From lawvable-awesome-legal-skills
Assesses whether a FRIA is required under Article 27 EU AI Act and structures the impact assessment for high-risk AI deployments.
How this skill is triggered — by the user, by Claude, or both
Slash command
/lawvable-awesome-legal-skills:fria-eu-ai-act-article-27-werner-plutatThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Assess whether a deployer must perform a Fundamental Rights Impact Assessment (FRIA) under Article 27 of the EU AI Act, and structure that assessment for a specific high-risk AI use case before the system is put into use.
Assess whether a deployer must perform a Fundamental Rights Impact Assessment (FRIA) under Article 27 of the EU AI Act, and structure that assessment for a specific high-risk AI use case before the system is put into use.
Important: This skill supports a structured legal-compliance workflow. It does not replace legal judgment. A FRIA is inherently contextual and should never be treated as a box-ticking exercise. Always identify assumptions, open questions, and contested interpretations explicitly.
Before you start: If you have not yet confirmed that the system is a high-risk AI system, use the EU AI Act System Classifier first. Article 27 applies only in the context of high-risk AI systems and only for a subset of deployers.
Follow this sequence in order. Do not skip the scope questions.
Article 27 only applies where the intended use concerns a high-risk AI system within the meaning of the AI Act.
Check:
If high-risk status is not yet confirmed: stop here and use the EU AI Act System Classifier first.
This is the most important gating step.
Article 27 does not apply to all deployers of high-risk AI. It applies to deployers that are:
Assess carefully:
If NO: document that Article 27 FRIA is not mandatory for this deployer, while separate deployer obligations under Article 26 may still apply.
If YES: proceed.
A FRIA must be carried out:
Check:
Article 27(2) requires the FRIA to be grounded in the deployer's actual processes.
Document:
If the process description is vague, the FRIA will be weak. Push for operational specificity.
Article 27(2) expressly requires the deployer to identify the categories of natural persons and groups likely to be affected.
Map:
Then identify which fundamental rights are realistically at stake under the EU Charter of Fundamental Rights, including where relevant:
→ For the detailed rights catalogue and examples, read references/fundamental-rights-catalogue.md.
Article 27(2) requires identification of the specific risks of harm likely to impact the identified persons/groups.
Assess, for each relevant right and affected group:
Use a structured assessment across:
→ For the scoring method and decision framework, read references/fria-methodology.md.
Article 27(2) requires a description of:
Check existing safeguards such as:
The question is not whether a safeguard exists on paper, but whether it is effective for this specific risk.
After accounting for safeguards, assess the residual risk.
Ask:
This is the core judgment section. Do not auto-approve because controls exist. Explain the reasoning.
If the FRIA identifies a specific risk to the rights of natural persons or groups of persons, the deployer must notify the relevant market surveillance authority.
Where the risk relates to processing of personal data and is relevant under data protection law, the deployer must also notify the competent data protection authority.
Check:
→ For authority mapping and notification structure, read references/notification-requirements.md.
Under Article 27(4), the FRIA may be conducted together with a GDPR Article 35 Data Protection Impact Assessment (DPIA), where relevant.
Do not merge them blindly. First determine:
Key point: A DPIA and a FRIA overlap, but they are not the same thing. A FRIA extends beyond data protection into broader Charter rights, procedural fairness, access, equality, and remedy.
→ For overlap and integration guidance, read references/dpia-fria-interaction.md.
If the deployment is in Germany, Austria, or Switzerland, consider the local governance and constitutional overlay.
In Germany in particular, assess:
→ For DACH-specific analysis, read references/dach-specific.md.
Use these questions at intake before drafting the FRIA:
System and Scope
Operational Context 5. In which process or decision workflow will the system be used? 6. What outputs does the system generate, and how are they used in practice? 7. How often will the system be used, over what time period, and at what scale? 8. Who are the human decision-makers or reviewers around the system?
Affected Persons and Rights 9. Which persons or groups are likely to be affected directly or indirectly? 10. Are vulnerable groups, children, patients, customers, benefit applicants, job candidates, or employees involved? 11. Which fundamental rights could realistically be interfered with? 12. What is the worst plausible harm for each key group?
Safeguards and Governance 13. What human oversight measures exist in real operation? 14. What complaint, appeal, or redress mechanisms exist? 15. What happens if the system produces an error, bias, or adverse outcome? 16. Are there data quality controls, logging, audits, or monitoring processes?
DPIA / Notification / Change 17. Is personal data processed, and has a DPIA been done or planned? 18. Has the use already started, or is this assessment still pre-deployment? 19. Has anything significantly changed since the last assessment? 20. Has the FRIA identified a specific risk that may require notification?
If key answers are missing, state assumptions and identify them as blockers or legal-risk gaps.
Load these as needed during the assessment:
| File | When to read |
|---|---|
| references/fundamental-rights-catalogue.md | Mapping the rights at stake - Charter rights, practical AI impact examples |
| references/fria-methodology.md | Running the assessment - scoring, proportionality, residual risk, decision logic |
| references/dpia-fria-interaction.md | Determining whether/how to combine a FRIA with a GDPR DPIA |
| references/notification-requirements.md | Determining whether notification is required and how to structure it |
| references/dach-specific.md | Germany/Austria/Switzerland overlay - authorities, procurement, works council, constitutional lens |
| references/templates.md | Producing practical outputs - FRIA report, matrix, notifications, management briefing |
Every FRIA engagement should produce these deliverables:
FRIA Scope Memo - short determination of whether Article 27 applies, including deployer status, high-risk status, use-case boundary, timing, and whether a FRIA is mandatory.
FRIA Report / Draft FRIA - structured assessment covering Article 27(2) elements: process description, intended use period/frequency, affected groups, rights at stake, specific risks of harm, oversight measures, mitigation/governance measures, residual risk, and notification analysis.
Rights Impact Matrix - practical table mapping affected groups, relevant rights, risk mechanisms, inherent risk, existing safeguards, residual risk, and required actions.
Management Briefing - one-page decision note for leadership explaining whether deployment can proceed, under what conditions, and what must happen before go-live.
Notification Pack (if required) - draft notice to the market surveillance authority and, where relevant, the competent data protection authority.
→ For templates and model wording, read references/templates.md.
This skill provides structured workflow support for Article 27 of Regulation (EU) 2024/1689 (EU AI Act). It does not constitute legal advice. Whether an entity is a body governed by public law, a private provider of public services, or whether a specific risk requires notification may depend on national law, sector rules, procurement structures, and supervisory practice. The analysis should be reviewed by qualified counsel, especially before deployment, authority engagement, or high-impact operational decisions.
Performs a fast 15-25 minute preliminary EU AI Act classification and compliance assessment with conversational triage workflow.
Supports EU AI Act compliance tasks: deadlines, penalties, GPAI systemic risk threshold (10^25 FLOPs), and FRIA assessments. Use for questions about enforcement dates, fines, or risk thresholds.
Triages and routes work on digital governance, compliance, and risk assessment under EU AI Act, GDPR, and related frameworks. Performs silent-upload, deadline-checks, and directs to specialized modules.
npx claudepluginhub lawve-ai/awesome-legal-skills