Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)
Art. 27 requires certain deployers, public bodies and private deployers in defined sectors such as credit and insurance, to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.
Updated: June 2026
Introduction: fundamental rights at the center of AI governance
Article 27 of the EU AI Act requires public authorities and certain other deployers to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying high-risk AI systems. The FRIA is not a technical document; it is a governance instrument that requires organizations to explicitly evaluate the impact of AI deployment on the fundamental rights guaranteed by the EU Charter of Fundamental Rights and applicable national law.
The requirement reflects a core principle of the EU AI Act: AI governance is not purely a technical compliance exercise. The highest-stakes AI decisions, those made by public authorities that affect people's access to services, benefits, and justice, demand a structured fundamental rights analysis before deployment.
Who must conduct a FRIA?
Art. 27.1 requires a FRIA from:
- Public authorities deploying high-risk AI systems
- Bodies operating in the public interest (e.g. public hospitals, universities, social housing organizations)
- Private entities providing services in the public interest that are directly regulated or publicly funded
Purely private-sector deployers are not directly obliged by Art. 27, though best practice and, increasingly, procurement requirements from public clients are driving FRIA adoption more broadly.
Which fundamental rights are assessed?
A FRIA must assess potential impacts on all applicable fundamental rights. Key rights in AI contexts include:
- Dignity (Art. 1 Charter): Does the AI system treat individuals with respect and without degradation?
- Non-discrimination (Art. 21 Charter): Does the AI system risk producing discriminatory outcomes based on race, gender, religion, disability, age, sexual orientation, or other protected characteristics?
- Privacy and data protection (Art. 7–8 Charter): Links to the GDPR DPIA obligation
- Right to a fair hearing (Art. 47 Charter): For AI used in administrative decisions, is there a genuine right to challenge AI-assisted outcomes?
- Freedom of expression and information (Art. 11 Charter): For AI affecting content moderation or information access
- Children's rights (Art. 24 Charter): Heightened scrutiny for AI systems affecting minors
- Rights of the elderly and disabled (Art. 25–26 Charter): Accessibility and equal treatment considerations
The FRIA process: six steps
Step 1: scoping
Define the AI system being assessed, its intended purpose, the categories of individuals it affects, and the decisions it informs or makes. A scoping document should be produced at the outset.
Step 2: stakeholder identification
Identify all groups whose rights could be affected: direct users of the AI system's outputs, individuals whose data is processed, vulnerable groups with heightened risk, and public interests (e.g. democratic accountability).
Step 3: rights mapping
For each identified stakeholder group, map the specific rights at risk. This is not a checklist exercise; it requires substantive analysis of how the AI system's functioning could interfere with or threaten specific rights.
Step 4: risk assessment
For each identified rights risk: assess the probability of occurrence, the severity of potential harm, and the breadth of impact. Produce a risk matrix that prioritizes the most significant risks for mitigation.
Step 5: mitigation measures
For each significant risk: document the specific technical, organizational, or procedural measures that will reduce or eliminate the risk. Mitigation measures must be concrete and verifiable, not vague commitments to "take care" of the issue.
Step 6: residual risk assessment and sign-off
After mitigation, assess residual risks. If residual risks remain significant, the deployer must decide whether to proceed with deployment, subject to additional safeguards, or to decline deployment. Sign-off should be at senior management level (typically the AI Officer or DPO).
FRIA documentation
The FRIA must be documented and submitted to the market surveillance authority upon request. Required elements: scoping documentation, rights mapping, risk assessment matrix, mitigation measures, residual risk assessment, and sign-off record.
Compliance checklist
- Has your organization determined whether it is a public authority or body operating in the public interest under Art. 27?
- For each high-risk AI system: has a FRIA been conducted before deployment?
- Does the FRIA cover all applicable fundamental rights (not just privacy/data protection)?
- Are mitigation measures concrete, verifiable, and assigned to responsible persons?
- Has the FRIA been reviewed by the DPO and/or legal counsel?
- Is the FRIA documented and available for supervisory review?
- Is there a process for reviewing the FRIA when the AI system or its context changes?