Article 27 of Regulation (EU) 2024/1689 — Fundamental rights impact assessment for high-risk AI systems. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 27 of Regulation (EU) 2024/1689 establishes an obligation for certain deployers of high-risk AI systems to conduct a fundamental rights impact assessment (FRIA) before putting such systems into service. The obligation applies to deployers that are bodies governed by public law as defined in Directive 2014/24/EU, and to deployers that are private entities providing services of a public nature — specifically in the areas of banking, insurance, healthcare, education and vocational training, employment and workers management, and administration of critical infrastructure.
The assessment must be conducted prior to deployment and must cover the following elements: a description of the deployer's processes in which the high-risk AI system will be used and their purpose; the categories of natural persons and groups likely to be affected; the specific fundamental rights risks that may result from the use; the concrete measures the deployer intends to implement to mitigate those risks; an indication of whether grievance or redress mechanisms exist; and, where applicable, a description of the impact on children.
Deployers covered by the obligation must also notify the relevant market surveillance authority before deploying certain categories of high-risk AI systems enumerated in Annex III. The assessment must draw on information provided by the provider pursuant to Article 13 and must be documented and kept available for competent authorities.
What This Means in Practice
For organisations within scope, Article 27 requires a structured, documented process before any high-risk AI system goes live. This is not a one-time checkbox exercise — the FRIA must reflect the actual deployment context and be revisited when that context changes materially.
A public hospital deploying an AI-assisted diagnostic or triage system must assess which patient groups could be disproportionately affected, what rights are at stake (dignity, non-discrimination, access to healthcare), and what safeguards exist if the system produces incorrect recommendations. A local authority using an AI system for benefits eligibility screening must identify risks to the right to social protection and due process, and document how human oversight will function in practice.
Private entities providing public-facing financial services — such as credit-scoring or insurance underwriting platforms — fall within scope if they qualify as deployers of Annex III high-risk systems. A fintech company using an AI model to assess loan applications must map the demographic groups exposed to algorithmic decisions, evaluate the risk of discriminatory outcomes, and establish a documented redress pathway.
Practically, deployers should build the FRIA into their existing data protection impact assessment (DPIA) workflows under GDPR where relevant, since Article 27(4) explicitly allows the two assessments to be conducted jointly. Organisations should designate a responsible owner for the assessment, use the provider's technical documentation and instructions for use as inputs, and create a versioned record that can be produced for supervisory authorities on demand.
Key Obligations
- Conduct a fundamental rights impact assessment before deploying any high-risk AI system within the deployer's scope, covering the intended use, affected persons, identified risks, and planned mitigations.
- Document the assessment in writing and retain it for inspection by competent authorities and market surveillance authorities upon request.
- Notify the relevant market surveillance authority prior to deployment where required by the specific category of high-risk AI system listed in Annex III.
- Use the information and instructions for use provided by the AI system's provider under Article 13 as a mandatory input to the assessment.
- Update the assessment when the deployment context changes significantly, including changes in the categories of persons affected, the purpose of use, or the risk profile of the system.
- Where a data protection impact assessment under Article 35 GDPR is also required, the two assessments may be conducted jointly to reduce administrative burden, provided all elements of both are covered.
Relationship to Other Articles
Article 27 sits within Chapter 3 of Title III, which distributes obligations between providers and deployers. It should be read alongside Article 26 (obligations of deployers generally), which establishes the broader duty of deployers to use high-risk systems in accordance with the provider's instructions and to implement human oversight. The FRIA draws directly on the information the provider is required to supply under Article 13 (transparency and provision of information to deployers) and Article 16(d) (provider obligation to draw up technical documentation).
Article 27(4) creates a direct procedural link to the GDPR: where a DPIA under Article 35 of Regulation (EU) 2016/679 is also required, the two assessments may be merged. This connection is particularly relevant for deployers processing personal data, which will be the case in most regulated contexts covered by Annex III.
Article 27 also connects to Article 72 (market surveillance) and Article 74 (access to data), as the completed assessment must be available to competent authorities exercising supervisory functions.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024 (twenty days after publication in the Official Journal on 12 July 2024). Its provisions apply in phases:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
- 2 August 2025 — Obligations relating to general-purpose AI models (Title VIII, Chapter 2) and governance provisions became applicable.
- 2 December 2026 — Obligations for high-risk AI systems listed in Annex I (product safety legislation) become applicable.
- 2 August 2027 — Obligations for high-risk AI systems listed in Annex III (standalone high-risk systems, including those most likely to trigger Article 27 FRIAs in areas such as employment, education, biometric identification, and access to public services) become applicable.
Article 27 falls within the high-risk deployer obligations framework and therefore becomes enforceable on 2 August 2027 for Annex III systems, and 2 December 2026 for Annex I systems. Deployers should not wait until these deadlines: building FRIA processes now allows organisations to identify and remediate fundamental rights risks before enforcement begins and to align assessments with ongoing GDPR DPIA programmes.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Status | Legal basis |
|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | active | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | active | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | active | AI Act Art. 57 |
Frequently Asked Questions
Which deployers are required to conduct a fundamental rights impact assessment?
Article 27 applies specifically to deployers of high-risk AI systems that are bodies governed by public law, or private entities providing public services such as banking, insurance, healthcare, or education. Not all deployers are covered: private companies operating purely in commercial contexts without a public service dimension are generally outside the scope of this specific obligation, though they remain subject to other deployer obligations under the AI Act.
When must the assessment be carried out?
The assessment must be conducted before deploying the high-risk AI system. It is a pre-deployment obligation, meaning the deployer must carry out and document the assessment prior to putting the system into use. It should be updated when there are significant changes to the deployment context or the system's use.
How does the FRIA differ from the conformity assessment?
The conformity assessment under Article 43 is conducted by or on behalf of the provider to verify that the AI system meets the technical requirements of Chapter 2 before market placement. The FRIA under Article 27 is conducted by the deployer to assess the concrete impact on fundamental rights in the specific deployment context. They are complementary: the conformity assessment addresses the system's intrinsic compliance, while the FRIA addresses real-world impact on individuals in a given use case.
Does the assessment have to be audited externally?
Article 27 does not explicitly mandate external auditing. The assessment may be completed internally by the deployer. However, deployers must notify the relevant market surveillance authority before deployment in certain cases, and the documented assessment must be made available to competent authorities upon request. Involving external expertise is best practice, particularly for complex or sensitive deployment contexts.
What information from the provider must feed into the assessment?
Deployers must use the information made available by the provider under Article 13 (transparency and provision of information) and the instructions for use. Providers are required to supply sufficient information about the system's intended purpose, capabilities, limitations, and risks to enable deployers to conduct a meaningful assessment of fundamental rights impacts.