Skip to main content
← Back to templates

FRIA Template

Article 27-aligned Fundamental Rights Impact Assessment template for high-risk AI deployers.

Category: Assessments • Risk level: High

Fundamental Rights Impact Assessment (FRIA) Template

Legal basis: EU AI Act Art. 27 (FRIA), EU Charter of Fundamental Rights
Applicability: Deployers in high-risk contexts where required by law and risk profile
Document owner: [Name / Role]
Assessment date: [YYYY-MM-DD]
Review cycle: [Quarterly / Semi-annual]

0) FRIA Control Information

  • FRIA ID: [FRIA-YYYY-###]
  • AI system name: [System]
  • Version/build: [Version]
  • Deployer legal entity: [Entity]
  • Business process affected: [Process]
  • Deployment geography: [Member States]
  • Linked risk register ID: [ID]

1) System and Context Description

  1. Intended purpose: [Description]
  2. Decision influence level: [Advisory/partially automated/automated]
  3. Categories of affected persons: [Applicants/customers/employees/etc.]
  4. Scale and frequency of use: [Daily/weekly volumes]
  5. Human oversight model: [Review/override details]
  6. Foreseeable misuse scenarios: [List]

Guidance note: FRIA quality depends on precise operational context, not generic product language.

2) Fundamental Rights Screening (EU Charter)

Assess potential impact on at least:

  • Human dignity (Art. 1)
  • Non-discrimination (Art. 21)
  • Equality between women and men (Art. 23)
  • Rights of the child (Art. 24)
  • Integration of persons with disabilities (Art. 26)
  • Respect for private/family life (Art. 7)
  • Protection of personal data (Art. 8)
  • Freedom of expression and information (Art. 11)
  • Freedom to conduct a business (Art. 16)
  • Right to good administration (Art. 41)
  • Right to an effective remedy and fair trial (Art. 47)

For each right, capture:
- Impact pathway
- Affected groups
- Trigger conditions
- Existing safeguards

3) Stakeholder Mapping and Consultation

3.1 Internal stakeholders

  • Product owner
  • Compliance officer
  • Legal counsel
  • Security/data governance owner
  • Operations lead

3.2 External stakeholders

  • Worker representatives (if workplace use)
  • Customer advocacy groups
  • Sector regulators (where relevant)
  • External experts/auditors

3.3 Consultation log

  • Date
  • Stakeholder
  • Key concerns raised
  • Action taken

4) Risk Assessment Method (Likelihood × Severity)

4.1 Scoring scale

  • Likelihood: 1 (rare) to 5 (very likely)
  • Severity: 1 (minor) to 5 (critical)
  • Optional exposure multiplier: 1.0 to 1.5

4.2 Formula

  • Base score = Likelihood × Severity
  • Adjusted score = Base × Exposure multiplier

4.3 Rating bands

  • Low: 1-6
  • Medium: 7-12
  • High: 13-19
  • Critical: 20+

5) Rights Impact Register (Template Table)

Entry ID Right impacted Scenario Affected group Likelihood Severity Score Existing controls Residual score
F-001 [Art. X] [Scenario] [Group] [1-5] [1-5] [Score] [Controls] [Score]
F-002 [Art. X] [Scenario] [Group] [1-5] [1-5] [Score] [Controls] [Score]

6) Mitigation Plan

For each medium/high/critical rights risk:

  • Mitigation ID: [ID]
  • Control description: [Control]
  • Control type: [Preventive/Detective/Corrective]
  • Owner: [Role]
  • Deadline: [Date]
  • Success metric: [Metric]
  • Verification method: [Test/audit]

Examples:
- Introduce mandatory human review for negative decisions
- Remove sensitive proxy features
- Add applicant explanation and appeal channel
- Implement subgroup fairness monitoring

7) Data Protection and Privacy Interface

  • Personal data categories processed: [List]
  • Special categories processed: [Yes/No + details]
  • Lawful basis summary: [Basis]
  • DPIA reference (if applicable): [Doc ID]
  • Data minimisation controls: [Controls]
  • Retention and deletion controls: [Policy]

8) Transparency, Notice, and Remedy

  • User/subject notice delivered? [Yes/No]
  • Notice timing and channel: [Channel]
  • Explanation level provided: [Summary]
  • Contestation mechanism: [Process]
  • Human contact point: [Email/team]
  • Average resolution SLA: [Time]

9) Monitoring and Reassessment Plan

  • Monitoring cadence: [Frequency]
  • KPI dashboard: [Metrics]
  • Reassessment triggers:
    • Substantial modification
    • New incident pattern
    • New legal guidance
    • Material drift/performance change
  • Next FRIA review date: [Date]

10) Decision and Sign-Off

  • Overall FRIA outcome: [Accept / Accept with conditions / Not acceptable]
  • Conditions for operation: [List]
  • Escalation required? [Yes/No]
  • Approved by: [Name/Role/Date]
  • Compliance sign-off: [Name/Role/Date]
  • Legal sign-off: [Name/Role/Date]

11) Common FRIA Mistakes to Avoid

  1. Treating FRIA as legal text only (without operational evidence).
  2. Missing stakeholder consultation record.
  3. No measurable mitigation success criteria.
  4. No linkage between FRIA and risk register updates.
  5. No reassessment trigger design.

12) Annexes

  • Annex A: Rights impact workshop notes
  • Annex B: Fairness/bias test results
  • Annex C: User notice templates
  • Annex D: Incident and complaint summaries
  • Annex E: Decision logs and override samples
Download Markdown Open Interactive FRIA Wizard AI Fill — Pro Plan

Related resources

Risk quiz Glossary Blog