The landscape of AI governance is undergoing a rapid, high-stakes transformation — shifting from voluntary ethical frameworks to mandatory legal compliance. With the EU AI Act now in force, compliance officers and legal teams face an "alphabet soup" of overlapping requirements that carry very different legal obligations, deadlines, and penalty regimes.

The primary source of confusion sits among three core assessments: the Data Protection Impact Assessment (DPIA), the Algorithmic Impact Assessment (AIA), and the newly mandated Fundamental Rights Impact Assessment (FRIA). As an IAPP Certified AI Governance Professional (AIGP), I can attest that distinguishing these is not an academic exercise. It is a critical operational requirement for the August 2, 2026, enforcement deadline. Conflating them produces redundant work, governance gaps, and direct exposure to the AI Act's tiered penalty regime.

This article gives you a precise, practitioner-level breakdown of each assessment, their triggers, who is obligated, and — critically — how to integrate them efficiently using the Article 27(4) bridge.

The Three Assessments at a Glance

Before diving into each assessment individually, it helps to see the legal architecture side by side. These are not interchangeable tools — they operate under distinct legal regimes, cover different populations, and report to different authorities.

DPIA (GDPR Art. 35)
  • Primary focus: data protection and privacy.
  • Obligated party: the data controller.
  • Reporting: internal; prior consultation with the data protection authority (Art. 36) only where residual risk remains high.
  • Maximum penalty: €10M or 2% of global annual turnover for a missing or defective DPIA (Art. 83(4)); the €20M / 4% tier applies to breaches of the processing principles and data-subject rights.

AIA (ISO/IEC 42001 / NIST AI RMF)
  • Primary focus: algorithmic and societal impact.
  • Obligated party: any organisation or developer adopting the framework (or a deployer where a national law such as Colorado SB 24-205 requires one).
  • Reporting: internal / framework-dependent.
  • Maximum penalty: varies by jurisdiction; none under the standards themselves.

FRIA (EU AI Act Art. 27)
  • Primary focus: the full spectrum of Charter fundamental rights.
  • Obligated party: specific deployers of Annex III high-risk systems (public bodies, private providers of public services, and credit or life/health insurance risk assessment).
  • Reporting: mandatory notification of results to the Market Surveillance Authority (Art. 27(3)).
  • Maximum penalty: €15M or 3% of global annual turnover under the operator-obligation tier (Art. 99(4)); the €35M / 7% top tier is reserved for prohibited practices (Art. 5).

DPIA (Data Protection Impact Assessment): The Privacy Bedrock

The DPIA is established under Article 35 of the GDPR. It remains the foundational tool for identifying and mitigating risks to the rights and freedoms of natural persons that arise specifically from personal data processing activities. It is not an AI-specific instrument — but in the context of AI systems that process personal data, it is almost always triggered.

When Is a DPIA Triggered?

A DPIA is mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons (Article 35(1)). Article 35(3) names three cases that always qualify; in the AI context they translate into four common triggers:

Trigger 01
Systematic Profiling
Automated processing to evaluate personal aspects — behaviour, performance, preferences, location, or movements.
Trigger 02
Automated Decision-Making
Decisions based solely on automated processing that produce legal or similarly significant effects on individuals.
Trigger 03
Large-Scale Sensitive Data
Processing special categories — biometric, health, criminal records — to train or operate AI models at scale.
Trigger 04
Public Area Monitoring
Systematic, large-scale monitoring of publicly accessible spaces — for example, AI-enabled CCTV networks.

Minimum Content Requirements (Article 35(7))

A legally compliant DPIA must include four mandatory elements:

  • A systematic description of processing activities and their stated purposes.
  • An assessment of the necessity and proportionality of the processing relative to those purposes.
  • An assessment of the risks to the rights and freedoms of data subjects.
  • The measures envisioned to address those risks — including safeguards, security controls, and mechanisms to demonstrate ongoing compliance.

