FRIA Template: A Fill-in-the-Blank Structure for AIGP Exam Prep

Most AIGP candidates first meet the Fundamental Rights Impact Assessment (FRIA) as an abstract acronym buried inside Article 27 of the EU AI Act, sandwiched between FRIA and DPIA in a comparison table. That is the wrong way to learn it. The exam does not test whether you can recite the definition — it tests whether you can recognize, given a scenario, which sections of a FRIA a deployer would actually need to complete, and why.

This guide gives you a working FRIA structure, section by section, with the kind of fill-in-the-blank scaffolding you can practice against using your own hypothetical deployments. It is built directly from the Article 27 obligations, not a generic risk-assessment template repurposed for AI.

A FRIA is not a DPIA with an AI label. It assesses impact on fundamental rights — non-discrimination, dignity, fair trial, freedom of expression — not just personal data processing. Candidates who blur the two lose points on scenario questions.

Who Actually Has to Complete One

Article 27 limits the FRIA obligation to a specific population: deployers that are bodies governed by public law, or private operators providing public services, plus deployers of high-risk AI systems used to evaluate creditworthiness or to price life and health insurance. If a system is high-risk but the deployer is a private company outside those categories, no FRIA is triggered — that distinction alone shows up repeatedly in exam scenario questions. If you have not yet worked through how the EU AI Act sorts systems into risk tiers in the first place, that is worth doing before this template, since the FRIA obligation sits entirely downstream of that classification.

The Template, Section by Section

Below is the structure broken into the blanks you would actually fill in for a real deployment. Practice this against two or three hypothetical systems — a hiring algorithm, a credit-scoring tool, a public benefits eligibility system — and the exam's scenario questions stop feeling abstract.

Section 1 — System Description

• [ Blank: System name and version ] — exact AI system being deployed, including model version if it changes meaningfully over time
• [ Blank: Intended purpose ] — the specific use case as declared by the provider, not a general description of the AI's capability
• [ Blank: Deployment context ] — where, how often, and on what population the system will be used

Section 2 — Process Description

• [ Blank: Period and frequency of use ] — Article 27 explicitly requires this; a one-time pilot has a different risk profile than continuous deployment
• [ Blank: Categories of natural persons and groups affected ] — name the specific population, not "users" generically
• [ Blank: Human oversight measures in place ] — who reviews outputs, and what authority they have to override the system

Section 3 — Rights Impact Analysis

• [ Blank: Specific risks of harm to affected groups ] — this is where candidates lose the most points by writing generic "bias" answers instead of naming the actual right at stake
• [ Blank: Fundamental rights implicated ] — name them explicitly: non-discrimination (Article 21 EU Charter), human dignity, effective remedy, fair trial
• [ Blank: Likelihood and severity assessment ] — qualitative scoring of how probable and how serious each identified harm is

Section 4 — Mitigation and Governance Measures

• [ Blank: Specific measures to be taken ] — concrete controls, not aspirational statements; "will monitor for bias" is not a measure, "monthly disparate-impact testing against protected classes" is
• [ Blank: Governance measures internal to the deployer ] — escalation paths, complaint mechanisms, internal review cadence
• [ Blank: Notification obligation to market surveillance authority ] — Article 27(3) requires notifying the relevant authority, using a template the AI Office is responsible for developing

FRIA vs DPIA: The Distinction the Exam Tests Most

If you already hold a CIPP or have done DPIAs under GDPR, the instinct is to treat a FRIA as a variant of that process. Resist it. A DPIA asks: does this processing create risk to personal data? A FRIA asks a broader question: does this system's use create risk to a fundamental right, independent of whether personal data is involved at all.

A useful exam heuristic: if a question scenario describes a system affecting eligibility, access, or treatment of a person or group — and a GDPR-trained instinct says "this needs a DPIA" — check whether it also needs a FRIA. The two assessments frequently run in parallel, addressing different obligations under different legal bases, and Article 27(4) explicitly allows reusing parts of an existing DPIA to avoid duplicating work, provided the rights-specific elements are still addressed.

