EU AI Act Art.27 FRIA Compliance Finale: Complete Documentation Package and August 2026 Checklist for High-Risk AI Deployers

Post #5 in the sota.io EU AI Act FRIA 2026 Series

The August 2, 2026 deadline for EU AI Act compliance is now under 60 days away. If you are a deployer of high-risk AI in the public sector — or a private organisation providing public services — Art.27 requires you to have completed a Fundamental Rights Impact Assessment (FRIA) before your system goes into use.

This finale post closes out the five-part FRIA series. It brings together everything from the previous posts into a single actionable compliance package: the document set you need to assemble, how to integrate FRIA with your broader AI governance framework, the EU database registration obligation, and a 45-item checklist to confirm you are ready for August 2, 2026.

If you have not yet read the series, start with who must conduct a FRIA and why, then work through the methodology guide, monitoring and update obligations, and the sector-specific employment, education and social services guide.

The FRIA Documentation Package

A completed FRIA is not a single document. It is an evidence package consisting of several interconnected files. Auditors — both internal and from National Competent Authorities conducting market surveillance under Art.74 — will expect to see all components, not just a summary assessment.

Document 1: The FRIA Core Assessment

The primary FRIA document records the structured assessment of fundamental rights risks. Its minimum required content under Art.27:

Section 1 — Deployer Identity and System Description

• Organisation name, legal form, contact details
• Full description of the AI system (name, version, supplier, purpose)
• Deployment context: where, how, and by whom the system is used
• Population of affected persons (scale, demographics, vulnerability factors)
• Geographic scope of deployment

Section 2 — Fundamental Rights in Scope

• Identification of EU Charter rights that may be affected (dignity, equality, non-discrimination, privacy, education, work, remedy)
• For each right: why it is potentially affected by this AI deployment
• Reference to Annex III category triggering the FRIA obligation

Section 3 — Risk Assessment

• For each identified rights impact: likelihood (low/medium/high), severity (low/medium/high), and reversibility
• Cumulative and intersectional risk analysis (when multiple rights or populations are affected simultaneously)
• Identification of potentially affected groups, with heightened analysis for vulnerable categories (children, persons with disabilities, migrants, elderly)

Section 4 — Mitigation Measures

• For each identified risk: specific technical and organisational measures adopted
• Residual risk after mitigation: documented and accepted at the appropriate governance level
• Link to Art.26 deployer obligations (monitoring protocols, feedback mechanisms, bias oversight)

Section 5 — Human Oversight

• Description of human-in-the-loop or human-over-the-loop mechanisms
• Identification of the responsible natural person(s) for oversight and intervention
• Escalation paths when automated output is challenged by affected persons

Section 6 — Governance and Accountability

• Name and role of the person who conducted the FRIA
• Name and role of the approving authority within the organisation
• Date of completion and approval
• Review schedule (frequency and triggers for update)
• Reference to EU database registration entry (Article 27 registration obligation)

Document 2: Supporting Evidence Annex

The core assessment should be backed by an evidence annex that demonstrates it was conducted in substance, not merely as a paperwork exercise.

What belongs in the evidence annex:

• Technical documentation extracts from the provider (or internal documentation if the deployer is also a provider)
• Data flow diagrams showing what personal data the AI system processes and how
• Minutes or records of consultation with affected stakeholders, workers' representatives, or data protection officers
• Results of any bias or fairness testing conducted pre-deployment
• DPA correspondence records (if a GDPR Art.35 DPIA was also conducted — see integration guidance below)
• Risk register showing link between identified FRIA risks and the organisation's Art.9 risk management inputs
• Screenshots or workflow documentation showing human oversight mechanisms in operation

Document 3: GDPR Art.35 DPIA Integration Record

Where the AI system processes personal data (which is nearly always the case for Annex III systems), the FRIA obligation under Art.27 and the GDPR Art.35 DPIA requirement will overlap. Both must be conducted but they need not be duplicated.

The recommended approach is to document the integration explicitly:

DPIA Status: [Completed | In Progress | Not Required]
DPIA Reference: [Internal document ID]
DPIA Completion Date: [Date]
Overlap Sections: [List which sections of the DPIA inform the FRIA and vice versa]
Data Protection Officer Consulted: [Name and date]

If the two assessments were conducted as a combined document, the integration record should note this and specify which sections satisfy which legal obligation. Regulators will accept a combined document provided it clearly delineates FRIA-specific content (fundamental rights beyond privacy) from DPIA-specific content (personal data processing risks).

Document 4: EU Database Registration Record

Art.27 requires that the FRIA be registered in the EU database for high-risk AI systems. This is a separate step from the provider's registration of the AI system itself under Art.49.

The registration record in your compliance file should capture:

• The EU database reference number for the AI system registration
• The date on which the FRIA summary was submitted to the database
• The version of the FRIA that was submitted
• The URL or access path of the public-facing entry (if publicly visible)

This registration step is frequently overlooked. Many organisations complete a thorough FRIA document but fail to complete the database submission step, leaving them technically non-compliant even though the substantive assessment was done.