A DPIA is an internal document in the first instance. You are only required to consult your supervisory authority (Article 36) when residual risk, the risk that remains after all planned mitigation measures, is still high. At that point the prior consultation is mandatory, not optional, and processing should not begin until it has taken place.

AIA (Algorithmic Impact Assessment): The Global Unit of Analysis

The term "AIA" is used generically across multiple jurisdictions and frameworks. In a professional governance context, it refers to a cross-functional evaluation tool recognised in international standards — primarily ISO/IEC 42001 and the NIST AI Risk Management Framework (RMF). Unlike the DPIA, it is not grounded in a single mandatory EU regulation; it is the practitioner's primary analytical instrument when working outside — or alongside — the EU legal perimeter.

Key Characteristics That Distinguish the AIA

Scope: AIA vs. DPIA, a direct comparison

  • Affected population. DPIA: data subjects only. AIA: all stakeholders, including groups and society at large.
  • Environmental factors. DPIA: out of scope. AIA: in scope.
  • Group-level bias. DPIA: indirect / limited. AIA: central concern.
  • Primary frameworks. DPIA: GDPR. AIA: NIST AI RMF, ISO/IEC 42001, Colorado SB 24-205, NYC Local Law 144.

Within the NIST AI RMF, the AIA is deployed during the Map and Measure functions to characterise risk pathways and analyse impact on all affected groups. In ISO/IEC 42001, the AI system impact assessment required by clause 6.1.4 (with ISO/IEC 42005 as the supporting guidance standard) is a core input to the AI Management System (AIMS) and its audit cycle.

For US-based practitioners, the AIA is the primary instrument of compliance. The Colorado AI Act (SB 24-205) and NYC Local Law 144 — which mandates annual bias audits for automated employment decision tools — both operationalise the AIA concept rather than the GDPR-derived DPIA.

FRIA (Fundamental Rights Impact Assessment): The New AI Act Mandate

The FRIA is the most consequential new obligation in the EU AI Act for deploying organisations. It is grounded in Article 27 and expands the risk lens far beyond privacy to encompass the full spectrum of rights protected by the EU Charter of Fundamental Rights — including dignity, equality, freedom of expression, and access to justice.

Who Is Obligated?

The FRIA obligation falls on deployers, not providers, and only when a deployer in one of three categories puts an Annex III high-risk system into use:

1
Public Bodies and Entities Governed by Public Law
Any body governed by public law that deploys a high-risk system listed in Annex III must conduct a FRIA, whatever the system's function, with one carve-out: the critical-infrastructure safety components in Annex III point 2 are excluded.
2
Private Entities Providing Public Services
Includes education institutions, hospitals and healthcare providers, social services, and essential utilities (water, energy). The same point 2 carve-out applies here: a utility deploying AI purely as a safety component for grid or water-network management is outside the FRIA duty. If the same company uses a high-risk system for recruitment or credit decisions, the FRIA is mandatory.
3
Deployers of High-Risk AI for Financial Assessments
Any deployer, public or private, of the systems in Annex III points 5(b) and 5(c): creditworthiness evaluation and credit scoring of natural persons, and risk assessment and pricing for life and health insurance.

Annex III High-Risk Areas That Trigger a FRIA

For a deployer in one of the three categories above, the FRIA duty attaches to Annex III systems in areas such as:

  • Education (point 3): systems determining access to, or ranking within, educational institutions.
  • Employment / HR (point 4): recruitment, promotion, performance monitoring, or termination tools.
  • Essential public services (point 5(a)): AI evaluating eligibility for essential public assistance benefits and services, including healthcare.
  • Biometrics, law enforcement and migration (points 1, 6 and 7): biometric identification and risk assessment systems.
  • Financial services (points 5(b) and 5(c)): creditworthiness and life/health insurance risk scoring.

Excluded: the critical-infrastructure safety components in point 2, even when deployed by a public body.

