FRIA

like a DPIA but it also asks whether your AI might accidentally violate someone's human rights, which is apparently a question you're supposed to answer BEFORE deployment under the EU AI Act.

"we thought the DPIA covered everything. then someone read Article 27 and discovered we also need to assess impact on freedom of expression, non-discrimination, and human dignity. for a chatbot. that recommends shoes."
"our municipality deployed an AI system to prioritise housing applications. nobody asked whether ranking humans by algorithm might affect their right to non-discrimination. the ombudsman did though."
"i asked who was responsible for the FRIA. legal said it's a technical question. the AI team said it's a legal question. the ethics board said they're advisory only. the system went live while everyone was still pointing at each other."
Share this one
Canonical Definition

Fundamental Rights Impact Assessment. Required under EU AI Act Article 27 for deployers of high-risk AI systems that are public bodies, private entities providing public services, or entities deploying AI for credit scoring or life and health insurance. Evaluates impact on fundamental rights including non-discrimination, privacy, freedom of expression, human dignity, access to effective remedy, and rights of the child. Broader in scope than a DPIA: where a DPIA assesses data protection risk, a FRIA assesses the full spectrum of fundamental rights that may be affected by AI system deployment. Must be completed before the system is put into use and notified to the relevant market surveillance authority.

Why It Matters

The FRIA is the EU AI Act’s answer to a problem that existing regulation could not fully address: AI systems can violate fundamental rights in ways that do not involve personal data at all. A predictive policing algorithm that systematically over-patrols certain neighbourhoods may not process personal data in a way that triggers GDPR. But it affects freedom of movement, non-discrimination, and the presumption of innocence. A DPIA would not catch this. A FRIA is designed to.

The practical challenge is that fundamental rights assessments require expertise that most organisations do not have in-house. Data protection officers understand privacy. AI engineers understand models. But assessing whether an AI system might affect freedom of expression, access to justice, or the right to education requires a different analytical lens — one that looks at systemic effects, not individual data points.

The EU AI Act makes the FRIA mandatory for specified deployers, but even organisations not legally required to conduct one would benefit from the exercise. The fundamental rights lens reveals risks that risk registers built around confidentiality, integrity, and availability simply cannot see. It is the difference between asking “will this system break?” and asking “will this system harm?”

The Stress Test

Your municipality deploys an AI system to triage social services applications. The system prioritises cases based on urgency scores derived from historical data. A local advocacy group files a complaint alleging that the system systematically deprioritises applications from residents of specific postcodes — postcodes that correlate with ethnicity. The market surveillance authority asks for your FRIA.

You have a DPIA. It assessed the data protection aspects thoroughly. But it did not assess whether the urgency scoring model might produce discriminatory outcomes across protected characteristics. It did not evaluate whether the system’s deployment affects the right to equal treatment in social services. It did not consider whether individuals deprioritised by the algorithm have access to an effective remedy. The DPIA answered the data protection questions. The FRIA questions were never asked.

In the Wild

Systemic Failure — Netherlands, 2020
The Childcare Benefits Scandal: When Nobody Asked the Fundamental Rights Questions

The Dutch childcare benefits scandal (toeslagenaffaire) is the canonical case for why FRIAs matter. The tax authority’s fraud detection algorithm disproportionately flagged families with dual nationality for fraud investigation. Thousands of families were ordered to repay tens of thousands of euros in benefits, driving many into poverty and debt. The system had been operational for years. At no point did anyone formally assess whether the algorithm’s design and training data might produce discriminatory outcomes that violated the right to non-discrimination or the right to equal treatment.

The parliamentary inquiry concluded that there had been an “unprecedented injustice” and that institutional safeguards had failed at every level. The government resigned in January 2021.

A FRIA conducted before deployment would have required the question: “Does this system produce differential outcomes across protected characteristics?” The answer was yes. Nobody asked.

Emerging Practice — Canada, 2023
Canada's Algorithmic Impact Assessment: A FRIA Before It Had a Name

Canada’s Treasury Board Secretariat implemented the Algorithmic Impact Assessment (AIA) tool in 2019, requiring federal departments to assess the impact level of automated decision-making systems before deployment. The AIA evaluates systems across four impact levels based on factors including reversibility of decisions, impact on rights and freedoms, and the scope of affected populations. It is the closest operational precedent to the EU AI Act’s FRIA requirement. By 2023, over 200 federal AI projects had been assessed, with several high-impact systems requiring additional safeguards or being redesigned based on assessment results.

