A complete walkthrough of GCP compliance coverage. We cover the major regulations — HIPAA, FedRAMP, PCI DSS, ISO, GDPR, Japan's 3-Ministry-2-Guideline — and how Assured Workloads automates them.
| Category | Certification / Regulation |
|---|---|
| General security | ISO 27001 / 27017 / 27018 / 27701, SOC 2 / 3 |
| BCP | ISO 22301 |
| Quality | ISO 9001 |
| Financial | PCI DSS Level 1 |
| US government | FedRAMP High / Moderate, IL2 / IL4 / IL5, ITAR |
| Healthcare | HIPAA BAA, HITRUST CSF |
| Europe | GDPR, EU Cloud Code of Conduct, C5 (Germany) |
| Japan | FISC, 3-Ministry-2-Guideline, ISMAP |
| Other country-specific | HITRUST (US), PIPEDA (Canada), APRA CPS 234 (Australia) |
A folder-level feature that delivers regulatory compliance in a single click. Allowed services, regions, Access Transparency, CMEK, and more are applied automatically.
| Regime | Scope |
|---|---|
| FedRAMP High | US government (sensitive) |
| FedRAMP Moderate | US government (general) |
| CJIS | US law enforcement |
| IL2 / IL4 / IL5 | US Department of Defense |
| HIPAA | Healthcare |
| HITRUST | Healthcare security |
| ITAR | US export controls |
| Canada Public Sector | Canadian government |
| EU Sovereign Controls | EU sovereignty |
| EU Regions and Support with Sovereignty Controls | EU regulations |
Two guidelines from Japan's Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry, and Ministry of Health, Labour and Welfare that govern handling of medical information (the 3-Ministry-2-Guideline framework).
| Item | Customer | |
|---|---|---|
| Physical security | Yes | — |
| Hardware | Yes | — |
| Network infrastructure | Yes | VPC / Firewall design |
| Hypervisor | Yes | — |
| OS | Managed only | Customer for GCE |
| Application | — | Yes |
| Data | — | Yes |
| IAM configuration | — | Yes |
Does GCP sign a HIPAA BAA?
Yes. Major services including Cloud Healthcare API, Compute Engine, Cloud Storage, BigQuery, and Vertex AI are covered under HIPAA BAA. Sign the BAA via Google Workspace before use.
Does GCP support FedRAMP?
Yes — FedRAMP High (Compute, Storage, BigQuery, etc.) and Moderate are both supported. Assured Workloads for US Government makes it easy to build a compliant environment.
What about EU GDPR and data sovereignty?
Sovereign Cloud (T-Systems / S3NS) handles sovereignty requirements for France and Germany. You can also stay entirely within EU regions and enforce Data Residency Controls.
What about PCI DSS Level 1?
The GCP infrastructure is certified to PCI DSS Level 1. Under the shared responsibility model, certifying your own customer-facing application against PCI DSS is a separate effort.
Which ISO certifications does GCP hold?
Many — ISO 27001, 27017 (cloud-specific), 27018 (PII), 27701 (privacy information management), 22301 (BCP), 9001, and more.
What is Assured Workloads?
A folder-level feature that delivers regulatory compliance (HIPAA, FedRAMP, IL5, EU Regions, etc.) in a single click. Allowed services, regions, and access policies are applied automatically.
What about Access Transparency and Customer Lockbox?
Access Transparency logs every time Google Support accesses customer data. Access Approvals lets you require prior approval. Both are essential for accountability in regulated industries.
What about Japan's medical information guidelines?
GCP supports Japan's 3-Ministry-2-Guideline framework (Guidelines for Safety Management of Medical Information Systems). The standard configuration is Healthcare API + asia-northeast1 + CMEK + Access Transparency.
Related Articles: Compliance
Cloud Scheduler + Cloud Functions/Run で定期バッチ自動化チュートリアル (GCP)
Google Cloud Scheduler と Cloud Functions / Cloud Run Job で定期バッチ自動化。cron 形式、OIDC 認証、リトライ、Dead Letter、Workflows 連携、Cloud Run Job 並列実行を 2026 年最新版で解説。
Google Cloud (GCP) 認定資格ロードマップ 2026 完全版|全 15 試験を体系化
Google Cloud 認定資格 全 15 試験 (Foundational 2 + Associate 3 + Professional 10) の 2026 年版ロードマップ。14/15 試験が日本語対応、Generative AI Leader (2025-05 新)・PMLE 2026-06 新版、AWS/Azure/GCP シェア比較、役割別ルートを日本語で整理。
GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM
Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。
GCP セキュリティベストプラクティス 20 選|ゼロトラスト・CMEK・VPC SC・SCC (2026)
Google Cloud のセキュリティベストプラクティス 20 選。IAM 設計、Workload Identity、CMEK / HSM、VPC Service Controls、BeyondCorp、Cloud Armor、Security Command Center、Sensitive Data Protection、Assured Workloads を 2026 年最新版で網羅。
Google Cloud is a trademark of Google LLC. For details on each regulation, refer to the official GCP Compliance page.
Practice with certification-focused question sets
Visit the GCP exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
Google Cloud Certification Roadmap (2026)
Choose your GCP certification path — Foundational, Associate...
CDL Cloud Digital Leader: Complete Exam Guide (2026)
Pass the Cloud Digital Leader exam — cloud business value, G...
GAIL Generative AI Leader: Complete Exam Guide (2026)
Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...
Vertex AI Fundamentals for GCP Certs (2026)
Vertex AI basics every cert candidate needs — Workbench, Pip...
Associate Cloud Engineer (ACE): Complete Guide (2026)
Pass the Associate Cloud Engineer exam — Console, gcloud, pr...