Compliance · 2 March 2026 · 11 min read

EU AI Act FRIA Guide: Fundamental Rights Impact Assessment Explained

Complete guide to Fundamental Rights Impact Assessments under the EU AI Act. Learn when FRIAs are required, how to conduct them, and documentation needs.

What is a Fundamental Rights Impact Assessment?

A Fundamental Rights Impact Assessment (FRIA) is a structured evaluation required under Article 27 of the EU AI Act for certain deployers of high-risk AI systems. The FRIA examines how an AI system's deployment may affect the fundamental rights of individuals and groups, as enshrined in the EU Charter of Fundamental Rights. These rights include human dignity, non-discrimination, privacy and data protection, freedom of expression, access to an effective remedy, and the rights of the child.

The FRIA is not a general risk assessment — it specifically focuses on the impact on people's fundamental rights. While technical risk assessments evaluate system performance, reliability, and security, the FRIA asks different questions: Who is affected by this AI system's decisions? Could certain groups be disproportionately impacted? What safeguards exist to prevent rights violations? How can affected individuals seek redress?

The concept draws on established practices in human rights due diligence and on data protection impact assessments (DPIAs) under the GDPR, with specific adaptations for AI systems. The two are explicitly linked: Article 27(4) provides that where a DPIA under Article 35 GDPR already covers any of the required elements, the FRIA complements that DPIA rather than duplicating it. The FRIA recognises that AI systems can affect fundamental rights in ways that are subtle, systemic, and difficult for individuals to detect or challenge, which makes proactive assessment essential rather than waiting for harm to occur.

When is a FRIA Required?

Article 27(1) of the EU AI Act requires a FRIA from two groups of deployers of high-risk AI systems listed in Annex III (the systems classified under Article 6(2)). The first group is defined by who the deployer is: bodies governed by public law and private entities providing public services. The second group is defined by what the system does: deployers of the systems in Annex III points 5(b) and 5(c), that is, systems that evaluate the creditworthiness of natural persons or establish their credit score (with the exception of systems used to detect financial fraud), and systems used for risk assessment and pricing in relation to natural persons in life and health insurance. Two exclusions matter in practice: high-risk systems in the area of critical infrastructure (Annex III point 2) are carved out of the obligation even for public-sector deployers, and high-risk systems that are safety components of products covered by Annex I legislation fall outside Article 27 altogether.

Beyond these explicit requirements, any deployer using high-risk AI in employment decisions (hiring, promotion, performance evaluation, termination), education (admission, assessment, progression), essential private services (banking, insurance, housing), and social services should strongly consider conducting a FRIA even where not strictly mandated. Many such deployers are in fact covered by the first group above: a public university, a municipal social service or a public hospital is a body governed by public law or a private entity providing a public service. A private employer using a high-risk recruitment tool is outside the Article 27 obligation, but it still carries the general deployer obligations of Article 26, including use in accordance with the provider's instructions, human oversight by competent and trained staff, monitoring of the system's operation, log retention, and informing workers' representatives and affected workers before the system is put into service at the workplace. A voluntary FRIA is the most direct way to document how those obligations are met, and it demonstrates the responsible AI use that regulators expect.

The FRIA must be completed before the high-risk AI system is put into use. It is not a retrospective exercise. Article 27(2) ties the obligation to the first use of the system; in similar cases the deployer may rely on a previously conducted FRIA, or on an impact assessment carried out by the provider, rather than starting from scratch. If an organisation is already using a high-risk AI system without having conducted a FRIA, it should conduct one immediately and document it as part of its compliance remediation efforts. A FRIA is also not a one-off: if during use any of the assessed elements changes or is no longer up to date, Article 27(2) requires the deployer to take the necessary steps to update it. In practice that means reviewing the FRIA whenever there is a significant change in the AI system's functionality, the context of its use, or the affected population. Once the assessment has been performed, Article 27(3) requires the deployer to notify the market surveillance authority of its results, submitting the template questionnaire that the AI Office is to provide under Article 27(5); deployers relying on the Article 46(1) derogation from conformity assessment may be exempt from that notification.

How to Conduct a Fundamental Rights Impact Assessment

A comprehensive FRIA follows a structured methodology across five stages. Stage one is Scoping: identify the AI system, its purpose, the decisions it influences, and the individuals and groups affected. Define the scope of the assessment — which fundamental rights could potentially be impacted? For an AI hiring tool, relevant rights include non-discrimination, privacy, fair working conditions, and access to employment. For an AI credit scoring system, relevant rights include non-discrimination, privacy, property rights, and consumer protection.

Stage two is Stakeholder Identification and Consultation. Who is affected by the AI system's decisions? This includes direct subjects (job applicants, loan applicants, insurance customers), indirect subjects (families, communities), and groups that may be disproportionately affected (ethnic minorities, people with disabilities, elderly individuals). Where practical, consult with representatives of affected groups to understand their concerns and perspectives.

Stage three is Impact Analysis. For each identified fundamental right, assess the likelihood and severity of negative impacts. Consider both individual and collective impacts, direct and indirect effects, and cumulative impacts when combined with other systems or processes. Document specific scenarios where rights violations could occur and evaluate the adequacy of existing safeguards.

Stage four is Mitigation Planning. For each identified risk, define specific mitigation measures. These might include human oversight at decision points, appeal mechanisms for affected individuals, regular bias audits, data quality controls, or restrictions on the AI system's authority. Prioritise mitigations based on the severity and likelihood of the identified impacts.

Stage five is Documentation and Review. Record all findings, consultations, and decisions in a structured report. This report is not only for the file: its results must be notified to the market surveillance authority under Article 27(3), and the full record must be available to regulators on request.

Documentation Requirements and Evidence

The FRIA documentation must be thorough enough to demonstrate to regulators that a genuine, rigorous assessment was conducted. Article 27(1) sets the minimum content: a description of the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose; the period of time within which and the frequency with which the system is intended to be used; the categories of natural persons and groups likely to be affected by its use; the specific risks of harm likely to impact those categories, taking into account the information the provider supplies under Article 13 (the instructions for use); a description of how the human oversight measures will be implemented, again according to the instructions for use; and the measures to be taken if those risks materialise, including the arrangements for internal governance and complaint mechanisms. The AI Office is to publish a template questionnaire (Article 27(5)) covering these elements; structuring the internal report around the same headings makes the later notification straightforward.

Beyond the regulatory minimum, best practice documentation includes the methodology used for the assessment, records of stakeholder consultations conducted, the data and evidence base for impact assessments, a risk matrix showing likelihood and severity ratings for each identified impact, detailed mitigation measures with assigned ownership and implementation timelines, criteria for triggering a FRIA review or update, and sign-off from appropriate governance authorities within the organisation.

Maintain version control of your FRIA documents. As the AI system evolves, the FRIA should be updated to reflect changes. Keep previous versions as part of your compliance record — they demonstrate the evolution of your assessment and the continuous attention to fundamental rights impacts.

The FRIA should be cross-referenced with other compliance documentation, including the AI system's risk classification rationale, the deployer obligations checklist under Article 26, data protection impact assessments under the GDPR (which the FRIA complements under Article 27(4)), and the documentation received from the AI provider, in particular the instructions for use under Article 13 and the EU declaration of conformity. Together, these documents form a comprehensive compliance package that demonstrates responsible and lawful AI deployment.
