EU GMP Annex 11 Ch.4 & Annex 22: Latest EU regulatory updates

by Danilo Maruccia, Principal Consultant and Senior Equity Partner @PQE Group

The European Commission released three significant documents on 7 July 2025: a draft revision of Annex 11, a revised Chapter 4 on documentation and records, and the brand-new Annex 22 on AI-based systems. These documents represent the most significant modernization of the EU GMP’s digital compliance framework in the last 14 years.

Since June 2011, EU GMP Annex 11 has provided the compliance standard for pharmaceutical and biotech computerized systems. The document stipulated risk-based guiding principles that helped companies identify and utilize new technology systems. These technologies have evolved extensively over the last 14 years, driven by cloud computing, SaaS, mobile applications, and, importantly, artificial intelligence. The new Annex 11, a detailed 19-page standard as opposed to the current 5-page guideline, explicitly covers new technologies such as cloud computing and SaaS, as well as AI/ML-based systems.


The expanded Annex 11 includes detailed infrastructure requirements and mandates for testing critical systems, aligning with the NIS2 Directive and the ISO 27001 standard. It offers a comprehensive list of directives for mandatory audit logging of all user interactions across GMP-relevant systems. These may require expensive upgrades to older systems but are critical for maintaining regulatory compliance.

A critical component of the updated Annex 11 is data integrity, which is addressed throughout several sections of the document, such as Identity and Access Management, Audit Trails, Electronic Signatures, and Security. Formalized obligations for qualification, oversight of lifecycle documentation, and contracts with service providers are also covered. A new section of Annex 11 discusses implementation and integration with Pharmaceutical Quality Systems (PQS), covering how computerized systems must be embedded into the organization’s PQS and the requirement for regular reviews to ensure the proper operation of the system. Additionally, a new section addresses Alarm Management and the lifecycle of alarms.

The new Annex 11, the updates to Chapter 4, and the new Annex 22 should be treated as a single “regulatory triad” when assessing the impact of these updates. Having reviewed Annex 11, let’s take a quick look at the other two documents.

Chapter 4 supports Annex 11 by reinforcing traceability requirements and incorporates the data principles of ALCOA++ (“Attributable, Legible, Contemporaneous, Original, and Accurate” – the ++ accentuates “complete, consistent, enduring, available, and traceable”). Chapter 4 examines documentation storage duration, GMP-related record signature procedures, and master documentation governance.

Annex 22, a new document, introduces regulations regarding AI/ML systems in pharmaceutical manufacturing and applies to deterministic AI models, excluding areas such as generative AI and Large Language Models (LLMs). It recommends ALCOA++ principles, thorough validation and testing, and restrictions, although clear strategic governance principles are not its primary focus, as one would expect. Annex 22, Annex 11, and Chapter 4 are all still in draft, so the opportunity exists to provide comments until October 7, 2025. You can send your comments to: https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en

In summary, the newly updated Annex 11, Chapter 4, and the newly introduced Annex 22 present both opportunities and challenges. They acknowledge digital systems and recognize that they are essential for protecting data integrity, product quality, and patient safety; however, they also represent a significant regulatory movement towards more meticulous control measures. The modification process may be expensive and challenging for some organizations, particularly smaller, younger companies, as well as those that are new to AI in GMP contexts. The entire industry must comply with regulatory requirements, and these new digital compliance standards add to the extensive requirements set forth by the EU. PQE Group can help organizations assess their current state, revise risk and vendor management processes, and prepare internal stakeholders to act promptly in anticipation of additional regulatory changes coming in 2026.

Danilo Maruccia is a Principal Consultant at PQE Group, bringing over 27 years of experience in information technology, cybersecurity, and computer systems validation within the life sciences industry, as well as extensive professional experience in medical device cybersecurity and regulatory frameworks and standards.
