Article 27: Fundamental rights impact assessment for high-risk AI systems

The FRIA is primarily a deployer obligation, but providers must supply the information deployers need to conduct their FRIA.

As a public organisation or provider of public services, you must conduct a FRIA before deploying high-risk AI. Use our FRIA Generator to get started.

The FRIA obligation primarily applies to public organisations. As an SME deployer in the private sector, you are not required to, but it is best practice.

The FRIA is mandatory for you. Combine it with the IAMA you may already be conducting. Publish the results and update when significant changes occur.

A Fundamental Rights Impact Assessment (FRIA) assesses the impact on fundamental rights. It is mandatory for public organisations and organisations providing public services before deploying high-risk AI.

A FRIA must describe the intended use, affected persons, specific risks to fundamental rights, mitigating measures, and oversight mechanisms.

Article 27 of the AI Act does not provide a general exemption for SMEs. However, the AI Act includes supportive measures and potentially lighter obligations for small and medium-sized enterprises, depending on their role in the AI value chain.

Article 27 of the AI Act complements the GDPR. While the GDPR protects personal data, the AI Act focuses on the safety and trustworthiness of AI systems. Organisations must comply with both regulations when their AI system processes personal data.

The AI Act follows a phased implementation. Prohibited AI practices apply from February 2025, obligations for high-risk AI systems from August 2026, and other provisions take effect gradually. The specific deadline for Article 27 depends on the category of the obligation.

Yes, Article 27 of the AI Act may also be relevant when you purchase AI systems. As a deployer, you have your own obligations under the AI Act, regardless of whether you developed the system yourself or purchased it from a provider.

Under Article 27 of the AI Act, the provider is the entity that develops or places the AI system on the market, while the deployer is the entity that uses the system under its own authority. Both roles carry different obligations.

Article 27 of the AI Act requires that relevant documentation is maintained as part of the compliance process. This may include technical documentation, instructions for use, logs or declarations of conformity, depending on the classification of the AI system.

A FRIA (fundamental rights impact assessment, Article 27) focuses on the impact of AI on all fundamental rights, while a DPIA (data protection impact assessment, GDPR Article 35) specifically focuses on privacy and data protection. Both are mandatory when conditions are met and they complement each other.

The FRIA is mandatory for deployers that are public bodies, or private entities providing public services. This includes government agencies, banks and insurers (for credit assessment), and providers of essential services. The first FRIA must be completed before the first use of the high-risk AI system.

The AI Office is required to develop a template (questionnaire) for the FRIA under Article 27(5). Additionally, organisations such as ECNL and the Danish Institute for Human Rights have already published practical FRIA templates that can serve as guidance.

Yes, Article 27(3) requires deployers to notify the market surveillance authority of the FRIA results by submitting the filled-out template. Additionally, a summary must be registered in the EU database as per Annex VIII, Section C.