The expansion of Annex 11 includes detailed infrastructure requirements and mandates for testing critical systems, aligning with the NIS2 Directive and the ISO 27001 standard. It offers a comprehensive list of directives for mandatory audit logging of all user interactions across GMP-relevant systems. These may require expensive upgrades to older systems but are critical for maintaining regulatory compliance.
A critical component of the updated Annex 11 is Data Integrity, which is addressed throughout several sections of the document, such as Identity and Access Management, Audit Trails, Electronic Signatures, and Security. Formalized obligations for qualification, oversight of lifecycle documentation, and contracts with service providers are also covered. A new section of Annex 11 discusses implementation and integration with Pharmaceutical Quality Systems (PQS), covering how computerized systems must be embedded into the organization’s PQS and the requirement for regular reviews to ensure the proper operation of the system. Additionally, a new section addresses Alarm Management and the lifecycle of alarms.
The new Annex 11, the updates to Chapter 4, and the new Annex 22 should be treated as a single “regulatory triad” when assessing the impact of these updates. Having reviewed Annex 11, let’s take a quick look at the other two documents.
Chapter 4 supports Annex 11 by reinforcing traceability requirements and incorporates the data principles of ALCOA++ (“Attributable, Legible, Contemporaneous, Original, and Accurate” – the ++ accentuates “complete, consistent, enduring, available, and traceable”). Chapter 4 examines documentation storage duration, GMP-related record signature procedures, and master documentation governance.
Annex 22, a new document, introduces regulations regarding AI/ML systems in pharmaceutical manufacturing and applies to deterministic AI models, excluding areas such as generative AI and Large Language Models (LLMs). It recommends ALCOA++ principles, thorough validation and testing, and restrictions, although clear strategic governance principles are not its primary focus, as one would expect. Annex 22, Annex 11, and Chapter 4 are all still in draft, so the opportunity exists to provide comments until October 7, 2025. You can send your comments to: https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en
In summary, the newly updated Annex 11, Chapter 4, and the newly introduced Annex 22 present both opportunities and challenges. They acknowledge digital systems and recognize that they are essential for protecting data integrity, product quality, and patient safety; however, they also represent a significant regulatory movement towards more meticulous control measures. The modification process may be expensive and challenging for some organizations, particularly smaller, younger companies, as well as those that are new to AI in GMP contexts. The entire industry must comply with regulatory requirements, and these new digital compliance standards add to the extensive requirements set forth by the EU. PQE Group can help organizations assess their current state, revise risk and vendor management processes, and prepare internal stakeholders to act promptly in anticipation of additional regulatory changes coming in 2026.
Danilo Maruccia is a Principal Consultant at PQE Group, bringing over 27 years of experience in information technology, cybersecurity, and computer systems validation within the life sciences industry, as well as extensive professional experience in medical device cybersecurity and regulatory frameworks and standards.