Five questions that answer the most-asked EU AI Act compliance question: do you need a fundamental rights impact assessment (FRIA) under Article 27 before deploying your AI? The checker walks through the public-body branch, the explicit Annex III(5)(b) and (5)(c) branch, and the personal-guarantee carve-out for SME lending.
Source: Regulation (EU) 2024/1689 Article 27 on EUR-Lex. Self-assessment, not legal advice. Always consult a qualified lawyer in the relevant Member State before deployment.
Annex III covers biometrics, critical infrastructure, education, employment, essential services (credit, insurance, public benefits), law enforcement, migration, and justice. If your AI doesn't sit in any of these eight domains, Article 27 FRIA doesn't apply.
Article 27(1) sets a narrow scope. Two categories must run a FRIA before deploying a high-risk Annex III AI: (a) bodies governed by public law and private entities providing public services, and (b) deployers of Annex III(5)(b) creditworthiness AI or (5)(c) life/health insurance risk and pricing AI. HR AI under Annex III(4) is NOT directly in Article 27(1) scope unless you're also a public body or public-services provider, but Article 26 deployer obligations still apply.
Article 27(1) names six elements: the deployment context (intended purpose, frequency, duration), the categories of natural persons affected, the specific risks of harm to those persons, the human-oversight measures in place, the measures to be taken if risks materialise, and the mitigations beyond Article 26 baseline deployer obligations. The output is a written document signed off by the deployer and notified to the national market surveillance authority before deployment per Article 27(3).
A DPIA under GDPR Article 35 focuses on personal-data processing risks: data minimisation, security, retention, data-subject rights. A FRIA under EU AI Act Article 27 focuses on fundamental-rights risks more broadly: dignity, non-discrimination, fair trial, freedom of expression, worker rights, child rights. When an AI deployment triggers both, the assessments can run in parallel and share findings, but neither one substitutes for the other. The AI Office is expected to publish an aligned template that lets one document satisfy both regimes.
Article 27(2) requires the FRIA to be updated on any material change to the AI system or its deployment context. Material change includes a new training data source, a new affected user category, a new geographical scope, a change in the human-oversight model, or a vendor change. Retraining the same architecture on the same data, by itself, is not a material change. Light-touch monthly monitoring is good practice but not legally required.
Article 99(4) Tier 2 fines apply: up to EUR 15 million or 3% of global annual turnover, whichever is higher. National market surveillance authorities can also order the AI system off-market under Article 79 risk procedure. Civil liability under Member State law adds on top. The cleanest defensive move is: when in doubt about Article 27(1) scope, run the FRIA anyway. The work is largely useful documentation regardless.
The checker gives you the scope verdict. The article walks through the six things a FRIA must cover, how it differs from a GDPR DPIA, the Article 27(3) notification step, and how to scope a first FRIA without over-engineering it.