Fundamental Rights Impact Assessment Under the EU AI Act
Who this applies to
This obligation applies to providers and deployers of high-risk AI systems (as defined in Article 6(1)) and public sector entities using AI in areas listed in Annex III (e.g., critical infrastructure, law enforcement, employment). The requirement is explicitly set out in Article 27(1) and Article 29(1).What is required
- Conduct a Fundamental Rights Impact Assessment (FRIA) before placing a high-risk AI system on the market or putting it into service, as mandated by Article 27(1).
- Document the assessment in a detailed, written report, including:
- Update the FRIA whenever there is a significant change in the AI system’s risk profile or use context (Article 27(3)).
- For public sector deployers, ensure the FRIA aligns with Article 29(1), which requires additional scrutiny for AI used in law enforcement, migration, or administration of justice.
- Retain FRIA documentation for 10 years after the AI system is placed on the market or decommissioned (Article 27(4)).
Key deadlines
Under Article 113 as written, the primary deadline for this obligation is August 2, 2026. The Digital Omnibus provisional agreement of 7 May 2026 moves Annex III high-risk obligations to 2 December 2027, pending formal adoption; until Official Journal publication, the original date remains law.Enforcement patterns
AI Act Article 50 transparency obligations take effect 2 August 2026. Annex III high-risk obligations are expected 2 December 2027, pending formal adoption of the Digital Omnibus (political agreement of 7 May 2026). No AI Act enforcement precedent currently exists. This page will be updated as enforcement cases emerge.Cross-border considerations
Implementation references for Article 27 are most frequently cited in Italy (8), Netherlands (5), and Austria (4), suggesting early national guidance may emerge from these jurisdictions. Article 29 (public sector obligations) has higher citation density in Romania (18), Italy (15), and Greece (6), indicating potential variation in public-sector enforcement priorities. No jurisdiction-specific deviations from the AI Act text have yet been documented.Fontvera also analyses closely related obligations, including [AI Act Article 70 for the Commission](/intelligence/ai-act-art-70-commission-obligations), [AI Act general-purpose AI FAQ](/intelligence/ai-act-faq-general-purpose-ai), and [AI Act timeline FAQ](/intelligence/ai-act-faq-timeline).
Related: [high-risk classification under Article 6](/intelligence/ai-act-high-risk-classification)