
A European Enterprise Customer Just Asked for Your AI Performance Management Tool's Fundamental Rights Impact Assessment: Here's What to Send


Your sales engineer just forwarded you a message from a prospective customer’s legal team. They are a 4,000-person manufacturing company headquartered in Germany. Their procurement questionnaire has a section titled "AI Governance — Deployer Obligations." Question 7 reads:

"Has the vendor conducted or can it support the Fundamental Rights Impact Assessment required under Article 27 of the EU AI Act? Please provide documentation."

You search Article 27. It runs to six subsections. It is addressed to deployers, not providers — but your customer is asking you, the provider, to help them with it.

Here is what Article 27 requires and exactly what you send.

Who Has the Article 27 Obligation

Article 27 places the Fundamental Rights Impact Assessment (FRIA) obligation on deployers — the organisations that put high-risk AI systems into use in specific contexts. That is your customer, not you.

However, deployers cannot complete the FRIA without detailed input from the provider. Article 27(1) requires the assessment to describe the intended purpose, the population affected, and the specific risks to fundamental rights in the deployment context. Much of that information lives in your technical documentation and system card.

When a customer asks this question, they are not confused about who owns the obligation. They are asking whether you, as the provider, have the materials they need to complete theirs.

What Article 27 Requires the Deployer to Assess

The FRIA covers:

The intended purpose and reasonably foreseeable uses. The deployer must document the specific HR process the AI system is used for — in this case, performance appraisal, goal tracking, or similar use — and the categories of workers affected.

The fundamental rights at risk. For an AI performance management system, the rights most likely in scope are: non-discrimination (Article 21 of the EU Charter), dignity at work, data protection and privacy (Article 8), and the right to an effective remedy (Article 47) when an automated decision affects employment terms.

The severity and likelihood of those risks. This is a proportionality analysis. A tool that generates ranked performance scores that feed directly into promotion or dismissal decisions presents higher severity than a tool that assists managers with writing structured feedback.

Existing safeguards and residual risk. What controls reduce the likelihood or impact of each identified risk?

The outcome. The deployer draws a conclusion about whether the system can be deployed as intended or whether additional safeguards are required.

What You Provide as the Provider

You cannot complete the FRIA for your customer — the deployment context is theirs to define. But you supply the inputs without which they cannot complete it. Specifically:

A completed provider disclosure package for FRIA purposes. This is a structured document that covers: the system’s intended purpose as designed; the categories of decision the system is intended to support (not replace); the data inputs used; the populations the system was designed and tested on; accuracy and performance metrics disaggregated by relevant demographic groups if available; the human oversight mechanism built into the workflow; and the logging and auditability capabilities.

The technical documentation summary. Your Annex IV documentation contains the training methodology, the performance benchmarks, and the risk management outputs. You share a summary — not the full file, which may contain proprietary architecture details — but enough for the deployer’s legal team to complete their rights analysis.

Your EU declaration of conformity if you have drawn it up. This shows the deployer that you have already assessed the system against the high-risk requirements, which reduces the compliance burden on their side.

Guidance on the FRIA process. Many deployers — particularly mid-market companies outside the legal-tech sector — have never conducted a FRIA before. A one-page guide explaining the Article 27 process, pointing to the official EU AI Act guidance, and explaining how your documentation maps to each FRIA section is a deal accelerator.

The Most Common Mistake Providers Make

Treating this question as a legal problem for their customer to solve alone. Deployers who receive no support from providers either abandon the procurement or engage expensive legal counsel to reconstruct information the provider already has. Both outcomes cost you the deal.

The providers who move fastest through enterprise procurement are the ones who deliver a complete, pre-packaged FRIA disclosure kit at the point of the question. The customer’s legal team signs off. The deal moves.

How to Answer the Questionnaire Question

A direct answer to "Has the vendor conducted or can it support the FRIA required under Article 27?" looks like this:

"The FRIA obligation under Article 27 sits with deployers, not providers. We support your completion of this assessment by providing: (1) a structured provider disclosure pack covering intended purpose, affected populations, data inputs, performance metrics, and human oversight design; (2) a summary of our technical documentation as required by Article 11 and Annex IV; (3) our risk management outputs under Article 9; and (4) a mapping guide showing how each document addresses the Article 27 assessment criteria. These materials are available on request under NDA."

That answer closes the section, positions you as prepared, and makes the customer’s legal team’s job easy.
