The EU AI Act and FRIA Impact Assessment

What is the Purpose of the EU AI Act and FRIA Impact Assessment?

The goal of the European Union’s Artificial Intelligence Act (AI Act) is to ensure the realization of people’s fundamental rights when AI systems are used. The regulation establishes common rules for the use of AI in businesses and organizations, sets stricter requirements for high-risk AI systems, and prohibits particularly harmful use cases.
2NS offers services for AI Act impact assessments. You can find more information about our services here.
In this blog, we take a closer look at what an AI impact assessment (FRIA, Fundamental Rights Impact Assessment) covers and how the process unfolds.

What Must Be Addressed in an AI Impact Assessment (FRIA)?

As the name suggests, the impact assessment required by the AI Act evaluates the effects of AI use cases on individuals’ rights, in accordance with the requirements of the AI Act. The regulation requires that the impact assessment addresses at minimum the following:

1. Description of the Use Context
The assessment begins with a description of the system’s operating environment and purpose, answering at least the following questions:

  • In which processes or services, and for what purpose, is the AI system used?
  • How frequently and for how long is the AI system used?
  • What kinds of decisions are made using AI?

2. Those Affected by the Impact
The people and groups the system may affect, whether directly or indirectly, must be identified by answering at least the following questions:

  • Which natural persons or groups of people can the system affect?
  • How do the impacts appear in practice?
  • What is the scale of the system’s impact on people and their rights?

Special attention must be paid to vulnerable groups, such as minority groups.

3. Risks to Fundamental Rights
The key here is to identify potential harms and whether the system endangers any of the subject’s fundamental rights. The following are examples of possible harms:

  • Discrimination
  • Violation of privacy or other fundamental rights such as personal data protection
  • Incorrect decisions
  • Manipulation
  • Lack of transparency

4. Human Oversight
The regulation requires that high-risk systems have adequate human oversight, so organizations must answer questions such as:

  • How does a human monitor the system?
  • What manual override or review mechanisms are in place?
  • How have the system and its operation been tested, for example with what kinds of use cases?

5. Risk Management and Measures
The assessment must describe concrete measures in the event that risks materialize:

  • What is done if a risk is realized?
  • What internal monitoring and complaint mechanisms have been defined?
  • How can a wrong decision be corrected or overridden, and can flawed reasoning by the system be detected and corrected?

6. Reporting to Authorities
The results of the assessment must be submitted to the national market surveillance authority, with certain legislative exceptions.

When Does the Impact Assessment Need to Be Conducted?

The AI Act entered into force on 1 August 2024, but its application began on 2 August 2025. High-risk AI requirements come into effect in August 2026.
The AI impact assessment must be completed before the first deployment and must be updated whenever the use case, risks, or system characteristics change.

Why Is the Impact Assessment Important?

The AI impact assessment (FRIA) complements the Data Protection Impact Assessment (DPIA) already required by the GDPR. Existing GDPR compliance assessments can be used as a foundation when conducting an AI impact assessment.
The goal of the assessment is to promote responsible use of AI, prevent risks, and ensure that AI is used proportionately and with justification.

Which Companies and Organizations Does the EU AI Act Apply To?

The EU AI Act applies particularly to public sector actors and private actors that provide services to the public sector. Examples include state and municipal authorities, educational institutions, healthcare and social service providers, the judiciary, and other public administration. The FRIA must also be conducted in companies offering credit assessments and insurance, where high-risk AI systems are used to assess the creditworthiness of natural persons, determine credit scores, perform risk assessments, or set pricing for life and health insurance. In practice, this means banks and credit institutions as well as insurance companies offering life and health insurance.

What Does the Practical FRIA Assessment Process Look Like?

The FRIA assessment is carried out in practice through interviews, which form the basis for a comprehensive overall picture of the situation. Typically, the impact assessment involves 3–5 interviews or workshops, along with a review of the AI system’s key use cases. The duration and scope of the review naturally depend on how broadly, and across how many use cases, AI is used. At its fastest, the process can take one to two weeks, while scheduling multiple interviews may require additional calendar time.
Following the impact assessment, the client receives a comprehensive report of the overall picture along with any recommended corrective actions. The report can be used as evidence for authorities as well as for the organization’s own customers, demonstrating that the use of AI has been carefully considered and is well managed.

Does your organization need a FRIA assessment?
