
Google Vertex AI and the EU AI Act: The Platform Is Not the System

AI Tool Compliance · 19 June 2026 · 12 min read

Vertex AI is infrastructure — the EU AI Act attaches to the AI system you build on it. Classify by intended purpose, fix your role, and own Article 12 logging.

Train a candidate-ranking model on Vertex AI to shortlist hires and that system is high-risk under the EU AI Act — and you, not Google, own the full provider stack for it. Vertex AI is infrastructure; the obligation lands on what you build.

Vertex AI is a managed machine-learning platform. From one console you can train and deploy your own models — AutoML, custom training, MLOps pipelines — and consume general-purpose models like Gemini through Model Garden. These are two structurally different compliance paths under Regulation (EU) 2024/1689. Fix the role and classification first.

Vertex AI is a platform — the Act attaches to the system you put on it

The EU AI Act never names Vertex AI or any cloud. It regulates the AI system as defined in Article 3(1) — a machine-based system placed on the market or put into service — and classifies it by its intended purpose under Article 6 and the Annexes. The platform underneath is an input.

So reframe the question: not "is Vertex AI compliant?" but "what AI system have I built or deployed on it, and what decision does it influence?" A single account can host one minimal-risk workload and one high-risk workload; the console is identical, the legal treatment is not. And because Vertex AI is built for training your own model, the moment you configure one for a purpose you typically become both the provider and the data-governance owner of that system — the build-your-own path pulls the heaviest duties toward you, earlier.


Provider or deployer? The Vertex AI fork depends on what you do

The Act assigns obligations by role, and Vertex AI lets you occupy either — sometimes both.

You train or fine-tune — you are the provider

Train or fine-tune a model on Vertex AI, configure it for a purpose, and put it into service under your own name, and Article 16 makes you the provider of that AI system — the heaviest obligation stack, detailed below.

You only call a hosted endpoint — you are the deployer

Call a hosted Gemini endpoint via standard API access, leave it unmodified, and use it under your own authority, and you are a deployer under Article 26: follow the provider's instructions, exercise oversight, retain logs for at least six months, and inform workers' representatives before workplace deployment.

The role can shift under your feet

Article 25 governs role shifts. Put your own name or trademark on a system, make a substantial modification (Article 3(23) — a change affecting compliance with the high-risk requirements or the intended purpose), or repurpose it into a high-risk use, and you become the provider even if you began as a deployer. Google's layer sits apart and does not flow down to cover what you build: see the provider vs deployer role logic.


Classify the system by intended purpose, not by the platform

With your role fixed, classify the system. The Act sorts AI into prohibited, high-risk, limited-risk, and minimal-risk tiers; the heavy regime attaches only to high-risk systems under Article 6.

High-risk via Annex III (stand-alone) — Article 6(2)

The stand-alone high-risk areas most relevant to Vertex AI builds sit in Annex III:

  • Employment (point 4) — 4(a) recruitment and selection; 4(b) decisions on terms, promotion, termination, and monitoring in an existing employment relationship.
  • Access to essential services (point 5) — creditworthiness and credit scoring (5(b), excluding fraud detection), and risk assessment and pricing for life and health insurance (5(c)).
  • Critical infrastructure (point 2) — AI as a safety component in the operation of critical infrastructure, including the supply of water, gas, heating, electricity, and road traffic.

High-risk via Annex I (product-embedded) — Article 6(1)

The second route is product-embedded. A custom Vertex AI model acting as a safety component of a regulated product falls under Article 6(1) and Annex I, whose Section B covers motor-vehicle type-approval under Regulation (EU) 2018/858, plus aviation, rail, and marine. Classification then runs through the product legislation.

Most builds are not high-risk — but check Articles 5 and 50

Most marketing, adtech, demand-forecasting, and general logistics models trained on Vertex AI are not high-risk — they sit in none of the Annex III areas. Two duties still bite: Article 5 prohibits subliminal or manipulative techniques and the exploitation of vulnerabilities; Article 50 imposes transparency duties on chatbots and synthetic or deepfake content. Document the decision; do not assume non-regulation.

Article 6(3) offers a filter even inside Annex III: a system escapes high-risk if it only performs a narrow procedural task, improves a completed human activity, detects patterns without replacing human judgement, or does preparatory work — but never if it profiles natural persons. Even then, document the assessment and register under Article 49.


