Key facts

  • FRIA applies to specific deployers of high-risk AI, not all organisations using AI.
  • It focuses on impact to individuals' fundamental rights, not just technical risk.
  • Must be completed before the high-risk AI system is deployed.
  • Overlaps with, but is distinct from, a data protection impact assessment (DPIA).
  • Use the free AI risk register template to track FRIA obligations alongside other AI risk.

Who must carry out a FRIA

The EU AI Act requires a FRIA from certain deployers of high-risk AI systems, including public authorities and bodies governed by public law, private entities providing certain public services, and deployers using high-risk AI for creditworthiness assessment or life and health insurance risk pricing.

What a FRIA assesses

A FRIA looks specifically at the AI system's impact on individuals' fundamental rights — such as non-discrimination, privacy and access to essential services — rather than purely technical or operational risk. It requires describing the deployment context, the individuals likely affected, and the specific risks to their rights.

FRIA vs DPIA

A FRIA overlaps with a data protection impact assessment (DPIA) under GDPR but is not identical — a DPIA focuses on personal data protection risk, while a FRIA focuses more broadly on fundamental rights impact. Where both are required, they can often be conducted as a combined exercise to avoid duplication.

When it must be done

A FRIA must be completed before the high-risk AI system is deployed, not retrospectively. Where the deployment context changes materially, the assessment should be revisited.

Frequently asked questions

What is a Fundamental Rights Impact Assessment (FRIA)?

An EU AI Act requirement for certain deployers of high-risk AI to assess impact on individuals' fundamental rights before deployment.

Who has to carry out a FRIA?

Certain deployers of high-risk AI, including public bodies, private providers of certain public services, and those using AI for creditworthiness or insurance risk pricing.

Is a FRIA the same as a DPIA?

No — they overlap but are distinct. A DPIA focuses on data protection risk; a FRIA focuses more broadly on fundamental rights impact.

When must a FRIA be completed?

Before the high-risk AI system is deployed, and revisited if the deployment context changes materially.

Does a FRIA apply to all high-risk AI users?

No — it applies to specific categories of deployer defined in the EU AI Act, not to every organisation using high-risk AI.

Last updated 19 June 2026.