FRIA vs DPIA vs AIA: Which AI Impact Assessment Do You Need?

Last reviewed: April 9, 2026

Jurisdictions covered: EU (primary), US, Canada, UK (comparison)

Reading time: 12 minutes

Your AI system processes personal data and is classified as high-risk under Annex III. Do you need a FRIA? Yes (Art. 27). A DPIA? Probably (GDPR Art. 35). A conformity assessment? Yes (Art. 43). An algorithmic impact assessment? Depends on which US states you operate in.

Four assessments. Four legal bases. Significant overlap. No official guidance on combining them.

This is what AI compliance in the EU looks like in 2026. The Fundamental Rights Impact Assessment (FRIA) covers rights impacts. The Data Protection Impact Assessment (DPIA) covers data risks. Algorithmic Impact Assessments (AIAs) apply in specific US and Canadian contexts. And the conformity assessment is a separate pre-market compliance process.

Most compliance teams do not understand which assessments are legally required, which can be combined, and where the overlap ends. This article provides the comparison matrix and decision logic. For the full FRIA guide and the GDPR-AI Act overlap analysis, see our dedicated articles.

Key Takeaways

  • FRIA and DPIA are both mandatory for most high-risk AI systems processing personal data. They are not alternatives — you need both.
  • ~30% overlap between FRIA and DPIA: risk identification, affected persons analysis, and mitigation measures. A combined process saves months of duplicated work.
  • Conformity assessment (Art. 43) is NOT an impact assessment. It is a pre-market compliance verification. It does not replace FRIA or DPIA.
  • US algorithmic impact assessments (Colorado, NYC Local Law 144) add requirements for companies operating across jurisdictions. These are separate from EU obligations.
  • No official combined assessment guidance has been published. The EDPB has recommended joint work between AI Act and GDPR authorities, but no merged template exists.

FRIA: What It Covers (and What It Doesn’t)

The Fundamental Rights Impact Assessment under Art. 27 requires specified deployers to assess the impact of their high-risk AI system on fundamental rights before first use.

Who must conduct a FRIA: Public bodies, providers of public services, deployers using AI for credit scoring, and deployers using AI for insurance pricing (Art. 27(1)).

What it covers: Impact on the full spectrum of fundamental rights in the EU Charter — equality, dignity, non-discrimination, access to services, privacy, data protection, freedom of expression, right to an effective remedy. This is broader than data protection alone.

What it does NOT cover: Technical compliance (that’s the conformity assessment), data processing mechanics (that’s the DPIA), or algorithmic bias testing (that’s the US AIA).

For the step-by-step guide, see our FRIA Template article.

The Decision Tree: Which Assessments Do You Need?

Step 1: Is your AI system classified as high-risk under the AI Act?

  • Yes → Continue to Step 2
  • No → FRIA not required. Check Step 3 for DPIA.

Step 2: Are you a deployer subject to Art. 27? (Public body, public-service provider, credit scoring deployer, or insurance pricing deployer)

  • Yes → FRIA required before first use. Continue to Step 3.
  • No → FRIA not required under Art. 27. Continue to Step 3.

Step 3: Does your AI system process personal data in a way likely to result in high risk?

  • Yes → DPIA required under GDPR Art. 35. Most high-risk AI systems trigger this.
  • No → DPIA not required for this specific system.

Step 4: Does your AI system require conformity assessment under Art. 43?

  • If high-risk → Yes. Self-assessment (Annex VI) or third-party (Annex VII).
  • This is a separate process from impact assessments. It covers technical compliance, not rights impact.

Step 5: Do you operate in US states with algorithmic assessment requirements?

  • Colorado → AIA required for “high-risk” AI decisions in employment, housing, credit, insurance, education
  • NYC → Bias audit required for automated employment decision tools (Local Law 144)
  • Other states → Check local requirements

Common result: Most high-risk AI systems processing personal data need FRIA + DPIA + conformity assessment. Multi-jurisdiction companies add US AIAs on top.

Common Mistakes

1. Treating FRIA as a DPIA. The FRIA covers fundamental rights beyond data protection. A FRIA that only assesses data privacy misses its purpose.

2. Skipping DPIA because you did a FRIA. The FRIA does not assess data processing necessity, proportionality, or data subject rights mechanisms. You still need a DPIA.

3. Confusing conformity assessment with impact assessment. The conformity assessment (Art. 43) verifies technical compliance with Arts. 9-15. It is a pre-market process for providers. The FRIA and DPIA are risk assessments for deployers. Different actors, different purposes.

4. Not involving affected persons. Art. 27(1)(b) requires considering the views of affected groups. A FRIA conducted entirely by the compliance team without external input misses this requirement.

5. Treating assessments as one-time exercises. Both FRIA and DPIA require updating when the AI system changes, when new risks emerge, or when the deployment context shifts. Build update triggers into your process.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Impact assessment requirements vary by jurisdiction. Reg Intel is not a law firm and does not provide legal services.

Last verified: April 9, 2026

Disclaimer

This content is for informational and educational purposes only. It does not constitute legal advice. AI regulation varies by jurisdiction and changes frequently. Consult qualified legal counsel for advice specific to your organization’s circumstances and jurisdiction. Reg Intel is not a law firm and does not provide legal services.


Reg Intel
Published: April 9, 2026
Source: https://reg-intel.com/fria-vs-dpia-vs-aia-which-ai-impact-assessment-do-you-need/