Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)
Updated: June 2026 — full revision to Validai quality standard
Introduction: Fundamental Rights at the Centre of AI Governance
Article 27 of the EU AI Act requires public authorities and certain other deployers to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying high-risk AI systems. The FRIA is not a technical document — it is a governance instrument that requires organisations to explicitly evaluate the impact of AI deployment on the fundamental rights guaranteed by the EU Charter of Fundamental Rights and applicable national law.
The requirement reflects a core principle of the EU AI Act: AI governance is not purely a technical compliance exercise. The highest-stakes AI decisions — those made by public authorities that affect people's access to services, benefits, and justice — demand a structured fundamental rights analysis before deployment.
Who Must Conduct a FRIA?
Art. 27.1 requires a FRIA from:
- Public authorities deploying high-risk AI systems
- Bodies operating in the public interest (e.g. public hospitals, universities, social housing organisations)
- Private entities providing services in the public interest that are directly regulated or publicly funded
Purely private-sector deployers are not directly obliged by Art. 27, though best practice — and, increasingly, procurement requirements from public clients — is driving FRIA adoption more broadly.
Which Fundamental Rights Are Assessed?
A FRIA must assess potential impacts on all applicable fundamental rights. Key rights in AI contexts include:
- Dignity (Art. 1 Charter): Does the AI system treat individuals with respect and without degradation?
- Non-discrimination (Art. 21 Charter): Does the AI system risk producing discriminatory outcomes based on race, gender, religion, disability, age, sexual orientation, or other protected characteristics?
- Privacy and data protection (Arts. 7–8 Charter): Closely linked to the GDPR DPIA obligation, which the FRIA should reference rather than duplicate
- Right to a fair hearing (Art. 47 Charter): For AI used in administrative decisions, is there a genuine right to challenge AI-assisted outcomes?
- Freedom of expression and information (Art. 11 Charter): For AI affecting content moderation or information access
- Children's rights (Art. 24 Charter): Heightened scrutiny for AI systems affecting minors
- Rights of the elderly and of persons with disabilities (Arts. 25–26 Charter): Accessibility and equal-treatment considerations
The FRIA Process: Six Steps
Step 1: Scoping
Define the AI system being assessed, its intended purpose, the categories of individuals it affects, and the decisions it informs or makes. A scoping document should be produced at the outset.
Step 2: Stakeholder Identification
Identify all groups whose rights could be affected: direct users of the AI system's outputs, individuals whose data is processed, vulnerable groups with heightened risk, and public interests (e.g. democratic accountability).
Step 3: Rights Mapping
For each identified stakeholder group, map the specific rights at risk. This is not a checklist exercise — it requires substantive analysis of how the AI system's functioning could interfere with or threaten specific rights.
Step 4: Risk Assessment
For each identified rights risk: assess the probability of occurrence, the severity of potential harm, and the breadth of impact. Produce a risk matrix that prioritises the most significant risks for mitigation.
Step 5: Mitigation Measures
For each significant risk: document the specific technical, organisational, or procedural measures that will reduce or eliminate the risk. Mitigation measures must be concrete and verifiable — not vague commitments to "take care" of the issue.
Step 6: Residual Risk Assessment and Sign-Off
After mitigation, assess the residual risks. If residual risks remain significant, the deployer must decide whether to proceed with deployment subject to additional safeguards, or to decline deployment. Sign-off should be at senior management level (typically the AI Officer or DPO).
FRIA Documentation
The FRIA must be documented and submitted to the market surveillance authority upon request. Required elements: scoping documentation, rights mapping, risk assessment matrix, mitigation measures, residual risk assessment, and sign-off record.
Compliance Checklist
- Has your organisation determined whether it is a public authority or body operating in the public interest under Art. 27?
- For each high-risk AI system: has a FRIA been conducted before deployment?
- Does the FRIA cover all applicable fundamental rights (not just privacy/data protection)?
- Are mitigation measures concrete, verifiable, and assigned to responsible persons?
- Has the FRIA been reviewed by the DPO and/or legal counsel?
- Is the FRIA documented and available for supervisory review?
- Is there a process for reviewing the FRIA when the AI system or its context changes?