Document 5: Review and Update Log

FRIA is not a one-time exercise. It must be updated when:

• The AI system is substantially modified (new version, new use case, expanded population)
• The context of deployment changes materially (new geographic area, new partner, new vulnerable group)
• An incident occurs that reveals a fundamental rights impact not captured in the original assessment
• The deployer identifies through monitoring that actual outcomes diverge from the assessed risks

The review log documents:

• Date of each review
• Trigger for the review (routine or event-driven)
• Outcome: no change needed / minor update / full reassessment
• Updated FRIA version number and approval record

Integrating FRIA with Your Broader AI Governance Stack

The FRIA does not exist in isolation. High-risk AI deployers subject to Art.27 typically have multiple overlapping compliance obligations. The documentation package is most effective when it explicitly links to these:

Art.9 Risk Management System: The FRIA's fundamental rights risk analysis should feed into the Art.9 RMS as a specialised input. Where the Art.9 system identifies risks to health, safety, or fundamental rights, the FRIA provides the structured human-rights-specific layer. Link the two documents with cross-references.

Art.26 Deployer Obligations: Art.26 requires deployers to implement human oversight, monitor AI system operation, and report serious incidents under Art.73. The FRIA's mitigation measures and human oversight section should mirror the Art.26 operational protocols. Any divergence — a mitigation measure written into the FRIA but not implemented in practice — will be visible to auditors.

Art.11 Technical Documentation: Providers are required to produce technical documentation under Art.11. If you are a deployer who has received documentation from the provider, the FRIA should reference the relevant sections (accuracy specifications, limitations, bias testing results). If you are also the provider, the Art.11 documentation and the FRIA should be stored together.

Python Reference Implementation

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

class RiskLevel(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"

class RightCategory(Enum):
    DIGNITY = "dignity (Art.1 Charter)"
    NON_DISCRIMINATION = "non-discrimination (Art.21 Charter)"
    PRIVACY = "privacy (Art.7-8 Charter)"
    EDUCATION = "education (Art.14 Charter)"
    WORK = "work (Art.15 Charter)"
    EFFECTIVE_REMEDY = "effective remedy (Art.47 Charter)"
    SOCIAL_PROTECTION = "social protection (Art.34 Charter)"

@dataclass
class RightsRisk:
    right: RightCategory
    description: str
    likelihood: RiskLevel
    severity: RiskLevel
    reversible: bool
    mitigation: str
    residual_risk: RiskLevel

@dataclass
class FRIARecord:
    system_name: str
    deployer_name: str
    annex_iii_category: str
    affected_population: str
    completion_date: date
    approver_name: str
    approver_role: str
    dpia_reference: Optional[str]
    eu_database_ref: Optional[str]
    risks: list[RightsRisk] = field(default_factory=list)
    
    @property
    def highest_risk(self) -> RiskLevel:
        if not self.risks:
            return RiskLevel.LOW
        severity_order = {RiskLevel.HIGH: 2, RiskLevel.MEDIUM: 1, RiskLevel.LOW: 0}
        return max(self.risks, key=lambda r: severity_order[r.severity]).severity
    
    @property
    def requires_update(self) -> bool:
        days_old = (date.today() - self.completion_date).days
        return days_old > 365 or self.highest_risk == RiskLevel.HIGH
    
    def registration_complete(self) -> bool:
        return self.eu_database_ref is not None and len(self.eu_database_ref) > 0
    
    def compliance_status(self) -> str:
        issues = []
        if not self.dpia_reference:
            issues.append("DPIA integration not documented")
        if not self.registration_complete():
            issues.append("EU database registration missing")
        if self.requires_update:
            issues.append("FRIA due for review/update")
        if not issues:
            return "COMPLIANT"
        return f"GAPS: {'; '.join(issues)}"

The August 2, 2026 FRIA Compliance Checklist (45 Items)

Use this checklist to confirm you are ready before the deadline. Each item maps to a specific Art.27 requirement or supporting obligation.

Scope Determination (Items 1–8)

• 1. Confirmed our organisation falls under Art.27 scope (public body or private entity providing public services)
• 2. Identified which of our AI system deployments involve Annex III high-risk categories
• 3. Confirmed which Annex III points apply (biometric, education, employment, essential services, law enforcement, migration, justice)
• 4. Documented the deployer's legal basis for using each high-risk AI system
• 5. Confirmed that FRIA obligation applies to the identified systems (not all Annex III triggers FRIA for all deployers)
• 6. Identified if any systems will be deployed after August 2 for the first time (FRIA must be completed before deployment)
• 7. Checked for systems currently in pilot/testing phase that may transition to live deployment before August 2
• 8. Confirmed FRIA scope covers ALL Annex III deployments, not just the highest-profile ones

Core Assessment Completion (Items 9–20)

