6 min read. Updated 2026-02-15

When is FRIA Required?

Understand the triggers and requirements for conducting a Fundamental Rights Impact Assessment under Article 27 — who must conduct one, when, and what it must include.

Fundamental Rights Impact Assessment (FRIA)

Automatic detection: KlarvoEngine flags when FRIA is required based on your classification. If your system is high-risk and you're a public body or deploying credit/insurance AI, the FRIA requirement appears in your obligations automatically.

Article 27 of the EU AI Act requires certain deployers of high-risk AI systems to conduct a Fundamental Rights Impact Assessment before first use — and to update it when circumstances change.

Who Must Conduct a FRIA?

FRIA is required when all of the following are true:

  • You are a deployer (you use AI, not just build it)
  • The AI system is high-risk (matches an Annex III category)
  • You fall into one of these categories:
    - Public body or body governed by public law
    - Private entity providing a public service (hospitals, utilities, transport, etc.)
    - Deployer of certain specific Annex III systems regardless of public/private status — notably credit scoring, insurance risk assessment, and emergency service dispatch

FRIA Triggers — Decision Tree

Is the system high-risk (Annex III)?

→ No → FRIA not required

→ Yes ↓

Are you a public authority?

→ Yes → FRIA required

→ No ↓

Do you provide a public service (even as a private entity)?

→ Yes → FRIA required

→ No ↓

Is the system used for credit scoring, insurance risk, or emergency dispatch?

→ Yes → FRIA required

→ No → FRIA not required (but recommended as good practice)

When to Conduct FRIA

| Scenario | Timing |
| --- | --- |
| First deployment of high-risk system | Before putting into use |
| Material change to the system | Before implementing the change |
| New use case or expanded scope | Before the expansion |
| Periodic review | As defined in governance policy (recommended annually) |
| After a serious incident | Before resuming use |

What FRIA Must Include (Article 27 Elements)

(a) Process Description: How you use the AI system — intended purpose, decision points affected, workflow integration, human oversight measures.

(b) Time Period & Frequency: Expected duration of deployment, frequency of use, scale of people affected per time period.

(c) Affected Categories of Persons: Natural persons and groups likely affected — with specific attention to vulnerable groups, geographic scope, and how they'll be informed.

(d) Specific Risks to Fundamental Rights: Right-by-right analysis covering non-discrimination, privacy, freedom of expression, worker rights, due process, access to services, safety. Each risk rated by likelihood and severity.

(e) Human Oversight Measures: How oversight is designed, competence of oversight personnel, their authority to intervene or stop.

(f) Mitigation, Governance & Complaints: Risk mitigation measures mapped to identified risks, governance arrangements, complaint mechanisms, monitoring plans, and reassessment triggers.

Notification Requirements

After completing FRIA:

  • Notify the market surveillance authority using the prescribed template (unless exempt)
  • Update when circumstances change — particularly new risks, expanded use, or incidents
  • Retain records for the lifetime of the AI system deployment

Exemptions from Notification

You may be exempt from notification (but not from conducting the FRIA itself) in:

  • National security contexts
  • Military/defence applications
  • Research-only use not affecting real people

Integration with DPIA

If you've completed a DPIA under GDPR, you can build on it:

| Aspect | DPIA | FRIA |
| --- | --- | --- |
| Focus | Personal data protection | All fundamental rights |
| Trigger | High-risk data processing | High-risk AI deployment |
| Rights covered | Privacy & data protection | Dignity, non-discrimination, safety, worker rights, etc. |
| Can reference each other | Yes | Yes |

FRIA has a broader scope than DPIA — it covers rights beyond data protection, including non-discrimination, freedom of expression, and worker rights.

Best Practices

📋 Don't skip the FRIA trigger check: Even if you're unsure, complete the evaluation — it's documented due diligence
🔄 Plan for updates: FRIA is not a one-time exercise — material changes require updates
👥 Involve affected groups: Where practical, consult representatives of affected persons
📄 Use Klarvo's FRIA Wizard: The structured workflow ensures all Article 27 elements are covered