1. Introduction
The integration of artificial intelligence (AI) into corporate operations has fundamentally transformed the relationship between technology, governance and human rights protection. This transformation has been further accelerated by the emergence of competing global approaches to AI governance, most notably the contrast between the European Union’s rights-based regulatory frameworks and the United States’ market-driven approach formulated in the “America’s AI Action Plan” (The White House, 2025). AI systems are increasingly involved in critical decisions. They affect employment, credit allocation, healthcare delivery and social services. As their capacity to impact individual rights increases, a fundamental “governance gap” opens between technological capability and traditional frameworks. These frameworks were primarily developed for conventional business activities and are now inadequate to address the unique characteristics of AI systems, such as opacity, scalability, adaptive learning capabilities and potential for systemic bias. Addressing this deficit has become even more urgent as AI use has moved from experimental applications to core business processes across sectors. Earlier technological innovations primarily affected specific industries or functions. Today AI touches every field of life: no sector of economic activity remains untouched by algorithmic decision-making. This creates unprecedented challenges for ensuring that corporate AI deployment respects fundamental rights. Traditional approaches to corporate accountability, typically organized around sectoral regulations or voluntarily applicable norms, struggle to address the interconnected and systemic nature of AI impacts.
At the theoretical heart of this challenge lies the horizontal effect (Drittwirkung) of fundamental rights: the doctrine that human rights norms create obligations not only for state actors but also for private entities, particularly corporations whose activities may significantly impact rights enjoyment (Engle, 2009). The horizontal effect doctrine has evolved considerably since its origins in German constitutional jurisprudence, expanding from its initial applications in free speech regulations to encompass employment and contract law, and ultimately, broader corporate responsibility for rights protection throughout value chains. The horizontal effect doctrine becomes particularly complex in a multipolar AI governance environment where different jurisdictions may have fundamentally different conceptions of which rights deserve priority and how they should be balanced against innovation imperatives.
The application of horizontal effect doctrine to AI systems presents novel complexities that existing legal frameworks struggle to address. Traditional horizontal effect analysis focuses primarily on direct relationships between corporations and individuals. AI systems operate through complex value chains and involve multiple stakeholders like developers, providers, deployers, data suppliers and third parties. They affect individuals through algorithmic processes that may be unclear even to the organizations deploying them. This complexity necessitates new approaches to implementing horizontal effect obligations that can address distributed responsibility, emergent harms and the dynamic nature of AI system impacts.
The European Union responded to these challenges through the AI Act, which can be called a milestone in the evolution of both AI governance and corporate responsibility law (Regulation (EU) 2024/1689, 2024). The AI Act introduces the Fundamental Rights Impact Assessment (FRIA) as a mandatory requirement for deployers of certain high-risk AI systems. This marks the first time that international law has directly mandated complex corporate human rights impact assessment (HRIA) for technological systems. The new regulation goes far beyond traditional privacy or data protection approaches, requiring comprehensive evaluation of AI system impacts across the full spectrum of fundamental rights recognized in the EU Charter of Fundamental Rights.
FRIA represents more than incremental regulatory reform. It embodies a fundamental reconceptualization of corporate responsibility in the digital age. Previous frameworks treated human rights considerations as external constraints on business operations. FRIA requires integration of rights assessment into the core architecture of AI deployment decisions. It follows broader trends in corporate governance toward embedding environmental, social and governance (ESG) considerations into strategic decision-making. ESG refers to a set of standards used to assess the sustainability and ethical implications of an investment or a business, centered around three areas: environmental, social and corporate governance. It also reflects important learning from the evolution of corporate social responsibility (CSR) approaches toward more binding legal frameworks. Wan Jan (2006) defined CSR as an ethical stance and business strategy, following the definition of Hopkins (2003), who described CSR as “treating the stakeholders of the firm ethically or in a responsible manner.” Early CSR initiatives were valuable in raising awareness of corporate social impacts. However, they were insufficient for ensuring consistent protection of human rights across global value chains (see Latapí Agudelo, Jóhannsdóttir & Davídsdóttir, 2019). The development of the UN Guiding Principles on Business and Human Rights was one of the first important steps toward more systematic approaches to corporate human rights responsibility. They introduced the concept of human rights due diligence as a proactive obligation (United Nations Human Rights Council, 2011), but the voluntary nature of these frameworks limited their effectiveness, especially where commercial interests conflicted with rights protection.
FRIA’s mandatory character creates binding legal obligations that operationalize human rights due diligence principles, although specifically for AI deployment contexts. This is complemented by broader trends toward mandatory due diligence legislation in Europe, including France’s Loi de Vigilance, Germany’s Supply Chain Due Diligence Act (LkSG) and the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) (Directive (EU) 2024/1760, 2024). However, FRIA goes beyond these frameworks by requiring assessment not only of corporate impacts on rights but of the specific ways that AI systems may affect the enjoyment of fundamental rights through their design, operation and deployment.
The significance of this regulatory innovation extends beyond the European context through what scholars have termed the “Brussels Effect”: the phenomenon whereby EU regulatory standards influence global business practices through market integration and competitive dynamics (Bradford, 2020). It assumes that multinational corporations will adapt their AI governance practices to comply with FRIA requirements and that these approaches will become global standards, creating spillover effects that extend EU regulatory influence far beyond its territorial boundaries. This dynamic is particularly pronounced in AI governance, where the technical complexity of compliance often makes it more efficient for companies to apply consistent standards across their global operations rather than maintaining different practices for different jurisdictions.
However, this European approach now faces challenges from divergent global approaches to AI governance, most notably the United States’ “America’s AI Action Plan” (July 2025), which explicitly prioritizes innovation, competitive advantage and “American values” over traditional multilateral governance frameworks and rights-based approaches. The US plan was confirmed and strengthened by the November 24, 2025 launch of the Genesis Mission implemented by the US President’s executive order. Framed as comparable to the Manhattan Project in both its urgency and ambition, Genesis positions the development of AI as a critical frontier of scientific discovery and economic growth, arguing that the United States is engaged in a race for global technological dominance in this field.
This emerging multipolar governance environment creates new challenges for the universal application of human rights principles in AI deployment. The traditional dynamic of the Brussels Effect may face unprecedented challenges from explicit counter-influence efforts, as the American AI Action Plan emphasizes establishing “American AI” as the global standard. Under the pressure of this US approach, FRIA may not become the universal standard as initially anticipated, particularly if multinational corporations face competing regulatory incentives that favor less comprehensive rights-based frameworks.