Canada proved that mandatory pre-deployment fundamental rights assessment is operationally feasible. The question for EU organisations is not whether it can be done, but whether they will be ready when it must be.

Guidance — FRA, 2024
EU Fundamental Rights Agency: FRIA Methodology for AI Systems

The EU Fundamental Rights Agency (FRA) published guidance on conducting fundamental rights assessments for AI systems, proposing a structured methodology that maps AI system characteristics to potentially affected rights under the EU Charter of Fundamental Rights. The methodology identifies 14 fundamental rights categories potentially affected by AI, provides assessment criteria for each, and recommends stakeholder consultation as a core component. The guidance emphasises that FRIAs must go beyond desk-based analysis to include consultation with affected communities — a requirement that significantly increases both the quality and the operational burden of the assessment.

The FRA methodology makes clear that a FRIA is not a form to fill in. It is a structured engagement with the people your system affects. That is why it works and why it is hard.

How to Govern It

A FRIA is not a compliance form. It is a structured confrontation with the question your organisation would rather not ask: could this system harm people?

Within the AI Control Index, FRIA governance operates across multiple layers and shields:

  • GRC (S1) — Evidence Factory manages the FRIA lifecycle: initial assessment, stakeholder consultation records, market surveillance authority notifications, periodic reviews, and version control. The FRIA is a living governance artifact.
  • Ethics & Fairness (L2) — Bias and fairness testing provides the quantitative inputs the FRIA needs. Contestability mechanisms ensure affected individuals can challenge AI decisions — operationalising the right to effective remedy.
  • Strategy (L1) — Gate controls prevent high-risk AI systems from progressing to deployment without a completed FRIA. The gate makes the FRIA mandatory in practice, not just in regulation.
  • Data (L6) — Data lineage and quality assessments feed the FRIA’s analysis of whether training data encodes historical biases that could produce discriminatory outcomes.
  • Observability (S4) — Post-deployment monitoring detects whether the system’s actual impact on fundamental rights matches the FRIA’s pre-deployment predictions, triggering reassessment when divergence is detected.

When It’s Relevant

Mandatory under the EU AI Act for deployers of high-risk AI systems who are public bodies, private entities providing public services, or entities using AI for credit scoring or life and health insurance risk assessment. Recommended for any organisation deploying AI in contexts where fundamental rights may be affected, regardless of legal obligation.

A FRIA is most critical when:

  • The AI system is used by or on behalf of a public authority
  • The system affects access to essential services (housing, healthcare, education, social benefits, financial services)
  • The system profiles, ranks, or scores individuals in ways that affect their opportunities
  • The system operates in law enforcement, border control, or judicial contexts
  • Historical data used for training may encode societal biases along protected characteristics

See this control in the framework. FRIA governance is operationalised across S1, L2, L1, L6, and S4 in the AI Control Index v6.0.

Open Framework →

Related Terms

References

  1. [1] European Parliament and Council of the European Union (2024) Regulation (EU) 2024/1689, Article 27: Fundamental Rights Impact Assessment for High-Risk AI Systems. Official Journal of the European Union.
  2. [2] European Union Agency for Fundamental Rights (2024) Fundamental Rights Impact Assessment for AI: A Methodology. FRA, Vienna.
  3. [3] Parlementaire ondervragingscommissie Kinderopvangtoeslag (2020) Ongekend Onrecht. Tweede Kamer der Staten-Generaal, The Hague, 17 December 2020.
  4. [4] Treasury Board of Canada Secretariat (2023) Algorithmic Impact Assessment Tool v2.1. Government of Canada, Ottawa.
  5. [5] Mantelero, A. (2018) ‘AI and Big Data: A Blueprint for a Human Rights, Social and Ethical Impact Assessment’, Computer Law & Security Review, 34(4), pp. 754–772. doi: 10.1016/j.clsr.2018.05.017.
  6. [6] European Commission (2021) Proposal for a Regulation laying down harmonised rules on Artificial Intelligence — Impact Assessment. SWD(2021) 84 final, Brussels.
  7. [7] Yeung, K. and Lodge, M. (2019) ‘Algorithmic Regulation: An Introduction’, in Yeung, K. and Lodge, M. (eds.) Algorithmic Regulation. Oxford: Oxford University Press, pp. 1–18.

AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens