Key facts
- FRIA applies to specific deployers of high-risk AI, not all organisations using AI.
- It focuses on the impact on individuals' fundamental rights, not just technical risk.
- Must be completed before the high-risk AI system is deployed.
- Overlaps with, but is distinct from, a data protection impact assessment (DPIA).
- Use the free AI risk register template to track FRIA obligations alongside other AI risks.
Who must carry out a FRIA
The EU AI Act requires a FRIA from certain deployers of high-risk AI systems, including public authorities and bodies governed by public law, private entities providing certain public services, and deployers using high-risk AI for creditworthiness assessment or life and health insurance risk pricing.
What a FRIA assesses
A FRIA looks specifically at the AI system's impact on individuals' fundamental rights — such as non-discrimination, privacy and access to essential services — rather than purely technical or operational risk. It requires describing the deployment context, the individuals likely affected, and the specific risks to their rights.
FRIA vs DPIA
A FRIA overlaps with a data protection impact assessment (DPIA) under GDPR but is not identical — a DPIA focuses on personal data protection risk, while a FRIA focuses more broadly on fundamental rights impact. Where both are required, they can often be conducted as a combined exercise to avoid duplication.
When it must be done
A FRIA must be completed before the high-risk AI system is deployed, not retrospectively. Where the deployment context changes materially, the assessment should be revisited.
Frequently asked questions
What is a Fundamental Rights Impact Assessment (FRIA)?
An EU AI Act requirement for certain deployers of high-risk AI to assess impact on individuals' fundamental rights before deployment.
Who has to carry out a FRIA?
Certain deployers of high-risk AI, including public bodies, private providers of certain public services, and those using AI for creditworthiness or insurance risk pricing.
Is a FRIA the same as a DPIA?
No — they overlap but are distinct. A DPIA focuses on data protection risk; a FRIA focuses more broadly on fundamental rights impact.
When must a FRIA be completed?
Before the high-risk AI system is deployed, and revisited if the deployment context changes materially.
Does a FRIA apply to all high-risk AI users?
No — it applies to specific categories of deployer defined in the EU AI Act, not to every organisation using high-risk AI.
Last updated 19 June 2026.