Considering the given context, this article introduces a new perspective by comparing the approaches of the US and the EU regarding AI and human rights regulations through the lens of horizontal effect. This article argues that while the convergence of mandatory (FRIA) and voluntary (HUDERIA) frameworks represents a significant advancement in corporate human rights protection, this convergence is increasingly threatened by emerging multipolar governance approaches that prioritize national competitiveness over universal rights standards. The resulting tension challenges the traditional assumption that European regulatory models will achieve global influence through market dynamics.
To highlight the challenges of transforming AI regulations from fragmented compliance to unified governance in a multipolar world, this article is organized into several sections. Section 2 analyses the horizontal effect of fundamental rights in business. Section 3 discusses FRIA as the first comprehensive regulation that mandates HRIAs in AI value chains. Section 4 examines the implementation obligations of FRIA for private organizations. Section 5 evaluates the effects of transitioning to voluntary human rights frameworks. Finally, the concluding Section 6 summarizes the insights and implications presented throughout the article.
2. Horizontal effect of fundamental rights in business
2.1 Business entities as addressees of human rights
The concept of the horizontal effect of fundamental rights is commonly understood in the literature as the principle that these rights apply to conflicts arising between private individuals, rather than only between individuals and the state or other public entities. As noted by Frantziou (2019), this principle emphasizes the application of fundamental rights in private disputes.
At the current stage in the development of the human rights concept, business entities are undoubtedly addressees of human rights, in the sense that they have the capacity to be subjects of these rights. There is also no doubt that these entities can violate these rights through their actions. In the legal doctrine, there is an ongoing debate as to how companies are held liable for not complying with human rights principles (Paust, 2002), as in its present form the international system for the protection of human rights does not allow for the enforcement of liability on business entities. Therefore, it is vital to develop specific tools that will serve to impose human rights observance on companies. The starting point for the design of such instruments is the distinction between different types of liability that a business entity may bear.
The emphasis on developing specific tools for imposing human rights observance on businesses highlights a crucial gap in the current legal framework, suggesting that without such mechanisms, the accountability of corporate entities for rights violations remains largely unaddressed.
2.2 Ethical responsibility
The first aspect for discussion is responsibility of an ethical nature. In this paper, we will limit ourselves to analyzing business ethics norms that aim to regulate the operations of business entities (Gasparski, 2007). It can be noted that business ethics norms protect values which are also safeguarded under human rights (Kietliński, Martinez Reyes & Oleksyn, 2005). However, such a situation is not guaranteed in every case, as the understanding of business ethics norms is not universal in nature (Gasparski, 2007), and moreover, their observance is voluntary and frequently not subject to any institutionalized sanctions for their violations (Chryssides & Kaler, 1999; Filek, 2004). Consequently, it cannot be stated that the system of regulation regarding human rights based on ethical norms will be sufficient for the protection of individuals harmed by corporate activities. Nevertheless, it remains necessary to develop ethical standards which will be helpful in regulating obligations not covered by legal provisions, and which will play a vital role in interpreting various legal norms.
This ethical dimension becomes particularly crucial in the current multipolar AI governance environment. Where different jurisdictions may prioritize different values – European emphasis on fundamental rights versus American emphasis on technological leadership and economic competitiveness – ethical frameworks provide space for corporate leadership that transcends minimum legal compliance.
The discussion highlights the inadequacy of voluntary business ethics norms in consistently protecting human rights, particularly in a complex global context where diverse legal and ethical priorities exist.
2.3 Corporate responsibility
The second area is the sphere of corporate responsibility. In the context of human rights, it has two meanings. The first one refers to a company’s voluntary decision to assume certain types of obligations, including those arising from legal norms which the company is not required to comply with. In this situation, it may face legal sanctions for actions that breach the internally imposed rules since such conduct violates the principles of fair competition.
In the second meaning, responsibility refers to the violation of the so-called social license to operate. This idea is based on the notion that a social agreement has created a specific area of human activity where business entities operate (Alston, 2005; Jägers, 2002; Sullivan, 2003). Consequently, however, they are forced to act in accordance with rules related to natural persons to the broadest extent possible (Clapham & Jerbi, 2001; Jungk, 2001; Sullivan, 2003). The source of corporate responsibility in this meaning also includes norms that have neither been imposed nor voluntarily adopted, but which according to societal expectations should be respected (Warhurst, 2001). Such norms include the provisions on human rights. However, it must be emphasized that responsibility in this sense will never lead to legal sanctions. It resembles in nature the violation of ethical standards. Nevertheless, it should be stated that this understanding of “responsibility” has become the basis for the creation of normative documents. Among these the main role is played by the Guiding Principles on Business and Human Rights: Implementing the United Nations “Protect, Respect and Remedy” Framework, adopted on March 21, 2011, and developed by the Special Representative of the United Nations Secretary-General on business and human rights (BHR) (Ruggie, 2011). The approach is based on three pillars which are intended to increase corporate accountability for human rights violations. These pillars are: the state duty to protect, access to remedy and the corporate responsibility to respect (United Nations, 2011).
It is vital to underline that the unanimous adoption of the report by the Human Rights Council on June 16, 2011 was met with a highly positive response from the states, some of which announced plans to incorporate the relevant solutions into their own legal systems (Jerbi, 2011). In addition, it is argued that the document implies a positive obligation on the part of the states to take such action (Krajewski, 2018).
The focus on corporate responsibility often masks genuine accountability, allowing companies to evade real consequences for unethical practices.
2.4 Accountability for human rights violation
The third aspect of corporate responsibility for human rights violations is the aspect of accountability. This refers to compliance with legal norms and, in the event of their violation, the assumption of responsibility through proper procedures. As previously noted, there are currently no global instruments which would serve as a basis for such accountability (O’Brien, 2019). However, there exist appropriate regulations at the national level and within the European Union. In this context, we will examine several of these regulations from the field of civil law. Due to the length limitations of this article, a comprehensive analysis is not possible. Our intention is to demonstrate that such regulations function in the legal frameworks of various countries and there are no obstacles to applying similar solutions to entities involved in AI development.
