An HR chatbot that automatically pre-sorts 2,000 applications per quarter is subject to a GDPR DPIA. The GDPR file is complete: legal bases identified, consent collected, right of access arranged. Yet, under the EU AI Act, that same chatbot may fall under Annex III point 4 (employment and management of workers) and require an additional analysis, the FRIA, which raises questions the DPIA did not have to address. Does this system create a systemic disadvantage for certain populations? How can a rejected candidate challenge the decision? Who answers in the event of a discriminatory incident?
This misunderstanding is common. The operational risk is that SMEs, supported by DPOs competent in GDPR, rely on their existing DPIA without integrating the EU AI Act's specific requirements. The deferral of Annex III to 2 December 2027, introduced by the Digital Omnibus of 7 May 2026, reinforces this confusion. That reading is inaccurate: the Article 6(3) registration obligation survives intact, Article 4 on AI literacy has been in force since February 2025, and certain Article 50 transparency obligations apply from 2 August 2026.
The GDPR DPIA: brief recap
Article 35 of the GDPR requires an impact assessment for any processing likely to result in a high risk to the rights and freedoms of natural persons. The methodology is standardised: description of the processing, assessment of necessity and proportionality, analysis of risks to the data subjects, technical and organisational mitigation measures.
The CNIL lists nine operational criteria to identify high-risk processing (the cumulation of two or more criteria triggers the DPIA obligation in principle). Methodological tools are mature: CNIL PIA guide (in French), EBIOS RM, ISO 27701. For a panoramic view of how GDPR and the EU AI Act interact, see our dedicated article on GDPR and EU AI Act dual compliance (in French).
The EU AI Act introduces an obligation of a different nature, which complements the DPIA without replacing it. This obligation covers fundamental rights as a whole, not solely the protection of personal data.
What the EU AI Act adds
3.1 Provider or deployer? The Article 3 distinction that changes everything
Before any impact analysis under the EU AI Act, the organisation's role must be identified. Article 3(3) defines the provider as the entity that develops or places an AI system on the market. Article 3(4) defines the deployer as the entity that uses an AI system under its own authority.
This distinction is critical for tech SMEs. An organisation that develops and uses an AI feature in its own SaaS combines provider and deployer obligations on the same system. The FRIA under Article 27 is a deployer-only obligation. Article 11 on technical documentation (Annex IV) is a provider-only obligation. Article 4 on literacy applies to both roles.
Without this prior qualification, the impact analysis risks ignoring applicable obligations or pursuing off-target analyses.
3.2 FRIA Article 27: an analysis of a different kind
The FRIA (Fundamental Rights Impact Assessment) is defined by Article 27 of the EU AI Act. It applies to deployers of high-risk AI systems (Annex III), and more specifically to three categories: public-law bodies, private entities providing public services, and deployers of AI systems listed under Annex III point 5(b) (creditworthiness assessment) and 5(c) (risk assessment and pricing in life and health insurance).
> "description of the deployer's processes in which the high-risk AI system will be used"
> Article 27(1), EU AI Act, Regulation (EU) 2024/1689

Article 27(1) sets the minimum scope: the documentation must include, among other things, a "description of the deployer's processes in which the high-risk AI system will be used". The analysis starts from concrete operational use, not from a theoretical description.
The Digital Omnibus of 7 May 2026 postpones Article 27's application to 2 December 2027. Preparation nonetheless remains recommended. The substantive difference from the GDPR DPIA: the DPIA focuses on data, the FRIA focuses on the persons affected and their fundamental rights as a whole.
3.3 Article 6(3): the mandatory documentation that survives the Omnibus
The Digital Omnibus deferred several Annex III deadlines. One obligation nonetheless survived intact: the registration provided for by Article 6(3). The obligation was maintained by the Digital Omnibus compromise, despite the revision initially considered by the Commission. Where the provider considers an AI system listed in Annex III not to be high-risk under Article 6(3), that system must still be registered in the EU AI Act database (information listed in Annex VIII Section B). This preparatory obligation cannot wait until 2027.
The draft guidelines published on 19 May 2026 by the Commission specify the conditions under which an Annex III system can escape the high-risk regime under Article 6(3). The draft identifies four cumulative conditions: (i) a narrow procedural task, (ii) improvement of the result of a human activity already performed, (iii) post-hoc detection of decision patterns without substituting human assessment, (iv) a preparatory task to a substantive human decision. The Commission insists on a narrow interpretation. The HR section of the guidelines confirms, for example, that automated matching and ranking systems designed to assist recruiters are identified as high-risk under Annex III point 4.
This draft remains open to public consultation until 23 June 2026 and is not binding (only the CJEU can ultimately rule on the matter). Article 80 further organises the mechanism whereby national market surveillance authorities may assess and, where appropriate, challenge a non-high-risk self-classification, which makes supporting documentation essential.
