Definition & Explanation
An assessment that certain deployers of high-risk AI systems must perform to determine the impact on fundamental rights before the system is put into use. Required under Article 27 EU AI Act for bodies governed by public law, private organizations providing public services, and deployers using AI for creditworthiness assessment or risk assessment in life and health insurance.
Article 27 EU AI Act requires the FRIA to be carried out before the first use of the high-risk AI system. The assessment describes the processes in which the system will be used, the period and frequency of use, the categories of persons affected, the specific risks of harm to fundamental rights, the human oversight measures, and the measures taken if those risks materialize. The outcome is notified to the market surveillance authority. An existing DPIA may serve as a starting point: the FRIA complements it for fundamental rights that fall outside data protection.
A municipality wants to deploy an AI system that prioritizes signals of potential benefits misuse. Before first use, the municipality maps which groups of citizens are affected, whether the system can discriminate indirectly (for example via postcode or household composition acting as a proxy), how a case worker substantively reviews every signal before any action is taken, and how citizens can object. That analysis, including mitigating measures and residual risks, together forms the FRIA.
The FRIA is not the same as a DPIA, and it does not apply to every organization. A DPIA under the GDPR looks at risks to the protection of personal data; a FRIA looks more broadly at all fundamental rights, such as non-discrimination, human dignity, and access to essential services. Moreover, the FRIA obligation only applies to the categories of deployers listed in Article 27, not to every user of high-risk AI. Organizations outside those categories are often still well advised to run a comparable assessment as part of their AI governance.