Article 27 of the EU AI Act requires deployers of high-risk AI systems (public bodies and private entities providing services of public interest) to conduct a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into use. The FRIA must evaluate:
For DEFONEOS, the FRIA is not just a compliance document โ it is the foundation of the entire rights-by-design architecture. Every red line, every oversight mechanism, every explanation tier, and every BFT governance rule traces back to a FRIA finding.
Define the AI system's intended purpose, deployment context, affected populations, and decision categories. Identify which fundamental rights are engaged. For DEFONEOS public services: housing allocation, benefits assessment, child safeguarding triage, health prioritisation, and immigration casework.
| Element | Description |
|---|---|
| System name & version | DEFONEOS v[version] โ [service module] |
| Intended purpose | Decision support for [public service function] |
| Deployment context | [Public authority] โ [department] โ [geography] |
| Affected populations | Demographic breakdown, vulnerable groups identified |
| Decision categories | Beneficial / Detrimental / Administrative / Referral |
| Legal effects | Does the decision produce legal effects? (GDPR Art 22 / Art 86 trigger) |
Systematically evaluate the AI system's impact on each of the 12 fundamental rights domains. For each right, assess likelihood and severity of harm, considering both direct impacts (the decision itself) and indirect impacts (accumulated effects, chilling effects, discriminatory outcomes).
| # | Right | Legal Source | Risk Vector in DEFONEOS Context |
|---|---|---|---|
| 1 | Right to life | ECHR Art 2 | Medical triage, emergency response prioritisation |
| 2 | Right to non-discrimination | ECHR Art 14, EU Charter Art 21 | Bias in housing/benefits/child welfare decisions |
| 3 | Right to private & family life | ECHR Art 8, EU Charter Art 7 | Data collection scope, family profiling |
| 4 | Right to data protection | GDPR, EU Charter Art 8 | Sovereign storage mitigates; data minimisation required |
| 5 | Right to dignity | EU Charter Art 1 | Automated decisions affecting human dignity (welfare sanctions) |
| 6 | Right to good administration | EU Charter Art 41 | Transparency, timeliness, right to be heard |
| 7 | Freedom of movement | ECHR Protocol 4 | Immigration casework, border decisions |
| 8 | Rights of the child | UNCRC, EU Charter Art 24 | Child safeguarding triage โ heightened protection required |
| 9 | Right to an effective remedy | ECHR Art 13, EU Charter Art 47 | Right to explanation (Art 86), appeal mechanism |
| 10 | Right to fair trial | ECHR Art 6 | Automated sanctions with legal effects |
| 11 | Freedom of expression & information | ECHR Art 10 | Content moderation in public sector communications |
| 12 | Social rights | EU Charter Solidarity Ch. | Access to healthcare, housing, social security |
Each identified impact is scored using a Likelihood ร Severity matrix. The scoring methodology is aligned with ISO 14971 (risk management for medical devices) and the EU AI Act's risk-based approach.