3.4 Article 4: AI literacy in force since February 2025
Article 4 was not deferred by the Digital Omnibus. It has been in force since February 2025. It requires every operator involved in an impact analysis (DPIA or FRIA) to have a sufficient level of AI literacy to understand the nature, limitations and risks of the system analysed.
Without a minimum level of literacy, an impact analysis is conducted blind. The methodological consequence is clear: Article 4 training must precede the update of existing DPIAs, not the other way round.
3.5 Article 14: documented human oversight
The impact analysis must explicitly name the form of human oversight provided for each AI system. A declarative "human in the loop" is not enough. The FRIA documents oversight as it is provided; operational follow-up documents its effective exercise over time.
A FRIA that describes theoretical oversight without a named operational procedure leaves the organisation exposed in the event of an incident. Our pillar article on human oversight (see Article 14: human oversight for SMEs, in French) details the four-level operational methodology (REVIEW, OVERRIDE, MONITORING, STOP) that follows on from the FRIA as its operational counterpart.
3.6 Article 50: interactive transparency post-Omnibus
Article 50 organises the transparency obligations for interactive AI systems and synthetic content. The obligations under 50(1) (interaction with an AI system), 50(3) (emotion recognition) and 50(4) (deepfakes) apply from 2 August 2026 without any transitional arrangement. The 50(2) obligation (marking of AI-generated synthetic content so it can be detected) applies from 2 August 2026 for new systems. A grandfathering rule introduced by the Omnibus grants a deadline extension until 2 December 2026 for AI content-generation systems already on the market before 2 August 2026.
The implication for the FRIA is direct: factual transparency vis-à-vis the persons interacting with the system conditions the informed consent documented in the impact analysis.
Methodological bridge: DPIA and FRIA
4.1 Comparative table: DPIA versus FRIA
The table below summarises the practical differences across eight operational dimensions, for immediate use in DPO firms.
| Dimension | DPIA (Article 35 GDPR) | FRIA (Article 27 EU AI Act) |
|---|---|---|
| Scope | Personal data | Fundamental rights as a whole |
| Legal basis | High risk to the rights and freedoms of persons | High-risk AI system listed in Annex III |
| Operational trigger | 9 CNIL criteria (cumulation of 2 or more) | Deployer status + Annex III + 3 specific categories |
| Documented deliverable | Records of processing activities + action plan | Use description + risk analysis + governance + notification |
| Supervisory authority | CNIL (in France), national counterparts | AI Office + national market surveillance authorities |
| Prior consultation | CNIL if high residual risk remains | Notification to the national market surveillance authority |
| Reference methodology | CNIL PIA, EBIOS RM, ISO 27701 | AI Office framework (template expected, not published as of May 2026) + external frameworks (ECNL HRIA, Danish Institute for Human Rights HRIA) |
| Date of application | In force since 2018 | 2 December 2027 (Article 27 + Annex III post-Omnibus) |
Two operational readings emerge. First, the scope of the FRIA exceeds that of the DPIA: an AI system may affect fundamental rights (non-discrimination, access to an effective remedy, the right to work) without processing additional personal data. Second, the DPIA assesses the risks of a data-processing operation; the FRIA assesses the risks of an AI use on fundamental rights. An organisation's documentary governance must anticipate two distinct interlocutors.
4.2 Three articulation approaches for DPIA and FRIA
The choice of articulation depends on the size of the organisation, the number of AI systems deployed, and the level of industrialisation of existing DPIA processes.
Approach A: the integrated DPIA-Plus (recommended for SMEs of 10 to 100 staff). A single document covers both scopes. Article 27(4) provides that, where certain FRIA obligations are already met by a DPIA carried out under Article 35 GDPR, the FRIA complements that DPIA on the remaining components. The DPIA and FRIA can thus be consolidated into a single integrated report. The advantage is time saving and a unified view; the drawback is the risk of mixing GDPR and EU AI Act regimes. This approach suits SMEs with few AI systems and a small DPO team.
Approach B: parallel execution (recommended for mid-caps of 100 to 500 staff). Two distinct documents, each with its own legal subject matter, and an explicit cross-reference. The advantage is legal clarity and independent traceability. The drawback is duplicated effort, typically with 30 to 40 % substantive overlap. This approach suits multi-site organisations or those operating several AI systems in heterogeneous contexts.
Approach C: modular (existing DPIA + dedicated FRIA annex). The existing DPIA is retained as a base. A FRIA annex only complements the missing components: fundamental rights not covered by the DPIA, vulnerable groups affected, individual remedy mechanisms. This approach suits organisations whose GDPR DPIAs are already industrialised.
