---
title: "EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence"
canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments"
source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments"
author: "Sorena AI"
description: "Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence."
published_at: "2026-05-09"
updated_at: "2026-05-17"
keywords:
  - "EU AI Act Article 27"
  - "FRIA"
  - "fundamental rights impact assessment"
  - "high-risk AI systems"
  - "Article 6(2)"
  - "Annex III"
  - "AI Act registration"
  - "DPIA"
  - "EU AI Act"
  - "Article 27 FRIA"
  - "AI system registration"
---

# EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence

Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.


## EU AI Act FRIA and high-risk impact assessments

A practical guide to when Article 27 requires a fundamental rights impact assessment for high-risk AI systems and what evidence the deployer should be ready to show.

Covers Article 6(2) and Annex III classification, the critical-infrastructure carveout, deployer categories, DPIA overlap, authority notification, and EU database registration records.

Under EU AI Act Article 27, a FRIA is not a generic AI risk memo. It is a pre-deployment fundamental rights impact assessment for specific deployers using high-risk AI systems covered by Article 6(2), with a carveout for Annex III point 2 critical infrastructure systems. The assessment must describe the actual deployment context, affected people, likely fundamental-rights harms, human oversight, mitigation, governance, and complaint routes.

## When Article 27 requires a FRIA

Article 27 is triggered before deployment of a high-risk AI system referred to in Article 6(2), meaning an AI system listed in Annex III. The article excludes high-risk AI systems intended for the critical-infrastructure area listed in Annex III point 2.

The deployer must be in one of the covered categories: a body governed by public law, a private entity providing public services, or a deployer of Annex III point 5(b) or 5(c) systems. Point 5(b) covers systems used to evaluate the creditworthiness of natural persons or establish a credit score, except systems used to detect financial fraud. Point 5(c) covers risk assessment and pricing for natural persons in life and health insurance.

- Start with the Article 6(2) question: is the system listed in Annex III rather than only product-safety high-risk under Article 6(1)?
- Check the Annex III point: point 2 critical infrastructure is carved out of Article 27 and has national-level registration treatment under Article 49.
- Identify the deployer category: public-law body, private public-service provider, creditworthiness or credit-score deployer, or life/health insurance risk-pricing deployer.
- Treat the FRIA as a pre-deployment requirement for the first use of the covered high-risk AI system, not as a post-launch audit.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the Article 27 trigger, the Article 6(2) link to Annex III, and the Annex III point 2 critical-infrastructure carveout.
- [AI Act Service Desk - Article 27 fundamental rights impact assessment](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Commission Service Desk presentation of Article 27, including deployer categories and the assessment summary.

## How Article 6(2), Article 6(3), and Annex III affect the assessment

Article 6(2) says AI systems referred to in Annex III are high-risk. Article 6(3) then creates a route for an Annex III system not to be treated as high-risk where it does not pose a significant risk of harm to health, safety, or fundamental rights, including by not materially influencing decision-making.

That Article 6(3) route is evidence-heavy. The provider must document the assessment before the system is placed on the market or put into service, and the provider is subject to Article 49(2) registration. A system listed in Annex III always remains high-risk when it performs profiling of natural persons.

- Record the exact Annex III area and subpoint, such as education, employment, essential services, law enforcement, migration, justice, or democratic processes.
- If relying on Article 6(3), keep the provider's documented non-high-risk assessment and the Article 49(2) registration evidence.
- Do not use Article 6(3) to downgrade an Annex III system that performs profiling of natural persons.
- For Annex III point 2 critical infrastructure, keep the classification evidence even though these systems are treated differently for the Article 27 FRIA and for EU database registration under Article 49.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports Article 6(2), Article 6(3), the documentation requirement for non-high-risk conclusions, and the profiling exception.
- [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Provides Commission context for the AI Act's risk-based approach and examples of high-risk use cases.

## What the Article 27 FRIA must contain

The FRIA should be written around the deployer's real process, not around the vendor's general product description. Article 27 requires the deployer to assess the impact on fundamental rights that the use of the high-risk system may produce in the specific deployment context.

The required record should connect provider information under Article 13 with deployer facts: where the system is used, how often, who is affected, what harms may occur, how human oversight operates, and what happens if a risk materialises.

