Your Enterprise Customer Just Asked for a 'Fundamental Rights Impact Assessment' of Your AI Hiring Tool: Here's What Article 27 Requires and How to Answer

A procurement email arrived last Tuesday. Public-sector body. Twenty-two pages of vendor questionnaire. You're halfway through when you hit section 6: "Please attach your Fundamental Rights Impact Assessment (FRIA) as required by Article 27 of the EU AI Act."

You close the laptop and google it.

You're not alone. Article 27 is one of the least-discussed obligations in the EU AI Act, yet it's already showing up in government and financial-sector vendor questionnaires in 2026. Here's exactly what it requires, who it applies to, and how to answer when your customer asks.

What Article 27 Actually Says

Article 27 requires certain deployers of high-risk AI systems to conduct a Fundamental Rights Impact Assessment before putting the system into use. The obligation falls primarily on deployers — the organisations using your AI — not on you as a software provider. But your enterprise customers are conducting FRIAs, and they need documentation from you to complete them.

That's why it's showing up in your vendor questionnaire.

Who Triggers This Obligation

Article 27 applies to deployers who are:

  • Public bodies (government agencies, municipalities, public-sector organisations)
  • Private entities providing public services (banks, insurers, utilities)
  • Operators of critical infrastructure

If your HR tech customer is a bank, a government agency, or a large insurer, they must complete a FRIA before deploying your AI hiring tool.

What the Questionnaire Section Is Actually Asking

When your customer asks for a FRIA, they're asking you to provide the documentation inputs they need to complete their own FRIA. Specifically, they need:

1. Risk classification confirmation. Is your system high-risk under Annex III? For AI used in employment decisions — screening CVs, scoring candidates, ranking applicants — the answer is yes. Category 4 of Annex III covers AI systems used in employment, workers management, and access to self-employment.

2. Intended purpose documentation. The precise purpose your system is designed for. Not "we help HR teams hire better" — the specific decisions it influences: shortlisting candidates for interview, scoring application quality, ranking applicants by predicted performance.

3. Foreseeable impacts on fundamental rights. You need to provide a documented analysis of which fundamental rights your system could affect. For HR AI, these include:

  • Right to non-discrimination (Article 21, EU Charter of Fundamental Rights)
  • Right to an effective remedy and access to justice (Article 47)
  • Privacy and data protection (Article 8)

4. Bias testing results. Evidence that you've tested for discriminatory outcomes across protected characteristics: gender, age, racial or ethnic origin, disability.

5. Human oversight mechanisms. How a human can review, override, or reject the AI's output before a final hiring decision is made.

How to Answer Each Section

"Do you have a FRIA for your system?"

The honest answer: the FRIA obligation falls on the deployer, not the provider. But you should have documentation your customers can use to conduct theirs. Your Technical Documentation (Article 11) and your instructions for use (Article 13) must contain the information they need. If you have AI regulation compliance documentation — a risk register, a fundamental rights analysis, bias testing results — attach it and explain its purpose.

"What fundamental rights does your system affect?"

Be specific. Don't write "we respect all fundamental rights." Instead: "Our system influences candidate shortlisting decisions. The fundamental rights most relevant to this use case are the right to non-discrimination (Article 21 EU Charter), the right to privacy (Article 8), and procedural rights in employment contexts. Our bias evaluation methodology tests for disparate impact across gender, age, and ethnicity. Results of our most recent bias evaluation are available in our Evidence Pack."

"How have you assessed the risk to individuals?"

Describe your risk management process under Article 9. What testing did you do? What errors or inaccuracies did you identify? What safeguards did you build in? What residual risks remain and how does your customer manage them through human oversight?

"What documentation do you provide to help us conduct our FRIA?"

Generate a consistent, documented set of answers about your AI system — the feature registry, the risk classification rationale, the bias testing summary, the human oversight description — and package them into an Evidence Pack your customers can attach to their FRIA.

The Practical Answer for Your Next Questionnaire

You don't need to produce a FRIA for your customer. You need to produce the documentation inputs that let them conduct their own. That means:

  1. A clear risk classification statement (Annex III, Category 4, high-risk)
  2. A precise description of intended purpose and scope
  3. A fundamental rights analysis addressing the most likely impacts
  4. Bias testing results or methodology
  5. Human oversight mechanisms description

If you can supply those five items consistently and quickly, you pass the section.
