FRIA – The Compliance Tool for Companies Using High-Risk AI Systems

Regulation (EU) 2024/1689 on artificial intelligence (AI Act) introduces, in certain situations, the obligation to perform a fundamental rights impact assessment, known as FRIA (Fundamental Rights Impact Assessment). This obligation is set forth in Article 27 of the AI Act and must be fulfilled before the implementation of certain high-risk AI systems.

What is a FRIA

A FRIA is an assessment through which the implementer of an AI system analyzes the impact that its use may have on the fundamental rights of individuals affected by the system. Its purpose is to identify, anticipate, and manage the risks that may arise when an AI system is used in sensitive contexts, such as recruitment, education, public services, lending, insurance, or other areas where AI-assisted decisions can have significant effects on individuals.

The FRIA is not a purely technical analysis of the AI system, but a legal and operational assessment of how the system is actually used: who may be affected, what rights may be impacted, what risks exist, and what measures must be taken to prevent or mitigate them.

To whom does the obligation apply?

The obligation to conduct a FRIA falls on the implementers of certain high-risk AI systems. For the purposes of the AI Act, the implementer is the entity that uses an AI system under its authority in the course of a professional activity.

Thus, the obligation applies to:

1. public-law entities and private organizations that provide public services, before using high-risk AI applications, with the exception of systems in the critical infrastructure sector;

2. implementers of high-risk AI systems used to assess the solvency of individuals or determine credit scores, with the exception of systems used to detect financial fraud;

3. implementers of AI systems used for risk assessment and pricing in life and health insurance.

High-risk AI systems to which the FRIA may apply, depending on the status of the implementer and the field of use, primarily include: biometric identification, biometric classification, or emotion recognition systems; systems used in education and vocational training; systems used in recruitment, selection, workforce management, or access to self-employment; systems regarding access to essential private services, essential public services, and benefits; systems used in law enforcement; systems in the field of migration, asylum, and border control; as well as systems used in the administration of justice and democratic processes.

What FRIA Entails

A FRIA must include at least: a description of the processes in which the AI system will be used; the duration and frequency of use; the categories of individuals or groups that may be affected; the specific risks of harm to them; how human oversight is ensured; and the measures that will be taken if risks materialize, including internal governance mechanisms and mechanisms for handling claims.

This requirement applies upon the first use of the system. In similar cases, the implementer may rely on previous assessments or existing assessments provided by the supplier, but must update the assessment if the relevant elements change or are no longer current. After completing the assessment, the implementer notifies the market surveillance authority by submitting the completed template to be developed by the AI Office. If certain aspects are already covered by a data protection impact assessment, the FRIA supplements it, without replacing it.

How HUDERIA Can Help

A useful tool for structuring a FRIA is HUDERIA, the Council of Europe’s methodology for evaluating the risks and impacts of AI systems from the perspective of human rights, democracy, and the rule of law. HUDERIA is a non-mandatory tool and does not replace the requirements of the AI Act. However, it can be used as a complementary tool, serving as a practical method for identifying, assessing, and managing risks.

HUDERIA has four components: COBRA (context-based risk analysis), the stakeholder engagement process, risk and impact assessment, and the risk mitigation plan. When preparing a FRIA, the main focus can be placed on COBRA, as it helps organizations collect and map relevant information regarding the context of use, design, development, and deployment of the AI system, in order to identify risks to human rights, democracy, and the rule of law.

Conclusions

The FRIA is becoming an essential compliance tool for organizations using high-risk AI systems in sensitive contexts. For businesses, this means that the use of AI must be documented, justified, and accompanied by concrete measures for control, oversight, and remediation. HUDERIA can support this process through a structured methodology, particularly via the COBRA component, providing a practical framework for identifying risks and preparing a FRIA that is coherent and adapted to the actual context of use.

Authors: Ioana Chiper Zah & Tatiana Țapu
