Article 27 — Fundamental Rights Impact Assessment (FRIA)
Last updated: 24 May 2026 · 6 min read
Certain deployers of high-risk AI systems must conduct a FRIA before deployment. Audact's planned Assurance Pack Generator is designed to auto-create draft FRIA documentation.
Required FRIA before first deployment
Applies to in-scope deployers only; document scope, risks and mitigations.
Public-sector + designated private deployers
Includes credit, insurance, education, employment.
FRIA Auto-Generator (patent-pending)
Planned: pre-filled per vertical and jurisdiction.
Assurance Pack Generator (roadmap)
Planned PDF export for DPA submission.
What is a FRIA?
A Fundamental Rights Impact Assessment is a structured analysis a deployer must produce before placing a high-risk AI system in use. The assessment describes the system's intended purpose, context of use, categories of persons likely to be affected, specific risks of harm to fundamental rights (including discrimination, privacy, dignity and access to services), the mitigations in place, and the human-oversight arrangements.
The output must be notified to the relevant market surveillance authority on deployment and re-run whenever there is a material change in purpose, scope or risk profile.
Who must complete a FRIA
Article 27 applies to public-sector deployers and to private entities providing public services. It also reaches certain high-impact private deployments — including credit scoring, insurance underwriting, employment and access to essential services — when those uses are listed in Annex III as high-risk. Even where Article 27 itself does not bite, Article 26 deployer obligations and an underlying DPIA (GDPR Article 35) frequently do.
How Audact covers FRIA
- Auto-generated from configuration— the planned Assurance Pack Generator is designed to turn your policy bundle, vertical, and jurisdiction into a draft FRIA pre-filled with affected persons, risk categories and standard mitigations.
- Tied to live evidence— risk indicators are designed to link to actual incident records, policy verdicts and disclosure attestations from the evidence chain — not aspirational claims.
- PDF-ready for DPA submission— final FRIA exports are planned to include cryptographic checksums so the authority can verify integrity of the underlying evidence.
Frequently asked questions
What is a Fundamental Rights Impact Assessment?
Article 27 of the EU AI Act requires certain deployers of high-risk AI systems to conduct a Fundamental Rights Impact Assessment (FRIA) before putting the system into use, covering the system's purpose, affected persons, risks to fundamental rights and mitigation measures.
Who must carry out a FRIA?
Public-sector deployers and private entities providing public services, plus certain categories of private deployers using high-risk AI systems (e.g. credit-scoring, insurance pricing). The data protection authority must be notified of the outcome.
Does Audact generate FRIA documentation?
On the roadmap: the planned Assurance Pack Generator is designed to produce a FRIA template pre-filled from the deployer's policy configuration, vertical, jurisdiction and evidence chain — exportable as a PDF for DPA submission.
When does the FRIA obligation apply?
Article 27 applies from 2 August 2026, alongside the rest of the EU AI Act high-risk regime. FRIA must be completed before first use of the AI system and updated whenever the use case materially changes.
Next steps
Generating a sample FRIA from a sandbox deployment is on the roadmap. Read the Assurance Pack product overview, or talk to us about early access.
Disclaimer:This page is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific compliance obligations.