FRIA is simply a new name for the Data Protection Impact Assessment (DPIA) already required under the GDPR. While both assessments evaluate risk and share methodological similarities, they differ substantially in scope and focus.

The DPIA under GDPR Article 35 is primarily focused on data protection and privacy (Articles 7-8 of the Charter), triggered by high-risk processing of personal data, with the data controller as responsible party. The FRIA under AI Act Article 27 covers all fundamental rights in the EU Charter, triggered by deployment of high-risk AI systems, with the deployer as responsible party - and applies regardless of whether personal data is involved.

The EU AI Act explicitly acknowledges this complementary relationship. Article 27(4) states that if obligations under the FRIA are already met through a DPIA conducted under the GDPR, the FRIA should complement that assessment. In practice, organizations will often conduct both assessments concurrently and may consolidate them into a single integrated report - but the FRIA scope is fundamentally broader.

A crucial methodological difference is that the FRIA requires evaluation by fundamental right. It is not permissible to offset a negative impact on one right (such as non-discrimination) with a positive impact on another right (such as operational efficiency). Each right must be assessed independently.

When is FRIA Required Under the EU AI Act?

The obligation to conduct a FRIA does not apply to every deployer of a high-risk AI system. Article 27 establishes specific categories of deployers who must complete this assessment.

Public bodies governed by public law must conduct a FRIA before deploying high-risk AI systems listed in Annex III. Such bodies are established to meet needs in the general interest, have legal personality, are financed mainly by the state or public authorities, or are subject to management supervision by public authorities.

Private entities providing public services also fall within scope. This includes entities operating in education, healthcare, social services, housing, and administration of justice. The broad term "public services" without defining criteria suggests legislative intent to cover any deployer whose services reasonably affect the public interest.

Regardless of public or private status, deployers must conduct FRIAs for AI systems intended to evaluate creditworthiness or establish credit scores (except those used for detecting financial fraud), and AI systems for risk assessment and pricing in life and health insurance.

• Public bodies using high-risk AI for public services
• Private entities providing essential services (education, healthcare, social services, housing)
• All deployers using AI for creditworthiness evaluation or credit scoring
• All deployers using AI for life and health insurance risk assessment and pricing

High-Risk AI Categories Subject to FRIA

For public bodies and private entities providing public services, FRIAs are required for AI systems across most Annex III categories.

Category 1 (Biometrics) covers remote biometric identification systems, biometric categorization based on sensitive attributes, and emotion recognition systems. Category 3 (Education) includes systems determining access or admission to educational institutions, evaluating learning outcomes, assessing appropriate education levels, and monitoring prohibited behavior during tests.

Category 4 (Employment) covers recruitment and selection systems, systems affecting work-related decisions (promotion, termination, task allocation), and performance monitoring and evaluation systems. Category 5 (Essential Services) includes systems evaluating eligibility for public assistance benefits, creditworthiness evaluation, life and health insurance risk assessment, and emergency call classification and dispatch.

Category 6 (Law Enforcement) covers victim risk assessment, polygraph-type systems, evidence reliability evaluation, offending risk assessment, and profiling systems. Category 7 (Migration) includes risk assessment systems, asylum and visa application examination, and identification systems. Category 8 (Justice) covers systems assisting judicial authorities and alternative dispute resolution.

One notable exemption: AI systems used as safety components in critical digital infrastructure, road traffic, or utility supply are not subject to FRIA requirements.

FRIA Template: Key Sections

Article 27(1) specifies the mandatory elements that every FRIA must contain. The AI Office is developing an official template questionnaire to facilitate compliance, but organizations should structure their assessments around these required components.

Section 1 covers System Description and Intended Purpose. Document the deployer's processes in which the AI system will be used, aligned with its intended purpose as defined by the provider. Required information includes name and version of the AI system, provider contact information, clear description of intended purpose, specific use cases within your organization, operational context and environment, and technical specifications relevant to rights impacts.

Section 2 covers Duration and Frequency of Use. Document planned deployment start date, expected duration (indefinite, fixed term, pilot), frequency of system use (continuous, periodic, event-triggered), volume metrics (number of decisions per day/week/month), and geographic scope.

Section 3 covers Categories of Affected Persons. Identify direct users, individuals subject to AI-driven decisions, third parties indirectly affected, and specific demographic groups. Vulnerable populations requiring special attention include children, elderly, persons with disabilities, socioeconomically disadvantaged groups, minority ethnic or religious groups, non-native language speakers, and individuals with limited digital literacy.

Section 4 covers Specific Risks to Fundamental Rights. For each potentially affected right, evaluate likelihood (rare to almost certain), severity (negligible to catastrophic), reversibility (easily reversible to irreversible), and scale of affected population (individual to society-wide).

Section 5 covers Human Oversight Measures. Document designated individuals responsible for oversight, qualifications and training requirements, intervention capabilities, escalation procedures, monitoring protocols, and documentation requirements.

Section 6 covers Risk Mitigation Measures. Include technical measures (bias testing, accuracy thresholds, data quality controls, logging), organizational measures (governance structures, policies, training, review cycles), and procedural safeguards (right to human review, complaint mechanisms, accessible redress channels, fallback procedures).