At the national level, one of the most important institutions shaping corporate responsibility is the Alien Tort Claims Act (ATCA), which forms part of the procedural rules before federal courts in the United States. Under this regulation, district courts have jurisdiction over any civil action brought by any foreigner for a tort committed in violation of the general rules of international law or treaties to which the United States is a party (Jägers, 2002; Steinhardt, 2005; Stephens, 2002). This includes treaties concerning human rights (Farbstein, 2023; Sosa v. Alvarez-Machain, 542 U.S. 692, 2004). It is significant because in the first decade of the 21st century it served as a tool for seeking compensation for human rights violations (Kohl, 2014). In subsequent rulings the courts narrowed its application and held that it could not be applied extraterritorially (Kiobel v. Royal Dutch Petroleum Co., 569 U.S. 108, 2013) or to companies other than American ones (Jesner v. Arab Bank PLC, 584 U.S. 241, 2018), and that it must concern “more domestic conduct than general corporate activity” (Nestlé USA, Inc. v. Doe, 2021); however, more recent decisions offer hope for a broader application of this legal institution (Farbstein, 2023). The limitations of the ATCA highlight the challenges in achieving meaningful accountability for corporate human rights abuses.
2.5 European approach to private actors human rights responsibility
The development of law in continental European countries has led to the consolidation of civil liability of corporations for human rights violations as an expression of due diligence obligation, in particular in relations of subsidiaries and entities within the supply chain (Rouas, 2022). Examples of such solutions can be found in the already mentioned French and German statutes. However, it is often noted that these provisions are of limited significance as commercial law tends to focus on the interests of shareholders and profit maximization (Sjåfjell, 2020). Moreover, the obligations introduced are largely of formal and procedural character and are mostly concerned with identifying and managing risk to the enterprise rather than preventing or remedying human rights violations (Deva, 2023).
The European Union has also taken steps to increase corporate accountability. Its flagship initiative in this area is Directive (EU) 2024/1760 of June 13, 2024 on CSDDD (Directive (EU) 2024/1760, 2024). This Act implements the principles of the UN Guiding Principles and establishes binding substantive and organizational duties related to the identification, prevention, mitigation and remedying of actual and potential adverse impacts of a company’s operations, both within its own organization and in relation to subsidiaries and commercial relationships in the entire value chain. The Directive also provides for enforcement mechanisms in the form of supervision by national authorities, administrative sanctions and civil liability in tort in cases of willful breach of due diligence obligations. However, it should be noted that, although the Directive has been adopted, it may not enter into force in its current form, as it has become part of the Omnibus deregulation package (Directorate-General for Communication, 2025) proposed by the European Commission. The proposed amendments aim to narrow the scope of due diligence obligations to direct commercial relationships only, to remove the requirement to terminate contractual relationships with contractors committing gross violations of human rights and to limit the ability to pursue civil claims to domestic legal systems of Member States, without establishing harmonized EU conflict-of-law mechanisms (European Commission, 2025). These proposals have been met with protests from civil society organizations (ClientEarth, 2025), reflecting broader tensions between regulatory ambition and industry resistance that mirror global debates about the appropriate scope of corporate human rights obligations. It must be underlined that a similar trend can be observed in the field of legal provisions aiming at increasing accountability within the AI area.
One example is the AI Liability Directive (European Commission, 2022), which despite its flaws (Bieda et al., 2024), served as complementary to the AI Act, including the area of liability for fundamental rights violations. The progress in corporate accountability often falls short, prioritizing shareholder interests over meaningful human rights protections.
2.6 US deregulation approach
However, these legal frameworks now operate within a changing global context where the United States has explicitly signaled its intention to counter what it perceives as “burdensome regulations” and multilateral governance approaches. The American AI Action Plan’s emphasis on reducing regulatory barriers and promoting American technological leadership creates new challenges for the extraterritorial application of European human rights frameworks and may encourage regulatory arbitrage by multinational corporations. Against this backdrop of evolving horizontal effect obligations, the European Union’s introduction of FRIA represents a concrete operationalization of these theoretical principles in the specific context of AI governance. This divergence underscores a critical tension in contemporary governance literature, where the balance between innovation and regulation becomes a battleground for differing ideological positions on the role of state oversight in digital environments.
3. FRIA as the first complex regulation mandating HRIA in AI value chains
3.1 FRIA as an evolution of risk assessment in European law
The European Union’s AI Act introduces the FRIA as the first comprehensive, legally mandated human rights evaluation mechanism specifically tailored for AI systems (Regulation (EU) 2024/1689, 2024). The entire AI Act is full of language that mandates the protection of fundamental rights. Recital 1 explicitly states that one of the objectives of the regulation is to “promote the widespread adoption of human-centric and trustworthy artificial intelligence (AI) while ensuring […] a high level of protection of […] fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union.” The Act refers to the protection of fundamental rights throughout the entire AI lifecycle, including the development, deployment and use of AI systems. The provider of high-risk AI systems is primarily responsible for identifying and mitigating risks to fundamental rights by ensuring compliance through a risk management system (i.e. Articles 8, 9 and subsequent provisions of the AI Act). However, this regulatory framework is complemented by Article 27 of the AIA, which imposes specific obligations on deployers to safeguard fundamental rights during the operational phase, i.e., the part of the lifecycle over which the provider no longer has control. Recital 96, which refers directly to the FRIA, states that the impact assessment was introduced to effectively ensure the protection of fundamental rights in certain areas of social and economic life. The FRIA must be carried out by entities using high-risk AI systems that are either public sector bodies, private entities providing public services or operating in banking or insurance sectors.
The FRIA introduced in the AI Act is not an entirely novel invention by the EU legislator. It is not the first digital regulation in Europe to include similar provisions. Article 35 of the GDPR requires the conduct of a data protection impact assessment (DPIA) in specified circumstances. Similarly, Articles 34 and 35 of the Digital Services Act (DSA) impose risk assessment obligations on providers of very large online platforms and very large online search engines. The FRIA is not a product exclusive to the digital or AI domain. It builds upon substantial experience with HRIAs, which have been developed at the international level and implemented by companies in various sectors – some of which have already been discussed earlier. However, it is important to note that HRIA in the context of AI is not equivalent to traditional HRIA (Mantelero, 2024). The AI Act establishes a comprehensive legal framework for protecting human rights specifically during the use phase of AI systems. Given the widespread application of AI across virtually every aspect of social and economic life, the relevance of this regulation extends across all sectors. Moreover, it imposes human rights obligations not only in the citizen–state relationship but also within horizontal relationships between individuals and private actors, which may be very large general-purpose AI model providers as well as small and medium enterprises in the AI value chain.
The introduction of the FRIA within the EU’s AI Act is a crucial step, but its effectiveness will ultimately depend on rigorous enforcement and the genuine commitment of all stakeholders to prioritize human rights over technological advancement.
3.2 Innovative aspects of FRIA
Because the regulation primarily governs social and economic interactions, it explicitly addresses the risks of fundamental rights violations by providers of high-risk AI systems. For this reason, Article 27 of the AI Act and its accompanying provisions should be considered innovative, as they establish an unprecedented convergence between traditional data protection approaches and evolving human rights obligations in the digital sphere.
