EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

Fundamental Rights Impact Assessment (FRIA)

EU AI Act Art 27 ยท Rights-by-Design ยท 5-Phase Methodology ยท Impact Scoring ยท Mitigation Framework ยท Consultation Protocol ยท EAT Directive aligned

EU AI ACT ART 27 FRIA ACTIVE
5
Assessment Phases
12
Rights Analysed
4
Risk Levels
90d
Before Deployment
30d
Consultation Period
100%
SIGIL Signed

What is Article 27?

Article 27 of the EU AI Act requires deployers of high-risk AI systems (public bodies and private entities providing services of public interest) to conduct a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into use. The FRIA must evaluate:

For DEFONEOS, the FRIA is not just a compliance document โ€” it is the foundation of the entire rights-by-design architecture. Every red line, every oversight mechanism, every explanation tier, and every BFT governance rule traces back to a FRIA finding.

5-Phase FRIA Methodology

1
Phase 1 โ€” Scope & Context Definition

Define the AI system's intended purpose, deployment context, affected populations, and decision categories. Identify which fundamental rights are engaged. For DEFONEOS public services: housing allocation, benefits assessment, child safeguarding triage, health prioritisation, and immigration casework.

ElementDescription
System name & versionDEFONEOS v[version] โ€” [service module]
Intended purposeDecision support for [public service function]
Deployment context[Public authority] โ€” [department] โ€” [geography]
Affected populationsDemographic breakdown, vulnerable groups identified
Decision categoriesBeneficial / Detrimental / Administrative / Referral
Legal effectsDoes the decision produce legal effects? (GDPR Art 22 / Art 86 trigger)
2
Phase 2 โ€” Rights Mapping & Impact Identification

Systematically evaluate the AI system's impact on each of the 12 fundamental rights domains. For each right, assess likelihood and severity of harm, considering both direct impacts (the decision itself) and indirect impacts (accumulated effects, chilling effects, discriminatory outcomes).

The 12 Fundamental Rights Analysed

#RightLegal SourceRisk Vector in DEFONEOS Context
1Right to lifeECHR Art 2Medical triage, emergency response prioritisation
2Right to non-discriminationECHR Art 14, EU Charter Art 21Bias in housing/benefits/child welfare decisions
3Right to private & family lifeECHR Art 8, EU Charter Art 7Data collection scope, family profiling
4Right to data protectionGDPR, EU Charter Art 8Sovereign storage mitigates; data minimisation required
5Right to dignityEU Charter Art 1Automated decisions affecting human dignity (welfare sanctions)
6Right to good administrationEU Charter Art 41Transparency, timeliness, right to be heard
7Freedom of movementECHR Protocol 4Immigration casework, border decisions
8Rights of the childUNCRC, EU Charter Art 24Child safeguarding triage โ€” heightened protection required
9Right to an effective remedyECHR Art 13, EU Charter Art 47Right to explanation (Art 86), appeal mechanism
10Right to fair trialECHR Art 6Automated sanctions with legal effects
11Freedom of expression & informationECHR Art 10Content moderation in public sector communications
12Social rightsEU Charter Solidarity Ch.Access to healthcare, housing, social security
3
Phase 3 โ€” Risk Scoring & Severity Assessment

Each identified impact is scored using a Likelihood ร— Severity matrix. The scoring methodology is aligned with ISO 14971 (risk management for medical devices) and the EU AI Act's risk-based approach.

Risk LevelSeverityLikelihoodAction Required
CATASTROPHICDeath, irreversible harm, fundamental rights violationAny probabilityRED LINE โ€” system cannot deploy until mitigated to SERIOUS or below
SERIOUSSignificant legal effects, discrimination, dignity violationMedium-HighMandatory mitigation + BFT council approval + ongoing monitoring
MODERATEDetrimental decision with recourse availableMediumMitigation recommended + human oversight mandatory
LOWAdministrative impact, no legal effectsLowMonitor + document. No special action required.
4
Phase 4 โ€” Mitigation & Safeguard Design

For each identified risk above LOW, design specific mitigation measures. Mitigations are mapped to DEFONEOS architectural components:

Mitigation CategoryDEFONEOS ComponentRights Protected
Red line enforcement7 immutable red lines at protocol levelLife, dignity, non-discrimination
Human oversight5-level oversight framework (Art 14)Effective remedy, fair trial
Right to explanation5-tier explanation framework (Art 86)Good administration, effective remedy
Stop button<2s kill switch, all componentsLife, dignity
BFT governance33-agent council, quorum 23/33All rights โ€” distributed oversight
Bias monitoringContinuous fairness metrics, 8 protected characteristicsNon-discrimination
Data minimisationSovereign storage, purpose limitation enforcedPrivacy, data protection
Record keepingSIGIL chain, 8 log categories (Art 12)Good administration, transparency
Automated decision safeguards7 safeguard layers (Art 22)Dignity, fair trial
Incident response7-phase pipeline, Art 73 reportingAll rights โ€” harm prevention
5
Phase 5 โ€” Consultation, Publication & Review

