Google Cloud

GCP Compliance Complete Guide: HIPAA, FedRAMP, ISO, PCI DSS, Japan 3-Ministry-2-Guideline

2026-05-24
NicheeLab Editorial Team

A complete walkthrough of GCP compliance coverage. We cover the major regulations — HIPAA, FedRAMP, PCI DSS, ISO, GDPR, Japan's 3-Ministry-2-Guideline — and how Assured Workloads automates them.

Major Certifications at a Glance

CategoryCertification / Regulation
General securityISO 27001 / 27017 / 27018 / 27701, SOC 2 / 3
BCPISO 22301
QualityISO 9001
FinancialPCI DSS Level 1
US governmentFedRAMP High / Moderate, IL2 / IL4 / IL5, ITAR
HealthcareHIPAA BAA, HITRUST CSF
EuropeGDPR, EU Cloud Code of Conduct, C5 (Germany)
JapanFISC, 3-Ministry-2-Guideline, ISMAP
Other country-specificHITRUST (US), PIPEDA (Canada), APRA CPS 234 (Australia)

Assured Workloads

A folder-level feature that delivers regulatory compliance in a single click. Allowed services, regions, Access Transparency, CMEK, and more are applied automatically.

RegimeScope
FedRAMP HighUS government (sensitive)
FedRAMP ModerateUS government (general)
CJISUS law enforcement
IL2 / IL4 / IL5US Department of Defense
HIPAAHealthcare
HITRUSTHealthcare security
ITARUS export controls
Canada Public SectorCanadian government
EU Sovereign ControlsEU sovereignty
EU Regions and Support with Sovereignty ControlsEU regulations

Example HIPAA-Compliant Configuration

  1. Sign the BAA via Google Workspace
  2. Create a folder with Assured Workloads for HIPAA
  3. Use only allowed services (Cloud Healthcare API, GCE, GCS, BQ, etc.)
  4. Apply CMEK to all PHI data
  5. Enable all Cloud Audit Logs and export to BQ (6-year retention)
  6. Enable Access Transparency and Access Approvals
  7. Prevent exfiltration with VPC Service Controls
  8. Detect and mask PHI with Sensitive Data Protection

FedRAMP Coverage (US Federal)

  • FedRAMP High Authorization (Compute, GKE, Storage, BigQuery, etc.)
  • FedRAMP Moderate covers an even wider scope
  • Dedicated GovCloud regions (us-central-fedramp, etc.)
  • Automated via Assured Workloads for US Government

Japan-Specific: 3-Ministry-2-Guideline

Two guidelines from Japan's Ministry of Internal Affairs and Communications, Ministry of Economy, Trade and Industry, and Ministry of Health, Labour and Welfare that govern handling of medical information (the 3-Ministry-2-Guideline framework).

  • Keep everything in asia-northeast1 (Tokyo) with asia-northeast2 (Osaka) for DR
  • Cloud Healthcare API + CMEK
  • Enable all Cloud Audit Logs
  • Access Transparency for support-access visibility
  • PHI detection with Sensitive Data Protection
  • VPC Service Controls

ISMAP (Japanese Government Information Systems)

  • Japan's government cloud-usage standard (Information System Security Management and Assessment Program)
  • GCP is a registered ISMAP cloud service
  • Typically combined with asia-northeast1 / 2 regions and a Japanese SI partner

EU GDPR / Data Sovereignty

  • Keep data entirely within EU regions (europe-west1, etc.)
  • Data Residency Controls (Organization Policy)
  • Sovereign Cloud partners
    • T-Systems Sovereign Cloud (Germany)
    • S3NS Sovereign Cloud (France, Thales + Google)
  • EU GDPR Data Processing Addendum (DPA) provided

Access Transparency / Approvals

  • Access Transparency: Logs data access by Google Support / SRE to the Audit Log
  • Access Approvals: No access without prior customer approval
  • Key Access Justifications: Approval is required even for KMS key usage
  • Essential for accountability in regulated industries

Shared Responsibility Model

ItemGoogleCustomer
Physical securityYes
HardwareYes
Network infrastructureYesVPC / Firewall design
HypervisorYes
OSManaged onlyCustomer for GCE
ApplicationYes
DataYes
IAM configurationYes

Compliance Information Sources

  • Compliance Reports Manager: download certification report PDFs from the GCP console
  • Trust Center (cloud.google.com/security/compliance)
  • Compliance Resource Center for regulation-specific details

Does GCP sign a HIPAA BAA?