The novelty of the AI Act and the FRIA lies also in the fact that it is the first regulation to establish a binding legal obligation to protect fundamental rights backed by enforceable sanctions in the event of interference. Until now, regulations concerning HRIA and systems for the protection of human rights in digital contexts have been voluntary (Bertaina, Ceravolo & De Gregorio, 2025). In contrast, under the AI Act, the FRIA constitutes a mandatory assessment, and its outcomes must be used to prevent or mitigate risks (Mantelero, 2024). The original proposal of the European Parliament envisioned the FRIA as applying to all high-risk AI systems under Article 6(2), with the sole exception of systems used for the management and operation of critical infrastructure. The final text retains this exception but also significantly narrows the overall scope of the FRIA. It now applies only to (1) deployers that are “public sector bodies” or “private entities providing public services” and (2) deployers of AI systems used for creditworthiness assessments of natural persons, credit scoring, and the evaluation of risk and pricing in life and health insurance. While this narrower scope is less ambitious from a fundamental rights perspective than the original proposal, it nonetheless represents a regulatory innovation.
The FRIA distinguishes itself from traditional HRIA mechanisms by introducing an ex ante approach to the protection of fundamental rights. This not only prevents harmful applications from entering the market but also turns the FRIA into a design tool, in line with the by-design approach (Mantelero, 2024). This risk assessment accompanies AI systems throughout the entire deployment lifecycle. It is applied during the initial phases of planning and scoping, risk assessment and mitigation (including the identification of harm, evaluation of its impact and risk treatment) and post-assessment monitoring (Fulop & Poindl, 2025). What truly sets the FRIA apart from similar processes is this preventive, anticipatory character. The reference in Article 27(1) to the potential impact of AI system use and the criterion of likelihood underscores this forward-looking dimension. The aim of Article 27, as revealed during legislative debates, and its systemic interpretation lead to the conclusion that the FRIA is a forecasting exercise in risk evaluation and management. Risk materializes not when harm occurs, but when the deployer designs a specific use case for the AI system, thereby triggering the obligation to take appropriate mitigating measures (Mantelero, 2024).
Importantly, the innovative aspect of the FRIA is also its recognition of the contextual and socio-technical nature of AI systems. The FRIA acknowledges the complex, distributed architecture of AI value chains, moving beyond traditional, linear regulatory models. Unlike conventional approaches that concentrate on single actors or one-dimensional processes, the FRIA requires deployers to assess fundamental rights implications across interconnected relationships within the AI ecosystem. This recognition of AI’s systemic character positions the FRIA as a bridge between individual rights protection and collective governance challenges (Mantelero, 2024).
Ultimately, the FRIA offers a practical framework for fundamental rights protection, helping to bridge the gap between general AI ethics principles and concrete legal obligations (Bertaina et al., 2025; Janssen, Galetta & Gellert, 2022). It is also connected with the broader Conformity Assessment process, contributing to a comprehensive risk management system for safeguarding fundamental rights (Fulop & Poindl, 2025).
One particularly important point is that, unlike previous sector-specific instruments such as the GDPR or the DSA, the FRIA is aimed at the broad protection of fundamental rights. While earlier frameworks addressed data protection through mechanisms like DPIAs or sectoral human rights concerns (such as those covered under DSA or ESG), the FRIA constitutes the first comprehensive effort to systematically integrate human rights evaluation into AI deployment processes and, as AI is embedded in every sphere of business life, into almost every corporate workflow.
The FRIA, while a significant advancement in the regulatory landscape, risks falling short of its ambitious goals due to its narrowed scope and reliance on a compliance-driven approach that may overlook the nuanced realities of AI’s socio-technical impacts.
These innovative aspects of FRIA have largely survived recent deregulation pressures, though not without modifications. The November 2025 Digital Omnibus on AI draft extends FRIA implementation timelines from August 2026 to December 2027 for high-risk systems, while eliminating AI literacy obligations for employers. However, unlike the substantial weakening of CSDDD under Omnibus I, FRIA’s core human rights assessment requirements remain unchanged, suggesting that the EU considers AI governance more strategically essential than supply chain due diligence.
3.3 Comparative study of FRIA and DPIA
It is widely accepted that the FRIA evolved from the DPIA as a more comprehensive instrument for assessing the impact of AI on fundamental rights. The DPIA was introduced in Article 35 of the GDPR as a mandatory evaluation for data processing operations likely to pose a high risk to the rights and freedoms of natural persons. Although Article 35 refers broadly to a “likely high risk to the rights and freedoms of individuals,” the Article 29 Data Protection Working Party clarified that, while data protection frameworks adopt a risk-based approach, the phrase “rights and freedoms” primarily concerns the rights to data protection and privacy. However, it may also implicate other fundamental rights such as freedom of expression, freedom of thought, freedom of movement, freedom from discrimination, freedom of religion and conscience, and the right to liberty (Article 29 Data Protection Working Party, 2017; see also Barta, Kawecki & Litwiński, 2021).
The DPIA involves a systematic assessment of the necessity and proportionality of data processing operations in relation to their purposes, an evaluation of risks to the rights and freedoms of data subjects and the adoption of measures to mitigate those risks. It is an ex ante risk management tool, which must be carried out prior to the start of processing, and it has a cyclical structure: it must be updated when processing operations or their context change (Fulop & Poindl, 2025; Janssen et al., 2022). As noted above, despite the relatively broad formulation in Article 35, both legal theory and enforcement practice have interpreted the DPIA as being primarily focused on data protection. In contrast, the FRIA extends to all potentially affected fundamental rights and freedoms, as enshrined in the Charter of Fundamental Rights of the EU, while retaining the core methodological features of the DPIA: (1) an ex ante approach, (2) a rights-based risk assessment, (3) a cyclical, iterative structure throughout the lifecycle of the AI product or service and (4) a reliance on expert judgment (Malgieri & Santos, 2025). The key difference lies in its broader scope – the FRIA is not limited to data protection but instead considers all potentially affected rights and freedoms (Janssen et al., 2022; Mantelero, 2024).