4.3 Five questions to integrate into a DPIA so that it covers the EU AI Act
Regardless of the chosen approach, five questions must be integrated into every impact analysis to cover the EU AI Act requirements.
1. Is the system an AI system within the meaning of Article 3(1)? The definition covers any automated system that infers, from inputs, how to generate outputs (predictions, content, recommendations, decisions). A simple deterministic script is not covered; a scoring system based on a trained model is.
2. Does it fall within the high-risk category (Annex III)? The eight areas listed are (1) biometrics, (2) critical infrastructure, (3) education and vocational training, (4) employment and management of workers, (5) essential private and public services, (6) law enforcement, (7) migration and border control, (8) administration of justice and democratic processes. If the self-assessment concludes "not high-risk" within an Annex III area, Article 6(3) registration remains mandatory.
3. Is the organisation a provider (Article 3(3)), a deployer (Article 3(4)), or both? This qualification determines the exhaustive list of applicable obligations. A tech SME that integrates an AI feature into its software product combines provider and deployer on the same system.
4. Do users have the literacy required (Article 4) to interpret the outputs? Article 4 has been in force since February 2025. Without a minimum level of literacy, the impact analysis is biased from the outset and the human oversight provided for by Article 14 remains theoretical.
5. Is the human oversight provided for by Article 14 named, documented and testable? A declarative "human in the loop" does not satisfy Article 14. A four-level operational methodology (REVIEW, OVERRIDE, MONITORING, STOP) addresses this requirement, as detailed in the Complyla pillar on human oversight.
Five classic pitfalls to avoid
Pitfall 1: "we have a DPIA so we are EU AI Act compliant". False. A GDPR DPIA covers neither the Annex III classification, nor Article 4, nor Article 14, nor Annex IV (Article 11 technical documentation) for providers. A typical HR chatbot pre-sorting 2,000 applications per quarter may be the subject of a complete GDPR DPIA without satisfying the requirements of a FRIA under Article 27: the DPIA assesses neither the risk of systemic disadvantage for specific populations, nor the effectiveness of the individual remedy available to a rejected candidate.
Pitfall 2: "FRIA equals renamed DPIA". False. The scope is broadened to fundamental rights not covered by the GDPR: non-discrimination, access to an effective remedy, social rights. The DPIA covers data; the FRIA covers persons and their rights derived from the Charter of Fundamental Rights of the European Union.
Pitfall 3: "if not high-risk, no analysis". False. Article 4 and Article 50 apply outside the high-risk scope. Article 6(3) registration survives after the Omnibus, even for a "not high-risk" self-assessment within an Annex III area.
Pitfall 4: "let us wait for the official AI Office template". At the time this article was written, the official AI Office template on the FRIA had not been published. Article 27(1) is sufficiently specific to support internal documentation right now.
Pitfall 5: "the Digital Omnibus gives us time". False. The deferral only concerns Annex III obligations until late 2027. The Article 6(3) registration obligation survives intact. Article 4 has been in force since February 2025. The obligations under Article 50(1), (3) and (4) apply from 2 August 2026 with no transition.
DPO action plan in five steps
Roadmap Q3 2026 → 2 December 2027
- Step 1 (Q3 2026): audit existing DPIAs and tag those involving AI. Inventory the AI systems deployed or planned. The inventory must include AI systems used without official declaration (see our article on shadow AI in SMEs, in French). Identify potentially Annex III systems and the related pre-existing GDPR DPIAs.
- Step 2 (following week): qualify the provider, deployer or both status for each identified Annex III system. For each existing DPIA, identify the components reusable under Article 27(4).
- Step 3 (weeks 3 and 4): build a DPIA-Plus template. Methodological choice between approaches A, B or C. Integration of the five EU AI Act questions. Documentation of the choice in the AI governance policy.
- Step 4 (month 2, pilot deadline Q4 2026): conduct a pilot FRIA on a real high-risk system. Test the methodology before generalisation. Identify the necessary adjustments.
- Step 5 (month 3 and beyond, full compliance before 2 December 2027): industrialise and coordinate. Coordination between IT, legal and business teams. Internal FRIA template based on Article 27(1). Update procedure in case of substantial change to the system (model drift, retraining). Explicit articulation with operational human oversight.
Conclusion
The EU AI Act does not erase the GDPR DPIA; it adds a complementary layer of analysis centred on fundamental rights. For European DPOs, the operational challenge of the eighteen months ahead is to articulate these two disciplines without methodological dilution. To structure the approach over three months, see our 90-day AI compliance checklist (in French).
This content is an informational guide and does not constitute legal advice. For any specific legal question related to the DPIA under Article 35 GDPR or the FRIA under Article 27 EU AI Act, consult a qualified lawyer.