Yes. Major services including Cloud Healthcare API, Compute Engine, Cloud Storage, BigQuery, and Vertex AI are covered under HIPAA BAA. Sign the BAA via Google Workspace before use.

Does GCP support FedRAMP?

Yes — FedRAMP High (Compute, Storage, BigQuery, etc.) and Moderate are both supported. Assured Workloads for US Government makes it easy to build a compliant environment.

What about EU GDPR and data sovereignty?

Sovereign Cloud (T-Systems / S3NS) handles sovereignty requirements for France and Germany. You can also stay entirely within EU regions and enforce Data Residency Controls.

What about PCI DSS Level 1?

The GCP infrastructure is certified to PCI DSS Level 1. Under the shared responsibility model, certifying your own customer-facing application against PCI DSS is a separate effort.

Which ISO certifications does GCP hold?

Many — ISO 27001, 27017 (cloud-specific), 27018 (PII), 27701 (privacy information management), 22301 (BCP), 9001, and more.

What is Assured Workloads?

A folder-level feature that delivers regulatory compliance (HIPAA, FedRAMP, IL5, EU Regions, etc.) in a single click. Allowed services, regions, and access policies are applied automatically.

What about Access Transparency and Customer Lockbox?

Access Transparency logs every time Google Support accesses customer data. Access Approvals lets you require prior approval. Both are essential for accountability in regulated industries.

What about Japan's medical information guidelines?

GCP supports Japan's 3-Ministry-2-Guideline framework (Guidelines for Safety Management of Medical Information Systems). The standard configuration is Healthcare API + asia-northeast1 + CMEK + Access Transparency.

Related Articles: Compliance

Cloud Scheduler + Cloud Functions/Run で定期バッチ自動化チュートリアル (GCP)

Google Cloud Scheduler と Cloud Functions / Cloud Run Job で定期バッチ自動化。cron 形式、OIDC 認証、リトライ、Dead Letter、Workflows 連携、Cloud Run Job 並列実行を 2026 年最新版で解説。

Google Cloud (GCP) 認定資格ロードマップ 2026 完全版|全 15 試験を体系化

Google Cloud 認定資格 全 15 試験 (Foundational 2 + Associate 3 + Professional 10) の 2026 年版ロードマップ。14/15 試験が日本語対応、Generative AI Leader (2025-05 新)・PMLE 2026-06 新版、AWS/Azure/GCP シェア比較、役割別ルートを日本語で整理。

GCP Professional Cloud Developer (PCD) 完全ガイド|Cloud Run・GKE・CI/CD・APM

Google Cloud Professional Cloud Developer の試験範囲、Cloud Run / GKE / Cloud Build / Cloud Trace、AWS DVA / Azure AZ-204 比較、学習ロードマップを徹底解説。

GCP セキュリティベストプラクティス 20 選|ゼロトラスト・CMEK・VPC SC・SCC (2026)

Google Cloud のセキュリティベストプラクティス 20 選。IAM 設計、Workload Identity、CMEK / HSM、VPC Service Controls、BeyondCorp、Cloud Armor、Security Command Center、Sensitive Data Protection、Assured Workloads を 2026 年最新版で網羅。

Google Cloud is a trademark of Google LLC. For details on each regulation, refer to the official GCP Compliance page.

Check what you learned with practice questions

Practice with certification-focused question sets

Visit the GCP exam prep page
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Google Cloud

Google Cloud Certification Roadmap (2026)

Choose your GCP certification path — Foundational, Associate...

Google Cloud

CDL Cloud Digital Leader: Complete Exam Guide (2026)

Pass the Cloud Digital Leader exam — cloud business value, G...

Google Cloud

GAIL Generative AI Leader: Complete Exam Guide (2026)

Pass the Generative AI Leader exam — Gemini, Vertex AI, Work...

Google Cloud

Vertex AI Fundamentals for GCP Certs (2026)

Vertex AI basics every cert candidate needs — Workbench, Pip...

Google Cloud

Associate Cloud Engineer (ACE): Complete Guide (2026)

Pass the Associate Cloud Engineer exam — Console, gcloud, pr...

Browse all Google Cloud articles (103)
© 2026 NicheeLab All rights reserved.