The FRIA was introduced into the AI Act by the European Parliament, as part of a compromise in response to the European Commission’s proposal, which emphasized a human-centric approach and the protection of fundamental rights, but failed to fully embed these principles in its risk-based model. During the legislative process, arguments were raised against the inclusion of the FRIA, claiming that it was redundant in the presence of the DPIA and Article 35 of the GDPR. However, the adoption of Article 27 AI Act reveals important shortcomings in the practical implementation of the DPIA, particularly its limited attention to rights beyond data protection, which are often underdeveloped or overlooked in practice (Mantelero, 2024). In the context of the DPIA, the assessment of various fundamental rights is often filtered through the lens of data protection. This leads to a situation in which data protection categories are used to justify the final decision, thereby overshadowing the rationale for evaluating the impact on other fundamental rights. In contrast, the FRIA, like the HRIA, requires a detailed consideration of each relevant fundamental right, based on their definitions in legal doctrine and case law. This results in more accurate and transparent outcomes in the assessment process (Mantelero, 2024).
The transition from DPIA to FRIA signifies a crucial shift in evaluating AI’s impact, highlighting a need for a more inclusive approach that transcends data protection to holistically address the spectrum of fundamental rights at risk.
3.4 Scope of Article 27 of AI Act
In defining the scope of application of Article 27 of the AI Act, reference must be made to Recital 48. It states that when classifying an AI system as high-risk, a key consideration is the extent to which the system may adversely impact fundamental rights protected under the Charter of Fundamental Rights of the European Union. These rights include the right to human dignity, respect for private and family life, protection of personal data, freedom of expression and information, freedom of assembly and association, and the right to non-discrimination. Also covered are the right to education, consumer protection, workers’ rights, rights of persons with disabilities, gender equality, intellectual property rights, the right to an effective remedy and to a fair trial, the right of defense and the presumption of innocence, and the right to good administration. The recital further highlights the specific rights of children, as outlined in Article 24 of the Charter and the UN Convention on the Rights of the Child. The fundamental right to a high level of environmental protection, enshrined in the Charter and implemented through EU policy strategies, must also be considered in evaluating the severity of harm an AI system may cause, including potential threats to health and safety. The AI Act places particular emphasis on the rights of vulnerable persons. Recital 67 specifically refers to the protection of individuals belonging to especially sensitive groups, including those defined by racial or ethnic origin. Legal scholarship also points to certain rights that are particularly exposed to interference in the context of AI, such as privacy, equality, freedom of expression, and procedural and socio-economic rights (Janssen et al., 2022). However, it is crucial to note that all fundamental rights may be impacted by AI systems and are therefore subject to protection within the FRIA framework.
As a result, the FRIA significantly broadens the scope of human rights protection. We perceive FRIA as precedent-setting, as it is the first comprehensive framework mandating HRIA specifically for AI systems. FRIA establishes methodological and institutional foundations that influence global AI governance approaches. The regulation’s emphasis on systematic assessment, stakeholder engagement and ongoing monitoring creates a template for addressing the fundamental rights implications of AI deployment across different jurisdictional contexts. In doing so, it has the potential to catalyze similar regulatory developments at the international level. While the emphasis on rigorous human rights assessments in AI governance is commendable, the challenge lies in balancing thorough oversight with the need for agile regulatory frameworks that can adapt to technological advancements without hindering progress.
4. FRIA implementation obligation by private organizations
4.1 Shift in human rights protection mechanisms
As already mentioned in Section 2, fundamental rights enshrined in international treaties originally operate as safeguards against the state and do not directly address private entities. At the same time, the EU recognizes that private companies can severely impact an individual’s fundamental rights. Private companies have traditionally been assumed to act on an equal footing with other private (natural and legal) persons. The law intervened where imbalances occurred, protecting the less powerful party (consumer, employee) through sectoral regulations. However, in recent years, the EU has recognized that treating individuals and (large) private organizations as being on an equal footing is inappropriate. Especially in a technology context, this is often due to the systemic power and information asymmetries inherent in the current data processing practices of digital organizations, not only large corporations but also small and medium enterprises. The asymmetries commonly stem from an unequal distribution between those organizations and individuals, in terms of access to the data, controlling and comprehending the (often) opaque processing of that data, risk assessment, inequalities of wealth, capital, access to expertise, knowledge, power and so forth. This makes it difficult for even knowledgeable individuals to properly evaluate and come to informed decisions over whether they should do business with those organizations (Janssen et al., 2022).
The AI Act is one of the regulatory instruments designed to counteract this problem, and the FRIA, established within it, functions as a risk management tool specifically tailored for the private technology sector. Its core objective is to internalize the costs associated with fundamental rights violations. Private technology companies should bear the responsibility for identifying and mitigating fundamental rights risks already at the design stage of AI systems. Unlike public entities, which operate within democratically established procedures and are subject to constitutional oversight, private actors require external regulatory mechanisms that compel them to take fundamental rights into account. The FRIA forces companies to factor in the societal costs of their innovations, a principle known in economic theory as the internalization of externalities. This mechanism is particularly important in the context of the informational asymmetry between technology developers and the broader public. As mentioned above, private entities, driven by profit maximization, may consciously disregard negative social consequences unless they are legally required to address them (Ceravolo, Malgieri & Mantelero, 2025; Janssen et al., 2022; Mantelero, 2024). While the implementation of the FRIA represents a significant step toward holding private technology companies accountable for fundamental rights risks, it also raises questions about the effectiveness of external regulation in truly altering profit-driven behavior unless accompanied by a broader cultural shift within these organizations toward prioritizing ethical responsibility.
4.2 Theory versus implementation of FRIA
The AI Act clearly specifies which private organizations are obligated to uphold fundamental rights. At the same time, however, the scope and clarity of these obligations remain limited. Whereas Article 35 of the GDPR lays out relatively clear duties concerning data protection and the decision-making processes within that domain, the FRIA, by addressing the entire spectrum of fundamental rights, may prove far more challenging for private entities to implement. To clarify this ambiguity, the literature points to several arguments:
– Private actors should be held to the same standard as public entities. To argue otherwise would contradict Article 1 of the AI Act and its underlying objectives – namely, the prevention of harm caused by high-risk AI systems.
– A deployer preparing a FRIA must respect fundamental rights, interpret their limitations and apply the principle of proportionality where relevant. Yet, there are no established rules guiding how a private actor should conduct such a balancing exercise, especially when its own rights and economic interests may also be at stake. Consequently, it has been suggested in the literature that if the benefit of using an AI system outweighs its interference with fundamental rights, the deployer is acting lawfully. However, the greater the impact of the system on fundamental rights, the stronger the justification must be on the part of the private actor. This interpretation aligns with the European Court of Human Rights’ and Court of Justice of the European Union approach to balancing interests under GDPR (Fulop & Poindl, 2025; CJEU Case C-252/21, Case C-511/18, C-512/18 and C-520/18; ECHR Roman Zakharov v. Russia, 2015).
