---
title: "EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification"
canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/fria"
source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/fria"
author: "Sorena AI"
description: "Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration."
published_at: "2026-05-09"
updated_at: "2026-05-17"
keywords:
  - "EU AI Act"
  - "Article 27"
  - "FRIA"
  - "fundamental rights impact assessment"
  - "Article 6"
  - "Annex III"
  - "high-risk AI"
  - "DPIA"
  - "AI Act"
---
# EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification

Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.

## EU AI Act FRIA FAQ

Article 27 does not make every high-risk AI deployer run a FRIA. It targets specified deployers before the first use of Article 6(2) Annex III high-risk systems, with the Annex III point 2 critical-infrastructure area carved out.

Use this page to check the trigger, covered deployer types, assessment contents, DPIA link, notification step, update triggers, and evidence records.

A FRIA is the EU AI Act Article 27 fundamental rights impact assessment for certain uses of high-risk AI systems. The key question is not simply whether the system is high-risk, but whether the system is an Article 6(2) Annex III high-risk system, whether the Annex III critical-infrastructure carve-out applies, and whether the deployer is one of the deployer categories named in Article 27.

## When does Article 27 require a FRIA?

Article 27 requires the assessment before deployment of a high-risk AI system referred to in Article 6(2), which points to the Annex III high-risk areas. The rule expressly excludes high-risk AI systems intended to be used in the area listed in point 2 of Annex III, the critical-infrastructure area.

The trigger then depends on the deployer. A FRIA is required for deployers that are bodies governed by public law, private entities providing public services, and deployers of high-risk systems in Annex III points 5(b) and 5(c), which cover creditworthiness or credit scoring and risk assessment or pricing for life and health insurance.

- Start with Article 6(2): confirm that the system is an Annex III high-risk AI system.
- Check the carve-out: Annex III point 2 critical-infrastructure systems are excluded from Article 27 FRIA, even though they may still be high-risk and are registered at national level under Article 49(5).
- Check the deployer category: public-law bodies, private entities providing public services, and deployers using Annex III point 5(b) or 5(c) systems are the Article 27 categories.
- Do not treat a provider's high-risk classification memo as a FRIA; Article 27 is a deployer-side assessment of the specific use.

Sources for this answer:

- [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the Article 27 trigger, covered deployer categories, critical-infrastructure carve-out, first-use rule, notification duty, DPIA complement rule, and FRIA content list.
- [AI Act Service Desk - Article 27](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Commission-hosted AI Act Explorer page for Article 27 used to cross-check the FRIA article citation and official article title.
- [Regulation (EU) 2024/1689, Article 49 and Annex VIII](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports registration details, including deployer EU database registration for public authorities, national registration for Annex III point 2 systems, and the Annex VIII requirement to keep FRIA and DPIA summaries up to date where applicable.

## What must the FRIA contain?

Article 27 gives a concrete assessment list. The record should describe the deployer's process in which the high-risk AI system will be used, the intended period and frequency of use, the categories of natural persons and groups likely to be affected, and the specific risks of harm for those groups.

The FRIA must also describe how human oversight is implemented according to the instructions for use, and the measures to take if the risks materialise. Those measures include internal governance and complaint mechanisms, so the evidence should reach beyond legal sign-off into operating procedures.

- Process evidence: workflow map, intended purpose, provider instructions for use, and the deployer's use case.
- Use evidence: expected start, duration or period of use, frequency, countries or operating units, and whether this is a first use or a similar case relying on an earlier assessment.
- Affected-person evidence: natural-person categories, affected groups, dependency or vulnerability factors, and the decision or service the AI output influences.
- Risk evidence: specific fundamental-rights harms, provider Article 13 information considered, residual risks, and escalation criteria.
- Control evidence: human oversight procedure, complaint route, internal governance owner, operational playbook for risk materialisation, and approval record.

Sources for this answer:

- [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the required FRIA contents: deployer process, period and frequency, affected persons and groups, specific risks, human oversight, and measures for risk materialisation.
- [Regulation (EU) 2024/1689, Article 13](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the need to use provider instructions and information about intended purpose, performance limitations, foreseeable risks, and output interpretation when assessing deployer-side risk.
- [Regulation (EU) 2024/1689, Annex VIII Section C](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the practical evidence fields for deployer registration, including FRIA findings and DPIA summary fields that must be provided and kept up to date where Article 49(3) registration applies.

## How does FRIA connect to DPIA, notification, and registration?

The FRIA is not a replacement for a GDPR or law-enforcement data protection impact assessment. Article 27 says that where Article 27 obligations are already met through a DPIA under GDPR Article 35 or Directive (EU) 2016/680 Article 27, the FRIA complements that DPIA.

After performing the FRIA, the deployer must notify the market surveillance authority of the results by submitting the filled-out template referred to in Article 27. Separately, Article 49 requires public authorities, Union bodies, agencies, offices, or persons acting on their behalf to register their use of Annex III high-risk systems in the EU database, except Annex III point 2 systems, which are registered nationally.

- Link the DPIA and FRIA where personal-data risk and fundamental-rights risk overlap, but do not assume one automatically covers the other.
- Keep the market-surveillance authority notification proof with the completed Article 27 template once the FRIA is performed.
- For public-authority deployers, confirm Article 49 registration before putting the Annex III high-risk system into service or use.
- For law enforcement, migration, asylum, and border-control Annex III systems, expect restricted EU database registration rules under Article 49(4).
- For Annex III point 2 critical-infrastructure systems, route registration evidence to the national-level process described in Article 49(5).

Sources for this answer:

- [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the FRIA notification duty, DPIA complement rule, first-use rule, update rule, and AI Office template requirement.
- [Regulation (EU) 2024/1689, Article 49](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the EU database registration obligations for public-authority deployers, restricted sections for certain Annex III areas, and national registration for Annex III point 2 systems.
- [Regulation (EU) 2024/1689, Article 6 and Annex III](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the difference between Article 6(1) product-safety high-risk systems and Article 6(2) Annex III high-risk systems, including the Annex III areas relevant to FRIA scope.

## Primary sources

- [Regulation (EU) 2024/1689, Article 27](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal source for Article 27 FRIA scope, assessment contents, first-use rule, updates, authority notification, DPIA complement rule, and AI Office template.
  - Quote: "Fundamental rights impact assessment for high-risk AI systems"
- [AI Act Service Desk - Article 27](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Commission-hosted AI Act Explorer page used to verify the public Article 27 page and official article heading.
  - Quote: "Article 27: Fundamental rights impact assessment for high-risk AI systems"
- [Regulation (EU) 2024/1689, Article 6 and Annex III](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal source for Article 6(2) high-risk classification, Article 6(3) non-high-risk derogation, and the Annex III areas referenced by the FRIA trigger.
  - Quote: "High-risk AI systems referred to in Article 6(2)"
- [Regulation (EU) 2024/1689, Article 49 and Annex VIII](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal source for EU database and national registration rules, including deployer registration fields for FRIA and DPIA summaries.
  - Quote: "Information to be submitted by deployers of high-risk AI systems"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

