Short answer: for deployments in scope of Article 27 of Regulation (EU) 2024/1689, a missing Fundamental Rights Impact Assessment is increasingly treated by AI liability underwriters as a reason to deny or materially reduce a claim, not merely a regulatory paperwork gap. Deployers who assume the FRIA is a compliance-team obligation with no bearing on their insurance position are exposed in a way that is easy to fix before an incident and very difficult to fix after one.

Key takeaways

  • Article 27 of Regulation (EU) 2024/1689 requires certain deployers, chiefly public-law bodies and specific private operators including creditworthiness assessors, to complete a Fundamental Rights Impact Assessment before putting a high-risk AI system into use.
  • AI liability underwriters are increasingly requesting the completed FRIA as part of the underwriting submission for in-scope deployments, alongside Article 9 risk management and Article 14 human oversight documentation.
  • Where policy wording treats the FRIA as a condition precedent to cover, a missing assessment can be grounds for denial rather than a reason for a reduced payout, because the insurer never priced the risk it was actually exposed to.
  • A FRIA completed after an incident does not retroactively satisfy Article 27 and does not restore the underwriting position that would have existed had the assessment been completed on time.
  • The FRIA and the Article 9 risk management system are complementary, not interchangeable. Underwriters that ask for one increasingly ask for both where a deployment is in scope of Article 27.

Why the FRIA is not just a compliance document

Most deployers encounter the Fundamental Rights Impact Assessment as a discrete compliance task assigned to legal or data protection teams, produced to satisfy a notification requirement to the relevant market surveillance authority under Article 27. Treated this way, the FRIA sits alongside other filed-and-forgotten regulatory paperwork. That framing misses what the document actually is from an underwriting perspective: a structured, first-party account of who could be harmed by the deployment, how, and what the deployer has done about it, written before deployment rather than reconstructed afterward under pressure.

AI liability insurers price risk on exactly that basis. An underwriter evaluating a creditworthiness-assessment AI system, one of the specific use cases named in Article 27, needs to know who is affected by the system's decisions, what the plausible harm scenarios are, and what mitigations exist. A completed FRIA answers precisely those questions in the format a regulator already accepts. A deployer without one is asking an underwriter to price a risk with the equivalent of an unfilled application form, and underwriters respond to that gap in one of three ways: by declining to quote, by quoting with a coverage exclusion for the deployment in question, or by attaching a condition precedent requiring the FRIA to be completed before cover incepts.

What Article 27 actually requires

Article 27 of Regulation (EU) 2024/1689 applies to a narrower set of deployers than the general Article 26 deployer obligations. It captures bodies governed by public law, and private operators providing public services, deploying certain categories of high-risk AI systems listed in Annex III. It also names specific private-sector use cases directly: AI systems used to evaluate the creditworthiness of natural persons or establish their credit score, and AI systems intended to be used for risk assessment and pricing in relation to life and health insurance.

Where it applies, the deployer must complete an assessment covering the deployment process and the specific purpose of the system, the period and frequency of use, the categories of natural persons and groups likely to be affected, the specific risks of harm to those persons, the human oversight measures in place, and the measures to be taken if the risks materialise, including internal governance and complaint mechanisms. The completed assessment must be notified to the market surveillance authority, and the authority may require the deployer to take corrective action. Critically, the assessment must be completed before the system is put into use. It is not a document that can be produced retrospectively to satisfy the legal obligation, and the same is true of its practical value to an insurer.

How underwriters are actually using the FRIA

The connection between Article 27 compliance and AI liability underwriting follows the same logic already established for Article 9 risk management documentation: compliance work produces the evidence base that underwriting needs, and the two workstreams converge whether or not an enterprise has deliberately designed them to. What is different about the FRIA specifically is its narrower, targeted scope. It applies to a smaller set of deployments, but precisely the set that concentrates the highest reputational and financial severity: public-sector and quasi-public-sector AI, and private-sector credit and insurance-pricing systems where a wrong or biased decision affects a person's access to financial services.

For these deployments, underwriters are treating the FRIA as the single most informative document in the submission, ahead of general risk management documentation, because it is purpose-built to answer the question an underwriter cares about most for reputationally sensitive AI: who gets hurt, and how badly, if this goes wrong. A submission that includes a completed, current FRIA gives the underwriter a structured basis for pricing. A submission without one, for a deployment that is legally required to have one, signals either that the deployer has not identified its own Article 27 exposure, which is itself a governance red flag, or that it has identified the exposure and not acted, which is worse.