– Infringement of the essence of a fundamental right is impermissible, whereas interferences may affect only non-core elements. That means that the deployer must be able to identify and assess what constitutes the core of a given right.
– A deployer should prevent and mitigate all interferences with fundamental rights, seeking alternative or less intrusive means when such alternatives are adequate to achieve the intended goals.
These principles mirror the deliberations of constitutional theorists regarding the application of the principle of proportionality by public authorities. This suggests that private actors subject to the FRIA obligation will be required to assess the consequences of the systems they introduce on fundamental rights, respect those rights, explore their limitations and mitigate associated risks. FRIA will therefore raise awareness among private actors in the domain of fundamental rights and create legitimacy for decision-making in areas that affect public interests through technological choices. Whereas public authorities derive their legitimacy from a democratic mandate, private entities operate within the sphere of private autonomy, often less transparently and without parliamentary, judicial or public oversight. Thus, their legitimacy must be constructed through compliance with fundamental rights, and the FRIA framework with its requirements for consultation and participatory procedures supports this endeavor (Mantelero, 2024; Malgieri & Santos, 2025).
However, the operationalization of FRIA requirements presents significant implementation challenges. They span technical, organizational and legal dimensions. Organizational capacity represents perhaps the most immediate implementation challenge. Few organizations possess the interdisciplinary expertise necessary for comprehensive fundamental rights assessment. Effective FRIA implementation requires competencies spanning human rights law, AI system analysis, stakeholder engagement and impact evaluation methodologies. This competency gap is particularly pronounced in smaller organizations or those without prior experience in human rights due diligence. It requires significant capacity-building investments, which may be too great a burden and may potentially undermine the universal application of horizontal effect principles.
The assessment methodology challenge is compounded by the absence of standardized frameworks for evaluating AI system impacts on fundamental rights. FRIA operates in a relatively underdeveloped methodological landscape (Wernick, 2024). Some frameworks have been presented in legal scholarship (Bertaina et al., 2025; Ceravolo et al., 2025; Mantelero, 2024; Wernick, 2024). So far, however, methodological uncertainty creates implementation risks and may lead to inconsistent assessment quality across different organizations and sectors, potentially undermining the standardization objectives of horizontal effect implementation.
Stakeholder identification and engagement present additional complexity, as AI systems often affect diverse and sometimes difficult-to-identify communities. The distributed nature of AI impacts means that affected stakeholders may include not only direct system users but also individuals subject to algorithmic decisions, communities experiencing indirect effects and broader societal groups affected by systemic changes. Meaningful stakeholder engagement requires sophisticated outreach strategies, culturally appropriate consultation methods and mechanisms for incorporating diverse perspectives into assessment processes, reflecting the participatory dimensions of horizontal effect obligations.
Technical assessment challenges arise from the opacity and complexity of many AI systems, particularly machine learning applications that operate through patterns not easily interpretable by human assessors. FRIA implementation must address questions of algorithmic transparency, bias detection and impact attribution in contexts where system operations may not be fully understood even by their developers. This technical complexity is further complicated by the need to assess not only current system performance but also potential future impacts as systems adapt and evolve through learning processes, requiring dynamic assessment approaches that can accommodate algorithmic uncertainty.
Resource allocation and cost considerations present practical implementation barriers, particularly for smaller organizations or those deploying multiple AI systems subject to FRIA requirements. The comprehensive nature of fundamental rights assessment requires significant time investments, specialized expertise and ongoing monitoring capabilities. These resource requirements may create competitive disadvantages for organizations with limited compliance capabilities while potentially favoring larger entities with established risk management infrastructures, raising questions about the equitable application of horizontal effect obligations across different organizational contexts.
The disparity between the theoretical framework of the FRIA, which emphasizes a holistic assessment of fundamental rights, and its practical implementation reveals a significant gap in addressing rights outside of data protection, highlighting the need for a more robust integration of these principles in real-world applications.
4.3 Divergence between US and EU approaches to AI and human rights governance
In our opinion, FRIA’s introduction coincides with growing international recognition of the need for human rights-centered AI governance. The timing of its implementation reflects lessons learned from the limitations of purely technical or market-based approaches to AI governance, incorporating insights from BHR frameworks that have evolved over the past decade. The regulation’s emphasis on impact assessment methodology draws from established human rights due diligence practices while adapting these approaches to the unique characteristics of AI systems, including their opacity, scalability and potential for automated decision-making that may bypass traditional accountability mechanisms. However, FRIA’s significance must now be understood within the context of emerging global tensions in AI governance. While the EU pursues comprehensive rights-based regulation, the United States has articulated a fundamentally different approach through its “America’s AI Action Plan,” confirmed by the Genesis Mission project, which explicitly prioritizes innovation, competitive advantage and resistance to what it characterizes as “onerous regulation.” Furthermore, the US President’s Executive Order issued in December 2025 states that “it is the policy of the United States to sustain and enhance the United States’ global AI dominance through a minimally burdensome national policy framework for AI.” The Order further provides that
within 30 days of the date of this order, the Attorney General shall establish an AI Litigation Task Force whose sole responsibility shall be to challenge State AI laws inconsistent with the policy set forth in Section 2 of this order, including on grounds that such laws unconstitutionally regulate interstate commerce, are pre-empted by existing federal regulations, or are otherwise unlawful.
This policy direction suggests that regulatory frameworks imposing human rights-based obligations on corporations developing or deploying AI systems may be increasingly framed as unlawful or as creating an excessive regulatory burden. As a result, requirements aimed at embedding human rights protections, such as mandatory impact assessments or oversight obligations, risk being challenged not only politically but also through coordinated legal strategies designed to limit their enforceability.
This divergence creates new challenges for FRIA’s global influence and raises questions about the universal applicability of European AI governance models. FRIA’s implementation highlights a growing divide in AI governance strategies, where the EU’s rights-focused approach contrasts sharply with the US emphasis on innovation and deregulation, posing challenges for global harmonization in ethical AI practices.
5. Bridging to voluntary human rights frameworks
5.1 Mandatory character of FRIA
Although FRIA evolved from HRIA (Wernick, 2024), it differs significantly from traditional risk assessment mechanisms. HRIA, as part of corporate due diligence, has primarily been used as an ex post reaction to critical events. FRIA under the AI Act constitutes a mandatory obligation that must be fulfilled before deploying an innovative solution in the real world. Another key distinction lies in its operational scope. Traditional HRIA functions mainly as a policy-oriented tool, providing companies with an assessment of potential impacts and a list of possible preventive or mitigating measures, while ultimately leaving the decision about which actions to implement to the discretion of the company. By contrast, under the AI Act, the FRIA is a binding assessment, and its outcomes must be acted upon to prevent or mitigate risk. Finally, FRIA in AI differs from traditional HRIA in the nature of the situations assessed. While HRIA is usually applied in the context of industrial activities located in a specific territory and impacting on a wide range of human rights, including social rights, AI products are often globally distributed solutions that usually impact on a range of fundamental rights (Mantelero, 2024).
