Key Insight
Annex 11 of the EU GMP guidelines, the document that governs how pharmaceutical manufacturers must design, validate, and operate computerised systems, has gone largely unchanged since 2011. On 7 July 2025, the European Commission and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) published a draft revision that changes that significantly.
The draft expands Annex 11 from 5 pages to 19, adds seven entirely new sections, and introduces explicit requirements covering areas the original document never addressed: cybersecurity, cloud and SaaS systems, artificial intelligence governance, multi-factor authentication, and ALCOA+ data integrity principles. A companion document, the proposed new Annex 22, sets out a first regulatory framework for AI and machine learning systems in pharmaceutical manufacturing.
For quality and IT teams operating GMP-regulated computerised systems, the draft signals a shift in regulatory expectations that is well underway. The final version is expected in mid-2026, but organisations that wait for publication before beginning gap assessments will have considerably less runway than those that start now.
Supporting Data
The 2011 version of Annex 11 was written for an era of on-premise systems. Since then, the pharmaceutical industry has moved substantially toward cloud infrastructure, Software-as-a-Service QMS platforms, AI-assisted manufacturing processes, and hybrid paper-electronic workflows. Regulatory guidance on these technologies has not kept pace.
The consequences are visible in inspection data. According to Zamann Pharma’s analysis of critical GMP inspection findings from 2024, more than 70% were directly linked to data integrity failures and weak pharmaceutical quality systems, the two areas that Annex 11 most directly governs. Inspectors from both the EMA and FDA have consistently cited audit trail gaps, inadequate access controls, and system validation deficiencies as recurring findings across the industry.
The 2025 draft addresses this gap through several specific expansions:
| Area | 2011 Annex 11 | 2025 Draft |
|---|---|---|
| Document length | 5 pages | 19 pages |
| Cybersecurity | Not addressed explicitly | Dedicated section, penetration testing required |
| Cloud / SaaS systems | Not addressed | Explicitly in scope |
| AI / ML systems | Not addressed | Addressed via companion Annex 22 |
| ALCOA+ principles | Not mentioned | Explicitly mandated |
| Electronic signatures | Basic requirements | Multi-factor authentication, eIDAS-aligned |
| Audit trails | General requirements | Immutability mandates, periodic review obligations |
| Senior management responsibility | Implied | Explicitly stated |
Analysis
The 2025 draft represents a regulatory catch-up, not a sudden shift in direction. Inspectors have been applying data integrity expectations derived from ALCOA+ and FDA 21 CFR Part 11 to EU GMP inspections for years, even without those principles being written into Annex 11 itself. What the draft does is formalise expectations that leading organisations have been meeting voluntarily, while creating enforceable obligations for those who haven’t.
Several aspects of the draft deserve particular attention.
Cybersecurity as a GMP requirement. This is the most significant conceptual shift. The draft treats computerised systems used in GMP activities as core GMP-controlled assets, not just supporting infrastructure. Organisations will be expected to implement regular penetration testing for high-risk systems, timely patch management, and documented incident response. The implication is that a cybersecurity gap is now a GMP gap, with the same inspection and enforcement consequences.
Cloud and SaaS now explicitly in scope. The 2011 version was silent on cloud systems. The 2025 draft removes that ambiguity: cloud-hosted and SaaS-delivered systems fall within Annex 11’s scope. Quality agreements with cloud and SaaS providers will need to be strengthened, with enhanced due diligence to ensure third-party vendors operate under GMP-compliant conditions.
Annex 22 and AI governance. The proposed companion Annex 22 is the first regulatory framework the EU has produced for AI systems within pharmaceutical manufacturing. It focuses primarily on deterministic AI models, covering governance, verification, and ongoing oversight, and explicitly recommends ALCOA++ principles for AI-generated data. Generative AI and large language models are not addressed in the current draft. For organisations exploring AI in GMP contexts, alignment with both Annex 11 and the draft Annex 22 is now a planning requirement.
Senior management accountability is now explicit. The 2025 draft places explicit responsibility for GMP computerised system compliance on senior management, where the 2011 version implied it. This matters practically: it shifts the framing of Annex 11 compliance from an IT validation exercise to a governance matter requiring board-level visibility.