- Describe the deployer's process in which the high-risk AI system will be used, aligned to the system's intended purpose.
- State the period of time and frequency with which each high-risk AI system is intended to be used.
- Identify the categories of natural persons and groups likely to be affected in the specific context.
- Describe specific risks of harm to those people or groups, taking into account the provider information given under Article 13.
- Describe implementation of human oversight measures according to the instructions for use.
- Define measures for materialised risks, including internal governance and complaint mechanisms.

Sources for this answer:

- [AI Act Service Desk - Article 27 fundamental rights impact assessment](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Lists the Article 27 assessment contents for use, duration, affected groups, risks, oversight, and mitigation.
- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for the six Article 27 FRIA content elements and the link to Article 13 provider information.

## DPIA overlap, notification, and updates

Article 27 does not supersede a data protection impact assessment. If an Article 27 obligation is already met through a DPIA under GDPR Article 35 or Law Enforcement Directive Article 27, the FRIA must complement that DPIA.

After completing the FRIA, the deployer must notify the market surveillance authority of the results by submitting the filled-out Article 27 template. Article 27 also limits the obligation to the first use, while requiring updates when relevant assessment elements have changed or are no longer current.

- Reuse DPIA analysis only for obligations it actually satisfies; keep separate FRIA coverage for fundamental-rights impacts beyond data protection.
- Keep the DPIA summary, FRIA summary, Article 13 provider information, instructions for use, oversight design, and complaint mechanism together.
- Submit the filled-out Article 27 template to the market surveillance authority unless a specific Article 46(1) exemption applies.
- Set update triggers for changes to process, use period or frequency, affected groups, risk profile, oversight measures, governance, or complaint mechanisms.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Supports the Article 27 first-use rule, update rule, notification requirement, and DPIA complement rule.
- [AI Act Service Desk - Article 27 fundamental rights impact assessment](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Confirms the Service Desk summary that the assessment is required for first use, must be updated if changes occur, and complements existing DPIAs.

## Registration evidence to keep with the FRIA

FRIA evidence and registration evidence should be tied together because Article 49 and Annex VIII require registration information for certain high-risk AI systems and deployer uses. Public authorities, Union institutions, bodies, offices or agencies, and persons acting on their behalf must register before putting into service or using an Annex III high-risk AI system, except Annex III point 2 critical infrastructure systems.

Annex VIII Section C specifies deployer registration information, including the deployer's details, the submitter's details, the provider's EU database entry URL, a summary of the FRIA findings, and a summary of the DPIA where applicable.

- For provider-side registration, keep the provider's EU database entry, intended-purpose description, status, Member States, declaration of conformity, instructions for use, and certificate details where applicable.
- For deployer-side registration, keep the deployer contact details, submitter details, provider database URL, FRIA findings summary, and DPIA summary where applicable.
- For law enforcement, migration, asylum, and border-control systems in Annex III points 1, 6, and 7, note that Article 49 uses a secure non-public section of the EU database.
- For Annex III point 2 critical infrastructure systems, Article 49 says registration is at national level rather than the EU database route described for other Annex III systems.

Sources for this answer:

- [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Supports Article 49 registration duties, the Annex III point 2 exception, secure non-public sections, and national-level registration for critical infrastructure systems.
- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text for Article 49 and Annex VIII registration fields, including deployer FRIA and DPIA summaries.


## Primary sources

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj?ref=sorena.io) - Primary legal text used for Article 6 high-risk classification, Annex III categories, Article 27 FRIA duties, Article 49 registration, and Annex VIII registration fields.
  - Quote: "Fundamental rights impact assessment for high-risk AI systems"
- [AI Act Service Desk - Article 27 fundamental rights impact assessment](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-27?ref=sorena.io) - Commission Service Desk article page used for the Article 27 FRIA trigger, required contents, update rule, notification, and DPIA relationship.
  - Quote: "The assessment complements existing data protection impact assessments."
- [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Commission Service Desk article page used for provider and deployer registration duties and the Annex III critical-infrastructure registration carveout.
  - Quote: "Providers must register themselves and their systems in the EU database"
- [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission policy page used for public context on the AI Act's risk-based approach and high-risk AI use-case examples.
  - Quote: "The AI Act defines 4 levels of risk for AI systems"