The mandatory nature of the FRIA fosters both awareness and legitimacy for engaging in HRIA within AI contexts. As organizations develop their capabilities and expertise through the implementation of FRIA, these competencies lay the groundwork for more comprehensive, voluntary human rights assessment frameworks, which may extend beyond regulatory requirements. This dynamic of gradual transition positions FRIA not only as a regulatory endpoint but also as a stepping stone toward the broader integration of human rights considerations into AI governance. It reflects the evolutionary potential of implementing the horizontal effect of fundamental rights in increasingly complex technological environments. The concept of FRIA marks a shift from reactive human rights assessments to a proactive, mandatory approach that integrates human rights considerations directly into the development and deployment of AI technologies, thereby enhancing accountability and a more responsible innovation landscape.
5.2 Importance of voluntary frameworks
This is where voluntary frameworks like the Council of Europe’s Human Rights, Democracy, and Rule of Law Impact Assessment (HUDERIA) become particularly significant (Council of Europe, 2024; Wernick, 2024). HUDERIA represents a comprehensive voluntary framework developed by the Council of Europe’s Ad Hoc Committee on AI (CAHAI) that provides structured, algorithm-neutral approaches to assessing AI system impacts throughout their lifecycle.
Unlike mandatory frameworks such as FRIA, HUDERIA’s voluntary nature allows organizations to extend human rights considerations beyond regulatory requirements, creating opportunities for ethical leadership and norm development where legal frameworks may be absent or insufficient. This flexibility becomes particularly valuable in a multipolar governance environment where organizations may seek to maintain consistent ethical standards across jurisdictions with different regulatory approaches. It can be used by both public and private actors for identifying and addressing risks and impacts to human rights, democracy and the rule of law.
The HUDERIA Methodology combines general and specific guidance with flexibility, allowing room for adaptation in practical implementation. At the general level, it describes high-level concepts, processes and elements guiding risk and impact assessment activities of AI systems that could have impacts on human rights, democracy and the rule of law. It is a multi-step governance process offering an anticipatory approach to the governance of AI design. The methodology consists of four interconnected phases: Context-Based Risk Analysis (COBRA), Stakeholder Engagement Process (SEP), Risk and Impact Assessment (RIA) and Mitigation Planning (MP). Each phase is supported by comprehensive documentation through the Project Summary Report, ensuring accountability and continuous assessment capabilities (Janssen et al., 2022; Council of Europe, 2024).
The COBRA phase includes three key steps:
1. It identifies key risk factors – specific characteristics within an AI system’s lifecycle context – that heighten the likelihood of adverse impacts on human rights, democracy and the rule of law. These risk factors are grouped into three categories: the system’s application context, design and development context, and deployment context.
2. Analyzing these factors enables and facilitates the checking of potential adverse impacts on human rights, democracy and the rule of law.
3. Building on this information, the triage process focuses on identifying and prioritizing systems with significant risks, ensuring that the HUDERIA Methodology remains proportional and not overly burdensome for minimal or low-risk AI systems. This process also supports informed decision-making on whether the benefits of building or deploying an AI system outweigh its risks, particularly regarding potential impacts on human rights, democracy and the rule of law.
The SEP enhances the RIA by incorporating the perspectives of potentially affected individuals identified during the COBRA stage. Tailored to the identified risk factors and potential impacts, stakeholder engagement can take various forms and levels of participation. This process not only improves the quality of risk analysis but also fosters transparency, builds trust and enhances the usability and performance of the AI system.
The RIA provides a detailed evaluation of the potential and actual impacts of AI system activities on human rights, democracy and the rule of law, focusing particularly on systems posing significant risks identified during the COBRA triage. It involves re-examining, contextualizing and expanding upon potential harms, while assessing key risk variables such as scale, scope, reversibility and likelihood to prioritize and manage risks effectively. Building on the COBRA analysis and potential SEP insights, this step ensures a comprehensive understanding of the risks to inform mitigation and governance strategies.
The MP element of the HUDERIA process outlines actions and strategies to address adverse impacts and mitigate identified harms. It involves formulating targeted measures based on the severity and likelihood of these harms and developing a comprehensive plan to implement them. Where appropriate, it also includes establishing mechanisms for affected individuals and other stakeholders to access remedies.
HUDERIA prompts regular reassessments through the iterative revisitation phase, to ensure that AI systems continue to operate safely and ethically as the context and technology evolve and that the public is protected from emerging risks throughout the system’s life cycle. It is intended to prevent and mitigate risks in the application of AI in corporate governance by ensuring that AI tools are used ethically, responsibly, and in compliance with governance principles. These risks include ethical and legal concerns over handling sensitive company and stakeholder data; the risk of inheriting or amplifying existing biases; complexity in allocating responsibility for decisions made or suggested by AI; overreliance on technology; and the inability of AI to replace human judgment in governance decisions. The HUDERIA framework highlights the crucial role of proactive engagement and flexible governance in addressing potential risks of AI systems, emphasizing the need for organizations to move beyond mere compliance and actively foster ethical practices that uphold human rights and democratic principles.
5.3 Relationship between different impact assessment mechanisms
The relationship between FRIA and HUDERIA demonstrates how mandatory and voluntary frameworks can work together to create more comprehensive human rights protection than either approach could achieve independently. FRIA provides regulatory baseline requirements with enforcement mechanisms, while HUDERIA offers methodologies for organizations seeking to implement comprehensive rights assessment as a matter of ethical commitment rather than legal compliance. This complementarity is particularly significant because it addresses a crucial gap in traditional approaches to corporate responsibility: the space between what law requires and what ethics demands. FRIA ensures minimum compliance with fundamental rights obligations for high-risk AI systems within EU jurisdiction, while HUDERIA, which is conceptually aligned with FRIA, provides methodologies for organizations seeking to implement comprehensive rights assessment across their entire AI portfolio, regardless of regulatory requirements or in a multijurisdictional context. Companies with global operations could find it efficient to apply FRIA-style assessment approaches across their international AI portfolios, even in jurisdictions without similar regulatory requirements. This harmonization effect could contribute to the global influence of EU regulatory approaches and create momentum toward international convergence around HRIA in AI governance. In our opinion, HRIA frameworks and tools like HUDERIA can promote rights protection particularly in contexts where legal regulations are absent, through voluntarily adopted principles that guide organizational behavior and create accountability mechanisms beyond regulatory requirements. The interplay between FRIA’s regulatory mandates and HUDERIA’s ethical frameworks highlights the potential for a more nuanced approach to corporate accountability in AI, bridging the divide between legal compliance and moral responsibility, especially in regions lacking robust regulations.
