Written by Gianna De Rubertis
Published December 2025
During my involvement with various ISPE GAMP® Special Interest Groups, I have heard firsthand about the challenges that industry professionals face in implementing modern digital technologies within a compliant framework. Our discussions have highlighted how new and evolving technologies are transforming all aspects of pharmaceutical operations – from automated manufacturing processes to AI-driven clinical trial design to real-time supply chain monitoring.
Today, the industry operates in a technological landscape that has been transformed by cloud computing, artificial intelligence, blockchain, and mobile apps. As a result, critical gaps have emerged between regulatory guidance and real-world practices. Regulatory frameworks must evolve to keep pace.
To address the rapid advancement of digital technologies and the implementation of modern systems in pharmaceutical manufacturing, the European Union is proposing a significant update to EU GMP Annex 11. The public consultation on the draft revision concluded in October 2025, with the final approved version expected to be published in mid-2026.
Here’s a breakdown of the key drivers behind the revision, and why it’s an important step for providing relevant guidance for the industry.
4 major changes in the EU GMP Annex 11 revision
1. Modernization of regulatory expectations and guidance
In 2011, Annex 11 was revised in response to the growing reliance on computerised systems and the increased complexity of those systems within the regulated life sciences sector. At that time, the intent was to align regulatory expectations with the digital trends of that era. But now, over a decade later, technological innovation has far outpaced those early expectations.
Considering the rapid advancements in digital technologies, the update to Annex 11 is timely and essential. Modernizing Annex 11 is necessary to ensure that the guidance remains clear, practical and relevant in the current technological landscape - while remaining flexible and adaptable to support future innovation.
2. Increased emphasis on risk management throughout the system lifecycle
Risk management remains a central pillar of the revised EU GMP Annex 11 (draft). Unlike the previous version, which offered broad guidance, the new Annex 11 emphasizes a systematic approach to ensuring the integrity, reliability, and safety of computerised systems used in pharmaceutical manufacturing throughout their entire lifecycle.
The updated Annex 11 (draft) acknowledges that risks are dynamic and underscores a proactive, documented, and continuous approach to risk management. The risks that a system poses to product quality, patient safety, and data integrity should be assessed continually: starting with the selection and design of an appropriate computerised system, continuing with ongoing risk monitoring during system operation, and ending with a final review of the risks when the system is taken out of use.
As digital technologies continue to evolve, the updated Annex 11 (draft) recognizes that new categories of risk are emerging too. One of the most pressing of these is cybersecurity. In today’s technological landscape, cybersecurity threats can severely compromise data integrity, disrupt business operations, and put patient safety and privacy at risk. Knowing this, the revised Annex 11 (draft) now presents cybersecurity as a core GMP requirement. Organizations will be expected to implement robust technological and procedural controls to minimize and mitigate cybersecurity risks and safeguard GMP data - with explicit expectations for regular penetration testing, timely patch management, and incident response.
3. Promoting a culture of quality
Computerised systems used in GMP activities are considered core GMP-controlled assets, not just supporting tools. This underlines the critical role that computerised systems play in ensuring product quality, patient safety, and data integrity.
Organizations will be expected to implement a robust Pharmaceutical Quality System (PQS) that covers the entire lifecycle of computerised systems. That means everything from design and validation to operation, maintenance, cybersecurity, supplier management, and eventual system retirement must fall under the PQS.
The PQS should be comprehensive and proactive, ensuring quality is built in and maintained at every stage of the system’s use. Key governance activities must include management oversight and commitment to promoting a culture of quality. Personnel competence, training, and clear accountability are key pillars of this system.
The revised Annex 11 (draft) highlights the assignment of responsibility, noting that the regulated user remains responsible for quality and compliance - even when using outsourced services (e.g. cloud platforms). Organizations will be expected to apply risk management principles and exercise effective oversight of the service provider’s activities.
Organizations should seriously consider implementing a suitable quality management system adapted to handle the complexities of the PQS. Montrium’s eQMS Connect platform will provide eQMS structure and functionality that supports key elements of the PQS, including the management of policies and procedures, training, change control, audits, and CAPA.
4. Harmonized compliance across global regulations
The revised EU GMP Annex 11 (2025) takes a significant step toward regulatory convergence on a global scale, explicitly aiming to align with the Pharmaceutical Inspection Co-operation Scheme (PIC/S) and to harmonise European expectations for computerised systems with international standards and practices.