Impact
For pharmaceutical manufacturers: the scope of what constitutes a compliant GMP computerised system will be materially wider under the final Annex 11. Systems that were adequate under a literal reading of the 2011 document may not meet the expectations articulated in the 2025 draft. Gap assessments conducted against the draft now will be more accurate than those conducted against the 2011 text.
For cloud and SaaS vendors: those supplying systems used in GMP activities now have formal regulatory expectations directed at their platforms, not just at their customers. Quality agreements will need to reflect audit trail immutability, access control architecture, and incident response SLAs explicitly.
For CROs and CMOs: the draft reinforces that responsibility for computerised system compliance cannot be outsourced. When a contract organisation uses a GMP-regulated computerised system on behalf of a sponsor, the regulated user retains full responsibility for Annex 11 compliance, regardless of whether the system was supplied by the sponsor or chosen independently.
For AI adoption timelines: the introduction of Annex 22 as a companion draft is both an enabler and a signal. It enables organisations to plan AI governance frameworks with regulatory visibility for the first time. It also signals that deploying AI in manufacturing or quality processes without a formal governance and validation approach will attract inspection attention once Annex 22 is finalised.
Recommendations
Start the gap assessment now, against the draft. The final version is expected mid-2026. Organisations that begin assessing their current computerised systems against the 2025 draft requirements now will have time to remediate before the final text takes effect. The key areas to assess first are audit trail configuration and review practices, access control and user authentication (particularly whether systems support multi-factor authentication), vendor and cloud provider quality agreements, and cybersecurity controls including patch management and penetration testing plans.
Treat cybersecurity as a GMP activity. High-risk GMP systems should have a documented cybersecurity risk assessment, a penetration testing schedule, and an incident response procedure that integrates with the pharmaceutical quality system. These are now inspection targets, not optional good practices.
Review cloud and SaaS vendor agreements. Quality agreements with cloud providers need to address Annex 11 requirements explicitly, including data ownership and access after contract termination, audit trail integrity guarantees, and the vendor’s own change control procedures for updates that could affect GMP functionality.
Plan for ALCOA++ alignment across all electronic records. Data must be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available from the point of creation through archival. This applies to records generated by all computerised systems in GMP scope, not just validated laboratory systems.
Future Outlook
The final version of the revised Annex 11 is expected in mid-2026. The draft comment period closed in October 2025, and the European Commission and PIC/S are incorporating feedback. A transition period after publication is likely, but its length has not been formally announced.
Beyond the immediate revision, the direction of travel is clear. Regulatory agencies globally are converging on data integrity, lifecycle validation, cybersecurity, and digital governance as the core pillars of computerised system oversight. The 2025 Annex 11 draft aligns explicitly with FDA 21 CFR Part 11, GAMP 5, ICH Q9, and ICH Q10, reducing the gaps between jurisdictions that organisations have historically navigated separately.
For the pharmaceutical industry, the question is no longer whether digital transformation in manufacturing and quality will be regulated, but how quickly current systems need to be brought into alignment with the new expectations, and whether that work is easier done now or under inspection pressure later.
Sources
- Montrium, “EU GMP Annex 11 update: What changed after 14 years”
- Certivo, “EU GMP Annex 11 (2025 Draft): Computerized Systems Compliance Guide”
- Lachman Consultants, “EU GMP Annex 11: What’s Changing in the 2025 Draft Concept Paper?”
- Clinical Pathways Research, “EU Commission Releases Draft Annex 11: Computerised Systems”
- Eupry, “Annex 11 2025/2026 update: what’s new for pharma computerised systems”
- Qualitest Group, “EU GMP Annex 11 and Annex 22: Digital Compliance in Life Sciences”
- PQE Group, “EU GMP Annex 11 Ch.4 and Annex 22: Latest EU regulatory updates”
- GMP Insiders, “2025 EU GMP Draft Updates: Chapter 4, Annex 11, and Annex 22”
- Zamann Pharma, “Pharma Regulations in 2026: GMP Global Rules Guide”
- European Commission, “Annex 11 Consultation Guideline Draft”
- SimplerQMS, “EU Annex 11: Computerized Systems (What You Need to Know)”
- Tech Qualitas, “Staying Ahead: Key Updates to EU Annex 11 for Computerized Systems”
- Jensonr, “EU GMP Annex 11 Revision 2025”