6. Conclusion: from fragmented compliance to unified governance in a multipolar world
The convergence of BHR instruments with emerging AI governance frameworks represents one of the most significant developments in contemporary corporate accountability and technology regulation. The traditional paradigm of fragmented compliance was characterized by sector-specific regulations and voluntary CSR frameworks. The European Union found it fundamentally inadequate for addressing the complex rights implications of AI systems in global value chains. However, this convergence now faces unprecedented challenges from the emergence of multipolar AI governance approaches. We can notice the contrast between the European Union’s rights-based regulatory frameworks and the United States’ innovation-focused “America’s AI Action Plan.” It signals a fundamental departure from one consensus-building approach to international technology governance. When we began preparing this paper, our central thesis was that BHR instruments and AI governance are increasingly complementary and should be integrated into unified frameworks. And due to the Brussels Effect, such integration is likely to shape corporate human rights protection practices worldwide.
At the methodological level, the due diligence processes developed within BHR frameworks provide essential foundations for systematic human rights assessment in AI contexts. AI-specific evaluation tools enhance the precision and effectiveness of traditional HRIA. The evolution from DPIA to FRIA demonstrates how regulatory learning can produce more comprehensive assessment methodologies that address both technological complexity and rights protection imperatives.
At the institutional level, the governance structures and accountability mechanisms emerging around new AI regulation create infrastructure that supports broader corporate responsibility initiatives, while established BHR institutions provide legitimacy and experience that enhance the effectiveness of AI governance approaches. The evolution of the horizontal effect doctrine and the theory of human rights balancing, transferred from constitutional law principles to concrete corporate obligations in AI deployment contexts, could illustrate how legal concepts can adapt to technological change.
At the normative level, both BHR and the EU’s AI governance frameworks share fundamental commitments to human dignity, transparency, participation and proactive responsibility.
The significance of FRIA as the first mandatory HRIA specifically designed for AI systems cannot be overstated. Despite the challenges mentioned, by requiring systematic evaluation of AI system impacts across the full spectrum of fundamental rights, FRIA operationalizes horizontal effect obligations in ways that previous frameworks could not achieve. The mandatory character of these requirements addresses weaknesses in voluntary corporate responsibility approaches.
However, this thesis was severely challenged by the introduction of the American AI Action Plan and the European Commission’s own Omnibus deregulation package, which proposes to weaken the CSDDD. This trend toward deregulation, combined with external pressure from competing governance models, creates risks for the continued development of robust horizontal effect principles in corporate contexts. It may encourage regulatory arbitrage, where organizations seek to minimize compliance costs by operating in less regulated jurisdictions, potentially undermining the effectiveness of European rights-based approaches and FRIA application.
In this context, voluntary frameworks such as HUDERIA become particularly important. They offer mechanisms for organizations to maintain consistent human rights standards across diverse regulatory landscapes, reinforcing the role of human rights as ethical norms – especially in situations where legal norms are insufficient, contradictory or entirely absent. Corporations operating both within the EU and in non-EU jurisdictions may be more inclined to adopt such frameworks, aligned with the EU legal norms, as part of a unified governance strategy, even in areas where no binding legal obligations currently exist. The central finding of this analysis is that both FRIA and HUDERIA contribute to the strengthening of human rights observance as ethical norms in the context of corporate AI deployment. However, this norm-reinforcing function is increasingly challenged by divergent global approaches, which prioritize different values and objectives. Legal scholarship should engage critically and constructively with these challenges, promoting the protection of fundamental rights in the development and deployment of AI systems, while offering practical solutions to address the challenges identified by legal theory and, particularly, by practice. From a human rights perspective, the removal of FRIA from the legal framework would inevitably represent a decline in the protection of human rights and the rule of law.
The findings highlight a significant tension between the EU’s rights-based approach to AI governance and the increasingly deregulated environment promoted by the American AI Action Plan, which could undermine efforts to ensure robust human rights protections.
Author contributions
CRediT Taxonomy
Michal Jackowski: Conceptualization-Lead, Data curation-Lead, Formal analysis-Lead, Funding acquisition-Equal, Investigation-Equal, Methodology-Equal, Project administration-Lead, Resources-Lead, Software-Equal, Supervision-Lead, Validation-Lead, Visualization-Lead, Writing - original draft-Lead, Writing - review & editing-Equal.
Jaroslaw Greser: Conceptualization-Supporting, Data curation-Supporting, Formal analysis-Supporting, Funding acquisition-Equal, Investigation-Equal, Methodology-Equal, Project administration-Supporting, Resources-Supporting, Software-Equal, Supervision-Supporting, Validation-Supporting, Visualization-Equal, Writing - original draft-Supporting, Writing - review & editing-Equal.
Competing interests
The authors confirm that there are no competing interests involved, and there is no external funding for the publication.
Michał Jackowski is Professor of Law (SWPS University) specializing in the intersection of artificial intelligence, technology regulation and the transformation of legal institutions. His research focuses on AI governance, legal innovation, and the constitutional and regulatory implications of emerging technologies. He serves as International Cooperation Leader in the Artificial Intelligence Working Group at the Polish Ministry of Digital Affairs and participates as an expert in the development of codes of practice for general-purpose AI models within the EU AI Office.
He is an expert of the Polish Committee for Standardization, a member of the CEN-CENELEC working group on AI standardization and an expert of the Polish Chamber of Information Technology and Telecommunications. He is also Editor-in-Chief of the Oxford University Press series on Artificial Intelligence and Legal Technology and co-editor of the Global Report on the State of AI in Legal Practice. In addition to his academic work, he has practiced as an attorney and tax advisor for over 20 years.
Jarosław Greser is an assistant professor at the Research Center for Legal and Economic Issues of Electronic Communication at the University of Wrocław (CBKE) and a research fellow at the Centre for IT & IP Law (CITIP), KU Leuven.
His work focuses on the intersection between law and technology in the medical sector, in particular with respect to cybersecurity and privacy. Recently, he led the research project “Cybersecurity of the Medical Internet of Things—A Legal Perspective” and completed research stays at the University of Oslo (2022) and the Institute for Comparative Public Law and International Law in Heidelberg (2019).