The GPAI layer: consuming Gemini through Model Garden

Gemini accessed via Vertex AI Model Garden is a general-purpose AI (GPAI) model under Article 3(63). The Chapter V obligations — Articles 51–55, in force since 2 August 2025 — sit with Google as the model provider, not with you. You will not cross the systemic-risk presumption by making API calls: Article 51 presumes it at 10^25 FLOPs of training compute, which targets the trainer, not a downstream caller.

Your job as a downstream deployer or provider is due diligence: choose a model whose provider supplies the Article 53 information — downstream documentation, copyright policy, and training-data summary. (Confir's coverage of GPAI provider obligations is partial and on the roadmap.)


What a high-risk Vertex AI build actually owes

If your workload lands in Annex III and you are the provider, two duties are sharpened because you trained the model yourself.

Article 10 data governance for custom-trained models

Article 10 is the obligation custom Vertex AI pipelines most often underestimate. Training, validation, and testing datasets must be relevant, representative, and as free of errors as possible, examined for bias and gaps. When you train your own model, this lands on you from the first dataset.

Article 12 logging — design it into the pipeline

Article 12 requires high-risk systems to technically allow automatic recording of events across their lifecycle. Design your Vertex AI pipelines, model endpoints, and prediction logs to capture this from the start; retrofitting it later is expensive. On the deployer side, Article 26 requires you to retain logs for at least six months and keep Article 14 oversight real.

Provider obligations before you go to market

Before the system reaches the market, work the sequence: lifecycle risk management (Article 9); data governance (Article 10); technical documentation prepared in advance and retained ten years (Article 11 plus Annex IV; Article 18); transparency to deployers (Article 13); human oversight (Article 14); accuracy, robustness, and cybersecurity (Article 15); conformity assessment (Article 43 — Annex VI self-assessment for most Annex III, Annex VII notified body for biometrics); an EU Declaration of Conformity (Article 47 plus Annex V); and registration (Article 49). For public-body deployers, and private deployers in creditworthiness (Annex III 5(b)) and insurance pricing (5(c)), Article 27 adds a mandatory Fundamental Rights Impact Assessment.


Timeline and penalties: what bites and when

Map your workload against the application dates:

| Obligation | Application date | Affects |
|---|---|---|
| Article 5 prohibitions | In force since 2 February 2025 | Manipulative or vulnerability-exploiting builds |
| Article 4 AI literacy | In force since 2 February 2025 | Staff using or building any workload |
| GPAI Articles 51–55 | In force since 2 August 2025 | Google as Gemini's model provider |
| Article 50 + CSAM/"nudifier" prohibition | 2 December 2026 | Chatbots, synthetic-content marking |
| High-risk Annex III (Article 6(2)) | Statute reads 2 August 2026 | Custom recruitment, scoring, infrastructure models |
| High-risk Annex I (Article 6(1)) | 2 August 2027 | Models as safety components of products |

A caveat on the high-risk dates. The Digital Omnibus reached provisional political agreement on 6–7 May 2026 (COREPER confirmed the text around 13 May 2026), but as of June 2026 it is not yet law — it still needs a European Parliament plenary vote, formal Council adoption, and publication in the Official Journal. Until then, the statute still legally reads 2 August 2026 for stand-alone high-risk Annex III. Plan against 2 August 2026 until the deferral is enacted. The deferral sets fixed calendar dates; the standards-contingent "stop the clock" variant was rejected — not everything is delayed.

Penalties follow Article 99: up to €35 million or 7% of total worldwide annual turnover, whichever is higher, for prohibited practices (Article 99(3)); up to €15 million or 3% for high-risk and most obligation breaches, including Article 50 transparency (Article 99(4)); up to €7.5 million or 1% for incorrect or misleading information to authorities (Article 99(5)). Article 99(6) caps SMEs and start-ups at the lower of the percentage or the fixed amount.


Worked example: a logistics company building on Vertex AI

Consider Hafenlogistik GmbH, a Hamburg-based freight-routing firm of roughly 180 employees and around €38 million turnover, running two Vertex AI workloads.

