EU AI Act Conformity Assessment and FRIA Process

Key steps

• Classify AI systems against the EU AI Act Annex III high-risk categories. Systems in biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice require conformity assessment.
• For each high-risk system, produce technical documentation meeting Article 11 and Annex IV requirements: system description, design specifications, training data governance, performance metrics, robustness and accuracy testing results, human oversight measures, and post-market monitoring plan.
• Determine the conformity assessment pathway:
  • Most high-risk systems: internal conformity assessment with technical documentation lodged in an EU-accessible register.
  • Biometric identification and law enforcement systems: third-party notified body assessment required.
• Select a notified body if required. The EU AI Act's list of notified bodies was published from 2025. Engage early — notified bodies have limited capacity.
• Conduct a Fundamental Rights Impact Assessment (FRIA) for public authority deployers and private operators deploying high-risk systems with significant impact on individuals. The FRIA must assess impacts on dignity, non-discrimination, privacy, and data protection.
• Register the system in the EU AI Act database where required (all high-risk systems from 2026).
• Implement post-market monitoring as required by Article 72.

FRIA process steps

1. Define the system scope and the affected population.
2. Identify fundamental rights that could be affected: non-discrimination, privacy, dignity, freedom of expression, right to explanation.
3. For each identified risk, assess severity and likelihood, and document existing mitigations.
4. Where residual risks remain, define additional mitigations or human oversight requirements.
5. Document the FRIA output and make it available to deployer compliance teams.