01 · § 27(1) · THE TRIGGER
Who has to do it, and when.
Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5(b) and (c) of Annex III, shall perform an assessment of the impact on fundamental rights that the use of such system may produce.
Regulation (EU) 2024/1689 · Article 27(1), chapeau · 13 June 2024
The chapeau does four things in one sentence. It pins the obligation to deployers, not providers. It scopes to high-risk AI systems referred to in Article 6(2), which is the Annex III route. It carves out Annex III point 2, critical infrastructure. It identifies three trigger limbs that pull the obligation onto a specific deployer.
Limb one. Bodies governed by public law. Public hospitals operating under public-law statutes. Public broadcasters. Government departments and their agencies. The category travels with the Member State's administrative-law definition of public-law bodies, and the EU AI Act adopts it without redefining it.
Limb two. Private entities providing public services. The 2025 Member State guidance and Commission recitals treat this as covering schools, hospitals, welfare administrators and other entities that deliver public-service mandates even when constituted as private legal persons. The test is the service, not the corporate form.
Limb three. Deployers of high-risk AI systems referred to in points 5(b) and (c) of Annex III. Two specific Annex III categories where the FRIA bites every deployer regardless of public or private status. Annex III(5)(b) covers AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score. Annex III(5)(c) covers AI systems intended to be used for risk assessment and pricing in relation to natural persons in the case of life and health insurance. A private bank running an Annex III(5)(b) credit-scoring agent on retail applicants is squarely inside Article 27 even though it is neither a public-law body nor a public-service provider.
The exclusion is Annex III point 2, AI systems used as safety components in the management and operation of critical digital infrastructure, road traffic, and the supply of water, gas, heating and electricity. The legislative judgement is that critical-infrastructure high-risk systems carry their fundamental-rights weight through other obligations, not through the FRIA.
"The article does not ask whether harm has happened. It asks the deployer to write down, before first use, what harm could happen and to whom."
Warrant Compliance · 2026-05-11
The temporal anchor is prior to deploying. The verb is operative. The deployer cannot run the FRIA after the system is in service, then back-fill the file. Article 27(2) tightens this further. The obligation applies to the first use of the high-risk AI system. First use is the moment the deployer puts the system into service for its intended purpose against real subjects, not a pilot against synthetic data.
02 · § 27(1)(a)–(f) · CONTENTS
The six contents elements, verbatim.
Article 27(1) continues. For that purpose, deployers shall perform an assessment consisting of the following six elements. Each is reproduced verbatim, then read for what it requires of the deployer's evidence file.
27(1)(a)
a description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose;
READING · the deployer has to describe the operational process the system slots into. Not the system. The deployer's process. This anchors the FRIA to a use-case description an inspector can read against the provider's Article 13 instructions for use.
27(1)(b)
a description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used;
READING · duration and cadence. A six-week seasonal model is not the same as a system run on every retail application year-round. Cadence carries weight in the risk analysis at sub-paragraph (d).
27(1)(c)
the categories of natural persons and groups likely to be affected by its use in the specific context;
READING · this is the affected-population identification, the part that makes a FRIA distinct from a generic risk register. The deployer must name the categories and groups. Vague references to "users" or "customers" do not discharge the obligation.
27(1)(d)
the specific risks of harm likely to have an impact on the categories of natural persons or groups of persons identified pursuant to point (c) of this paragraph, taking into account the information given by the provider pursuant to Article 13;
READING · the harm-risk inventory has to be specific, not generic, and has to read the Article 13 IFU material the provider supplied. The provider's risk content feeds the deployer's FRIA. It does not replace it.
27(1)(e)
a description of the implementation of human oversight measures, according to the instructions for use;
READING · the cross-reference is to Article 14 and to the IFU. The deployer describes how, in its operational process, the oversight points the provider designed in are actually staffed, reviewed and overruled.
27(1)(f)
the measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.
READING · the response plan. Internal governance is the routing inside the deployer's organisation. Complaint mechanisms are the channels open to affected persons. Both must exist on paper before first use.
Six elements, taken together, are the spec. The deployer signs against them. The market surveillance authority reads against them under Article 27(3). The notable structural point is that Article 27(1) does not ask the deployer to score risk, draw a residual-risk line or produce a probability matrix. It asks for description and identification. The judgement layer is the regulator's, not the deployer's.
The list is closed, not illustrative. Six bullets, not seven. The AI Office template under Article 27(5) is structured against these six, and the notification under Article 27(3) is filed on that template.
03 · § 27(2) · FIRST USE, UPDATES
First use, similar cases, and the update obligation.
The obligation laid down in paragraph 1 applies to the first use of the high-risk AI system. The deployer may, in similar cases, rely on previously conducted fundamental rights impact assessments or existing impact assessments carried out by provider. If, during the use of the high-risk AI system, the deployer considers that any of the elements listed in paragraph 1 has changed or is no longer up to date, the deployer shall take the necessary steps to update the information.
Regulation (EU) 2024/1689 · Article 27(2) · 13 June 2024
Three sentences, three rules. First, the FRIA is a first-use obligation. The deployer who puts the high-risk system into service for the first time is on the hook. A deployer who buys an established system from a previous operator is, on most readings, still a new deployer and still on the first-use hook for that deployment.
Second, the similar cases reliance rule. A deployer running the same high-risk AI system across multiple comparable use cases is not required to perform a fresh FRIA for each. It may rely on a previously conducted FRIA, or on an impact assessment the provider has already carried out, where the cases are similar. The deployer carries the burden of arguing similarity if challenged. Same provider, same intended purpose, same affected-population profile is the conservative test.
Third, the update obligation. The trigger for an update is content change, not calendar. The deployer must update where any of the elements in Article 27(1)(a) to (f) has changed or is no longer up to date. The natural triggers are a change in the process under (a), a change in cadence under (b), a change in the population under (c), the emergence of a new harm vector under (d), a change to the oversight staffing under (e), or a change to the governance or complaint channel under (f). The FRIA is a living document with a content-driven refresh cadence, not an annual ritual.
04 · § 27(3) · NOTIFY THE MSA
Notification to the market surveillance authority.
Once the assessment referred to in paragraph 1 of this Article has been performed, the deployer shall notify the market surveillance authority of its results, submitting the filled-out template referred to in paragraph 5 of this Article as part of the notification. In the case referred to in Article 46(1), deployers may be exempt from that obligation to notify.
Regulation (EU) 2024/1689 · Article 27(3) · 13 June 2024
The notification is the operative deliverable. The FRIA is performed inside the deployer's organisation. The result is reported outside. The recipient is the market surveillance authority designated under Article 70, the same authority that supervises the high-risk system under Article 74 and that can request the logs under Article 26(6).
What is filed is the AI Office template, filled out, not the deployer's internal working file. The template under Article 27(5) is the legible artefact. Internal working files, redlines and stakeholder consultation notes are not part of the notification, though they remain producible on demand under the cooperation duty in Article 26(12).
The Article 46(1) exemption is narrow. Article 46(1) allows a Member State market surveillance authority to authorise, on duly justified grounds of public security, the protection of life and health, environmental protection or the protection of key industrial and infrastructural assets, the placing on the market or putting into service of specific high-risk AI systems within the relevant Member State's territory, without conformity assessment. Where Article 46(1) is invoked, the FRIA notification can be waived. The FRIA itself is not waived, only the filing.
05 · § 27(4) · DPIA CARVE-OUT
Article 27(4) and the GDPR Article 35 cross-walk.
If any of the obligations laid down in this Article is already met through the data protection impact assessment conducted pursuant to Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment.
Regulation (EU) 2024/1689 · Article 27(4) · 13 June 2024
The operative verb is complement. Not substitute, not replace, not supersede. Where the GDPR Article 35 DPIA already discharges a part of the FRIA, the FRIA builds on top. The deployer is not made to re-state, re-quote or re-analyse what is already in the DPIA. The deployer is also not allowed to file the DPIA in place of the FRIA.
The cross-reference to Article 27 of Directive (EU) 2016/680 carries the same logic into the law-enforcement processing regime. A police-authority deployer that already has a Law Enforcement Directive impact assessment for a given processing operation does not duplicate. It complements.
The practical reading of the carve-out runs element by element. The deployer's FRIA file references the DPIA where the DPIA has already done the work. For Article 27(1)(c) categories of affected persons, the DPIA's data-subject inventory often covers most of the ground. For Article 27(1)(d) specific risks of harm, the DPIA's necessity-and-proportionality assessment will overlap on personal-data-related harms but will not cover non-data-related fundamental-rights harms. For Article 27(1)(e) oversight measures and Article 27(1)(f) governance and complaints, the DPIA usually has skeletal coverage. The FRIA fills these in.
The two assessments are parallel under different regimes. GDPR Article 35 attaches to the controller and is scoped to personal data. EU AI Act Article 27 attaches to the deployer and is scoped to fundamental rights more broadly. A single deployer is often both controller and deployer of the same high-risk AI system, which is why Article 27(4) exists to keep the two from forcing duplicate analysis.
06 · § 27(5) · AI OFFICE TEMPLATE
The AI Office template under Article 27(5).
The AI Office shall develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with their obligations under this Article in a simplified manner.
Regulation (EU) 2024/1689 · Article 27(5) · 13 June 2024
The closing paragraph delegates the form to the AI Office. The substance is fixed in Article 27(1)(a) to (f). The instrument is the template the AI Office develops. The phrase including through an automated tool contemplates a structured questionnaire or web form, not free-text Word documents lodged by email.
As of 2026-05-11 the AI Office template is in the public-consultation phase. The deployer-side prudent posture is to assemble the six elements internally in a structure that maps to a template the AI Office will publish, so the eventual filing is mechanical. [verification pending · final AI Office template publication date].
Two structural notes. The template is a facilitation device, not a substantive expansion of the obligation. If the AI Office template asks a question that goes beyond Article 27(1)(a) to (f), the deployer's answer is grounded in the article, not in the template's wording. And the automated-tool route does not displace the deployer's obligation to actually conduct the assessment. Filling the form is the notification. Performing the assessment is the obligation.
07 · CROSS-REFERENCE WEB
How Article 27 sits inside the wider regulation.
Article 27 does not stand alone. The article is one node in a cross-reference web that the deployer's evidence file has to honour. The five touchpoints are Article 26(9), GDPR Article 35, Article 14, Annex III, and Article 70.
26(9)
Where applicable, deployers of high-risk AI systems shall use the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680.
READING · Article 26(9) is the DPIA-side hand-off. Article 27 is the FRIA-side hand-off. The two together define the deployer's pre-use evidence stack.
GDPR 35
The data protection impact assessment under Regulation (EU) 2016/679.
READING · Article 27(4) integrates the FRIA with the DPIA. Where the DPIA already does the work, the FRIA complements. The DPIA does not substitute for the FRIA.
Art. 14
Human oversight design obligation on the provider, with deployer-side staffing under Article 26(2).
READING · Article 27(1)(e) cross-refers to the IFU and to the implementation of the oversight measures. The FRIA describes what the deployer actually does with the oversight points the provider engineered in.
Annex III
High-risk use-case list. Points 5(b) and (c) carry the FRIA into the private sector. Point 2 is excluded.
READING · the deployer's FRIA scope is read off Annex III, and a deployer running multiple Annex III categories carries the FRIA separately for each, subject to the similar-cases rule in Article 27(2).
Art. 70
Member State competent authorities and market surveillance authorities.
READING · Article 27(3) notification runs to the market surveillance authority designated under Article 70. The Member State authority is the recipient of the FRIA filing.
08 · FIELD MAPPING
How Article 27 sub-clauses map to evidence fields.
Warrant's evidence package treats the FRIA as a structured record bound to the trace, not a free-text PDF. The mapping below is what each element of Article 27 turns into inside the evidence file. The deployer's FRIA artefact is then assembled from these fields and filed on the AI Office template under Article 27(3) and Article 27(5).
27(1)
Trigger limb identification.
FIELD · deployer.deployer_id, deployer.trigger_limb (public_body | public_service_provider | annex_iii_5b | annex_iii_5c), deployer.annex_iii_categories[*].
27(1)(a)
Description of the deployer's processes.
FIELD · fria.process_description, fria.intended_purpose_alignment_ref → ifu_section_id from Article 13.
27(1)(b)
Period and frequency.
FIELD · fria.period_of_use, fria.frequency_of_use, fria.seasonality_pattern.
27(1)(c)
Affected categories of natural persons and groups.
FIELD · fria.affected_categories[*].category_name, fria.affected_categories[*].vulnerability_factor, fria.affected_categories[*].estimated_volume.
27(1)(d)
Specific risks of harm.
FIELD · fria.harm_taxonomy[*].harm_type, fria.harm_taxonomy[*].affected_category_ref, fria.harm_taxonomy[*].provider_ifu_input.
27(1)(e)
Implementation of human oversight measures.
FIELD · fria.oversight_plan.staffing, fria.oversight_plan.intervention_points, fria.oversight_plan.escalation_path, cross-referenced to Article 26(2) competent-staff records.
27(1)(f)
Materialisation measures, governance, complaint mechanism.
FIELD · fria.governance_arrangements, fria.complaint_channel.uri, fria.complaint_channel.intake_owner, fria.materialisation_playbook_ref.
27(2)
First use, similar-case reliance, update on content change.
FIELD · fria.first_use_date, fria.similar_case_basis_ref, fria.last_updated_at, fria.update_trigger_event.
27(3)
Notification to the MSA on the AI Office template.
FIELD · fria.msa_notification.authority_id (Article 70), fria.msa_notification.filed_at, fria.msa_notification.template_version, fria.msa_notification.acknowledgement_ref.
27(4)
DPIA integration.
FIELD · fria.dpia_ref.gdpr35_assessment_id, fria.dpia_ref.complemented_elements[*] (27(1)(a)|(b)|(c)|(d)|(e)|(f)).
27(5)
AI Office template version.
FIELD · fria.template_version.ai_office_release_id, fria.template_version.questionnaire_uri.
Sample EU FRIA evidence record · Warrant register · Independently verifiable
→ /v/7de85ceaeac42a47
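The pre-filing completeness check a deployer would run over an evidence record shaped like the mapping above, as an added Python example; this is not Warrant's code. The field names follow the mapping, while the SAMPLE record, its ids and its values are constructed, and the rules encode Article 27 as read on this page: the point 2 exclusion, the limb-three Annex III match, named affected categories under (c), harms under (d) tied to a (c) category and to Article 13 input, DPIA references that complement rather than replace, and notification filed no later than first use.

```python
from datetime import date

TRIGGER_LIMBS = {"public_body", "public_service_provider", "annex_iii_5b", "annex_iii_5c"}
LIMB_CATEGORY = {"annex_iii_5b": "5(b)", "annex_iii_5c": "5(c)"}  # limb three must match Annex III
# Descriptive elements of Article 27(1) that must simply be present, keyed by sub-paragraph.
REQUIRED = (("a", "process_description"), ("b", "period_of_use"), ("b", "frequency_of_use"),
            ("e", "oversight_plan.staffing"), ("e", "oversight_plan.intervention_points"),
            ("e", "oversight_plan.escalation_path"), ("f", "governance_arrangements"),
            ("f", "complaint_channel.uri"), ("f", "complaint_channel.intake_owner"))

def _get(record, path):
    """Walk a dotted field path through nested dicts; a missing key yields None."""
    for key in path.split("."):
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record

def check_fria_record(record):
    """Return findings against the Article 27 field mapping; an empty list means filing-ready."""
    findings = []
    dep, fria = record.get("deployer", {}), record.get("fria", {})
    limb, cats = dep.get("trigger_limb"), dep.get("annex_iii_categories", [])
    if limb not in TRIGGER_LIMBS:
        findings.append(f"27(1): trigger_limb {limb!r} is not one of the three limbs")
    if "2" in cats:  # Annex III point 2 (critical infrastructure) is carved out of the FRIA
        findings.append("27(1): Annex III point 2 is excluded from the FRIA; nothing to file")
    if limb in LIMB_CATEGORY and LIMB_CATEGORY[limb] not in cats:
        findings.append(f"27(1): {limb} claimed but Annex III {LIMB_CATEGORY[limb]} not listed")
    for label, path in REQUIRED:
        if not _get(fria, path):
            findings.append(f"27(1)({label}): {path} missing")
    # (c): categories must be named; bare "users"/"customers" do not discharge the element
    names = {c.get("category_name") for c in fria.get("affected_categories", [])} - {None}
    if not names or names <= {"users", "customers"}:
        findings.append("27(1)(c): affected categories must be named specifically")
    # (d): every harm points back at a (c) category and cites the provider's Article 13 input
    harms = fria.get("harm_taxonomy", [])
    if not harms:
        findings.append("27(1)(d): harm_taxonomy is empty")
    for h in harms:
        if h.get("affected_category_ref") not in names:
            findings.append(f"27(1)(d): harm {h.get('harm_type')!r} references an unidentified category")
        if not h.get("provider_ifu_input"):
            findings.append(f"27(1)(d): harm {h.get('harm_type')!r} lacks Article 13 IFU input")
    # 27(4): the DPIA may complement elements, never stand in for the record of them
    comp = _get(fria, "dpia_ref.complemented_elements") or []
    if comp and not _get(fria, "dpia_ref.gdpr35_assessment_id"):
        findings.append("27(4): complemented elements cited without a GDPR Article 35 assessment id")
    # 27(2)/(3): the assessment is notified before first use, not back-filled afterwards
    first, filed = fria.get("first_use_date"), _get(fria, "msa_notification.filed_at")
    if first and filed and date.fromisoformat(filed) > date.fromisoformat(first):
        findings.append("27(3): notification filed after first use")
    return findings

# Constructed sample: a private bank on the Annex III(5)(b) credit-scoring limb (not a real record).
SAMPLE = {
    "deployer": {"deployer_id": "dep-example", "trigger_limb": "annex_iii_5b", "annex_iii_categories": ["5(b)"]},
    "fria": {"process_description": "retail credit decisioning", "period_of_use": "2026", "frequency_of_use": "per application",
             "affected_categories": [{"category_name": "retail loan applicants"}],
             "harm_taxonomy": [{"harm_type": "discriminatory refusal", "affected_category_ref": "retail loan applicants", "provider_ifu_input": "ifu-sec-4"}],
             "oversight_plan": {"staffing": "2 credit officers", "intervention_points": ["pre-decision"], "escalation_path": "risk committee"},
             "governance_arrangements": "model risk board", "complaint_channel": {"uri": "https://example.invalid/complaints", "intake_owner": "DPO"},
             "dpia_ref": {"gdpr35_assessment_id": "dpia-example", "complemented_elements": ["c"]},
             "first_use_date": "2026-06-01", "msa_notification": {"authority_id": "msa-example", "filed_at": "2026-05-20"}}}
```

Running `check_fria_record(SAMPLE)` returns an empty list; an empty list is the condition for filing the template under Article 27(3), not a substitute for the assessment itself.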
09 · FAQ
Questions a compliance officer asks first.
Who triggers the Article 27 fundamental rights impact assessment?
Article 27(1) names three deployer categories. Bodies governed by public law. Private entities providing public services. Deployers of Annex III(5)(b) creditworthiness or credit-scoring systems and Annex III(5)(c) life-and-health insurance risk-assessment and pricing systems. The trigger fires before first use of a high-risk AI system referred to in Article 6(2). Annex III point 2 critical infrastructure is excluded from the FRIA scope.
What is the AI Office template under Article 27(5)?
Article 27(5) instructs the AI Office to develop a template for a questionnaire, including through an automated tool, to facilitate deployers in complying with the FRIA obligations in a simplified manner. The template is what the deployer files with the market surveillance authority under Article 27(3) once the assessment is complete. As of 2026-05-11 the AI Office template is in public consultation. [verification pending · final AI Office template publication date].
Can a GDPR Article 35 DPIA satisfy the Article 27 FRIA?
No. Article 27(4) handles the overlap directly. If any of the obligations laid down in Article 27 is already met through the data protection impact assessment conducted pursuant to Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment shall complement that data protection impact assessment. The verb is complement, not substitute. The FRIA is a separate instrument that may reference and build on a DPIA where the two cover the same factual ground.
Does the deployer have to notify a public authority of the FRIA?
Yes. Article 27(3) requires the deployer, once the assessment has been performed, to notify the market surveillance authority of its results, by submitting the filled-out template referred to in Article 27(5). The exemption in Article 27(3) cross-refers to Article 46(1), the derogation from conformity assessment procedure on duly justified grounds of public security, life, health or environmental protection.
How often does the FRIA have to be updated?
Article 27(2) sets the update cadence on a content-change trigger, not a fixed calendar. If, during the use of the high-risk AI system, the deployer considers that any of the elements listed in Article 27(1) has changed or is no longer up to date, the deployer shall take the necessary steps to update the information. Changes that move any sub-paragraph (a) to (f) materially require an update to that element.
How does Article 27 interact with GDPR Article 35?
The two are parallel impact assessments under different regimes. GDPR Article 35 attaches to the controller and protects personal data. EU AI Act Article 27 attaches to the deployer and protects fundamental rights more broadly. Article 27(4) integrates them so that a deployer running one high-risk AI system across both regimes does not duplicate factual analysis. Where the DPIA already covers the FRIA element, the FRIA complements. Where it does not, the FRIA fills the gap.
What counts as before first use under Article 27?
Article 27(2) states that the obligation laid down in Article 27(1) applies to the first use of the high-risk AI system. First use is the moment the deployer puts the system into service for its intended purpose against real subjects, not a pilot against synthetic data. The FRIA must be performed and notified to the market surveillance authority before that moment, not retrospectively at the end of a pilot.
10 · READ THE SOURCE
Read the source directly.
Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotations of Article 27(1) chapeau, Article 27(1)(a) to (f), and Article 27(2) to (5) reflect the official English-language text of Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024.