Starting August 2, 2026, the EU AI Act becomes enforceable. For organizations deploying high-risk AI systems in Europe, that means one new mandatory requirement: a Fundamental Rights Impact Assessment, or FRIA.
If you work in data protection or information security, your immediate question is practical: How does this differ from a DPIA? Do I run both? The short answer is that a FRIA follows familiar DPIA logic, but it’s wider in scope. Rather than focusing only on privacy and personal data, it examines how a specific AI system might harm non-discrimination, access to justice, labor rights and a half-dozen other fundamental rights enshrined in the EU Charter.
For most DPOs and security teams, the FRIA is new territory. But it’s not alien territory: the framework builds on what you already know.
The Timeline: August 2, 2026 Is Closer Than You Think
The EU AI Act has been phased in since early 2024, with rules for high-risk systems becoming mandatory on August 2, 2026. That enforcement date applies to deployers of high-risk AI systems anywhere in the EU, regardless of whether the system itself is built or hosted in Europe.
Deployers, not just providers, are the regulated actors. If you buy an off-the-shelf AI tool, implement it in your HR workflow, or deploy a third-party model in your organization, you are the deployer. And if that system falls into one of the Annex III categories, you must conduct a FRIA before or immediately upon deployment.
This is not optional. The fines for breaching the AI Act start at EUR 6 million or 1.5% of global turnover, whichever is higher.
What the AI Act FRIA Actually Requires
A Fundamental Rights Impact Assessment is a documented analysis of how deploying a specific AI system could affect the fundamental rights of affected persons and groups. The EU AI Act does not define a single FRIA template, but Article 27 sets out the mandatory components.
First, describe the deployment context. Where, exactly, will this system be used? In employment decisions? In loan approvals? In law enforcement? Who uses it and who is affected by its outputs?
Second, identify the affected persons and groups. This goes beyond “data subjects” in GDPR terms. It includes anyone whose fundamental rights could be impacted. Someone denied access to a service because of an AI system, someone misidentified by facial recognition, someone excluded from a job application because of algorithmic filtering. All of these are affected persons.
Third, perform a risk assessment per fundamental right. The EU Charter lists dozens, but in practice, the ones that appear in AI Act guidance most often are privacy, non-discrimination, freedom of expression, rights of the child, right to work, access to justice and essential services, and transparency. For each applicable right, what could go wrong? What’s the probability? What’s the severity?
Fourth, describe mitigation measures. If there’s a risk of discriminatory outcomes, what technical, procedural or organizational safeguards do you have in place? How do you monitor for bias? Who audits the system’s decisions?
Finally, the FRIA must be signed off by someone with decision-making authority. This is not a compliance checkbox. It’s a statement of governance.
Which Organizations Need a FRIA
Not all AI systems trigger a FRIA. Only high-risk systems do. The EU AI Act defines high-risk AI as systems used in specific domains listed in Annex III:
- Recruitment and hiring: Using AI to filter CVs, conduct automated interviews, or assess candidates.
- Employment: AI that manages scheduling, performance reviews, or discipline decisions.
- Education: Systems that assess students, track attendance, or allocate educational resources.
- Law enforcement: Facial recognition for investigation, predictive policing, or evidence analysis.
- Migration and asylum: AI that categorizes asylum seekers or predicts immigration fraud.
- Access to essential services: AI that determines eligibility for loans, insurance, housing, utilities, or health services.
- Critical infrastructure: AI that manages power grids, water systems, transport networks.
- Biometric identification: Real-time facial recognition in public spaces, or any automated biometric matching system.
If your organization deploys AI in any of these areas, the FRIA requirement applies to you.
The DPIA-FRIA Relationship: Not Redundant, but Overlapping
This is the question every DPO is asking: Do I now run two separate assessments?
Not necessarily. In fact, if your AI system processes personal data in a way that triggers a Data Protection Impact Assessment under Article 35 GDPR, you’re already obligated to run a DPIA. The FRIA and DPIA share structural similarities. Both require you to identify risks, assess impacts and document mitigation measures. Both demand governance sign-off.
The EU has acknowledged this overlap. Many organizations can combine the FRIA and DPIA into a single unified assessment document. The trick is ensuring that the combined assessment covers both privacy-specific risks (Article 35 GDPR) and the wider fundamental rights risks (Article 27 EU AI Act).
Where they differ: a DPIA focuses narrowly on personal data processing risks. A FRIA is broader. It covers non-privacy harms like discrimination, exclusion from services, or violation of labor rights. If your AI system could deny someone access to credit or work, the FRIA addresses that harm even if the system processes no personal data (though in practice, most high-risk AI systems do process personal data).
The practical implication is straightforward. Your existing DPIA process becomes the foundation, but you expand it to include fundamental rights risks beyond privacy.
What Your Organization Should Do Now
Here’s a checklist for DPOs, CISOs and AI governance teams before August 2026:
- Audit your AI deployments. Inventory every AI system your organization uses or builds. Does it fall into one of the Annex III categories? Be honest. If you’re using AI for hiring, performance management, loan decisions, or any other high-risk domain, it counts.
- Determine which systems are high-risk. Not all AI in these domains is automatically high-risk, but the threshold is low. If the system can significantly impact the rights or opportunities of individuals, treat it as high-risk.
- Map your DPIA process. If you already conduct DPIAs under GDPR, identify which high-risk AI systems are covered by existing DPIA documentation. These become your starting point for FRIA expansion.
- Expand risk identification. For each high-risk system, move beyond privacy risks. What could discriminate? What could exclude someone from a critical service? What transparency obligations do you have? Document these alongside your privacy analysis.
- Organize governance. Ensure that your FRIA approval comes from someone with real authority to decide whether to proceed with deployment or demand changes.
- Document and version control. Keep your FRIA documents in a centralized location alongside your other compliance assessments. As your AI system evolves, your FRIA evolves with it.
The good news is that you don’t need a new tool category for this. If you’re already managing DPIAs within a compliance program, your existing workflow expands to cover FRIA. The structure, review process and documentation approach follow the same logic you already use.
The Bottom Line
The FRIA is not a radical departure from existing compliance practice. It’s an extension of the DPIA framework that European organizations already know, applied to a wider set of risks. For teams that run solid DPIAs today, the FRIA is evolutionary, not revolutionary.
But evolutionary doesn’t mean small. By August 2026, you need to have audited your AI deployments, identified which ones are high-risk and embedded FRIA assessment into your governance process. That’s four months away. Start the inventory now. Map your high-risk systems. Then integrate FRIA into your existing data protection program.
The organizations that do this early will have a significant advantage: they’ll avoid scrambling in July and August, they’ll catch gaps in their current AI deployments and they’ll build FRIA assessment into their normal change management process rather than bolting it on as a reaction.
Questions about where to start with FRIAs? The practical first step is understanding what data your systems actually process. Nixon Pro gives you a technical audit of your website’s data flows, which becomes a key input for any DPIA or FRIA. Get in touch if you’d like guidance on how to approach impact assessments in your organization.
The definitive legal text is EU AI Act Article 27 for FRIA requirements, and GDPR Article 35 for DPIA requirements.
Related reading: How to run a DPIA: a practical guide for privacy officers | EDPB 2026 enforcement focus: transparency requirements | GDPR privacy policy requirements