A State Education Board Just Asked Whether Your AI Admissions Ranking Tool Requires a Fundamental Rights Impact Assessment: Answering the Article 27 Questions
A state education board just sent your sales team a procurement questionnaire. Buried in the AI governance section is a question you weren't expecting: "Has a Fundamental Rights Impact Assessment (FRIA) been conducted for your AI system, and if so, by whom?"
Your first instinct is to ask your legal counsel. But it is 11 p.m. on the night before a deadline, and they're not picking up. Here's what you need to know.
What Is a Fundamental Rights Impact Assessment Under the EU AI Act?
Article 27 of the EU AI Act requires certain deployers of high-risk AI systems to carry out a Fundamental Rights Impact Assessment (FRIA) before deploying the system. The FRIA is a structured self-assessment: it forces the deployer — typically the institution buying and operating your AI tool — to think through how the system might affect fundamental rights such as non-discrimination, privacy, human dignity, and the right to education.
The key word here is deployer. Article 27 imposes the FRIA obligation on the institution using your tool, not on you as the AI provider. A university or school board buying your AI admissions ranking tool is the deployer under the EU AI Act. They carry out the FRIA.
But here's why the question ends up in your procurement questionnaire: the deployer cannot complete the FRIA without substantial technical information from you. They need to understand how your model works, what data it was trained on, what risks the provider has already identified, and what human oversight mechanisms exist. That's why the question is directed at you — you're being asked to confirm the FRIA has happened and to help supply the inputs for it.
Is an AI Admissions Tool Likely High-Risk?
Annex III of the EU AI Act lists categories of high-risk AI systems. Category 4(a) covers AI systems used in educational and vocational training institutions to determine access to educational institutions or to evaluate and assess students. An AI tool that ranks, scores, or filters university or school applicants almost certainly falls under this category.
That means the deployer — the education board — has a genuine Article 27 FRIA obligation. And that means you will see this question repeatedly in EdTech procurement.
How to Answer the Article 27 FRIA Questions
"Has a FRIA been conducted for your AI system?"
The honest answer depends on your own process. The FRIA obligation formally belongs to the deployer, not the provider. However, many AI providers in the EdTech space proactively perform an internal fundamental rights analysis during their own conformity assessment (required under Articles 9 and 16) and document the findings. If you have done this, say so clearly: "Complizo has conducted an internal fundamental rights risk analysis as part of our conformity assessment process. This analysis is documented in our technical file and is available to prospective deployers on request."
If you have not run a formal FRIA, do not fabricate one. Instead: "The FRIA obligation under Article 27 rests with the deploying institution. We provide deployers with the technical documentation, data governance records, and risk register necessary to complete the FRIA efficiently. We are prepared to schedule a documentation handover session to support your assessment."
"What fundamental rights risks has your team identified?"
This is where your Article 9 risk management documentation earns its keep. For an AI admissions tool, the most common fundamental rights risks include: proxy discrimination via correlated features (e.g., postcode as a proxy for ethnicity), opacity in individual scoring decisions affecting the right to an explanation, and data quality gaps that produce systematically lower scores for underrepresented groups.
Document those risks — along with your mitigations — and reference the specific section of your technical file where the evidence lives. Questionnaire reviewers are trained to look for substantive risk identification, not blanket assurances.
"Does your system allow the deployer to carry out the FRIA themselves?"
Article 27(3) requires that providers supply deployers with the information necessary for the FRIA. Your answer should map directly to Article 26 deployer support obligations: yes, you provide access to your technical documentation, the intended purpose description, the accuracy and robustness data, and the human oversight mechanism specifications — all the inputs a deployer's FRIA team will need.
"What is the format of the FRIA output?"
The EU AI Act does not mandate a specific format for the FRIA. However, a number of EU member state data protection authorities (including the French CNIL and the Dutch AP) have published FRIA templates that deployers often use. You should be aware of these templates and be able to confirm that the information you provide covers the fields they require.
What You Should Prepare Before This Question Arrives Again
The single most useful thing you can do is create a FRIA support package: a structured document that maps your technical file sections to the standard FRIA input fields. When the question arrives in a questionnaire, you attach the package and reference it. This turns a multi-week back-and-forth into a same-day response.
The package should include: a description of the system and its intended purpose, the intended deployer context, the training data sources and governance steps, the accuracy and error rate data broken down by demographic group where available, the risk register with mitigations, and the human oversight mechanisms that allow the deployer to override or suspend the system.
If your system has already been deployed in another educational institution, include anonymised evidence of how that institution ran its FRIA and what outcome it produced. That social proof is more persuasive to a procurement reviewer than any general assurance.
The Bigger Picture
Article 27 is one of the provisions that makes EU AI Act compliance a two-actor problem. You as the provider cannot satisfy Article 27 for your customer — but your customer cannot satisfy Article 27 without you. The procurement questionnaire is the moment where that interdependency becomes visible.
CTOs who understand this framing will answer the question in a way that positions their company as a competent partner in the deployer's FRIA process, not as a vendor trying to deflect regulatory obligations.