Free template — Article 27

Free FRIA Template

An editable Fundamental Rights Impact Assessment covering every section required by Article 27 of the EU AI Act — no sign-up, no consultant fees, no guesswork.

SMEs save consultant fees; the template covers all eight mandatory sections and cites the relevant Article 27 subparagraphs inline.

Who must complete a FRIA?

Article 27(1) limits the FRIA obligation to specific deployer categories. Only one of them needs to apply for the obligation to arise.

  • Deployers that are public authorities or bodies governed by public law
  • Deployers that are private entities providing public services
  • Deployers of high-risk AI systems listed in Annex III point 5(b) — creditworthiness evaluation or credit scoring
  • Deployers of high-risk AI systems listed in Annex III point 5(c) — life and health insurance risk assessment and pricing

If none of these apply, a FRIA is not mandatory — but you may still be subject to other Article 26 deployer obligations.

What the template includes

Eight structured sections: one for each of the subparagraphs of Article 27(1)(a)–(f), plus the authority-notification and DPIA requirements in Article 27(3) and (4).

  1. Process description

    Art. 27(1)(a)

    Deployment context, intended purpose, operational environment and the types of decisions the system supports.

  2. Usage timeline and frequency

    Art. 27(1)(b)

    Start date, planned duration, usage cadence, expected decision volume and review schedule.

  3. Affected categories of persons

    Art. 27(1)(c)

    Primary affected groups, vulnerable groups, geographic scope and indirectly affected parties.

  4. Specific risks of harm

    Art. 27(1)(d)

    Likelihood, severity, discrimination and privacy risks — incorporating the provider's Article 13 information.

  5. Human oversight measures

    Art. 27(1)(e)

    Oversight roles, intervention mechanisms, escalation procedures, override capability and monitoring frequency.

  6. Mitigation measures and governance

    Art. 27(1)(f)

    Preventive and corrective measures, complaint mechanism, governance structure and review triggers.

  7. DPIA integration

    Art. 27(4)

    How the FRIA complements an existing GDPR Article 35 Data Protection Impact Assessment.

  8. Authority notification

    Art. 27(3)

    Procedure for notifying the market surveillance authority when a risk cannot be mitigated.

Download or preview

Open the template in your browser to preview it, print it straight to PDF from the browser menu, or save it locally to edit offline.

HTML template, approximately 12 kB. Prints cleanly to PDF via your browser.

Upgrade path

The online generator beats a static template

The downloadable template gets you started. The guided FRIA generator inside Witness takes you the rest of the way.

AI prefill from your classifier answers

Answers from the AI System Classifier flow into the FRIA sections so you start from an 80 percent draft, not a blank page.

Legal citations on every field

Each question links to the exact Article 27 subparagraph it implements, with EUR-Lex references available inline.

Word and PDF export after completion

Submit the completed FRIA and download a formatted deliverable ready to share with auditors or the market surveillance authority.

The online FRIA generator requires a Witness account with Professional access and active annual maintenance.

Frequently asked questions

Who must complete a FRIA?

Per Article 27(1), deployers must complete a FRIA before first use of the high-risk AI system if they are a public authority or body governed by public law, a private entity providing public services, or a deployer of high-risk AI systems listed in Annex III point 5(b) (creditworthiness and credit scoring) or point 5(c) (life and health insurance risk assessment and pricing).

When must the FRIA be completed?

Article 27(1) requires the assessment to be conducted before the high-risk AI system is put into use for the first time. It must be updated when any of its elements change materially — for example, a new deployment context, new affected groups, or substantive new risks.

What happens if we skip the FRIA?

Failure to conduct a required FRIA is non-compliance with Article 27 and may trigger administrative fines under Article 99. Fines for non-compliance with obligations other than prohibited practices can reach up to 15,000,000 EUR or 3 percent of worldwide annual turnover, whichever is higher.

Is this template legally binding?

No. The template is a structured starting point aligned with Article 27. The legal obligation is to produce a complete assessment covering Article 27(1)(a) to (f); using this particular template is not required by law. Witness does not warrant that filling in this template alone is sufficient to discharge the FRIA obligation.

Can I edit the template?

Yes. The template is a plain HTML file — you can edit it in any browser, word processor or text editor and save it as PDF or DOCX. If you want guided completion with AI prefill, inline legal citations and a formatted export, use the online FRIA generator instead.

How is the FRIA different from a DPIA?

A DPIA is a Data Protection Impact Assessment required by Article 35 of the GDPR and focuses on data-protection risks to personal data. A FRIA is required by Article 27 of the EU AI Act and addresses fundamental-rights impacts from a high-risk AI system. Article 27(4) says the two can complement each other: if a DPIA already exists, the FRIA should build on it rather than duplicate it.