Workload 1 — demand forecasting. A custom model predicts shipment volumes to optimise truck dispatch. Not an Annex III area, so minimal or limited risk: no high-risk stack — only Article 4 AI literacy, plus Article 50 disclosure if a chatbot is bolted on later.

Workload 2 — candidate ranking. The firm fine-tunes a model to shortlist warehouse hires — Annex III point 4(a), high-risk. Because Hafenlogistik trained it under its own authority, it is the provider (Article 16) and the deployer at once, owing the full Article 9, 10, 11, 12, 14, 43, 47, and 49 stack plus the Article 26 duties; because the firm sits under both SME thresholds, the Article 99(6) cap applies to any fine.

Same account, two workloads, two different obligation sets. Classification follows the system, not Vertex AI.


How Confir helps

Register each Vertex AI workload as a separate inventory entry — by intended purpose and deployment context — rather than logging "Vertex AI" as a single line item. Confir's synthesis engine is deterministic and rule-based — no model inference, no hallucination. The same plain-English intake always yields the same risk tier and the same role, so the result is auditable rather than probabilistic. For a high-risk build it routes you to the structured assessment and a compliance package: Article 11 / Annex IV technical documentation, the Article 47 Declaration of Conformity, and an Article 27 Fundamental Rights Impact Assessment for qualifying deployers. For a limited-risk build it routes only to the Article 50 disclosure controls. See it at confir.eu and build your full AI system inventory.


Frequently asked questions

Is Google Vertex AI itself high-risk under the EU AI Act?

No. Vertex AI is a managed ML platform, not an AI system with a fixed risk tier. The EU AI Act classifies the system you build or deploy on it by its intended purpose under Article 6 and Annex III. A custom model you train to screen job applicants is high-risk under Annex III point 4(a); the same platform running an internal demand-forecasting model is minimal risk. The platform carries no classification — the system you put on it does.

If I train my own model on Vertex AI, am I the provider?

Almost certainly yes. If you train or fine-tune a model on Vertex AI, configure it for a purpose, and put it into service under your own name, Article 16 makes you the provider — and Article 25 reinforces this where you apply your trademark or set the intended purpose. As a provider of a high-risk system you owe the full stack: risk management (Article 9), data governance (Article 10), technical documentation (Article 11), logging (Article 12), conformity assessment (Article 43), and registration (Article 49).

Does Google bear my EU AI Act obligations because I use Vertex AI?

No. Google carries its own layer: for Gemini accessed through Model Garden it is the GPAI model provider under Chapter V (Articles 51–55), and for the platform it is an infrastructure provider. Those duties — downstream documentation, copyright policy, training-data summary under Article 53 — sit with Google and do not flow down. When you build or deploy a system on Vertex AI, your provider or deployer obligations run in parallel. Google's compliance does not cover yours.

What does Article 12 logging mean for a Vertex AI pipeline?

Article 12 requires high-risk AI systems to technically allow automatic recording of events across their lifecycle, so behaviour can be traced and incidents investigated. For a Vertex AI build, design your training pipelines, model endpoints, and prediction logs to capture the required records from the outset rather than retrofitting them. Separately, Article 26 requires deployers to retain logs under their control for at least six months. Logging is far cheaper to design in than to add later.

When do the high-risk deadlines apply to systems built on Vertex AI?

As of June 2026 the statute reads 2 August 2026 for stand-alone high-risk Annex III systems and 2 August 2027 for product-embedded Annex I systems. The Digital Omnibus reached provisional political agreement on 6–7 May 2026 to defer these, but it is not yet law — it still needs a European Parliament plenary vote, Council adoption, and publication in the Official Journal. Plan against 2 August 2026 until the deferral is enacted. Article 50 transparency duties apply from 2 December 2026.

What are the penalties for getting Vertex AI compliance wrong?

Article 99 sets three tiers, each at whichever figure is higher. Prohibited practices under Article 5 carry up to €35 million or 7% of total worldwide annual turnover (Article 99(3)). High-risk and most obligation breaches, including Article 50 transparency, carry up to €15 million or 3% (Article 99(4)). Supplying incorrect or misleading information to authorities carries up to €7.5 million or 1% (Article 99(5)). SMEs and start-ups benefit from Article 99(6), which caps the fine at the lower of the percentage or the fixed amount.

