Article 27 FRIA:
who it actually applies to, and what fills the gap when it doesn’t
Most teams preparing for August 2 assume the Article 27 Fundamental Rights Impact Assessment applies to every high risk system in Annex III. It doesn’t. Here’s the actual scope, the public service classification trap, and what fills the gap when FRIA technically doesn’t attach.
The one thing to understand
Article 27 FRIA scope is a UNION of three groups: public bodies, private entities providing public services, and any deployer of creditworthiness or insurance pricing AI. If you are not in one of those three groups, Article 27 does not directly attach to you, even when your AI system is high risk under Annex III.
The scope (the bit most teams miss)
Article 27(1) of the EU AI Act opens as follows (the operative scope sentence, before the list of required inputs):
“Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5 (b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights...”
Parsed for clarity, that’s a union of three groups:
- Bodies governed by public law deploying any Annex III high risk system
- Private entities providing public services deploying any Annex III high risk system
- Any deployer, public or private, of creditworthiness scoring (Annex III 5(b)) or life and health insurance risk assessment and pricing (Annex III 5(c)) AI
For the first two groups, high risk systems intended for use in the critical infrastructure area (Annex III point 2) are carved out by the opening words of Article 27(1).
A common misreading is to assume Article 27 attaches to every Annex III high risk system. It doesn’t. A private company deploying workforce management AI (Annex III point 4) is not directly subject to Article 27 unless that company provides public services. Article 26 deployer obligations attach regardless. FRIA specifically does not.
This matters because the Article 27 obligations are non trivial: a structured assessment with six required inputs, notification to the market surveillance authority, and a documented mitigation framework. Doing one is real work. Doing one because you assumed you had to, when you didn’t, wastes counsel hours and creates documentation that doesn’t actually map to a specific legal obligation.
The reverse mistake is worse: assuming you’re exempt because you’re private, when in fact your service falls within the public service definition. That risks both compliance exposure and the reputational cost of being seen to dodge the requirement.
The “private entity providing public services” trap
The AI Act doesn’t define “public services.” That sounds technical but it’s the most important sentence in this article. The whole question of who’s in and who’s out of Group 2 turns on a term the Regulation leaves to interpretation.
EU law context helps. “Public services” most closely maps to Services of General Economic Interest (SGEI) under Articles 14 and 106(2) of the Treaty on the Functioning of the European Union. SGEI typically includes:
- Utilities (electricity, water, gas, waste management)
- Telecommunications, especially universal service obligation providers
- Postal services
- Healthcare (with significant Member State variation on private hospital classification)
- Public transport, definitionally narrower than all transport
- Social services and housing in some jurisdictions
- Education in some jurisdictions
What’s typically NOT a public service under EU law:
- E-commerce platforms
- Food delivery and quick commerce
- Meal kits and online grocery
- SaaS for private business use
- Streaming and entertainment
- Most travel and hospitality
- Adtech and digital advertising platforms
The ride hailing gray zone deserves its own paragraph. The Court of Justice has held that platform ride hailing is a service in the field of transport, not an information society service (Case C-434/15, Asociación Profesional Elite Taxi v Uber Systems Spain, 20 December 2017). That makes it regulable under Member State transport law. But “transport service” doesn’t automatically equal “public service.” Some Member States license VTC operators in ways that make them look like SGEI providers (Spain, France, parts of Germany). Others treat them as purely private commercial actors. The Article 27 status of a ride hailing platform deploying driver allocation AI is genuinely undecided in most jurisdictions and may require local legal opinion.
The practical implication: if you’re uncertain whether your operation falls within “private entity providing public services,” get a written opinion before the August 2 trigger date. Don’t guess. The cost of guessing wrong in either direction is substantial.
What attaches even when FRIA doesn’t
Three things every Annex III high risk system deployer faces, regardless of public service status, from August 2:
Article 26 deployer obligations
Universal across all Annex III categories. They cover technical and organisational measures aligned to the provider’s instructions for use (Article 26(1)), human oversight by natural persons with the necessary competence, training and authority (26(2)), relevance and representativeness of input data the deployer controls (26(4)), operational monitoring per the instructions for use and reporting of risks and serious incidents (26(5)), retention of automatically generated logs for at least six months (26(6)), notification of workers and their representatives before workplace deployment (26(7)), use of the provider’s Article 13 information to carry out the GDPR Article 35 DPIA (26(9)), informing affected natural persons that a high risk system is used in decisions about them (26(11)), and cooperation with competent authorities (26(12)). Not optional, no carve out for private commercial actors.
GDPR Article 35 DPIA
Already applies wherever processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. Most Annex III high risk AI systems that process personal data trigger this independently of the AI Act. Article 27(4) of the AI Act provides that where any of the Article 27 obligations is already met through the DPIA, the FRIA “shall complement” that DPIA. So even if FRIA technically doesn’t attach to you, the DPIA you’re already required to do under GDPR will cover much of the same ground.
