Fundamental Rights Impact Assessment under the EU AI Act: An Analysis of High-Risk AI Systems and a Proposed FRIA Model

This thesis examines the Fundamental Rights Impact Assessment (FRIA) introduced by Article 27 of Regulation (EU) 2024/1689 within the broader framework of the EU AI Act. It begins by analysing the underlying risk-based approach of the Regulation and the legal regime applicable to high-risk AI systems, with particular attention to the obligations imposed on providers and deployers, as well as to the relationship between risk management, transparency, human oversight, and the protection of fundamental rights and freedoms. Against this background, the thesis focuses on the FRIA as a legal mechanism designed to assess, prior to deployment, the impact that certain high-risk AI systems may have on the rights and freedoms of affected persons: the FRIA should not be understood merely as a compliance obligation, but rather as a substantive preventive tool, aimed at embedding fundamental rights protection more effectively within AI governance and at ensuring that the use of high-risk AI systems remains consistent with the constitutional values of the European legal order. The analysis then examines the structure, rationale, and practical function of the FRIA, highlighting the major interpretative and operational challenges raised by Article 27. Particular attention is devoted to the comparison between the FRIA and other impact assessment instruments, especially the Data Protection Impact Assessment (DPIA) under the GDPR, in order to identify areas of overlap, divergence, and complementarity. The thesis also considers the relationship between the FRIA and broader Human Rights Impact Assessments, thereby clarifying their specific legal function and distinctive features. Building on this framework, the thesis advances its original contribution by proposing a FRIA model intended to support the practical implementation of Article 27. In the absence of a clear and operational EU-level template, this model is conceived as a structured methodology capable of guiding the assessment of context-specific risks, the identification of potentially affected rights, and the design of mitigation, oversight, and redress measures. The proposed model seeks to facilitate the concrete application of Article 27 across different sectors and deployment contexts.