Fundamental Rights Impact Assessment (FRIA)

EU AI Act, Article 27 — Template for deployers of high-risk AI systems

Who must complete a FRIA. Under Article 27(1) of Regulation (EU) 2024/1689, this assessment must be conducted before first use by (a) deployers that are public bodies or private entities providing public services, and (b) deployers of high-risk AI systems listed in Annex III point 5(b) (creditworthiness / credit scoring) or point 5(c) (life and health insurance risk assessment and pricing).

Organisation details

Organisation name
AI system name
Deployer type: (public body / private entity providing public services / high-risk Annex III 5(b) / Annex III 5(c))
Assessment owner
Date of assessment
Version

1. Process description — Art. 27(1)(a)

Describe the deployer's processes in which the high-risk AI system will be used, in line with its intended purpose.

Cover deployment context, intended purpose, operational environment and the types of decisions the system supports.

2. Usage timeline and frequency — Art. 27(1)(b)

For how long and how frequently will the system be used?

Include start date, planned duration, usage cadence, expected decision volume and review schedule.

3. Affected categories of persons — Art. 27(1)(c)

Which categories of natural persons and groups are likely to be affected by the system's use?

Identify primary affected groups, vulnerable groups, geographic scope, estimated number of affected persons and indirectly affected parties.

4. Specific risks of harm — Art. 27(1)(d)

What specific risks of harm are likely to impact the identified groups?

Consider the provider's Article 13 information. Document likelihood, severity, cumulative effects, discrimination and privacy risks.

5. Human oversight measures — Art. 27(1)(e)

Describe the human oversight measures that will be implemented in accordance with the instructions for use.

Cover oversight roles, intervention mechanisms, escalation procedures, override capability and monitoring frequency.

6. Mitigation measures and governance — Art. 27(1)(f)

What measures will be taken when the identified risks materialise, including governance and complaint-handling arrangements?

Describe preventive measures, corrective measures, complaint mechanism, governance structure, review triggers and the notification plan.

7. DPIA integration — Art. 27(4)

Have you conducted a GDPR Article 35 Data Protection Impact Assessment (DPIA)? If yes, how does this FRIA complement it?

Reference the DPIA, note the areas it covers and explain the additional fundamental-rights impacts addressed here.

8. Authority notification — Art. 27(3)

If a risk identified under section 4 cannot be mitigated, describe how the relevant market surveillance authority will be notified without undue delay.

Include the responsible role, reporting channel and information to be provided.