The claims-time problem

The sharpest version of this issue arises not at underwriting but at claims time. Consider a deployer running a credit-scoring AI system in scope of Article 27 that never completed the assessment. A claimant alleges the system produced a discriminatory outcome. The insurer investigating the claim will, as a matter of course, request the deployer's Article 27 documentation as part of establishing whether the deployer met its regulatory and policy obligations. Its absence does two things simultaneously. First, it is direct evidence, discoverable in any subsequent regulatory investigation or litigation, that the deployer breached a binding EU legal obligation, which materially worsens the deployer's position regardless of the insurance question. Second, where the policy wording makes completion of legally required risk assessments a condition of cover, which is an increasingly common clause in AI liability wordings issued since late 2025, the missing FRIA gives the insurer a contractual basis to deny the claim entirely rather than merely dispute quantum.

This is the structural reason a missing FRIA is worse for a deployer than most other missing compliance documents. Article 9 risk management gaps and Article 14 oversight gaps typically weaken a claim and complicate negotiation. A missing FRIA for an in-scope deployment, where the policy treats it as a condition precedent, can end the claim before quantum is even discussed.

What a completed FRIA does not replace

A completed FRIA is not a substitute for the broader governance documentation that AI liability underwriters require. It does not replace the Article 9 risk management system, which addresses technical and operational risk across the system's full lifecycle rather than the specific fundamental-rights lens Article 27 applies. It does not replace Article 14 human oversight documentation, which describes who is responsible for intervening in the system's operation day to day. Deployers in scope of Article 27 should expect underwriters to request all three, and should not treat the FRIA as a complete substitute for the wider evidence file described in our companion analysis of how compliance documentation becomes insurance evidence.

What to do if your FRIA is missing or out of date

  1. Determine whether your deployment is actually in scope of Article 27. Many deployers assume they are not because they are not a public body, without checking whether they fall under the private-sector categories the article names directly, particularly creditworthiness assessment and insurance risk pricing.
  2. If you are in scope and have not completed a FRIA, treat it as an immediate priority rather than a queued compliance task, because every day of operation without it is a day of uninsurable or under-insured exposure for that specific deployment.
  3. If you have a FRIA but it predates a material change to the system, its data sources, or its deployment context, update it. A stale FRIA is treated by most underwriters in much the same way as a missing one, because it no longer describes the risk they are actually being asked to price.
  4. Once the FRIA is current, ensure it is included as a named document in your next AI liability underwriting submission rather than left for the underwriter to request separately, since submissions that proactively surface this evidence are processed faster and priced more favourably.

The Agent Insured waitlist is open for European enterprises preparing for AI liability coverage. Registering provides access to the Agentic Liability Monitor briefing, which tracks how AI liability underwriting standards, including FRIA-related conditions, are developing as the EU AI Act's enforcement period progresses.

Frequently asked questions

Will my AI insurance pay out if I never completed a FRIA?

It depends on the policy wording, but the practical answer for most current AI liability products is that a missing FRIA materially weakens or defeats a claim. Insurers increasingly treat the Article 27 Fundamental Rights Impact Assessment as a condition precedent to cover for deployments in scope of that obligation, meaning the absence of a completed FRIA can be used to deny a claim rather than merely reduce the payout.

What is a Fundamental Rights Impact Assessment under Article 27?

Article 27 requires certain deployers of high-risk AI systems, primarily bodies governed by public law and private operators providing certain public services, to assess the impact the deployment may have on the fundamental rights of affected persons before putting the system into use, and to notify the assessment to the relevant market surveillance authority.

Do AI insurers ask for the FRIA before quoting a policy?

Where the deployment falls within Article 27's scope, an increasing number of AI liability underwriters ask for the completed FRIA as part of the underwriting submission, alongside Article 9 risk management and Article 14 human oversight documentation. Its absence for an in-scope deployment is read as a governance gap rather than an immaterial paperwork omission.

References

  1. Regulation (EU) 2024/1689 on Artificial Intelligence, OJ L 1689, 12 July 2024. Article 27, Fundamental Rights Impact Assessment for high-risk AI systems.
  2. Regulation (EU) 2024/1689, Article 9, risk management system requirements for high-risk AI providers and deployer cooperation obligations.
  3. Regulation (EU) 2024/1689, Article 14 and Article 26(2), human oversight and deployer oversight assignment obligations.
  4. AI Underwriter Collective (AIUC), AIUC-1 Standard, 2024, evidence categories for fundamental rights and bias risk.
  5. Munich Re, AI Performance Insurance whitepaper, 2024.