AI in the public sector: overlap between the FRIA and DPIA, and the path to a single integrated assessment

Since the AI Act came into force, public-sector organisations that want to deploy an AI system processing personal data must carry out not one, but two mandatory assessments. The first is the Data Protection Impact Assessment (DPIA), a risk assessment that maps the risks a data-processing operation poses to the rights and freedoms of data subjects. The DPIA has been around since the General Data Protection Regulation (GDPR) took effect in 2018 and is by now a familiar tool for many organisations. The second is the Fundamental Rights Impact Assessment (FRIA), which evaluates how an AI system may affect people's fundamental rights.

AI systems can create broader risks than data protection alone. Think of discrimination or harm to human dignity. Both assessments therefore evaluate risks, but each from its own angle. At the same time, they overlap considerably in practice. In this blog we explain how the DPIA and the FRIA differ, where they intersect, and why an integrated approach can add real value.

The scope of the DPIA and the FRIA

The main difference lies in the scope. The DPIA is anchored in Article 35 GDPR and is mandatory whenever a processing operation is likely to result in a high risk to the rights and freedoms of natural persons. This applies regardless of whether AI is involved, yet AI applications that process personal data quickly trigger the requirement. Examples include systematic profiling, automated decision-making with legal effects, large-scale processing of special categories of personal data, or monitoring of publicly accessible areas. These are processing activities that, according to the European Data Protection Board (EDPB) guidelines, pose a high risk. The FRIA derives from Article 27 of the AI Act and applies to public-law bodies and to private parties providing public services. The obligation arises when they put a high-risk AI system into use. This includes AI applications listed in Annex III of the AI Act, such as systems for credit scoring, employment decisions, law enforcement and migration. In an earlier blog (available in Dutch only) we discussed the FRIA and the requirements it must meet. [1]

Whether the FRIA obligation applies therefore depends on the context in which the system is deployed. Take an AI system that screens job applicants as an example.[2] If a private organisation uses it, no FRIA obligation arises directly, even though the system qualifies as high-risk AI. If a public-sector body uses the same tool, a FRIA is mandatory. In that case both a DPIA and a FRIA are conducted, each from its own perspective. The DPIA assesses whether applicant data is processed lawfully, whether retention periods are correct, and whether data subjects can exercise their rights. The FRIA looks at different questions. Does the model inadvertently discriminate against certain groups? Is the human dignity of candidates adequately safeguarded, for instance by ensuring a human is always involved in the final decision? An AI system can therefore be fully GDPR-compliant and still infringe fundamental rights.

The Model DPIA Rijksdienst and IAMA

Various tools are available for carrying out both assessments. Within the Dutch public sector, two instruments are commonly used. For the DPIA this is the Model DPIA Rijksdienst (the central government's model DPIA). For the human-rights review of algorithms it is the Impact Assessment Mensenrechten en Algoritmes (IAMA). The IAMA has a broader scope than the FRIA. Where the FRIA applies specifically to high-risk AI systems under the AI Act, the IAMA covers all algorithms that may affect fundamental rights, including simple rule-based systems that do not qualify as AI. In February 2026 the IAMA was updated and aligned with the requirements of the AI Act. For public-sector organisations already working with the IAMA, this provides a solid foundation for meeting the FRIA obligation as well. The Model DPIA Rijksdienst and the IAMA show some overlap. The Ministry of the Interior and Kingdom Relations has therefore published guidance on using both instruments together.[3]

Both the DPIA and the FRIA are form-free. Organisations not bound by an internal mandatory template can therefore shape both assessments themselves. They may, for example, use the Model DPIA Rijksdienst and the IAMA, develop their own instrument, or choose a combination. The condition is that the chosen instruments meet the requirements of Article 35 GDPR and Article 27 AI Act.

The overlap and the bridge of Article 27(4)

Although the DPIA and the FRIA approach risks from different angles, there is considerable overlap in practice. Running both assessments entirely from scratch means duplication of effort and increases the risk of inconsistencies between documents that relate to the same system.

For this reason the European legislator built a bridge between the two instruments. Article 27(4) of the AI Act provides that where part of the FRIA obligations has already been fulfilled through a DPIA, the FRIA supplements that existing assessment. The FRIA does not replace the DPIA, nor vice versa. The provision does, however, allow organisations to reuse existing work and conduct both assessments as one coherent process. The Regulation thus encourages an integrated approach, provided both frameworks are fully covered.

Rather than running the DPIA and the FRIA separately, an organisation can opt for a single integrated assessment. Placing both frameworks side by side reveals which elements overlap, which are complementary, and where the FRIA genuinely adds new content. In practical terms, an integrated assessment might follow these steps:

  1. Joint system description: document what the AI system does, which data it processes and for what purpose, supplemented with the specific elements required by the DPIA and the FRIA.
  2. Map data subjects and affected groups: identify both the data subjects whose personal data are processed and the broader groups whose fundamental rights may be affected.
  3. Address remaining DPIA and FRIA elements: ensure every requirement of Article 35 GDPR and Article 27 AI Act is covered. A checklist helps avoid gaps.
  4. Combined risk analysis and a single set of mitigating measures: assess data-protection and fundamental-rights risks together and translate the outcomes into one consolidated overview of measures.
  5. Coherent documentation: record both assessments as a single whole, demonstrating compliance with both frameworks.


At ICTRecht we are currently developing an integrated assessment framework that meets both sets of requirements. This helps organisations carry out the DPIA and the FRIA in one coherent process. If you need support with this, get in touch. We are happy to think along with you.

Why does this matter right now?

The AI Act is now in force and its obligations are being phased in. Originally, high-risk AI systems would have had to comply with the Regulation's rules from 2 August 2026. On 29 June 2026, however, the Council of the European Union gave final approval to the Digital Omnibus. This package is intended to simplify the EU's digital regulatory framework, including the implementation of the AI Act. Part of it is that several AI Act deadlines are pushed back. The obligations for standalone high-risk AI systems (Annex III) now shift to 2 December 2027, and for embedded high-risk AI (Annex I) to 2 August 2028. You can read more about the Digital Omnibus for AI in this blog (available in Dutch only).

That extension allows some extra time, but even with the new deadlines the implementation period is tight. Start mapping your AI systems in good time. Carrying out risk assessments at an early stage allows the outcomes to inform the design or implementation of the system, rather than requiring corrections afterwards.

The arrival of the FRIA requires additional effort, yet it also offers an opportunity to organise AI risk management more broadly and coherently. Explore how you can integrate both assessments into a single, joined-up process instead of running them separately. That saves time and delivers a better result.

In short, if you would like to know more about the relationship between a DPIA and an FRIA, or get a head start on the AI Act, please contact us. We would be happy to collaborate on this.

Contact us


1. See the EDPB guidelines (WP248 rev.01, 2017).

2. This concerns a high-risk application under Annex III, category 4 of the AI Act.

3. See ‘Handreiking gezamenlijk gebruik Rijksmodel DPIA en IAMA.

Back to overview