• 9. Completed Section 1: deployer identity, system description, affected population
• 10. Completed Section 2: identification of fundamental rights in scope with justification
• 11. Completed Section 3: risk assessment with likelihood, severity, and reversibility for each identified risk
• 12. Assessed risks for vulnerable groups specifically (children, disabled persons, migrants, elderly)
• 13. Conducted intersectional risk analysis where multiple rights or groups are affected
• 14. Completed Section 4: mitigation measures for each identified risk, with residual risk documented
• 15. Completed Section 5: human oversight description with named responsible persons
• 16. Confirmed oversight mechanisms are operationally implemented, not just documented
• 17. Completed Section 6: governance record with approver name, role, date, and review schedule
• 18. FRIA reviewed and approved at appropriate governance level (DPO, legal, senior leadership)
• 19. FRIA signed off before system goes into operational use
• 20. Version number assigned and stored in document management system

Evidence Assembly (Items 21–27)

• 21. Provider's technical documentation (Art.11) referenced and stored in evidence annex
• 22. Data flow diagrams prepared and included
• 23. Records of stakeholder consultation (workers, representatives, affected communities) assembled
• 24. Bias and fairness testing results referenced or conducted and documented
• 25. DPA / Data Protection Officer consulted and record of consultation kept
• 26. Any pre-deployment testing or audit results included in evidence annex
• 27. Evidence annex version-controlled alongside core FRIA document

GDPR Art.35 DPIA Integration (Items 28–31)

• 28. Confirmed whether a GDPR Art.35 DPIA is also required for this deployment
• 29. DPIA reference documented in FRIA integration record
• 30. Overlapping sections between DPIA and FRIA clearly delineated to satisfy both obligations
• 31. DPO sign-off obtained on GDPR-specific sections

EU Database Registration (Items 32–36)

• 32. Confirmed EU database system registration exists (Art.49 provider obligation fulfilled)
• 33. EU database reference number retrieved from provider or own registration
• 34. FRIA summary submitted to EU database as required by Art.27
• 35. Database registration record stored in compliance file with date and reference
• 36. Confirmed registration is publicly visible (where applicable) and accurate

Operational Integration (Items 37–41)

• 37. FRIA mitigation measures mapped to Art.26 deployer operational protocols
• 38. FRIA risk findings integrated into Art.9 Risk Management System inputs
• 39. Monitoring procedures from Art.26 aligned with FRIA review triggers
• 40. Incident response procedures reference FRIA and include fundamental rights escalation path
• 41. Art.73 serious incident reporting procedures updated to include fundamental rights harms

Review and Maintenance (Items 42–45)

• 42. Review schedule set (minimum annual, or upon material system changes)
• 43. Triggers for immediate FRIA update documented (substantial modification, new population, incident)
• 44. Responsible owner assigned for FRIA maintenance post-August 2, 2026
• 45. Review and update log template prepared and stored alongside FRIA document

Infrastructure Considerations: Where Documentation Lives Matters

For organisations deploying high-risk AI across EU jurisdictions, the infrastructure on which compliance documentation is stored has become a relevant consideration in itself. Market surveillance authorities conducting inspections under Art.74 may request access to FRIA documentation. If that documentation is stored on US-headquartered cloud infrastructure, it may be accessible to US authorities under the CLOUD Act — creating a tension between EU supervisory access and foreign governmental access that most compliance teams have not planned for.

Using EU-native infrastructure for compliance documentation — AI audit trails, FRIA records, technical documentation under Art.11, incident logs under Art.73 — eliminates this dual-access risk. Platforms built on European data centres with no US parent entity remove the CLOUD Act exposure from your documentation stack entirely.

What Happens If You Miss the Deadline

Art.27 non-compliance carries the same penalty framework as other EU AI Act deployer obligations under Art.99. For public authorities, this creates enforcement through national oversight bodies and potential administrative liability. For private entities providing public services, national competent authorities can impose corrective measures and fines.

The more practical risk is operational: a deployer using a high-risk AI system without a completed FRIA, after August 2, 2026, may be required to suspend use while the assessment is completed. For systems embedded in public service delivery — benefits, employment support, education — that suspension creates direct service disruption.

The 45-item checklist above is designed to be completable in 2 to 4 weeks for most organisations. If you are starting now with 59 days to go, there is still time to do this properly.

Series Summary

This five-post series has covered the full arc of Art.27 FRIA compliance:

1. Who must conduct a FRIA — scope, triggers, and the distinction between provider and deployer obligations
2. FRIA template and methodology — step-by-step assessment guide with worked examples
3. Monitoring and review obligations — continuous compliance, update triggers, and operational integration
4. Sector-specific guidance: employment, education, and social services — Annex III-specific rights analysis for the three highest-volume public sector deployment contexts
5. This post — the complete documentation package and August 2026 readiness checklist

For deployers working through the broader EU AI Act compliance programme, FRIA is one component of a larger framework. The EUDB registration guide, CE marking guide, and conformity assessment guidance cover the provider-side obligations that complement the deployer-side FRIA requirement.

August 2, 2026 is a hard deadline. The FRIA documentation package is achievable with structured effort. Start with scope determination, work through the assessment systematically, and complete the EU database registration step — it is the most commonly missed item.