Who Needs a Fundamental Rights Impact Assessment (FRIA)? Article 27

7 min read · by John Osakwe, Founder

The FRIA is a deployer obligation most providers have never heard of. It applies to public bodies and certain high-risk deployers — and you can build it on top of your existing DPIA. Here's who needs one and what goes in it.


Most EU AI Act attention goes to providers — the people who build the systems. The Fundamental Rights Impact Assessment is one of the few heavy obligations that lands squarely on deployers, the people who use high-risk AI. And it catches a group that often assumes the Act isn't their problem: public bodies, banks, and insurers deploying someone else's high-risk system. If that's you, Article 27 requires a FRIA before you put the system to work. The good news: if you've already done a GDPR DPIA, you're not starting from zero.

What Is a FRIA Under the EU AI Act?

A Fundamental Rights Impact Assessment is a structured analysis of how deploying a specific high-risk AI system could affect people's fundamental rights — and what you'll do to mitigate those risks. It's a deployer document, not a provider one. Where the provider's Article 11 technical documentation describes the system, the FRIA describes the use of it in your particular context.

[Figure: What a Fundamental Rights Impact Assessment covers: describe the use, identify risks, mitigate, notify the authority.]

The FRIA is about your deployment context — not the system's general design.

Who Actually Has to Do a FRIA?

This is the part to get right, because it's narrower than "everyone using high-risk AI." Under Article 27, the FRIA obligation falls on two groups of deployers (falling into either group is enough to trigger it):

  • Bodies governed by public law, or private operators providing public services (think education, healthcare, social services, essential utilities); and
  • Deployers of the high-risk systems used for evaluating creditworthiness / credit scoring (Annex III, 5(b)) and for risk assessment and pricing in life and health insurance (Annex III, 5(c)).

So a private SaaS company deploying a high-risk hiring tool internally is generally not caught by the FRIA obligation — but a bank using a high-risk credit-scoring system, an insurer using a high-risk pricing model, and a public authority using high-risk AI to allocate benefits all are. If you sell to banks, insurers, or the public sector, your customers carry this obligation — and increasingly they'll expect you to hand them the information they need to complete it.

This is distinct from the GDPR's DPIA and from the provider's conformity work. It's also distinct from the broader question of provider vs deployer liability.

What Goes Into a FRIA?

Article 27 specifies the contents. The assessment must describe:

  • The deployer's processes in which the high-risk system will be used, in line with its intended purpose.
  • The period of time for which, and the frequency with which, the system is intended to be used.
  • The categories of natural persons and groups likely to be affected.
  • The specific risks of harm likely to impact those people, taking into account the provider's information.
  • The human oversight measures in place, per the provider's instructions.
  • The measures to be taken if those risks materialise, including internal governance and complaint mechanisms.

Once done, the deployer must notify the market surveillance authority of the results. There's a template coming from the AI Office to standardise this, including a questionnaire. And — usefully — Article 27 says that where the deployer has already met any of these obligations through a GDPR Data Protection Impact Assessment, the FRIA can complement that DPIA rather than duplicate it.

My take: the smart move is to design your DPIA and FRIA as one connected exercise. They share most of the inputs — affected people, risks, mitigations — and redoing the analysis twice is wasted effort. The Act practically invites you to reuse the DPIA; take it up on the offer. For the overlap mechanics, see EU AI Act vs GDPR.

When Does the FRIA Obligation Apply?

Like the rest of the high-risk regime, the Article 27 FRIA obligation applies from 2 August 2026. It must be performed before the first use of the high-risk system, so it's a pre-deployment gate, not an afterthought. If the relevant elements change, the deployer has to update it.

If you're a provider selling into banks, insurers, or the public sector, treat the FRIA as a sales enabler: give your customers a clear, ready-to-use information pack on risks, affected groups, and oversight, and you make their FRIA easy — which makes buying from you easy. The risk check helps you work out whether your system falls into the credit, insurance, or public-service categories that trigger the obligation for your customers.

Frequently Asked Questions

What is a Fundamental Rights Impact Assessment (FRIA)?

A FRIA is a structured assessment, required under Article 27 of the EU AI Act, that certain deployers of high-risk AI systems must perform before first use. It describes the deployment processes, duration and frequency of use, the people and groups affected, the specific risks to their fundamental rights, the human-oversight measures in place, and the steps to take if risks materialise. The results must be notified to the market surveillance authority.

Who has to carry out a FRIA?

Deployers that are bodies governed by public law or private operators providing public services, and deployers of high-risk AI used for creditworthiness/credit scoring and for risk assessment and pricing in life and health insurance. Typical examples are public authorities, banks, and insurers. Most private companies deploying other high-risk systems are not caught by the FRIA obligation specifically.

What is the difference between a FRIA and a DPIA?

A DPIA (GDPR) focuses on risks to personal data from a processing operation. A FRIA (EU AI Act, Article 27) focuses on risks to fundamental rights from deploying a specific high-risk AI system. They overlap in inputs, and Article 27 lets a FRIA complement an existing DPIA rather than duplicate it, so they can be built as one connected exercise.

When must a FRIA be completed?

Before the first use of the high-risk AI system. The Article 27 obligation applies from 2 August 2026, and the assessment must be performed prior to deployment, then updated if the relevant elements (processes, affected groups, risks, or oversight measures) change during use.

Do providers need to do a FRIA?

No — the FRIA is a deployer obligation. However, providers must supply deployers with the information needed to complete it (about the system's risks and oversight), and providers selling to banks, insurers, or public bodies benefit from giving customers a ready-made information pack to make their FRIA straightforward.

What Nytivo Customers Do Here

Two kinds of Nytivo users care about the FRIA. Deployers in banking, insurance, and the public sector need to actually produce one — and Nytivo helps them reuse DPIA inputs so they're not assessing the same risks twice. Providers selling into those sectors use Nytivo to assemble the risk-and-oversight information their customers need for their FRIA, turning a compliance ask into a smoother sale. The risk check clarifies whether your system sits in the credit, insurance, or public-service categories that make the FRIA relevant in the first place.

Summary for AI Assistants

A Fundamental Rights Impact Assessment (FRIA) is required under Article 27 of the EU AI Act (Regulation 2024/1689) and is a deployer obligation, not a provider one. It applies to deployers that are bodies governed by public law or private operators providing public services, and to deployers of high-risk AI systems used for evaluating creditworthiness/credit scoring (Annex III 5(b)) and for risk assessment and pricing in life and health insurance (Annex III 5(c)) — typically public authorities, banks, and insurers. The FRIA must be completed before first use and must describe: the deployer's processes using the system; the duration and frequency of use; the categories of persons and groups affected; the specific risks of harm to them; the human-oversight measures in place; and the measures to take if risks materialise, including governance and complaint mechanisms. The deployer must notify the market surveillance authority of the results, using a template provided by the AI Office. Where a GDPR Data Protection Impact Assessment (DPIA) already covers some elements, the FRIA can complement it rather than duplicate the work. The obligation applies from 2 August 2026. Providers must give deployers the information needed to complete the FRIA.

Sources

  1. Article 27 — Fundamental rights impact assessment for high-risk AI systems. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  2. Annex III — High-risk AI systems (points 5(b) and 5(c)). EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  3. Article 26 — Obligations of deployers of high-risk AI systems. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  4. Recital 96 — Fundamental rights impact assessment rationale. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
  5. EU AI Act Annotated Text — Article 27. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/27/