Google Gemini and the EU AI Act: Classification, Obligations, and What Your Organisation Owes
Gemini is a GPAI model — your compliance depends on how you deploy it. Article 50 disclosure from Aug 2026; high-risk Annex III obligations by Dec 2027.
Google Gemini is an assistant built on a general-purpose AI (GPAI) model, as defined in Article 3(63) of Regulation (EU) 2024/1689, that Google makes available through Workspace, the Gemini app, and Vertex AI. That status matters structurally: the GPAI obligations in Chapter V (Articles 51–55) sit with Google as the model provider, not with your organisation. Your compliance question is a different one. It turns on what you do with Gemini, not what Gemini is called.
This guide works through that question systematically: how to classify your Gemini deployment by use, which obligations follow from that classification, where Article 50 transparency duties come in even for low-stakes uses, and what changes when you build on top of Gemini rather than simply consume it.
The Classification Principle: Use Determines Risk
The EU AI Act does not list Gemini or any commercial tool by name. It classifies AI systems by the role they play in decisions that affect people. Gemini used for internal meeting summaries sits at minimal risk — no mandatory obligations. Gemini used to screen job applicants sits at high risk under Annex III, point 4(a), and inherits a substantial compliance stack. The tool name is irrelevant; the use case is everything.
This is the first and most important correction to make when assessing Gemini in your AI inventory. Do not label Gemini itself as high-risk. Classify each deployment by its intended purpose and the decisions it influences.
The three outcomes your classification exercise will reach
Minimal risk — general productivity, drafting, summarisation, internal Q&A, translation, code generation for internal tooling. No mandatory EU AI Act obligations beyond keeping a record for your AI inventory (good practice, not yet a hard statutory duty for deployers). Article 4 AI literacy obligations apply to your organisation from 2 February 2025 regardless of which tools you use.
Limited risk (transparency obligations under Article 50) — customer-facing or user-facing Gemini deployments where the person interacting with the system might not know they are talking to AI. Article 50 applies from 2 August 2026. Two duties are most relevant here:
- Article 50(1): if Gemini is deployed as a chatbot or conversational agent that interacts with natural persons, you must disclose that they are interacting with an AI system — unless it is obvious from the context.
- Article 50(2): if Gemini generates synthetic audio, video, images, or text that is disseminated to the public, it must be marked as artificially generated or manipulated.
These transparency duties are the floor for most commercial Gemini deployments. They are not optional and apply to deployers, not only providers.
High risk — Gemini deployed for an Annex III purpose: recruitment screening (point 4(a)), employee performance evaluation or termination recommendations (point 4(b)), creditworthiness assessment (point 5(b)), eligibility for essential public services or social benefits (point 5(a)), student placement or educational evaluation (point 3(a)), remote biometric identification or categorisation (point 1(a)/(b)), or similar. High-risk obligations apply from 2 December 2027 for stand-alone systems under Annex III (deferred from the original August 2026 date under the Digital Omnibus agreed in May 2026). That gives you time to prepare — it is not a reason to defer starting.
GPAI Provider Obligations Belong to Google
Gemini is a GPAI model within the meaning of Article 3(63): a model trained on large volumes of data, capable of serving a broad range of tasks. Chapter V of the AI Act (Articles 51–55) creates a dedicated regime for GPAI providers. Google, as the entity that trained and places Gemini on the market under its own name, bears those obligations. Your organisation does not, unless you train or fine-tune a model at a scale that makes you a GPAI provider yourself (the systemic-risk threshold under Article 51 is 10²⁵ FLOPs of training compute — orders of magnitude beyond what any deployer running Gemini API calls is doing).
What this means practically: you do not owe Google's Article 53 obligations (technical documentation of the model, downstream information to deployers, copyright policy, training-data summary). You owe your own obligations as a deployer or, if you build a product on top of Gemini, potentially as a provider of that product.
Provider or Deployer? The Role Question for Gemini Users
Your role under the Act determines which obligations sit with you.
You are a deployer (Article 26) if you use Gemini through Google's standard API, Workspace integration, or consumer app without materially modifying the model, and you deploy it under your organisation's authority in a professional context. Most organisations using Gemini are deployers.
You become a provider (Article 16) — and inherit the heavier obligation set — in three circumstances, governed by Article 25:
- You place a Gemini-based system on the market under your own name or trademark.
- You substantially modify a Gemini-based system (Article 3(23) defines substantial modification as a change that affects the system's compliance with high-risk requirements, or a change to intended purpose that moves it into or within the high-risk category).
- You modify the intended purpose of a Gemini-based system in a way that creates a new high-risk use case.
A company that takes Gemini, fine-tunes it on proprietary HR data, and sells the resulting candidate-screening tool to other employers is a provider of a high-risk AI system. It must conduct conformity assessment under Article 43, compile technical documentation under Article 11 and Annex IV, prepare an EU Declaration of Conformity under Article 47, and register the system in the EU database under Article 49 — all before placing it on the market. This is the heaviest path.
A company that uses Gemini's API to generate first-draft performance review summaries that managers then edit and approve is a deployer. The obligations are lighter — but not absent, especially if the use case is high-risk.
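To make the two tests above concrete (risk tier from the use case, role from the Article 25 triggers, with the Article 50 layer applied at every tier), here is an added Python sketch of an AI-inventory classifier that serves both the classification section and the role question. It is example code written for this guide, not Confir's engine or anything from the Regulation's text; the use-case labels and field names are constructed for the example.

```python
from dataclasses import dataclass

# Annex III points the page names, keyed by use-case labels constructed for this example.
ANNEX_III = {
    "recruitment_screening": "Annex III, 4(a)",
    "employee_evaluation": "Annex III, 4(b)",
    "educational_evaluation": "Annex III, 3(a)",
    "public_benefits_eligibility": "Annex III, 5(a)",
    "creditworthiness": "Annex III, 5(b)",
    "insurance_risk_scoring": "Annex III, 5(c)",
    "biometric_identification": "Annex III, 1(a)/(b)",
}
FRIA_USES = {"creditworthiness", "insurance_risk_scoring"}  # Art. 27 triggers for private deployers

@dataclass
class Deployment:
    # One row of the AI inventory; field names are this example's, not the Act's.
    name: str
    use_case: str                           # an ANNEX_III key or any other label
    interacts_with_persons: bool = False    # chatbot or conversational agent
    public_synthetic_content: bool = False  # images/audio/video/text for the public
    own_brand: bool = False                 # placed on the market under your name (Art. 25)
    substantially_modified: bool = False    # fine-tuned or repurposed into high risk (Art. 25)
    public_body: bool = False               # public-sector deployer (Art. 27)
    affects_employees: bool = False         # monitoring or evaluating your workers (Art. 26)

@dataclass
class Assessment:
    tier: str
    role: str
    obligations: list[str]

def assess(d: Deployment) -> Assessment:
    annex = ANNEX_III.get(d.use_case)
    # Tier follows the use, never the tool name.
    if annex:
        tier = "high"
    elif d.interacts_with_persons or d.public_synthetic_content:
        tier = "limited"
    else:
        tier = "minimal"
    # Role follows the Article 25 triggers, independently of the tier.
    role = "provider" if (d.own_brand or d.substantially_modified) else "deployer"
    obligations = ["Art. 4 AI literacy (in force since 2 Feb 2025)"]
    # The Article 50 transparency layer applies at every tier.
    if d.interacts_with_persons:
        obligations.append("Art. 50(1) disclose AI interaction (from 2 Aug 2026)")
    if d.public_synthetic_content:
        obligations.append("Art. 50(2) machine-readable marking (from 2 Aug 2026)")
    if annex and role == "provider":
        obligations.append(f"Art. 16 stack for {annex}: Arts. 9, 10, 11+Annex IV, 13, 14, "
                           "43, 47+Annex V, 49, all before market (deadline 2 Dec 2027)")
    elif annex:
        obligations.append(f"Art. 26 deployer duties for {annex}: follow instructions, human "
                           "oversight, 6-month logs, monitoring (deadline 2 Dec 2027)")
        if d.public_body or d.use_case in FRIA_USES:
            obligations.append("Art. 27 FRIA before deployment")
        if d.affects_employees:
            obligations.append("Art. 26 inform workers' representatives before deployment")
    return Assessment(tier, role, obligations)
```

Running the three deployments from the Confir section through `assess` lands them at minimal, limited and high/provider respectively; a private bank's creditworthiness use picks up the Article 27 FRIA line as a deployer.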
Deployer Obligations for High-Risk Gemini Deployments
If your Gemini deployment is high-risk (Annex III applies), Article 26 sets out what your organisation must do.
Use the system according to instructions. Google publishes usage policies, acceptable-use documentation, and data-processing terms for Workspace and Vertex AI. Deployers must follow provider instructions — that is Article 26's baseline requirement, and it is also the foundation of your due-diligence record.
Implement meaningful human oversight. Article 14 requires that high-risk systems be designed to allow human oversight; Article 26 requires deployers to actually exercise it. For Gemini, this means the people acting on its outputs — rejecting candidates, approving credit decisions, recommending student placements — must have genuine authority to override the system, access to enough information to assess its output, and the training to do so critically. A reviewer who rubber-stamps Gemini's recommendation without scrutiny does not satisfy Article 14.
Keep logs. Article 26 requires deployers to retain logs of the system's operation for at least six months (where those logs are generated by and under the control of the deployer). Do not confuse this with the provider's ten-year technical documentation retention under Article 18.
Inform workers. If you deploy Gemini to monitor, evaluate, or assist in decisions affecting your employees, Article 26 requires you to inform workers' representatives before deployment begins.
Run a Fundamental Rights Impact Assessment (FRIA) where required. Article 27 applies to public bodies deploying high-risk AI and to private deployers of creditworthiness (Annex III, 5(b)) or life and health insurance risk-scoring (Annex III, 5(c)) systems. If your Gemini deployment falls into one of those categories, the FRIA is mandatory — it is not a voluntary best-practice exercise.
Monitor and report. Deployers must monitor for risks from actual use and report serious incidents to the provider and, where required, to the relevant market-surveillance authority under the mechanism in Article 73 (that article governs the provider's formal reporting duty; the deployer's obligation to flag incidents to the provider flows from Article 26).
The Article 50 Transparency Layer: Applies Regardless of Risk Level
Even a minimal-risk Gemini deployment may trigger Article 50 obligations if it involves direct human interaction. From 2 August 2026:
Chatbots and conversational agents (Article 50(1)): any Gemini-powered interface that interacts with natural persons in real time must tell those persons they are talking to an AI — unless the context makes it obvious. A customer-support bot embedded in your website, a Gemini-powered internal helpdesk, a product assistant in your app: all require disclosure.
Synthetic content (Article 50(2)): Gemini-generated images, audio, or video presented to the public must carry an Article 50(2) machine-readable label. Text intended for public dissemination that is AI-generated must be marked under Article 50(4) — though there is a narrow exception for human-reviewed and substantially edited content.
These are transparency duties, not safety duties. The sanction for non-compliance falls under Article 99(4): up to €15 million or 3% of worldwide annual turnover, whichever is higher. That ceiling applies to the same tier as most other deployer and provider obligation breaches.
Data Residency, GDPR, and Workspace vs. Vertex AI
Gemini comes in two structurally different forms for enterprise users, and the compliance implications differ.
Google Workspace with Gemini operates under Google's Workspace Customer Agreement and associated Data Processing Amendment. Data is processed in Google's infrastructure; EU customers can select EU data residency. The GPAI model obligations (Chapter V) sit with Google; you are a data controller under GDPR and a deployer under the AI Act.
Vertex AI / Gemini API gives you more control — and more responsibility. You define the prompts, the context, the application logic, and the downstream outputs. If you build a product that makes consequential decisions using Vertex AI, you are more likely to cross the threshold from deployer to provider under Article 25. Assess your Vertex AI use cases separately.
GDPR remains a parallel obligation. Where Gemini processes personal data — and most enterprise deployments do — you need a lawful basis, a data processing agreement with Google, and, for special-category data or high-volume profiling, a Data Protection Impact Assessment (GDPR Article 35). GDPR compliance is not a substitute for EU AI Act compliance; both apply.
Building on Gemini: When You Become the Provider
The scenario that changes the compliance calculus most sharply is building a product or service on top of Gemini and distributing it to others.
If you offer a Gemini-based recruitment screening tool, a credit-analysis assistant, or a healthcare triage system under your own brand, you are a provider of an AI system within the meaning of Article 3(3). If that system is high-risk, you inherit the full Article 16 obligation stack — before you launch:
- Article 9: establish and maintain a risk management system throughout the lifecycle.
- Article 10: implement data governance for training and validation data (if you fine-tune or adapt the model).
- Article 11 + Annex IV: compile technical documentation.
- Article 13: provide transparency information to the downstream deployer.
- Article 14: build in human oversight by design.
- Article 43: complete a conformity assessment (most Annex III categories use the Annex VI internal self-assessment route; biometrics under Annex III, point 1 generally requires the Annex VII notified-body route).
- Article 47 + Annex V: sign and keep an EU Declaration of Conformity.
- Article 49: register the system in the EU database before placing it on the market.
The high-risk application date for stand-alone Annex III systems is 2 December 2027, deferred from 2 August 2026 under the Digital Omnibus. For high-risk AI embedded in Annex I regulated products (medical devices, machinery, etc.), the deadline is 2 August 2028. These timelines are tighter than they look once documentation, conformity assessment, and any notified-body review are factored in.
Article 4: AI Literacy Applies Now
Whatever your Gemini deployment's risk classification, Article 4 has applied since 2 February 2025. Organisations must ensure that staff who use, oversee, or make decisions based on AI systems have sufficient AI literacy for the role they play. For Gemini deployments, this means at minimum: users understand that outputs can be wrong, biased, or confidently stated fabrications; reviewers of high-risk outputs understand the system's limitations and their override authority; and the organisation has documented how it is meeting the literacy requirement.
Article 4 is one of the most under-resourced obligations in practice. It is also one of the cheapest to address before an inspection arrives.
How Confir Helps
Confir's AI register lets you record each Gemini deployment — by use case and deployment context — as a separate entry. The rule-based classification engine then derives the risk tier (unacceptable, high, limited, minimal) and your organisation's role (provider, deployer) from a plain-English intake. Same inputs produce the same output every time; the logic is transparent and auditable, not probabilistic.
For a deployer with a mix of Gemini use cases — Workspace Gemini for internal productivity, a customer-facing Gemini chatbot, and a Vertex AI integration for a B2B product — those three entries will land at minimal, limited (Article 50 disclosure required), and potentially high-risk or provider-level respectively. Each gets scoped separately.
Frequently Asked Questions
Is Google Gemini itself a high-risk AI system under the EU AI Act?
No. Gemini is a GPAI model — a general-purpose model governed by Chapter V (Articles 51–55), which is a separate, cross-cutting regime, not a risk tier. The EU AI Act classifies AI systems by use, not by tool name. A Gemini deployment that screens job applicants is high-risk under Annex III, point 4(a). A Gemini deployment that drafts internal emails is minimal risk. The model itself carries no inherent risk tier; the deployment does.
What are Google's obligations under the EU AI Act, and do they pass to us?
As the GPAI provider, Google bears the Article 53 obligations: maintaining technical documentation of the model, passing relevant information downstream to deployers and providers building on Gemini, publishing a copyright policy, and providing a training-data summary. If Gemini crosses the systemic-risk threshold (10²⁵ FLOPs presumption under Article 51), Article 55 obligations also apply to Google. None of these obligations transfer to your organisation. You owe your own obligations as deployer or product provider — they are separate and run in parallel.
We use Gemini in Google Workspace for productivity. What do we actually owe?
At minimal risk, your core obligation is Article 4 AI literacy — in force since 2 February 2025. Ensure relevant staff understand Gemini's limitations and can critically assess its outputs. From 2 August 2026, if any Workspace-integrated Gemini feature interacts directly with customers or external users in a conversational context, Article 50(1) disclosure applies. Keep records of your classification decision. No high-risk obligations apply unless a specific use case falls within Annex III.
We built a product that uses the Gemini API. Are we a provider?
If you placed a system built on Gemini on the market under your own name, or substantially modified a Gemini-based system, Article 25 makes you the provider of that system. If the use case is high-risk, you owe the full Article 16 stack — risk management (Article 9), technical documentation (Article 11 + Annex IV), conformity assessment (Article 43), Declaration of Conformity (Article 47), and registration (Article 49). The relevant deadline for stand-alone Annex III high-risk systems is 2 December 2027 under the Digital Omnibus agreed in May 2026.
What does Article 50 require for a Gemini-powered customer chatbot?
Article 50(1) requires that users interacting with a chatbot or conversational AI agent be informed they are speaking to an AI system — unless it is obvious from context. This applies from 2 August 2026. The disclosure must be made at the start of the interaction, not buried in terms of service. If the chatbot also generates synthetic content (images, audio, video) for public dissemination, Article 50(2) machine-readable marking applies. Failure to disclose can result in fines under Article 99(4) of up to €15 million or 3% of worldwide annual turnover.
What are the penalties for non-compliance?
Article 99 has three tiers. Breaching the Article 5 prohibitions (banned practices): up to €35 million or 7% of global annual turnover, whichever is higher. Breaching most other obligations — including high-risk requirements, provider and deployer duties, and Article 50 transparency: up to €15 million or 3% of global annual turnover. Supplying incorrect or misleading information to authorities or notified bodies: up to €7.5 million or 1% of global annual turnover. For GPAI providers specifically, Article 101 allows the Commission to impose fines up to €15 million or 3%. There are no intermediate tiers; the "€30M/6%" figures that circulate are not in the Regulation. SMEs and start-ups benefit from the Article 99(6) proportionality cap, which limits fines to the lower of the percentage or the fixed amount.
How does GDPR interact with the EU AI Act for Gemini deployments?
Both apply, and satisfying one does not satisfy the other. GDPR governs the processing of personal data — lawful basis, data subject rights, security, and the requirement for a DPIA (GDPR Article 35) for high-risk processing. The EU AI Act governs the AI system's risk level, oversight, and transparency. For a high-risk Gemini deployment processing personal data, you need both a GDPR-compliant processing basis and an EU AI Act conformity pathway. Practical overlap area: the Article 27 FRIA (Fundamental Rights Impact Assessment required for certain high-risk deployers) intersects with GDPR DPIA obligations, and the two should ideally be run together to avoid duplicate effort.
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.