By embedding risk management principles and promoting the PQS throughout the lifecycle of computerised systems, the revised Annex 11 (draft) aligns with GAMP® 5, ICH Q9 (Quality Risk Management) and ICH Q10 (Pharmaceutical Quality System). Additionally, data integrity standards - including ALCOA+ principles, robust audit trails, and secure access controls - are emphasized. These are core elements reflected in international regulatory frameworks such as FDA 21 CFR Part 11, the WHO guideline on data integrity, and ISO 27001 for information security management. The alignment of terminology and expectations ensures that data integrity standards are applied uniformly across different regions.
For companies operating globally, the convergence enables the harmonization of validation practices and risk management activities. This comes with the benefit of reducing duplication of activities and improving inspection readiness across regulatory jurisdictions.
Understanding the harmonized requirements is one thing; implementing them is another. To help you get started, we've created a practical PQS checklist that translates Annex 11's updated expectations into actionable steps for your organization.
PQS checklist for Annex 11 compliance
✅ Governance & management oversight
- Senior management demonstrates commitment to quality, integrity, and compliance of computerised systems.
- Roles and responsibilities for computerised systems are clearly defined for stakeholders (e.g. System Owner, Quality Assurance, IT).
- Governance processes include management reviews of system performance, quality metrics, audit results, and CAPA.
✅ System lifecycle management
- Computerised systems follow a documented lifecycle model (design, validation, operation, retirement).
- An up-to-date inventory of GMP-relevant systems is maintained.
- Change control procedures are established for system updates and configuration changes.
- System retirement includes data migration, archival, and decommissioning procedures.
✅ Risk management
- Risk assessments are performed at all lifecycle stages (selection, implementation, operation, and retirement) according to an established procedure.
- Risks to product quality, patient safety, and data integrity are evaluated and mitigated.
- Cybersecurity risks are identified and managed through appropriate controls.
- Risk-based decisions are documented and justified.
- Risk controls are reassessed periodically or when significant changes occur.
- A disaster recovery plan is established and tested.
✅ Personnel and training
- All users and administrators receive role-specific GMP and system training.
- Ongoing and recurrent training ensures awareness of data integrity, cybersecurity, and regulatory requirements, and promotes a culture of quality.
- Training records are maintained.
✅ Supplier and service management
- Third-party suppliers (e.g. cloud service providers, SaaS vendors) are assessed (based on risk and criticality) and approved according to an established procedure.
- Agreements/contracts define responsibilities and procedures, including data ownership, access, security, and compliance obligations.
- Ongoing oversight of suppliers is maintained, including performance monitoring and audits where applicable.
✅ Qualification and validation
- Validation activities follow an appropriate approach that is risk-based, documented, and approved.
- Requirements are defined and maintained throughout the system lifecycle.
- Traceability between specified requirements and testing is complete.
- Verification and testing provide evidence of the system's fitness for intended use.
- Periodic review and revalidation procedures are defined.
✅ Data integrity controls
- ALCOA+ principles are implemented across all systems.
- Secure, role-based access controls are in place and regularly reviewed (based on risk).
- Authentication mechanisms are employed to provide effective protection against unauthorised system access.
- Audit trails are enabled, protected, and periodically reviewed according to an established procedure (based on risk).
- Data is backed up and protected against loss or corruption according to an established procedure.
- Data retention and archival practices are established.
- Data transfer and data migration processes are validated.
✅ Incident and deviation management
- System alarms are managed according to an established procedure.
- Deviations and system incidents are logged, investigated, and resolved in a timely manner.
- Corrective and preventive actions (CAPAs) are documented and tracked to closure.
- Trends are monitored to support proactive improvement.
✅ Documentation & change control
- System-related SOPs are part of the controlled document system.
- Changes (software, configurations, access rights, etc.) are managed under a formal, risk-based change control process.
- Impact assessments are triggered by changes and include (re)validation, data integrity, and business continuity considerations.
✅ Audit & continuous improvement
- Internal audits are scheduled (based on risk) to ensure continued suitability and compliance of systems.
- CAPAs related to system deviations or failures are tracked and closed in a timely manner.
- Audit findings and lessons learned are used to drive continuous improvement in system governance.
Keeping pace with innovation
I am sure my colleagues agree that the modernization of EU GMP Annex 11 will ensure that regulatory expectations keep pace with innovation, and vice versa. By embedding principles of lifecycle validation, proactive risk management, and a culture of quality into the framework for computerised systems, the updated EU GMP Annex 11 will empower organizations to adopt new technologies with confidence, without compromising data integrity, patient safety, or compliance.
Gianna De Rubertis
Gianna is the Director of the Professional Services team and is responsible for in-house verification projects as well as validation services provided to external clients. She has extensive validation experience, which includes validation of manufacturing equipment, utilities, and computerized systems (including ERP, EDMS, and eSignature solutions). Gianna has also developed a solid understanding of the various regulations which apply to the pharmaceutical, biotech and device industries.