EU GMP Annex 11 governs computerized systems used in pharmaceutical manufacturing and quality control across the European Union. First published in 2011, the annex has remained unchanged for over 14 years, even as cloud computing, artificial intelligence, and SaaS platforms have changed how life sciences organizations manage electronic records. On 7 July 2025, the European Commission and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) published a thorough draft revision that expands Annex 11 from 5 pages to 19, introduces dedicated sections on cybersecurity and identity management, and explicitly addresses cloud and AI-based systems for the first time. Public consultation closed on 7 October 2025, and the finalized version is expected mid-2026.
Key Takeaways
- The 2025 draft revision of Annex 11 is the first update since 2011 and expands the annex from 5 to 17 sections plus a full glossary.
- New provisions address AI governance (via new Annex 22), cybersecurity, cloud/SaaS qualification, and enhanced identity and access management.
- Electronic signature requirements now mandate multi-factor authentication, eIDAS-aligned trust services, and time zone-aware timestamping.
- Audit trail requirements are strengthened with explicit immutability mandates, periodic review obligations, and ALCOA++ alignment.
- The revision shifts Annex 11 from interpretive guidance to detailed regulation. Organizations should begin gap assessments now.
This article breaks down the key changes in the draft revision, compares the updated Annex 11 with FDA 21 CFR Part 11, and explains what QA managers, regulatory affairs teams, and IT departments at EU pharmaceutical and biotech companies need to do to prepare.
What Is EU GMP Annex 11?
Annex 11 is a supplementary guideline to EudraLex Volume 4, the EU's Good Manufacturing Practice (GMP) guide for medicinal products. It applies to all computerized systems used as part of GMP-regulated activities, including manufacturing execution systems (MES), laboratory information management systems (LIMS), electronic batch records, quality management systems (QMS), document management platforms, and e-signature solutions.
The current version, published in 2011, established foundational requirements for system validation, data integrity, audit trails, electronic signatures, and access controls. It's enforced by national competent authorities across EU member states and by PIC/S member inspectorates globally. While the 2011 version was effective for its era, it provides limited guidance on cloud infrastructure, Software-as-a-Service delivery models, artificial intelligence, and modern cybersecurity threats, all of which are now standard in pharmaceutical operations.
Why Is Annex 11 Being Revised?
The 2011 Annex 11 was written for a world of on-premise servers and locally installed software. Since then, the pharmaceutical industry has gone through a major digital shift:
- Cloud adoption. The majority of new GxP-critical systems are now delivered as cloud-hosted SaaS platforms, raising questions about data sovereignty, vendor oversight, and shared responsibility models that the current annex doesn't address.
- AI and machine learning. Pharmaceutical companies increasingly use AI/ML for process optimization, predictive quality, and decision support. No GMP guideline previously governed these technologies.
- Cybersecurity threats. Ransomware attacks on pharmaceutical manufacturers and supply chains have demonstrated that data integrity requires cybersecurity controls far beyond what the 2011 version contemplated.
- Data integrity findings. Inspectors have issued hundreds of data integrity findings since 2011. The EMA, MHRA, and PIC/S have all published supplementary guidance, but Annex 11 itself hasn't kept pace.
- PIC/S harmonization. The revision explicitly aligns with PIC/S to create consistent expectations for computerized systems across all PIC/S member countries, reducing divergent interpretations between jurisdictions.
Key Changes in the 2025 Draft Revision
The draft revision expands Annex 11 from a concise, interpretive guideline into a detailed regulation spanning 17 sections and a formal glossary. Here are the changes that matter most for organizations managing electronic records, electronic signatures, and audit trails.
1. AI Governance and New Annex 22
Alongside the revised Annex 11, the European Commission published a completely new Annex 22: Artificial Intelligence. This is the first time AI and machine learning have been formally regulated within the EU GMP framework. The revised Annex 11 cross-references Annex 22 for any computerized system that incorporates AI/ML components.
Key requirements include formal risk assessment of AI/ML models before deployment, ongoing performance monitoring and drift detection, validation of training data sets, human oversight of AI-driven decisions that affect product quality, and documentation of model versioning throughout the system lifecycle. For e-signature platforms, this means any AI-assisted features (automated document routing, anomaly detection in signing patterns, intelligent workflow assignment) must be validated and documented under both Annex 11 and Annex 22.
2. Cybersecurity as a Core GMP Requirement
The 2011 version of Annex 11 mentioned security only in passing. The 2025 draft elevates cybersecurity to a core GMP requirement, with organizations expected to implement strong technological and procedural controls to safeguard GMP data. Specific expectations include:
- Regular penetration testing of GxP systems
- Timely patch management with documented change control
- Incident response plans specifically addressing data integrity impacts
- Network segmentation and monitoring for GMP-critical systems
- Alignment with established cybersecurity standards such as ISO 27001
Regulatory trend: Cybersecurity is no longer treated as an IT-only concern. The revised Annex 11 makes it clear that a cybersecurity breach compromising GMP data integrity is a GMP failure, with all the regulatory consequences that entails. QA teams must be involved in cybersecurity governance, not just IT departments.
3. Enhanced Risk Management Aligned with PIC/S
While the 2011 Annex 11 provided basic risk management guidance, the 2025 draft mandates specific risk assessment methodologies, documentation requirements, and ongoing risk monitoring throughout the entire system lifecycle. Risk assessments must cover patient safety, product quality, and data integrity impacts. The revision aligns these requirements with PIC/S expectations, ensuring consistent inspection criteria across all 54 PIC/S member authorities.
Organizations must now document formal risk assessments spanning initial system selection through decommissioning, with periodic re-evaluation as business processes and regulatory expectations evolve.
4. Cloud and SaaS Provisions
For the first time, Annex 11 directly addresses cloud computing and SaaS delivery models. The regulated user (the pharmaceutical company) retains full responsibility for quality and compliance regardless of where the system is hosted or who manages the infrastructure. Key provisions include:
- Supplier qualification — Cloud and SaaS providers must be qualified and periodically audited. Quality agreements must define deliverables, audit rights, version control, data migration, and exit strategies.
- Data sovereignty — Organizations must know where their data is stored and ensure compliance with applicable data protection and GMP requirements in those jurisdictions.
- Service level agreements — SLAs must address availability, disaster recovery, data backup, incident response, and change notification procedures.
- Shared responsibility — The draft makes explicit that outsourcing system hosting does not outsource regulatory responsibility. The regulated user must maintain oversight.
5. Updated Electronic Signature Requirements
Section 13 of the 2025 draft strengthens electronic signature requirements compared to the 2011 version. The updated provisions bring Annex 11 closer to the specificity of 21 CFR Part 11 while incorporating European regulatory considerations:
- Multi-factor authentication — Every electronic signature must be confirmed with an additional, independent authentication factor beyond the credentials used to access the system. This could be a password, biometric, or time-limited one-time code.
- eIDAS integration — Section 13.2 directly references the EU eIDAS Regulation (910/2014), requiring that cloud-based signature services meet eIDAS-qualified standards or equivalent national frameworks. Qualified Trust Service Providers (QTSPs) must undergo rigorous third-party audits and maintain certified infrastructure.
- Time zone-aware timestamping — Section 13.4 mandates automated, time zone-aware timestamping for all signature events, ensuring defensible chronology across geographies.
- Permanent linkage — Electronic signatures must be permanently linked to their respective records. If a signed record is subsequently modified, the modification must clearly appear as unsigned.
- Signature meaning — Each signature must capture the signer's identity, the exact content signed (not just a reference or hash in isolation), and the meaning of the action (review, approve, verify, or release).
Certivo and Annex 11 compliance: Certivo's e-signature platform provides multi-factor authentication (password + TOTP), immutable audit trails with SHA-256 hash chain verification, RFC 3161 trusted timestamps, and permanent signature-to-record linkage — addressing the draft Annex 11's enhanced e-signature requirements. Learn more about our compliance capabilities.
6. Enhanced Audit Trail Requirements
The 2011 Annex 11 required audit trails but provided minimal guidance on implementation. The 2025 draft dedicates a full section to audit trail requirements with much more detail:
- Immutability — Audit trails must be system-generated and immutable. Access controls must prevent unauthorized modifications and protect original data. The draft is unambiguous: entries can't be altered, overwritten, or deleted.
- Periodic review — Organizations must establish documented procedures for routine audit trail review, with clear procedural ownership. Reviews must happen routinely and during investigations, not only when deviations occur.
- ALCOA++ alignment — The draft explicitly ties audit trail requirements to ALCOA+ data integrity principles, requiring that trail entries be Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available.
- Metadata retention — Audit trails must retain associated metadata throughout the data lifecycle: user identity, timestamp, action type, before/after values, and reason for change where applicable.
- Traceability linkage — Entries must be linked to the underlying log data for clear traceability, enabling reconstruction of the complete sequence of events.
7. Identity and Access Management Overhaul
The 2011 version offered generic statements about restricting access to “authorised persons.” The 2025 draft delivers 11 detailed subsections on identity and access management. Key changes include:
- Continuous lifecycle management of user access — timely granting, modification, and revocation as users join, change roles, and end their involvement in GMP activities.
- Prohibition of shared accounts for any GMP-critical activity.
- Periodic access reviews with documented evidence of completion.
- Segregation of duties between system administrators and GMP users.
Annex 11 (2025 Draft) vs. FDA 21 CFR Part 11: Comparison
Organizations operating in both EU and US markets must comply with both Annex 11 and 21 CFR Part 11. The table below compares the two, incorporating the changes proposed in the 2025 draft:
| Requirement Area | EU GMP Annex 11 (2025 Draft) | FDA 21 CFR Part 11 |
|---|---|---|
| Regulatory Nature | GMP guideline annex (EudraLex Vol. 4); detailed in draft | Federal regulation (legally binding) |
| Scope | All computerized systems in GMP activities | Electronic records and signatures for FDA-regulated activities |
| Risk Management | Mandates formal risk assessments across full system lifecycle | No explicit risk management requirement |
| System Validation | Required; scaled to risk and complexity | Required; predicate rule compliance |
| Audit Trails | Immutable, ALCOA++ aligned, periodic review mandated | Secure, computer-generated, time-stamped per 11.10(e) |
| Electronic Signatures | Multi-factor auth, eIDAS integration, signature meaning required | Unique to signer, two-component (ID + password), signature meaning |
| Cybersecurity | Core GMP requirement; pen testing, patch management, incident response | Not specifically addressed (covered by predicate rules) |
| Cloud/SaaS | Explicit provisions for supplier qualification, SLAs, data sovereignty | Not specifically addressed |
| AI/ML Systems | Cross-references new Annex 22; formal governance required | Not addressed |
| Periodic Review | Mandatory periodic system and audit trail review | No explicit periodic review requirement |
| Supplier Oversight | Detailed qualification, audit, and SLA requirements | Vendor responsible for Part 11 compliance of their product |
| Enforced By | EU national competent authorities, PIC/S inspectorates | FDA |
The 2025 draft narrows many of the historical gaps between the two. In several areas (risk management, cybersecurity, cloud provisions) the revised Annex 11 now exceeds the specificity of 21 CFR Part 11. Organizations that already comply with Part 11 will have a solid foundation but should expect additional requirements around supplier oversight, periodic reviews, and cybersecurity governance.
What This Means for E-Signature Platform Selection
The draft revision has direct implications for organizations selecting or evaluating e-signature platforms for GMP use. Based on the proposed requirements, compliant platforms must support:
- Multi-factor authentication for every signature event. A password alone is no longer sufficient. The platform must enforce a second, independent authentication factor at the point of signing.
- Immutable, hash-chain audit trails. Simple database logging doesn't meet the immutability standard. Cryptographic verification (such as SHA-256 hash chains) provides the mathematically provable tamper evidence the draft demands.
- Trusted timestamping. Timestamps must come from a reliable, independent time source. RFC 3161 trusted timestamps from a recognized Time Stamping Authority provide the strongest evidence of when a signature was applied.
- Complete signature metadata. Each signature record must capture the signer's identity, the meaning of the signature, the exact content signed, and the timestamp, permanently linked and unalterable.
- Supplier qualification documentation. Vendors must be able to provide validation documentation, security audit reports, SOC 2 or ISO 27001 certifications, and defined SLAs.
- Role-based access with lifecycle management. The platform must support granular role-based permissions with documented provisioning, modification, and deprovisioning processes.
For a detailed vendor evaluation methodology, see our guide to choosing an e-signature platform for life sciences.
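To make the audit trail and signature-linkage requirements above concrete, here is an added Python example (written for this article, not Certivo's code or any vendor's implementation): each audit entry carries the Annex 11 metadata (user, time zone-aware timestamp, action, before/after values, reason) and the SHA-256 of the previous entry, so editing, deleting or reordering history breaks verification, and a signature record binds to the hash of the exact content signed, so a later modification leaves the record visibly unsigned. All identifiers and the sample records are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone


def _digest(obj) -> str:
    # Canonical JSON (sorted keys) so the same entry always hashes identically.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only trail; every entry chains to the SHA-256 of the previous one."""
    GENESIS = "0" * 64  # anchor for the first entry

    def __init__(self):
        self.entries = []

    def append(self, user, action, record_id, before, after, reason="", when=None):
        # Time zone-aware UTC timestamp (the section 13.4 expectation).
        ts = (when or datetime.now(timezone.utc)).isoformat()
        entry = {"seq": len(self.entries), "user": user, "timestamp": ts,
                 "action": action, "record": record_id, "before": before,
                 "after": after, "reason": reason,
                 "prev_hash": self.entries[-1]["hash"] if self.entries else self.GENESIS}
        entry["hash"] = _digest(entry)  # digest taken before the hash field exists
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link; return (ok, seq of the first bad entry or None)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def sign(record, signer, meaning, when=None):
    """Signature record: who signed, what it means, when, and the exact content hash."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return {"signer": signer, "meaning": meaning, "timestamp": ts,
            "content_hash": _digest(record)}


def is_signed(record, signature) -> bool:
    """False as soon as the record diverges from the content that was signed."""
    return _digest(record) == signature["content_hash"]
```

The chain only proves self-consistency; it becomes tamper evidence against an administrator who can rewrite the whole database when the latest hash is anchored outside the system, for example with an RFC 3161 timestamp or write-once storage.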
How to Prepare for the Revised Annex 11
Although the revision is still in draft form, the direction is clear and the final version is expected mid-2026. Organizations should begin preparation now:
- Conduct a gap assessment. Map your current computerized systems against the 17 sections of the draft. Identify where your existing validation documentation, SOPs, and technical controls fall short of the proposed requirements.
- Review supplier agreements. Evaluate your cloud and SaaS vendor contracts against the draft's provisions for supplier qualification, audit rights, SLAs, data sovereignty, and exit strategies. Update quality agreements where needed.
- Assess cybersecurity posture. Conduct penetration testing of GxP systems, review patch management processes, and develop or update incident response plans that specifically address GMP data integrity impacts.
- Upgrade audit trail practices. Ensure your systems generate immutable audit trails with periodic review procedures documented and assigned. If your current systems rely on simple database logging, evaluate platforms that provide cryptographic tamper detection.
- Evaluate e-signature compliance. Confirm that your e-signature workflows enforce multi-factor authentication, capture signature meaning, and produce permanently linked, timestamped records. If your current platform doesn't meet these standards, begin evaluating alternatives.
- Inventory AI/ML usage. Identify any AI or machine learning components within your GMP computerized systems and prepare for Annex 22 governance requirements, including model validation, performance monitoring, and human oversight documentation.
- Train your teams. QA, IT, and regulatory affairs personnel need to understand the scope of the changes. Schedule training on the draft revision so that teams can identify compliance gaps within their areas of responsibility.
Start with what you can control: While some aspects of the final regulation may change between the draft and the published version, the core themes (immutable audit trails, multi-factor authentication, cybersecurity governance, and supplier oversight) are well-established regulatory expectations unlikely to weaken. Addressing these areas now positions your organization for compliance regardless of the final text.
The Bottom Line
The 2025 draft revision is the most substantial update to European computerized system regulations in over a decade. It addresses the realities of modern pharmaceutical technology: cloud computing, artificial intelligence, SaaS delivery, and escalating cybersecurity threats.
For QA managers and regulatory affairs teams at EU pharma and biotech companies, the bar for computerized system compliance is rising. Organizations that begin gap assessments and system upgrades now, rather than waiting for the final publication, will be best positioned to achieve compliance without disruption. Start a free trial to see how Certivo's purpose-built compliance platform addresses the requirements of both the revised Annex 11 and FDA 21 CFR Part 11.