The FRIA must be informed by consultation with affected groups and relevant authorities. DEFONEOS requires:

FRIA Template Structure (Annex VI Aligned)

FUNDAMENTAL RIGHTS IMPACT ASSESSMENT Article 27, EU AI Act | DEFONEOS v[VERSION] 1. EXECUTIVE SUMMARY 1.1 System overview 1.2 Deployment context 1.3 Key findings 1.4 Risk acceptance decision 2. SYSTEM DESCRIPTION 2.1 Intended purpose 2.2 Technical architecture 2.3 Decision categories 2.4 Human oversight mechanisms 2.5 Autonomy level 3. AFFECTED POPULATIONS 3.1 Demographic analysis 3.2 Vulnerable groups identified 3.3 Consultation summary 4. RIGHTS IMPACT ANALYSIS 4.1-4.12 Individual rights assessments (12 rights) For each: Impact identified โ†’ Likelihood โ†’ Severity โ†’ Risk score โ†’ Existing mitigations โ†’ Residual risk โ†’ Acceptance rationale 5. MITIGATION FRAMEWORK 5.1 Technical safeguards (red lines, stop button, BFT) 5.2 Procedural safeguards (oversight, explanation, redress) 5.3 Organisational safeguards (DPO, training, audit) 6. CONSULTATION RECORD 6.1 Civil society feedback 6.2 Regulator pre-notification 6.3 Community engagement 7. RESIDUAL RISK ACCEPTANCE 7.1 Decision rationale 7.2 Conditions for deployment 7.3 Monitoring requirements 7.4 Review trigger criteria 8. SIGNATURES 8.1 DPO 8.2 BFT Council quorum confirmation 8.3 Deployer authority SIGIL: [Ed25519 signature of full document hash]

Article 27 Compliance Matrix

RequirementStatusDEFONEOS Implementation
Conduct FRIA before first useโœ… MET5-phase methodology, 90 days before deployment
Identify specific risks to fundamental rightsโœ… MET12 rights ร— deployment context = granular risk register
Include measures to be appliedโœ… METPhase 4: 10 mitigation categories mapped to architecture
Consult with affected groupsโš ๏ธ PARTIAL30-day consultation designed. No live consultation conducted (no deployment).
Submit to national competent authorityโŒ NOT STARTEDRequires deployment context and named authority. Human gate.
Notify MSA of assessment outcomeโŒ NOT STARTEDRequires deployment context. Human gate.
Make FRIA publicly availableโœ… METPublication protocol designed. This page is the public methodology.
Update when system materially changesโœ… METSIGIL versioning triggers FRIA refresh on model/architecture change

Cross-Framework Alignment

FrameworkArticleRequirementDEFONEOS Mapping
EU AI ActArt 27FRIA for high-risk deployersThis page โ€” 5-phase methodology
EU AI ActArt 86Right to explanationFRIA Phase 4 โ†’ explanation framework
GDPRArt 35Data Protection Impact AssessmentConducted in parallel with FRIA
ECHRArts 2,6,8,13,14Convention rights protectionPhase 2: 12 rights mapped to ECHR
EU CharterArts 1,7,8,21,24,41,47Fundamental rights of the EUPhase 2: Charter articles in rights register
Equality Act 2010s.149Public Sector Equality DutyIntegrated into FRIA Phase 5 consultation
UNCRCArts 2,3,6,12Children's rightsChildren's Rights Impact Assessment within FRIA
HRA 1998s.6Public authority compatibility dutyFRIA is the compliance evidence
UK DPA 2018Sch.1 Pt.2Safeguards for substantial public interestFRIA satisfies safeguard requirement
ISO 42001Cl. 6.1Risks and opportunitiesPhase 3 risk scoring aligned
NIST AI RMFMeasure 2.1Assess impacts on individualsPhase 2 rights impact identification

Integration with DEFONEOS Architecture

The FRIA is not a one-time document. It is a living governance instrument that is continuously informed by the DEFONEOS operational stack:

โš ๏ธ Honesty Register

The FRIA methodology described here is the designed framework. No live FRIA has been conducted for a real DEFONEOS deployment โ€” there is no live deployment. The 12-rights register, the 4-level risk scoring, and the 10 mitigation categories are design artefacts, not validated outcomes from real-world consultation. The 30-day public consultation has not occurred. No national competent authority has been notified. No civil society feedback has been collected. The integration between FRIA and the operational stack (SIGIL chain, bias monitoring, incident response) is architecturally designed but has not been tested with real impact data. The claim that "FRIA is the foundation of the rights-by-design architecture" is aspirational โ€” the architecture was designed first, and the FRIA framework was built to formalise and document the rights protections that the architecture already provides. A genuinely rights-led process would have started with the FRIA and designed the system around it โ€” DEFONEOS did both simultaneously, which is defensible but should be acknowledged. No DPO has been formally designated. No equality body has been consulted.