The Five Core Questions a FRIA Must Answer

The FRIA is not a repackaged DPIA. It is legally required to address questions that fall entirely outside a DPIA's scope:

Q1
Which fundamental rights are affected? Enumerate the specific Charter rights at stake — dignity (Art. 1), equality (Art. 20–21), freedom of expression (Art. 11), right to an effective remedy (Art. 47).
Q2
What is the potential impact on equality and non-discrimination? Identify demographic groups that may be disproportionately affected by the system's outputs.
Q3
What are the consequences of error or biased output? Map the real-world downstream harm — denial of credit, exclusion from employment, removal of welfare benefits — from a false positive or false negative.
Q4
Who is accountable, and what human oversight exists? Document the human oversight measures (Article 27(1)(e)), implemented in line with the provider's instructions for use under Article 13 and the Article 14 design requirements, including who has authority to override the system's output.
Q5
What meaningful path to redress exists? Describe the concrete mechanism by which an affected individual can challenge, contest, or appeal an AI-driven decision.

Results must be notified to the relevant Market Surveillance Authority (Article 27(3)) using the standardised questionnaire template the AI Office is to develop under Article 27(5). This is not a discretionary internal document; it is a mandatory regulatory notification, and it must be updated when any of the underlying elements changes.

The Article 27(4) Bridge: Integrated Workflow

Article 27(4) of the EU AI Act contains a critical efficiency provision: where an obligation is already met through a GDPR Article 35 DPIA, the FRIA complements that DPIA rather than repeating it. Reusing DPIA components systematically removes a large share of the FRIA drafting effort.

The efficiency gain is concentrated in two reusable sections: System Description (S1) and Affected Persons (S2), which are often identical across both assessments. The following seven-step workflow integrates both obligations into a single operational process.

01  Define System & Context (SHARED: reuse S1)
Document the system architecture, intended purpose, deployment context, and technical capabilities once. This section feeds both assessments.
02  Describe Data Processing (DPIA focus)
Map all personal data flows, identify the lawful basis under GDPR, and document retention and access controls.
03  Map Affected Persons & Rights (SHARED: reuse S2)
Reuse S2 for individuals and add the non-privacy fundamental rights the FRIA requires: equality, dignity, freedom of expression, effective remedy.
04  Identify Risks & Harms (COMBINED)
Build a single unified risk register covering both privacy harms and fundamental rights violations, recording likelihood, severity, and affected population for each.
05  Define Mitigation & Oversight (COMBINED)
Document human oversight controls, bias testing protocols, and complaint and redress mechanisms; these serve both legal regimes.
06  Document Separate Conclusions
State residual risks under each legal regime independently. The DPIA conclusion addresses GDPR necessity and proportionality; the FRIA conclusion addresses Charter rights compliance.
07  Generate Dual Outputs
Produce the DPIA for internal records (consult the DPA if residual risk remains high) and the FRIA report for mandatory notification to the Market Surveillance Authority.

Sector-Specific Scenarios

Abstract framework comparisons become concrete when applied to real deployment scenarios. The following three cases illustrate how obligations stack in practice.

Scenario A: Bank Deploys a Credit Scoring Model
Assessments triggered
DPIA (systematic profiling and automated decisions) + FRIA (Annex III point 5(b), creditworthiness evaluation and credit scoring of natural persons)
Primary FRIA focus
Demographic bias that disproportionately restricts credit access; non-discrimination under Charter Article 21.
Expert note
AI systems used for the purpose of detecting financial fraud are expressly carved out of point 5(b), so a fraud-only model triggers no FRIA.

Scenario B: HR Firm Deploys an AI Recruitment Tool
Assessments triggered
DPIA (automated decisions) + FRIA (Annex III point 4, employment and HR), provided the deployer is a public body or a private provider of public services. A purely commercial employer using the same tool is a high-risk deployer under Article 26 but has no Article 27 FRIA duty.
Primary FRIA focus
Non-discrimination (Charter Article 21) and workers' rights, dimensions entirely outside a DPIA's scope.
Key insight
The DPIA addresses candidate data rights. The FRIA addresses whether the system systematically disadvantages protected groups in hiring outcomes.