How to Conduct a FRIA: Step-by-Step Guide

Step 1: Determine FRIA Applicability. Confirm that a FRIA is required by checking if your AI system is classified as high-risk under Article 6 and Annex III, whether your organization is a public body or private entity providing public services, or whether the AI system falls under Annex III point 5(b) or (c) for credit or insurance assessment.

Step 2: Gather Information from the AI Provider. The FRIA process depends heavily on information that providers are required to supply under Articles 11-13, including technical documentation per Annex IV, instructions for use, system capabilities and limitations, known risks and mitigation measures, and data about training datasets and potential biases.

Step 3: Assemble Your Assessment Team. FRIAs require diverse expertise including legal/compliance professionals, data protection officers, technical experts, domain experts (HR, healthcare, finance), representatives who understand affected communities, and risk management professionals.

Step 4: Map Affected Individuals and Rights. List all categories of individuals who interact with or are affected by the system, identify which fundamental rights could be impacted for each category, and consider both direct and indirect impacts.

Step 5: Conduct the Risk Assessment. For each identified right-at-risk, describe the potential harm scenario, assess likelihood and severity, assign a risk level, and document your reasoning and evidence.

Step 6: Design Mitigation Measures. For each identified risk, propose specific measures, assess feasibility, evaluate residual risk after mitigation, document responsibility for implementation, and establish monitoring mechanisms.

Steps 7-10: Document human oversight arrangements, establish complaint and redress mechanisms, obtain review and approval from legal counsel and organizational leadership, and notify the market surveillance authority after completion.

FRIA Examples by Industry

Financial Services Credit Scoring Example: A bank deploying AI for creditworthiness assessment must identify affected groups (loan applicants, with higher risk to historically underserved populations), primary rights at risk (non-discrimination, right to property, access to essential services), risk factors (training data may reflect historical biases, proxy variables could correlate with protected characteristics), and implement mitigation measures including regular bias audits, alternative assessment pathways, human review for borderline cases, and clear explanations of decision factors.

Healthcare AI Triage Example: A hospital emergency department using AI to prioritize patient care must address affected groups (all emergency patients, with heightened concern for elderly, disabled, non-native speakers), primary rights (right to life, healthcare access, human dignity, non-discrimination), risk factors (potential bias in symptom recognition across demographic groups), and ensure AI serves as decision support only with mandatory human clinical assessment.

HR Recruitment Screening Example: A corporation using AI to screen CVs must consider affected groups (all applicants, particularly those with non-traditional backgrounds, career gaps, foreign qualifications), primary rights (non-discrimination, right to work, equality between women and men), risk factors (historical hiring data may encode biases), and implement measures including anonymization of protected characteristics, regular bias testing, and human review of rejected applications in underrepresented groups.

Integrating FRIA with Other Compliance Requirements

Alignment with GDPR DPIA: When an AI system processes personal data, you likely need both a DPIA and a FRIA. Strategies include conducting concurrently, building on existing DPIA and extending to additional rights, using consistent risk assessment frameworks, consolidating documentation, and coordinating oversight measures.

Connection to Annex IV Technical Documentation: Deployers conducting FRIAs should request Annex IV documentation from providers, use provider risk assessments as input, verify that provider-documented measures are implemented in your deployment context, and document any deployment-specific risks not covered by provider documentation.

Relationship to Conformity Assessment: While conformity assessment is primarily a provider obligation, deployers should verify the AI system has completed conformity assessment, understand what it covered, and recognize that conformity assessment addresses technical requirements while FRIA addresses deployment-specific fundamental rights impacts.

EU Database Registration: High-risk AI systems must be registered in the EU database under Article 71. Ensure your system is properly registered by the provider and that registration information is consistent with your FRIA documentation.

Penalties and Enforcement

Non-compliance with FRIA requirements exposes organizations to significant penalties under the EU AI Act enforcement framework: fines up to EUR 15 million or 3% of total worldwide annual turnover for violations of deployer obligations, including FRIA requirements. Market surveillance authorities have power to investigate and require corrective actions.

Beyond formal penalties, failing to conduct proper FRIAs creates reputational risk from fundamental rights violations, legal liability if harms materialize, and operational risk if authorities require system modifications or discontinuation.

Timeline and Next Steps

Key dates: August 2, 2025 for prohibited AI practices, August 2, 2026 for Article 27 FRIA requirements, and August 2, 2027 extended deadline for certain public sector AI systems.

12+ months before deadline: Inventory all AI systems, classify by risk level, identify which require FRIAs, begin collecting information from providers, establish governance structures.

6-12 months before deadline: Develop FRIA templates and procedures, train personnel, conduct pilot FRIAs, establish relationships with market surveillance authorities, implement technical measures for human oversight.

3-6 months before deadline: Complete FRIAs for all in-scope systems, document mitigation measures and verify implementation, establish complaint and redress mechanisms, prepare notification submissions.

Ongoing after compliance: Monitor AI systems for changes requiring FRIA updates, track regulatory guidance from AI Office, conduct periodic reviews, maintain documentation and audit trails.