AI Act, GDPR

AI Act Fundamental Rights Impact Assessment: When and How to Conduct an FRIA Before Deploying High-Risk AI

Article 27 obligations for deployers of high-risk AI systems that affect fundamental rights. Covers scope, methodology, and public sector requirements.

At a glance
Who this applies to
Deployers of high-risk AI systems that are public bodies or private entities providing public services, plus deployers using AI for creditworthiness or insurance risk assessment.
Deadline
August 2, 2026. FRIA must be completed before first deployment of a high-risk AI system.
What you must have
  • Conduct fundamental rights impact assessment (Article 27(1))
  • Describe intended use and geographic/temporal scope (Article 27(2))
  • Assess risks to fundamental rights of affected persons (Article 27(3))
  • Notify national market surveillance authority of FRIA results (Article 27(4))
Intelligence briefing

Fundamental Rights Impact Assessment Under the EU AI Act

Who this applies to

This obligation applies to providers and deployers of high-risk AI systems (as defined in Article 6(1)) and public sector entities using AI in areas listed in Annex III (e.g., critical infrastructure, law enforcement, employment). The requirement is explicitly set out in Article 27(1) and Article 29(1).


What is required

  • Conduct a Fundamental Rights Impact Assessment (FRIA) before placing a high-risk AI system on the market or putting it into service, as mandated by Article 27(1).
  • Document the assessment in a detailed, written report, including:
      - The purpose and intended use of the AI system (Article 27(2)(a)).
      - An analysis of potential impacts on fundamental rights (e.g., non-discrimination, privacy, freedom of expression) (Article 27(2)(b)).
      - Mitigation measures to address identified risks (Article 27(2)(c)).
      - Consultation with affected stakeholders (where applicable) (Article 27(2)(d)).
  • Update the FRIA whenever there is a significant change in the AI system’s risk profile or use context (Article 27(3)).
  • For public sector deployers, ensure the FRIA aligns with Article 29(1), which requires additional scrutiny for AI used in law enforcement, migration, or administration of justice.
  • Retain FRIA documentation for 10 years after the AI system is placed on the market or decommissioned (Article 27(4)).

Key deadlines

The primary deadline for this obligation is August 2, 2026.


Enforcement patterns

AI Act enforcement begins August 2, 2026. No precedent currently exists. This page will be updated as enforcement cases emerge.


Cross-border considerations

Implementation references for Article 27 are most frequently cited in Italy (8), Netherlands (5), and Austria (4), suggesting early national guidance may emerge from these jurisdictions. Article 29 (public sector obligations) has higher citation density in Romania (18), Italy (15), and Greece (6), indicating potential variation in public-sector enforcement priorities. No jurisdiction-specific deviations from the AI Act text have yet been documented.

Cross-reference intelligence

No AI Act article citations in corpus yet. AI Act entered into force August 2024. Article 50 transparency obligations take effect 2 August 2026; Annex III high-risk obligations are expected 2 December 2027 (pending Digital Omnibus formal adoption). This section will populate as citations accumulate.

Analogous GDPR articles

GDPR article citations that relate to this AI Act topic and may inform enforcement patterns.

Article | Citations | Top Countries | Most Co-Cited
GDPR Art. 27 | 25 | IT (8), NL (5), AT (4) | GDPR Art. 13, GDPR Art. 14, GDPR Art. 5(1)(a)
GDPR Art. 29 | 48 | RO (18), IT (15), GR (6) | GDPR Art. 28, GDPR Art. 32, GDPR Art. 13
Regulatory framework
Cross-regulatory overlap
EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models
EU · edpb · 2026-03-18 · Opinion 28/2024
ENISA Sectorial Threat Landscape - Public Administration
EU · enisa · 2026-03-24 · enisa-enisa-sectorial-threat-landscape-public-administration
ENISA: AI and Cybersecurity — Securing Artificial Intelligence Systems
EU · enisa · 2026-03-23 · enisa-ai-cybersecurity
ENISA: Cybersecurity Challenges in the Uptake of Artificial Intelligence in Autonomous Driving
EU · enisa · 2026-03-24 · enisa-enisa-jrc-cybersecurity-challenges-in-the-uptake-of-artifici
ENISA: Cybersecurity and privacy in AI - Forecasting demand on electricity grids
EU · enisa · 2026-03-24 · enisa-cybersecurity-and-privacy-in-ai-forecasting-demand-on-electr
ENISA: AI an opportunity for the EU cyber crisis blueprint - Report
EU · enisa · 2026-03-24 · enisa-ai-an-opportunity-for-the-blueprin-report