A practical guide to when Article 27 requires a fundamental rights impact assessment for high-risk AI systems and what evidence the deployer should be ready to show.
Covers Article 6(2) and Annex III classification, the critical-infrastructure carveout, deployer categories, DPIA overlap, authority notification, and EU database registration records.
Structured answer sets in this page tree.
Cited legal and guidance references.
Under EU AI Act Article 27, a FRIA is not a generic AI risk memo. It is a pre-deployment fundamental rights impact assessment for specific deployers using high-risk AI systems covered by Article 6(2), with a carveout for Annex III point 2 critical infrastructure systems. The assessment must describe the actual deployment context, affected people, likely fundamental-rights harms, human oversight, mitigation, governance, and complaint routes.
Article 27 is triggered before deployment of a high-risk AI system referred to in Article 6(2), meaning an AI system listed in Annex III. The article excludes high-risk AI systems intended for the critical-infrastructure area listed in Annex III point 2.
The deployer must be in one of the covered categories: a body governed by public law, a private entity providing public services, or a deployer of Annex III point 5(b) or 5(c) systems. Point 5(b) covers systems used to evaluate the creditworthiness of natural persons or establish a credit score, except systems used to detect financial fraud. Point 5(c) covers risk assessment and pricing for natural persons in life and health insurance.
Article 6(2) says AI systems referred to in Annex III are high-risk. Article 6(3) then creates a route for an Annex III system not to be treated as high-risk where it does not pose a significant risk of harm to health, safety, or fundamental rights, including by not materially influencing decision-making.
That Article 6(3) route is evidence-heavy. The provider must document the assessment before the system is placed on the market or put into service and is subject to Article 49(2) registration. A system listed in Annex III remains always high-risk when it performs profiling of natural persons.
The FRIA should be written around the deployer's real process, not around the vendor's general product description. Article 27 requires the deployer to assess the impact on fundamental rights that the use of the high-risk system may produce in the specific deployment context.
The required record should connect provider information under Article 13 with deployer facts: where the system is used, how often, who is affected, what harms may occur, how human oversight operates, and what happens if a risk materialises.
Article 27 does not supersede a data protection impact assessment. If an Article 27 obligation is already met through a DPIA under GDPR Article 35 or Law Enforcement Directive Article 27, the FRIA must complement that DPIA.
After completing the FRIA, the deployer must notify the market surveillance authority of the results by submitting the filled-out Article 27 template. Article 27 also limits the obligation to the first use, while requiring updates when relevant assessment elements have changed or are no longer current.
FRIA evidence and registration evidence should be tied together because Article 49 and Annex VIII require registration information for certain high-risk AI systems and deployer uses. Public authorities, Union institutions, bodies, offices or agencies, and persons acting on their behalf must register before putting into service or using an Annex III high-risk AI system, except Annex III point 2 critical infrastructure systems.
Annex VIII Section C specifies deployer registration information, including the deployer's details, the submitter's details, the provider's EU database entry URL, a summary of the FRIA findings, and a summary of the DPIA where applicable.
No. Article 27 applies to covered deployers before using a high-risk AI system referred to in Article 6(2), with an express exception for Annex III point 2 critical infrastructure systems. It does not apply merely because a system is high-risk under Article 6(1).
Only partly. Article 27 says obligations already met through a DPIA under GDPR Article 35 or Law Enforcement Directive Article 27 do not need to be duplicated, but the FRIA must complement the DPIA for the remaining fundamental-rights assessment.
The deployer should have the completed Article 27 template, deployment-process description, use period and frequency, affected categories of people, harm-risk analysis, human oversight description, mitigation and complaint arrangements, and any linked DPIA summary.
Sorena can help translate Article 27 scope, Article 6(2) classification, DPIA overlap, notification, and registration evidence into a deployer-ready assessment pack.
Ask source-linked questions about Article 27 FRIA scope, Annex III classification, DPIA overlap, and registration evidence using the cited sources on this page.
Check whether your high-risk AI deployment record has the required FRIA contents, update triggers, authority notification, and registration evidence.
"must be updated if changes occur"
"Certain high-risk AI systems used in the area of critical infrastructure are registered at the national level."
"AI use cases that can pose serious risks to health, safety or fundamental rights"
"A summary of the findings of the fundamental rights impact assessment"