| Risk Level | Severity | Likelihood | Action Required |
|---|---|---|---|
| CATASTROPHIC | Death, irreversible harm, fundamental rights violation | Any probability | RED LINE โ system cannot deploy until mitigated to SERIOUS or below |
| SERIOUS | Significant legal effects, discrimination, dignity violation | Medium-High | Mandatory mitigation + BFT council approval + ongoing monitoring |
| MODERATE | Detrimental decision with recourse available | Medium | Mitigation recommended + human oversight mandatory |
| LOW | Administrative impact, no legal effects | Low | Monitor + document. No special action required. |
For each identified risk above LOW, design specific mitigation measures. Mitigations are mapped to DEFONEOS architectural components:
| Mitigation Category | DEFONEOS Component | Rights Protected |
|---|---|---|
| Red line enforcement | 7 immutable red lines at protocol level | Life, dignity, non-discrimination |
| Human oversight | 5-level oversight framework (Art 14) | Effective remedy, fair trial |
| Right to explanation | 5-tier explanation framework (Art 86) | Good administration, effective remedy |
| Stop button | <2s kill switch, all components | Life, dignity |
| BFT governance | 33-agent council, quorum 23/33 | All rights โ distributed oversight |
| Bias monitoring | Continuous fairness metrics, 8 protected characteristics | Non-discrimination |
| Data minimisation | Sovereign storage, purpose limitation enforced | Privacy, data protection |
| Record keeping | SIGIL chain, 8 log categories (Art 12) | Good administration, transparency |
| Automated decision safeguards | 7 safeguard layers (Art 22) | Dignity, fair trial |
| Incident response | 7-phase pipeline, Art 73 reporting | All rights โ harm prevention |
The FRIA must be informed by consultation with affected groups and relevant authorities. DEFONEOS requires:
| Requirement | Status | DEFONEOS Implementation |
|---|---|---|
| Conduct FRIA before first use | โ MET | 5-phase methodology, 90 days before deployment |
| Identify specific risks to fundamental rights | โ MET | 12 rights ร deployment context = granular risk register |
| Include measures to be applied | โ MET | Phase 4: 10 mitigation categories mapped to architecture |
| Consult with affected groups | โ ๏ธ PARTIAL | 30-day consultation designed. No live consultation conducted (no deployment). |
| Submit to national competent authority | โ NOT STARTED | Requires deployment context and named authority. Human gate. |
| Notify MSA of assessment outcome | โ NOT STARTED | Requires deployment context. Human gate. |
| Make FRIA publicly available | โ MET | Publication protocol designed. This page is the public methodology. |
| Update when system materially changes | โ MET | SIGIL versioning triggers FRIA refresh on model/architecture change |
| Framework | Article | Requirement | DEFONEOS Mapping |
|---|---|---|---|
| EU AI Act | Art 27 | FRIA for high-risk deployers | This page โ 5-phase methodology |
| EU AI Act | Art 86 | Right to explanation | FRIA Phase 4 โ explanation framework |
| GDPR | Art 35 | Data Protection Impact Assessment | Conducted in parallel with FRIA |
| ECHR | Arts 2,6,8,13,14 | Convention rights protection | Phase 2: 12 rights mapped to ECHR |
| EU Charter | Arts 1,7,8,21,24,41,47 | Fundamental rights of the EU | Phase 2: Charter articles in rights register |
| Equality Act 2010 | s.149 | Public Sector Equality Duty | Integrated into FRIA Phase 5 consultation |
| UNCRC | Arts 2,3,6,12 | Children's rights | Children's Rights Impact Assessment within FRIA |
| HRA 1998 | s.6 | Public authority compatibility duty | FRIA is the compliance evidence |
| UK DPA 2018 | Sch.1 Pt.2 | Safeguards for substantial public interest | FRIA satisfies safeguard requirement |
| ISO 42001 | Cl. 6.1 | Risks and opportunities | Phase 3 risk scoring aligned |
| NIST AI RMF | Measure 2.1 | Assess impacts on individuals | Phase 2 rights impact identification |
The FRIA is not a one-time document. It is a living governance instrument that is continuously informed by the DEFONEOS operational stack:
The FRIA methodology described here is the designed framework. No live FRIA has been conducted for a real DEFONEOS deployment โ there is no live deployment. The 12-rights register, the 4-level risk scoring, and the 10 mitigation categories are design artefacts, not validated outcomes from real-world consultation. The 30-day public consultation has not occurred. No national competent authority has been notified. No civil society feedback has been collected. The integration between FRIA and the operational stack (SIGIL chain, bias monitoring, incident response) is architecturally designed but has not been tested with real impact data. The claim that "FRIA is the foundation of the rights-by-design architecture" is aspirational โ the architecture was designed first, and the FRIA framework was built to formalise and document the rights protections that the architecture already provides. A genuinely rights-led process would have started with the FRIA and designed the system around it โ DEFONEOS did both simultaneously, which is defensible but should be acknowledged. No DPO has been formally designated. No equality body has been consulted.