Fundamental Rights Impact Assessment (FRIA) Guide

A Fundamental Rights Impact Assessment (FRIA) is a structured evaluation of the potential impact of a high-risk AI system on the fundamental rights guaranteed by the EU Charter of Fundamental Rights and the European Convention on Human Rights. Article 27 of the EU AI Act requires deployers — not providers — to conduct and document a FRIA before deploying certain high-risk AI systems. The FRIA obligation applies to: public authorities deploying high-risk AI systems; private organisations deploying high-risk AI systems for the provision of essential private services such as banking, insurance, and healthcare; and organisations deploying AI systems in domains directly affecting individuals' rights and freedoms at scale.

The FRIA must assess the impact of the AI system on the fundamental rights protected by the EU Charter of Fundamental Rights. The rights most commonly implicated by high-risk AI systems include: Human Dignity (Article 1), the Right to Non-Discrimination (Article 21), the Right to Privacy (Article 7), the Protection of Personal Data (Article 8), the Right to an Effective Remedy (Article 47), the Rights of the Child (Article 24), and the Rights of Persons with Disabilities (Article 26). For AI systems operating in specific domains, additional rights become relevant — for example, the Right to Work (Article 15) for employment AI, or the Right to Education (Article 14) for educational AI systems.

A robust FRIA follows a structured five-phase process that produces a documented assessment capable of withstanding regulatory scrutiny. Phase 1 — System Description: Document the AI system's purpose, capabilities, and the population of persons it will affect, both directly (users) and indirectly (third parties affected by decisions). Phase 2 — Rights Mapping: Identify all Charter rights potentially affected by the system, and for each right, identify the specific mechanism by which the AI system could impact it. Phase 3 — Risk Assessment: For each identified rights impact, assess the likelihood (how probable is the impact occurring?) and severity (if it occurs, how serious is the harm to the individual's rights?). Phase 4 — Mitigation Measures: For each identified risk, document the specific technical and organisational measures you will implement to mitigate the risk to an acceptable level. Phase 5 — Residual Risk Evaluation: After mitigation measures are applied, assess the residual risk. If residual risk remains significant, you must either implement additional measures or consider whether deployment is appropriate.

Article 27 requires the FRIA to be registered in the EU database for high-risk AI systems established under Article 71. This creates a public accountability mechanism for high-risk AI deployment by public authorities and certain private sector deployers. The FRIA document must include: a description of the processes in which the AI system will be used; the period and frequency of use; the specific categories of natural persons and groups that are likely to be affected; the specific risks of harm to those persons; the human oversight measures and other measures taken to address these risks; a description of the mechanisms for allowing individuals to exercise their rights.