
EU AI Act Article 27: What Is a Fundamental Rights Impact Assessment (FRIA) and Who Needs One?

Apr 30

Updated: May 1

The August 2026 deadline for high-risk AI deployers is approaching quickly, and most organizations haven't started yet.

 

A bank deploys an AI model to evaluate loan applications. It processes thousands of decisions a week. Productivity improves. The team is satisfied.


Eighteen months later, an internal audit flags something no one programmed or approved. Applicants from certain postal codes are being declined at a rate far above the statistical baseline. The pattern looks, unmistakably, like indirect discrimination.


Here is what makes this scenario so dangerous: the data processing was compliant. The model documentation was current. Every DPIA box was checked. The organization believed it had done everything right.


But it hadn't, because there is a category of risk their DPIA was never designed to catch. Under the EU AI Act, that gap has a name, the Fundamental Rights Impact Assessment (FRIA), and it comes with a legal deadline and a significant financial penalty attached.

 

What Is a Fundamental Rights Impact Assessment (FRIA)?

A Fundamental Rights Impact Assessment (FRIA) is a structured pre-deployment review required under Article 27 of the EU AI Act for certain deployers of high-risk AI systems. It goes live on August 2, 2026.


Where a Data Protection Impact Assessment (DPIA) focuses on data (what you collect, how you store it, and whether processing is lawful), a FRIA focuses on people: whether your system treats them fairly, whether it creates systemic disadvantage, and whether those affected by its decisions have a meaningful path to challenge them.


A FRIA requires you to answer five questions that your DPIA doesn’t:

  1. Which fundamental rights does this AI system affect?

  2. How might it compromise dignity, equality, privacy, or access to legal remedy?

  3. What happens to specific individuals when the system is wrong?

  4. Who is accountable for those outcomes, and what oversight exists?

  5. How can an affected person challenge a decision made about them?


These are the questions your customers, regulators, and board will ask after something goes wrong. The FRIA is where you prepare the answers before you need them.

 

Who Is Subject to Article 27?

The FRIA obligation applies to:

  • Public bodies deploying high-risk AI systems

  • Private organizations delivering public services, such as utilities, transport, or public infrastructure

  • Companies operating in regulated high-risk domains, including creditworthiness evaluation and life and health insurance pricing


If your organization falls into one of these categories and deploys a high-risk AI system as defined under Annex III of the EU AI Act, Article 27 applies to you.

 

FRIA vs. DPIA: Understanding the Difference

Most compliance teams assume their existing DPIA covers the territory. It covers part of it, and that assumption is precisely where the gap opens.


The bank in our opening scenario almost certainly had a compliant data processing record. The discrimination pattern its AI created had nothing to do with data storage and everything to do with what the model was optimizing for. A DPIA would not have caught it. A FRIA would have.


The EU AI Act permits deployers to combine a FRIA with an existing DPIA where there is overlap, but the FRIA must still address rights that a DPIA was never scoped to evaluate: non-discrimination, freedom of expression, access to justice, and the right to good administration.


A system can satisfy every data protection requirement and still produce outcomes that harm people in ways your existing compliance framework was never designed to detect.

 

The Cost of Non-Compliance

Regulators across Europe are building audit capacity to match the Act's enforcement timeline. The figures are not theoretical.


Non-compliance with Article 27 exposes organizations to fines of up to €30 million or 6% of global annual turnover, whichever is greater.


Beyond the financial penalty, regulators can order a system suspended pending remediation. For any organization where that system underpins a core business process, the operational disruption can significantly exceed the fine itself.


Organizations with documented FRIA processes will move through regulatory conversations quickly. Those without them will spend the first week of any inquiry explaining why the documentation does not exist.

 

Beyond Compliance: Why FRIAs Improve AI Systems

Most compliance teams treat the FRIA as a checkbox on a deployment checklist. That framing leaves significant value untouched.


A rigorous FRIA forces legal, HR, product, data science, and risk functions to sit in the same room and agree on what the system does, who it affects, and what acceptable risk looks like. That conversation surfaces assumptions teams have been carrying separately. It identifies edge cases that the technical team missed because they were evaluating performance, and nobody asked them to evaluate human impact.


Organizations that run FRIAs consistently report the same outcome: the process improves the AI system itself. Constraints get added before launch. Objective functions get adjusted. Oversight mechanisms are built in at the design stage rather than retrofitted under pressure.


The AI Act encourages stakeholder involvement, including affected groups, independent experts, and civil society, where appropriate. The organizations extracting the most value from FRIAs are treating this not as a documentation exercise but as a design review.

 

What You Need to Do Before August 2026

Article 27 takes effect on August 2, 2026, less than five months away. The AI Office will publish a FRIA template to support deployers, and organizations can draw on assessments already conducted by providers and combine FRIAs with existing DPIAs where genuine overlap exists.


The structural framework for compliance is already in place. The question is whether your team builds the process now, with sufficient runway to do it properly, or completes templates under regulatory pressure weeks before the deadline.


A practical starting point:

  • Identify which of your AI deployments fall under Annex III high-risk categories

  • Map the fundamental rights potentially affected by each system

  • Establish cross-functional ownership: legal, data science, HR, risk, and product

  • Review whether your existing DPIA documentation can serve as a foundation

  • Document your assessment, your findings, and your mitigations before go-live


Organizations that begin now will have something the others will not: a governance record that predates regulatory pressure. That matters more than most compliance teams currently appreciate.

 

Build Your FRIA Process with Archer

Archer helps organizations design FRIA processes that integrate with their broader AI governance and risk management frameworks, turning a regulatory requirement into a repeatable, auditable capability.

FAQs

What is a Fundamental Rights Impact Assessment (FRIA) under the EU AI Act?

A Fundamental Rights Impact Assessment (FRIA) is a mandatory evaluation required under Article 27 of the EU AI Act for certain high-risk AI systems. It identifies how an AI system may affect individuals’ fundamental rights, including privacy, non-discrimination, and access to justice. The FRIA must be completed before deployment and includes assessing risks, affected groups, and mitigation measures to ensure responsible AI use.

Who is required to conduct a FRIA under Article 27 of the EU AI Act?

A FRIA must be conducted by deployers of high-risk AI systems, specifically public sector organizations and private entities that provide public services. It also applies to certain use cases involving sensitive decision-making, such as credit scoring or insurance risk assessment. These organizations must complete the FRIA before first use and update it if the system or its use changes.

How is a FRIA different from a Data Protection Impact Assessment (DPIA)?

While a Data Protection Impact Assessment (DPIA) focuses on risks to personal data under GDPR, a FRIA has a broader scope. It evaluates the impact of AI systems on a wide range of fundamental rights, such as fairness, dignity, and non-discrimination. In some cases, a DPIA may complement a FRIA, but the FRIA specifically addresses the societal and ethical implications of AI deployment under the EU AI Act.

 