Scenario C: Municipal Agency Uses AI for Welfare Eligibility
Assessments triggered
DPIA (large-scale sensitive data) + FRIA (Annex III point 5(a), eligibility for essential public assistance benefits; mandatory for a public body deploying any Annex III system)
Primary FRIA focus
Right to good administration (Charter Article 41) and right to an effective remedy (Article 47), ensuring contested decisions can be reviewed.
Exception to note
If the same agency uses AI only as a safety component for critical infrastructure, managing water systems for example, the Annex III point 2 exclusion applies and no FRIA is required for that system.

The Cost of Confusion: Sanctions and Operational Risk

The penalty regime for mishandling these assessments is severe and unevenly tiered. The AI Act's top tier (€35M or 7%) is reserved for prohibited practices under Article 5; breaches of operator obligations, including deployer duties, sit one tier down at €15M or 3% (Article 99(4)). That is still well above the GDPR tier that covers a missing DPIA.

GDPR: failure to carry out a DPIA (Art. 35) or to consult the DPA (Art. 36)
  • Up to €10M or 2% of global annual turnover, whichever is higher (Art. 83(4)). The €20M / 4% tier applies to breaches of the processing principles and data-subject rights, which a defective AI deployment frequently also engages.
  • The supervisory authority may also impose a temporary or definitive limitation on the processing, including an outright ban (Art. 58(2)(f)).

EU AI Act: breaches of operator obligations, including deployer duties
  • Up to €15M or 3% of global annual turnover, whichever is higher (Art. 99(4)).
  • Market surveillance authorities can require corrective action, withdrawal or recall of a non-compliant system (Art. 79). For a core business process, the disruption cost typically exceeds the fine itself.

The operational risk of non-compliance often exceeds the financial penalty. An immediate suspension order against a credit scoring engine or a welfare eligibility platform can halt core business operations within hours. The reputational damage to a public sector body whose AI system is suspended for rights violations is compounding and long-lived.

AIGP Expert Checklist: Preparing for August 2026

The August 2, 2026, enforcement deadline requires organisations to move beyond the checkbox mentality. The following actions represent the minimum viable compliance posture for any organisation operating high-risk AI in the EU.

August 2026 Readiness Checklist
Build an AI System Inventory. Register every AI system in use, including third-party SaaS and embedded vendor tools. You cannot assess what you have not catalogued.
Map All Systems Against Annex III. Classify each system. Identify which deployments are high-risk and which FRIA obligations they carry.
Select a FRIA Staffing Model. In-house teams build institutional knowledge; external assessors bring independence and regulatory credibility. A hybrid model, internal ownership with external validation, is the most commonly recommended option and balances accountability with expert review.
Build Integrated DPIA/FRIA Templates. Design your documentation workflow to capture S1 (System Description) and S2 (Affected Persons) once, and output to both assessment formats.
Conduct Vendor Documentation Audits. Under Article 13, providers must supply instructions for use containing the information a deployer needs, including the human oversight measures that Article 27(1)(e) requires the FRIA to describe. Demand this documentation contractually before you are audited.
Monitor the Digital Omnibus Proposal. This proposal may shift some high-risk obligations to December 2027. Nevertheless, maintain the August 2026 target for all current high-risk deployments — the proposal is not yet law.

Conclusion: From Compliance Checkbox to Strategic Governance

The DPIA, AIA, and FRIA are not bureaucratic redundancies. They are the primary mechanisms for achieving what the EU AI Act describes as human-centric and trustworthy AI. When executed correctly — and integrated efficiently using the Article 27(4) bridge — they function as rigorous design reviews that identify edge cases, systemic biases, and accountability gaps before they become regulatory liabilities or reputational crises.

With the August 2, 2026, deadline approaching, the organisations that will succeed are those that treat these assessments as a strategic advantage rather than an administrative hurdle. The penalty exposure is real. The operational risk of a suspension order is real. But so is the competitive differentiation available to organisations that can credibly demonstrate to regulators, customers, and procurement bodies that their AI systems are governed with precision and accountability.

Proper governance is not about slowing innovation. It is about ensuring that innovation is defensible, ethical, and built to last.