National workforce rules
Where the high risk system manages workers, Member State law often imposes algorithmic transparency obligations that mirror FRIA in substance. Spain’s Ley Rider (Royal Decree-Law 9/2021, amending Article 64.4(d) of the Workers’ Statute) requires platforms to inform worker representatives of the parameters, rules and instructions on which algorithms or AI systems are based when they influence working conditions, access to or maintenance of employment, and profiling. Germany’s Works Constitution Act (BetrVG) gives works councils co-determination rights over technical equipment intended to monitor employee behaviour or performance (§ 87(1)(6)), which the Federal Labour Court has interpreted broadly enough to cover AI based monitoring. The 2021 Works Council Modernization Act (Betriebsrätemodernisierungsgesetz) added explicit AI provisions at § 80(3) (expert consultation), § 90(1) (planning information), and § 95(2a) (AI in personnel selection guidelines). The Platform Work Directive (Directive (EU) 2024/2831, with transposition deadline 2 December 2026) will harmonise much of this across the EU, including a presumption of employment for platform workers and mandatory transparency obligations for algorithmic management.
Net effect: most non public service deployers facing workforce AI obligations will end up doing a FRIA equivalent voluntarily, because Article 26 plus GDPR Article 35 plus national workforce rules effectively require the same analytical work. The Article 27 question becomes “do we have to file this with the market surveillance authority and structure it precisely the way Article 27(1) prescribes” rather than “do we have to do the underlying work at all.”
When to do a FRIA voluntarily
Three reasons even non public service deployers may want to do a FRIA voluntarily:
Customer or partner contract triggers
Enterprise customers, especially regulated entities (banks, healthcare providers, public sector buyers), increasingly require their vendors to demonstrate AI Act preparation. A completed FRIA is a clean artefact to share. A patchwork of separate DPIA documents and informal risk notes is harder to defend in due diligence.
Future regulation alignment
Article 27(5) requires the AI Office to develop a template questionnaire (potentially including an automated tool) to help deployers comply in a simplified manner. When that template is issued, the practical scope and application of the FRIA will sharpen. Separately, Member State transpositions of the Platform Work Directive (deadline 2 December 2026) will introduce algorithmic management transparency requirements that overlap significantly with FRIA in substance.
Internal risk management
FRIA forces a structured walk through risks of harm to specific affected categories. That’s good practice independent of regulatory requirement. Many internal AI risk frameworks already converge on a structure with similar inputs.
The cost of voluntary compliance is real but bounded by the scope of one system at a time. Voluntary compliance becomes attractive when that cost is less than the expected cost of being wrong about scope.
The Article 27 FRIA template
The six inputs Article 27(1) requires, in the order the Regulation specifies them (points (a) to (f)):
- (a) Description of deployer processes: “A description of the deployer’s processes in which the high-risk AI system will be used in line with its intended purpose.”
- (b) Period and frequency of use: “A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.”
- (c) Categories of affected persons and groups: “The categories of natural persons and groups likely to be affected by its use in the specific context.”
- (d) Specific risks of harm: “The specific risks of harm likely to have an impact on the categories of natural persons or groups.” (Point (d) goes on to require that the risks be assessed taking into account the information the provider supplies under Article 13.)
- (e) Human oversight measures: “A description of the implementation of human oversight measures, according to the instructions for use.”
- (f) Risk materialisation response: “The measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.”
Article 27(2) provides that the obligation applies to the first use of the high risk system, that the deployer may in similar cases rely on a previously conducted FRIA or on an existing impact assessment carried out by the provider, and that the assessment must be updated when any of the six elements changes or is no longer up to date.
Article 27(3) requires the deployer to notify the results of the assessment to the market surveillance authority, submitting the filled-out Article 27(5) template as part of the notification. Deployers in the Article 46(1) case (a system put into service under the exceptional public security, health, environmental or critical asset derogation) may be exempt from the notification duty.
Article 27(4) provides that where any of the Article 27 obligations is already met through the GDPR Article 35 DPIA, the FRIA “shall complement” that DPIA (avoiding duplicate work without merging the two documents).
Working template
Until the AI Office publishes the official questionnaire under Article 27(5), a working one page template covering these six inputs (structured for both Article 27 filing and voluntary use) accompanies this article as a PDF download.
What this means for August 2
If your organisation is a body governed by public law or provides public services, Article 27 attaches to every Annex III deployment you run, except systems used in the critical infrastructure area of Annex III point 2. The obligation bites on first use, so start the assessment now.
If your organisation is a private commercial actor in food delivery, meal kits, SaaS, travel, e-commerce, or adtech, Article 27 does not directly attach unless your specific AI deployment falls under Annex III 5(b) or 5(c) (creditworthiness or insurance pricing). Article 26 still attaches. So does GDPR Article 35 DPIA. So do applicable national workforce rules. The voluntary FRIA question is then a strategic one.
If your organisation operates in ride hailing, transport adjacent services, healthcare adjacent services, or the platform worker space more broadly, get a written legal opinion on the public service classification question for each Member State you operate in. The answer is jurisdiction specific and the cost of getting it wrong is asymmetric.
The honest summary: Article 27 FRIA scope is one of the corners of the EU AI Act where the scope language is easy to misread in either direction. The cost of getting it wrong is real either way.
Know whether Article 27 attaches to your AI systems
ActComply runs the Article 27 scope check and the Article 26 deployer classification analysis end to end. Send us one AI surface and we return a written read on which obligations attach, how the FRIA scope analysis applies to your specific organisational status, and what mitigation work the deadline requires.