
EU GMP Annex 11 2025 Draft: Electronic Signature Changes and MFA Requirement

The EMA's 2025 consultation draft of EU GMP Annex 11 makes multi-factor authentication explicitly mandatory for electronic signatures in GxP systems — the most significant update since the 2011 publication. This guide covers Clause 12.1 MFA requirement, Clause 9 expanded audit trail scope, Clause 16 AI attribution, how the draft compares to FDA 21 CFR Part 11 Section 11.200(a), and what US sponsors running EU trials need to do before finalization.

Certivo Team

The EMA published a consultation draft of EU GMP Annex 11 in 2025 that, when finalized, will represent the most significant update to the computerized systems framework since the 2011 publication. For organizations running EU-regulated activities — GMP manufacturing, EU clinical trials under CTR 536/2014, or dual-market medical device work — the changes to electronic signature requirements are material. The most important change is Clause 12.1, which makes multi-factor authentication explicitly mandatory rather than treating it as one of several acceptable authentication approaches. This guide breaks down what's changing, what it means for organizations already complying with FDA 21 CFR Part 11, and what preparation looks like before the final revision is adopted.

Key Takeaways

  • The 2025 consultation draft is not yet final — EMA consultation closed, finalization expected 2026-2027.
  • Clause 12.1 makes MFA a hard requirement for electronic signatures in GxP systems.
  • Clause 9 expands audit trail scope to cover the full data lifecycle, including exports, migrations, and archival.
  • New AI provisions (Clause 16) address algorithmic decision-making attribution.
  • FDA Part 11 Section 11.200(a) already requires two identification components — organizations using proper 2FA are well-positioned.
  • US sponsors running EU trials need to assess Annex 11 draft requirements now.

What Annex 11 (2011) Currently Requires for Electronic Signatures

Clause 12 of the current 2011 Annex 11 says "electronic signatures should be equivalent in impact to handwritten signatures" and requires audit trails to link the signature to the action and the person — but it doesn't specify multi-factor authentication explicitly. Authentication requirements under the 2011 version are principle-based: access controls must prevent unauthorized use, audit trails must capture who signed what.

Organizations have historically interpreted this to allow username and password as sufficient, especially when combined with strong access controls and a validated system. The result: wide variation in how electronic signatures are implemented across EU-regulated sites, some with MFA, many without. The absence of an explicit MFA requirement in the 2011 text is precisely what the 2025 draft corrects.

The 2025 Draft Revision: A Principle-Based Framework Gets Specific

The EMA's 2025 consultation draft expands Annex 11 from about 5 pages to 19 pages. That expansion reflects 15 years of technology change: cloud systems, AI-assisted decision-making, cybersecurity threats, and SaaS platforms didn't exist at scale in 2011. The regulatory philosophy shifts from "these principles apply to computerized systems" to "here is what computerized systems must do under each function."

This specificity is both more burdensome and more predictable. Organizations know what they need to demonstrate, rather than arguing about whether their username-and-password implementation satisfies a principle-based access control requirement. For compliance teams, clarity is worth the additional implementation effort.

Clause 12.1: Multi-Factor Authentication Is Now Mandatory

The 2025 draft Clause 12.1 states that electronic signatures in GxP systems must use multi-factor authentication. Username and password alone no longer suffice.

MFA is defined as requiring at least two of the three authentication factor categories:

  • Something you know — password, PIN
  • Something you have — hardware token, authenticator app (TOTP)
  • Something you are — biometric

For most regulated organizations, this means adding TOTP authenticator apps or hardware tokens to existing username-and-password workflows. The practical implication is direct: any system that currently supports only username and password for signing will need to be updated or replaced before the final revision is adopted.

The comparison to FDA Part 11 is worth understanding clearly. Section 11.200(a) requires "at least two distinct identification components such as an identification code and password" for non-biometric electronic signatures. Most regulators have interpreted this to require the two components at signing, not just at login. The Annex 11 draft aligns with the stricter FDA interpretation but makes the MFA requirement more explicit, removing the ambiguity that let some organizations argue a single-factor sign-in qualified under the 2011 text.

Organizations already enforcing 2FA at signing for Part 11 compliance are better positioned for Annex 11 Clause 12.1 readiness than they may realize. The conceptual requirement is the same; Annex 11 just says it plainly.

Clause 9: Expanded Audit Trail Scope

The 2011 Annex 11 required audit trails for data creation, modification, and deletion. The 2025 draft expands this to cover the full data lifecycle. Clause 9 requires audit trails to capture:

  • Record export events — who exported what, and to where
  • Migration events — data moved between systems, with attribution and timestamps
  • Archival events — when and by whom records were transferred to long-term storage

This matters because FDA 483 findings frequently cite gaps at system boundaries. What happened to data when it left System A for System B is often unaudited. A record might be complete inside each system, but the handoff event itself leaves no trail. The Clause 9 expansion addresses that gap directly.

The Clause 9 requirement also aligns with ALCOA++'s Traceable principle, which requires that the complete lifecycle of a data point be reconstructable across system boundaries. If you're already building audit trail coverage for ALCOA++ Traceable, the Annex 11 Clause 9 requirements should map closely to what you're already doing.

AI and Algorithmic Functions: Clause 16

New to the 2025 draft: Clause 16 addresses AI and algorithmic decision-making in GxP computerized systems. This is the first time Annex 11 has directly addressed AI.

Under Clause 16, any AI-generated or AI-recommended action that affects a regulated record must be attributable to both the algorithm (version, training dataset, validation status) and the human who reviewed and approved the outcome. The AI's role must be logged separately from the human's signature.

For organizations using AI tools in manufacturing quality review or clinical data management, this requires new documentation and audit trail fields. It's not enough to log that a human signed off on a record — the audit trail must also capture what the AI recommended, which version of the algorithm made that recommendation, and whether the human deviated from it. The Clause 16 framework treats the AI as a distinct actor in the record's history, not merely a tool.
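As an added illustration of the Clause 12.1 and Clause 16 points above (example code written for this article, not code from the page or from Certivo's platform): a minimal Python signing gate that proves both factors at the signing step itself rather than trusting a login-time check, and writes an audit entry that records the AI recommendation and algorithm version separately from the human's signature. The TOTP routine follows RFC 6238; the user, record and algorithm names are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


def totp(secret: bytes, now: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme common authenticator apps implement."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Session:
    user: str
    password_verified: bool  # first factor, proven at login


AUDIT_TRAIL: list = []  # append-only store in a real system; a plain list here


def sign_record(session: Session, totp_code: str, totp_secret: bytes, record_id: str,
                decision: str, now: float, ai: Optional[dict] = None) -> dict:
    """Apply an electronic signature. Both factors are checked at the signing step:
    the password state carried by the session and a fresh TOTP code presented now.
    A session that was only 2FA-authenticated at login does not pass this gate."""
    if not session.password_verified:
        raise PermissionError("first factor (password) not verified")
    # Accept the current or previous 30 s step to tolerate small clock drift.
    valid = any(hmac.compare_digest(totp(totp_secret, now - d), totp_code) for d in (0, 30))
    if not valid:
        AUDIT_TRAIL.append({"ts": now, "actor": session.user, "action": "SIGN_REJECTED",
                            "record": record_id, "reason": "second factor failed at signing"})
        raise PermissionError("second factor (TOTP) not proven at signing")
    # The entry links the signature to the person, the action and the factors used.
    entry = {"ts": now, "actor": session.user, "action": "SIGN", "record": record_id,
             "decision": decision, "factors": ["password", "totp"]}
    if ai is not None:  # algorithm logged as its own actor, apart from the human signature
        entry["ai"] = {"algorithm": ai["algorithm"], "version": ai["version"],
                       "recommendation": ai["recommendation"],
                       "human_deviated": ai["recommendation"] != decision}
    AUDIT_TRAIL.append(entry)
    return entry
```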

Annex 11 vs. Part 11: Where the Requirements Diverge

For organizations operating across both FDA and EU jurisdictions, the practical question is where the two frameworks differ in ways that require separate implementation choices. Here's where the current Part 11 text and the 2025 Annex 11 draft diverge on key points:

| Requirement Area | FDA 21 CFR Part 11 | EU GMP Annex 11 (2025 Draft) |
|---|---|---|
| Authentication | Section 11.200(a) — two distinct identification components | Clause 12.1 — explicit MFA required (two of three factor categories) |
| Audit trail scope | Section 11.10(e) — creation, modification, deletion | Clause 9 — also includes export, migration, and archival events |
| Cloud systems | 2024 FDA guidance — sponsor responsible for vendor qualification | Annex 11 draft — explicit data sovereignty and residency requirements |
| AI attribution | Not addressed specifically | Clause 16 — AI attribution required alongside human signature |
| Validation approach | CSA risk-based since 2025 | Risk-based with documented impact assessment required |

Key differences between FDA 21 CFR Part 11 and EU GMP Annex 11 2025 draft for electronic signatures.

For a deeper look at how the regulatory text compares across jurisdictions, see the GxP electronic records regulations comparison.

What US Sponsors Running EU Trials Need to Do Now

The 2025 draft is not yet final. EMA closed the consultation period and is incorporating feedback before issuing the final text, expected sometime in 2026 or 2027. But sponsors running EU clinical trials under CTR 536/2014 should start assessing their systems against the draft requirements now, for two reasons.

First, finalization timelines in the EU can compress quickly. A transition period of 12 to 18 months after publication is typical, which means organizations with significant system changes ahead may have less runway than they expect.

Second, MHRA (UK post-Brexit) has indicated it will review Annex 11 alignment and may adopt similar provisions independently. Organizations with UK-regulated sites can't assume that waiting for the EU final text covers their MHRA obligations.

Practical first steps: audit whether your e-signature system requires MFA at signing (not just at login), assess whether your audit trail captures export and migration events, and review what your SaaS vendor's data sovereignty commitments are. If you're already compliant with FDA Part 11 Section 11.200(a) and require 2FA at signing, you're closer to Annex 11 Clause 12.1 readiness than you might think.

Transition Timing

The 2025 draft is not yet law. Organizations should monitor EMA's publication schedule and ensure their platform vendors are tracking the finalization process. A platform that already enforces MFA at signing (as required by FDA Part 11 Section 11.200(a)) will have significantly lower transition effort when the final Annex 11 is adopted.

Preparation Checklist for the 2025 Annex 11 Draft

If you want to start closing gaps before finalization, here's where to focus:

  • Confirm your e-signature platform requires MFA at signing (TOTP, hardware token, or biometric) — not just at login. A system that enforces 2FA only at session start doesn't satisfy Clause 12.1.
  • Verify your audit trail captures export, migration, and archival events in addition to creation, modification, and deletion.
  • Confirm your SaaS vendor's data residency commitments and where audit trail data is stored. Annex 11 draft data sovereignty requirements mean "data is in the cloud" is not a complete answer.
  • Review your validation documentation to confirm it covers the system's MFA implementation and audit trail scope as validated functionality, not just configuration notes.
  • Identify any AI-assisted workflows that touch regulated records and assess how AI actions are attributed and logged separately from human signatures.
  • Review your SOPs to confirm they address audit trail export and record migration procedures — if Clause 9 scope is new, your procedures likely don't cover it yet.
  • Track EMA's Annex 11 finalization schedule and set a 90-day pre-publication review date so you have time to plan implementation before the transition clock starts.

For organizations doing this assessment, understanding the full FDA 21 CFR Part 11 framework is a useful starting point — the two regulatory frameworks share more common ground than the separate texts suggest, and gap analysis is easier when you can map both against a single set of system controls. The ALCOA++ data integrity framework is similarly useful for scoping audit trail coverage against both Clause 9 and the FDA data integrity guidance.

If you want to see how the two frameworks compare in detail, the GxP electronic records regulations overview covers both.

Certivo enforces MFA at signing (Password + TOTP, satisfying FDA Part 11 Section 11.200(a)), captures a full audit trail including export events, and is tracking the Annex 11 finalization process. If you're assessing platform readiness against the 2025 draft, visit the compliance page to see how Certivo maps to both frameworks.
