Article 83 of Regulation (EU) 2024/1689 — Fundamental rights of natural persons guaranteed in the Union. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 83 of Regulation (EU) 2024/1689 establishes a specific obligation for certain deployers of high-risk AI systems to conduct a fundamental rights impact assessment (FRIA) prior to deploying such systems. The provision targets deployers that are public bodies and certain private entities providing public services or exerting significant influence over individuals in areas enumerated under Annex III of the Regulation.
The assessment must identify and document the potential impact of the AI system on the fundamental rights guaranteed under the Charter of Fundamental Rights of the European Union, including but not limited to the right to human dignity, prohibition of discrimination, right to privacy, protection of personal data, right to an effective remedy, and rights of children. Deployers are required to register the outcome of the assessment in the EU database established under Article 71 before the system is put into service.
Article 83 further specifies that where a deployer is already required to carry out a Data Protection Impact Assessment (DPIA) under Article 35 of Regulation (EU) 2016/679 (GDPR), the fundamental rights impact assessment may be conducted in conjunction with the DPIA to reduce administrative duplication. The result must be communicated to the relevant national competent authority upon request, and the deployer must retain the documentation as part of its broader technical and organisational compliance records under this Regulation.
What This Means in Practice
Article 83 introduces a structured due-diligence obligation that moves beyond internal risk management and places fundamental rights protection at the centre of AI deployment decisions. In practice, any public authority — a municipality using an AI system to assess eligibility for social benefits, a public employment agency deploying an automated screening tool, or a law enforcement body using AI-assisted risk profiling — must, before going live, systematically assess which fundamental rights could be adversely affected and document the mitigations applied.
Private entities that provide services of a public nature — such as banks performing creditworthiness assessments, private healthcare platforms, or private operators running critical infrastructure — face the same requirement when their AI systems fall within the Annex III categories.
The assessment is not a one-off tick-box exercise. Deployers should establish a repeatable methodology, involve relevant internal stakeholders (legal, compliance, product, ethics), and consult affected communities or their representatives where feasible. The outcome must be registered in the EU AI Act database under Article 71, creating a public accountability trail.
Concretely, a regional government deploying an AI tool to prioritise home-care services for elderly citizens must analyse whether the system risks discriminating against persons based on age, disability, or ethnicity, document how the algorithm's outputs are reviewed by a human decision-maker, and register this analysis before the first automated recommendation is acted upon. Failure to conduct the assessment prior to deployment constitutes a compliance breach that national market surveillance authorities are empowered to investigate and sanction.
Key Obligations
- Conduct a fundamental rights impact assessment before deploying any high-risk AI system listed in Annex III, where the deployer is a public body or a private entity exercising public-service functions or significant influence over individuals in sensitive domains.
- Document the categories of fundamental rights potentially affected by the AI system, the likelihood and severity of impact, and the technical and organisational safeguards applied to mitigate those risks.
- Register the completed fundamental rights impact assessment in the EU database for high-risk AI systems established under Article 71, prior to putting the system into service.
- Where a GDPR Data Protection Impact Assessment is also required under Article 35 of Regulation 2016/679, coordinate or merge the two assessments to avoid duplication while ensuring both sets of requirements are fully addressed.
- Retain documentation of the assessment as part of the deployer's broader compliance record and make it available to competent national authorities upon request.
- Review and update the assessment whenever a significant change is made to the AI system's use case, deployment context, or the population of affected individuals, in line with the continuous monitoring obligations under Article 72.
Relationship to Other Articles
Article 83 is best understood as part of a cluster of deployer-facing obligations that together constitute the operational compliance layer of the EU AI Act. It builds directly on the definition of high-risk AI systems (Article 6 and Annex III) and on the general obligations imposed on deployers (Article 26), which establishes the baseline duty of care for entities putting high-risk systems into use.
The registration requirement in Article 83 connects to Article 71, which sets up the EU database for high-risk AI systems, making the assessment outcome accessible for regulatory oversight. Article 72 on post-market monitoring reinforces Article 83 by requiring deployers to track real-world performance, meaning the FRIA is not static but feeds into an ongoing compliance cycle.
Article 83 should also be read alongside Article 9 (risk management system), which governs providers' risk identification obligations, and Article 10 (data and data governance), as biased training data is frequently a root cause of fundamental rights violations. Finally, its relationship to GDPR Article 35 DPIA is explicitly acknowledged in the text, making coordination with data protection officers a practical necessity for most deployers.
Compliance Timeline
Regulation (EU) 2024/1689 entered into force on 1 August 2024 following publication in the Official Journal of the European Union. The Regulation applies in a phased manner:
- February 2025 — Prohibitions on unacceptable-risk AI practices (Title II) became applicable.
- August 2025 — Rules governing general-purpose AI models (Title VIII) became applicable.
- August 2026 — Obligations for high-risk AI systems under Annex III, including the Article 83 fundamental rights impact assessment duty, become applicable to newly placed or put-into-service systems. This is the primary applicability date for most deployers subject to Article 83.
- August 2027 — Transitional deadline for high-risk AI systems already placed on the market or put into service before August 2026; deployers relying on pre-existing systems must achieve full Article 83 compliance by this date.
Deployers within scope should not wait until August 2026 to begin building their FRIA methodology. Establishing processes, training compliance teams, and conducting preliminary impact mapping now ensures that registration in the Article 71 database can be completed on time and that operational deployment is not delayed by late-stage compliance gaps.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 83 requires deployers of high-risk AI systems listed in Annex III — when those systems are used in areas that may affect fundamental rights — to conduct a fundamental rights impact assessment before putting the system into use. This applies to public bodies and certain private entities operating in regulated domains such as credit scoring, employment, education, and law enforcement support.
The obligation applies to deployers that are public bodies, or private entities providing public services, as well as private deployers exercising significant influence over individuals in sensitive domains covered by Annex III. Small and micro enterprises may benefit from proportionality considerations, but the obligation is not automatically waived.
Article 83 applies to high-risk AI systems covered by Annex III. These provisions become applicable to newly placed systems from August 2026 (general Annex III systems) or August 2027 (systems already on the market before August 2026 under transitional arrangements), in line with the phased application schedule of Regulation 2024/1689.
The two assessments are complementary but distinct. Where the processing of personal data is involved, deployers are encouraged to conduct both assessments jointly or in a coordinated manner. The fundamental rights impact assessment under Article 83 has a broader scope, covering rights beyond data protection, such as non-discrimination, access to justice, and dignity.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.