01 Scope — who must perform a FRIA
Art. 27(1) names three deployer groups explicitly: (a) public-sector bodies; (b) private bodies providing public services; (c) deployers of high-risk AI systems under Annex III item 5, namely creditworthiness scoring and, under Annex III item 5(c), risk assessment and pricing in life and health insurance — the latter expressly captures insurers [1].
For insurers in 2026 practice: every AI system that produces an underwriting decision, a pricing decision or a claims decision about a natural person is a FRIA-bound system — provided it is a high-risk system under Annex III. The FRIA must be complete before deployment; a retrospective FRIA does not satisfy Art. 27.
02 FRIA content (Art. 27(1)(a)–(g))
Art. 27 lists seven mandatory components: (a) description of the deployment context and conformity with the intended purpose; (b) description of temporal frequency and duration; (c) categories of natural persons likely to be affected; (d) specific risks to their fundamental rights; (e) description of human-oversight measures; (f) description of risk-mitigation measures — including internal governance and complaint mechanisms; (g) damage-notification and escalation routes [1].
03 Notification to market surveillance
Art. 27(3) requires notifying the competent national market-surveillance authority of the FRIA results — via a filled-out template that the EU AI Office is to develop under Art. 27(5) [2]. As of mid-2026 that official template has not been published; deployers work with their own structures in the meantime but should expect to migrate their FRIA into the eventual official format. A 2026 inspection checks whether the FRIA results were notified at all.
04 Lifecycle — when a new FRIA becomes due
The FRIA is not a one-off act: because it is tied to a specific deployment context (Art. 27(1)), material changes to that context — a new demographic target group, new pricing tariffs, a changed data source, a material model adjustment — force a fresh review and, where appropriate, an update [1]. Insurers with active ML tuning should fold the re-FRIA cadence into their governance routine. EIOPA’s August 2025 Opinion on AI governance and risk management deliberately leaves the AI Act’s high-risk systems out of scope but generally underlines ongoing AI risk governance [3].
05 FRIA vs. GDPR DPIA — two stand-alone duties
The GDPR DPIA (GDPR Art. 35) examines the risk that a data-processing operation poses to the rights and freedoms of natural persons, and is primarily data-protection-focused. The FRIA examines the impact of AI use on all fundamental rights under the EU Charter of Fundamental Rights, which is broader and includes the prohibition of discrimination, human dignity and freedom of assembly. Both duties apply in parallel; 2026 inspections check the consistency between the GDPR DPIA and the FRIA for the same AI system [4].
Sources
Every cited claim links to the primary source.
- [1] Regulation (EU) 2024/1689 (AI Act) — full text on EUR-Lex
- [2] European Commission — Regulatory framework for AI (Art. 27 FRIA; template under Art. 27(5))
- [3] EIOPA — Opinion on AI governance and risk management (EIOPA-BoS-25-360, 6 August 2025)
- [4] GDPR Art. 35 — Data-protection impact assessment (EUR-Lex)