Do You Need a FRIA for Your Medical AI?
TL;DR
Short answer for most medical AI: probably not, via the standard route.
- The Fundamental Rights Impact Assessment (FRIA) under Article 27 is tied to high-risk systems in the Annex III use-case route (Article 6(2)), and it is a deployer duty, not a provider one.
- Medical devices are high-risk via Article 6(1), the product route (Annex I), so they are generally outside the Article 27 FRIA requirement.
- What you likely do need is a GDPR data protection impact assessment (DPIA) under Article 35, which is a separate instrument and often triggered by health-data processing.
- As a medtech provider, the FRIA is rarely yours to do anyway; it falls on certain deployers.
Do not confuse the DPIA (likely yes) with the FRIA (usually no). This guide draws the line.
Every legal claim below is cited. See Sources.
What a FRIA is
A FRIA is an assessment a deployer performs before putting certain high-risk AI systems into use, to identify the risks to fundamental rights and the mitigations. Under Article 27, it describes the deployer's processes where the system will be used, the period and frequency of use, the categories of people likely to be affected, the specific risks of harm to them, the human-oversight measures, and the governance and complaint arrangements if those risks materialise.
Is your AI system high-risk?
Find out in 2 minutes, free, no signup required.
Take the free assessmentWho must do it (and who does not)
Article 27(1) is specific about scope. It opens: "Prior to deploying a high-risk AI system referred to in Article 6(2), with the exception of high-risk AI systems intended to be used in the area listed in point 2 of Annex III, deployers that are bodies governed by public law, or are private entities providing public services, and deployers of high-risk AI systems referred to in points 5(b) and (c) of Annex III, shall perform an assessment..."
Two things follow:
- It is triggered by Article 6(2), the Annex III use-case route (things like employment, education, essential services, law enforcement), not the Article 6(1) product route.
- It is a duty of deployers in specific categories (public bodies, private providers of public services, and deployers of certain Annex III credit and insurance systems), not of providers.
Why medical devices are usually outside the FRIA
A medical device is high-risk under Article 6(1) because it needs a notified body (see Is my medical AI high-risk?). It is not made high-risk by an Annex III use case. Since Article 27 is scoped to Article 6(2)/Annex III systems, a medical AI that is high-risk only via the product route is generally not subject to the FRIA requirement. This is a common point of confusion: "high-risk" does not automatically mean "needs a FRIA."
There is a narrow edge to keep in mind: if a system happens to be high-risk under both the product route and an Annex III use case, and it is deployed by a public body or public-service provider, the FRIA could be in play for that deployer. But for a typical SaMD or AI-enabled device, the FRIA is not your obligation.
What you actually need instead: a DPIA
The instrument that does commonly apply to medical AI is the GDPR DPIA under Article 35, triggered by high-risk processing of personal data, which health data frequently is. The DPIA and the FRIA are different tools: the DPIA is about data-protection risk, the FRIA about fundamental-rights risk in deployment. Where both happen to apply, Article 27(4) says the FRIA complements the DPIA rather than replacing it. For medical AI, plan the DPIA; treat the FRIA as a deployer-side, Annex-III question. See GDPR × AI Act × MDR for health data.
If you are a medtech provider, here is your move
Because the FRIA is a deployer duty tied to Annex III, a device maker is rarely the one performing it. What is useful:
- Focus on your provider obligations (Article 16) and your integrated MDR/IVDR conformity, not on a FRIA you likely do not owe.
- Support your deployer customers: hospitals and health systems may owe a DPIA (and, in rare Annex III overlaps, a FRIA). Give them the information they need, which also strengthens your product.
- Know the difference so you can answer the question confidently when procurement asks.
Common mistakes
- "High-risk means we need a FRIA." No. The FRIA is scoped to Annex III (Article 6(2)); medical devices are high-risk via Article 6(1).
- "The provider does the FRIA." It is a deployer duty for specific deployers, not a provider duty.
- "A FRIA replaces the DPIA." They are separate; where both apply the FRIA complements the DPIA (Article 27(4)).
- "We do not need a DPIA because we are doing the AI Act." Health-data processing commonly triggers a DPIA regardless.
FAQ
Does my medical AI startup need to do a FRIA?
Almost certainly not. The FRIA under Article 27 is tied to Annex III (Article 6(2)) high-risk systems and is a deployer duty. Medical devices are high-risk via Article 6(1), the product route, so they are generally outside the FRIA requirement. Focus on your provider obligations and your DPIA.
What is the difference between a DPIA and a FRIA?
A DPIA (GDPR Article 35) assesses data-protection risk from processing personal data. A FRIA (AI Act Article 27) assesses fundamental-rights risk from deploying certain high-risk AI systems. They are different instruments; where both apply, the FRIA complements the DPIA.
Could a medical AI ever require a FRIA?
In narrow cases, for example if a system is high-risk under both the product route and an Annex III use case and is deployed by a public body or public-service provider. For a typical medical device high-risk only via Article 6(1), the FRIA does not apply.
Who performs the FRIA, the provider or the deployer?
The deployer, and only specific categories of deployer (public bodies, private entities providing public services, and deployers of certain Annex III credit and insurance systems). Providers do not perform the FRIA.
Sources (official)
- EU AI Act, Regulation (EU) 2024/1689: per-article on the European Commission AI Act Service Desk. Cited: Article 27 (fundamental rights impact assessment, scoped to Article 6(2)/Annex III, a deployer duty, complementing the DPIA under Article 27(4)), Article 6 (classification; 6(1) product route vs 6(2) Annex III route), Article 26 (deployer obligations); official text on EUR-Lex.
- GDPR, Regulation (EU) 2016/679: official text on EUR-Lex. Cited: Article 35 (data protection impact assessment).
Legalithm provides compliance information and tooling, not legal advice. Whether a FRIA or DPIA applies depends on your specific system and deployment; confirm with qualified counsel. Article references are to Regulation (EU) 2024/1689 (the AI Act) and Regulation (EU) 2016/679 (the GDPR).



