What is a Fundamental Rights Impact Assessment (FRIA)?
A Fundamental Rights Impact Assessment (FRIA) is the new assessment introduced by the EU AI Act (Article 27) requiring deployers of certain high-risk AI systems to assess the potential impact on fundamental rights before putting the system into use. FRIA is the AI Act’s parallel to GDPR’s DPIA: a structured, documented analysis of risks that the AI system poses to natural persons, with mitigation measures.
When FRIA is required
- Bodies governed by public law deploying high-risk AI systems listed in Annex III.
- Private entities providing public services deploying these high-risk systems.
- Banks and insurance companies using high-risk AI for credit scoring or risk assessment.
FRIA required content
- Description of the deployer’s processes in which the AI system is used.
- Period and frequency of system use.
- Categories of natural persons and groups likely to be affected.
- Specific risks of harm to those categories.
- Description of human oversight measures.
- Measures to be taken if those risks materialise, including governance.
FRIA vs. DPIA
- DPIA (GDPR Article 35): data protection focus; required when processing creates high risk to data subject rights.
- FRIA (AI Act Article 27): broader fundamental rights focus; specific to AI Act high-risk systems used by certain deployers.
- Both can coexist; many organisations will conduct a combined fundamental rights and data protection assessment.
FRIA: the AI Act’s rights check, distinct from a DPIA
A Fundamental Rights Impact Assessment is an obligation introduced by the EU AI Act for certain deployers of high-risk AI systems. Before putting such a system into use, the deployer must assess how it could affect people’s fundamental rights — covering who is affected, the categories of risk (discrimination, access to services, due process), the human-oversight measures in place, and what happens when something goes wrong. It overlaps with, but is not the same as, a DPIA: a DPIA focuses on personal-data risks under data-protection law, while a FRIA looks more broadly at fundamental rights under the AI Act. Organisations deploying high-risk AI — including non-EU companies whose systems are used in the EU — should plan to run the two assessments together, since the underlying analysis and evidence substantially overlap.