Where the FRIA Sits in the Broader Compliance Timeline

The FRIA obligation under Article 27 applies from August 2026, alongside the broader set of high-risk system obligations. It is not retroactive in the sense of requiring assessment of historical use, but any system still in active deployment after that date and falling into the deployer categories above needs one completed before, or as part of, that deployment continuing.

For the exam specifically, expect FRIA questions to appear either as direct definitional recall (less common) or as scenario-based "spot the missing obligation" questions, where a fact pattern describes a public-sector deployment and asks what the deployer failed to do. Knowing the four-section structure above is usually enough to identify the gap correctly.

Common Mistakes Candidates Make on FRIA Questions

Across practice question sets and exam debriefs, the same handful of errors show up repeatedly. Knowing them in advance is often worth more than memorizing the template itself, since the exam tends to test recognition of these exact traps.

• Confusing "high-risk system" with "FRIA-triggering deployer" — every FRIA-triggering scenario involves a high-risk system, but not every high-risk system triggers a FRIA. The deployer category is the gate, not the system's risk tier alone.
• Writing mitigation measures as intentions rather than controls — "we will ensure fairness" is not a measure. "Quarterly disparate-impact testing reviewed by a named compliance officer" is. Exam answer choices are often written to separate vague-but-comforting language from specific, auditable controls.
• Treating the FRIA as a one-time document — Article 27 ties the assessment to the period and frequency of use, which means a system whose deployment context changes (new population, new use case, new geography) should trigger a fresh or updated FRIA, not a footnote to the old one.
• Forgetting the notification step — completing the four sections above is necessary but not sufficient. Article 27(3) requires notifying the relevant market surveillance authority, and exam scenarios frequently test whether candidates remember this final administrative step exists at all.

How the FRIA Interacts With the Provider's Documentation

A FRIA does not exist in isolation from the rest of the high-risk compliance package. Deployers are expected to draw on the provider's instructions for use and the system's technical documentation when completing Sections 1 and 2 above — particularly the intended purpose and any limitations the provider has already identified. A deployer who skips this and writes their own characterization of the system's purpose, disconnected from what the provider actually declared, creates an inconsistency that a market surveillance authority is specifically positioned to catch during review.

This is also where the relationship between the FRIA and the EU AI Act's broader conformity assessment regime becomes relevant for exam purposes. Understanding how a system gets classified into the high-risk tier in the first place makes the FRIA obligation feel less like an isolated checklist and more like the natural next step once that classification has already been made.

Practice Approach

Take three systems you can describe in two sentences each — a hiring tool, a fraud-detection system for a public utility, and a university admissions assistant — and run each through all four sections above without looking at notes. The systems that feel hardest to fill in are usually the ones with the least concrete human oversight described, which is itself a useful signal: vague oversight language is a recurring wrong-answer trap on the actual exam.

Once the four-section structure feels automatic, layer in timing: practice identifying not just what goes in each section but when the FRIA needs to be completed relative to deployment, and what changes would require revisiting it. That timing layer is where scenario questions tend to get harder, and it is also where a solid grasp of how the FRIA differs from the DPIA and AIA more broadly pays off, since several exam questions are built specifically around that boundary.

Where This Fits in Your Broader AIGP Study Plan

FRIA questions tend to cluster in the same study block as the rest of the EU AI Act's high-risk obligations — conformity assessment, technical documentation, post-market monitoring. If you have not yet mapped out how those pieces connect to the August 2026 enforcement timeline, this breakdown of the deadline and what it actually requires deployers to have in place is a useful companion to this template, since several of the same deployer categories overlap.

And if FRIA-style scenario questions are still feeling abstract after working through the template above, testing yourself against realistic exam-format questions is usually the fastest way to close the gap — a set of BoK v2.1-calibrated practice questions is a good next stop after this one.