
21 CFR Part 11 vs EU GMP Annex 11: Side-by-Side Compliance Guide (2026)

FDA 21 CFR Part 11 and EU GMP Annex 11 share a strong technical foundation but diverge in three areas that matter for dual-jurisdiction organizations: audit trail scope (Clause 9 adds exports and archival), supplier qualification (Clause 3 requires formal assessment), and periodic system review (Clause 11). Updated June 2026 with the 2025 Annex 11 draft comparison and preparation steps before finalization.

Certivo Team

FDA 21 CFR Part 11 and EU GMP Annex 11 are the two most cited regulatory frameworks for electronic records and electronic signatures in life sciences. For organizations operating under both — dual-jurisdiction pharma companies, CROs with EU and US trial portfolios, biotech firms preparing global marketing applications — the practical question is not whether to comply with both. It's where they align, where they diverge, and which gaps need to be closed before the EMA finalizes the revised Annex 11 text.

The answer matters more right now than it did two years ago. The 2025 Annex 11 consultation draft is materially different from the 2011 publication. It runs 19 pages compared to the original 5. It makes multi-factor authentication at signing explicitly mandatory, expands the audit trail scope beyond what Part 11 Section 11.10(e) requires, and adds explicit provisions for AI-generated data and cloud system obligations. Finalization is actively in progress as of mid-2026.

Key Takeaways

  • Part 11 is a binding federal regulation covering electronic records and signatures specifically. Annex 11 covers the full computerized system lifecycle.
  • Both frameworks require audit trails, access controls, electronic signature controls, and system validation — the foundations align.
  • Annex 11 Clause 9 expands audit trail scope to exports, migrations, and archival events. Part 11 Section 11.10(e) does not cover these explicitly.
  • Annex 11 Clause 3 requires formal supplier qualification before deployment. Part 11 does not include an explicit parallel requirement.
  • Organizations already enforcing 2FA at signing for Part 11 are well-positioned for Annex 11 Clause 12.1. Authentication at login only creates a direct gap.
  • Finalization is approaching mid-2026. The typical EU GxP transition window is 12 to 24 months from finalization date.

Scope: What Each Regulation Actually Covers

The most important difference between the two frameworks is scope. Part 11 is a targeted regulation. It covers electronic records that are required by FDA predicate rules and electronic signatures applied to those records. The underlying computerized system is addressed only to the extent it affects the trustworthiness of those records: whether the system is validated, whether audit trails are accurate, whether access is controlled.

Annex 11 is broader. It covers the full lifecycle of a computerized system used in GxP activities: supplier qualification before purchase, validation through the development lifecycle, operational controls, periodic review, change management, and system retirement. Electronic records and electronic signatures are components of that broader framework, not the sole focus. An organization that focuses only on the record and signature provisions of Annex 11 and ignores the supplier qualification and periodic review clauses is partially compliant at best.

The Shared Foundation

Despite the scope difference, the two frameworks share a strong technical core. Both require:

  • System validation: Part 11 Section 11.10(a) requires validation to ensure accuracy, reliability, and consistent intended performance. Annex 11 Clauses 4 through 10 cover validation planning, execution, and documentation with similar objectives.
  • Audit trails: Both require secure, computer-generated records of who did what and when, with original values preserved on modification. Neither allows users to modify or delete audit trail entries.
  • Access controls: Both require unique user identification, role-based access restrictions, and controls preventing unauthorized access to records or signature functions.
  • Electronic signature binding: Both require that electronic signatures be cryptographically or logically linked to the records they sign, such that the record cannot be modified after signing without detection.
  • Record retention: Both require that records remain accurate and retrievable for the full retention period defined by the applicable predicate rule. Annex 11 adds an explicit readability requirement over the retention period.

This alignment means a well-implemented Part 11 system covers most of the technical requirements an EU-scoped organization would face under Annex 11. The gaps are real but targeted, not systemic.

Where They Diverge: The Key Differences

The table below maps the seven most significant divergences between the two frameworks, using the specific regulatory text of Part 11 and the 2025 Annex 11 consultation draft.

| Requirement | FDA 21 CFR Part 11 | EU GMP Annex 11 (2025 Draft) |
|---|---|---|
| Electronic signature authentication | At least two distinct identification components at signing (Section 11.200(a)) | MFA explicitly required at signing, with independent factors (Clause 12.1) |
| Audit trail scope | Creation, modification, deletion of records (Section 11.10(e)) | Adds export, migration, and archival events (Clause 9) |
| Supplier qualification | Not explicit; flows from 21 CFR 211/820 quality system requirements | Clause 3: formal supplier audit or documented assessment required before deployment |
| Periodic re-evaluation | Not explicitly required as a stand-alone obligation | Clause 11: periodic review of the computerized system is mandatory |
| Cloud and SaaS provisions | General Part 11 principles apply; 2024 FDA guidance clarified applicability | Clause 3.4: explicit data ownership, access, and recovery obligations for cloud systems |
| AI record attribution | January 2026 FDA-EMA joint guidance addresses AI attribution (not in Part 11 text itself) | Clause 16: explicit AI-generated data attribution and human oversight requirement |
| Legal status | Federal regulation (legally binding, enforceable with 483s and Warning Letters) | GMP guideline (practically mandatory for EU marketing authorization holders) |

Authentication: Closer Than It Looks, With One Important Gap

On authentication requirements, the two frameworks are closer than a surface reading suggests. Part 11 Section 11.200(a)(1) requires that when an individual executes a series of signings during a single, continuous period of controlled system access, the first signing must use all required identification components. Subsequent signings in that session must use at least one component. For non-session signings, all components are required each time.

The 2025 Annex 11 draft Clause 12.1 requires multi-factor authentication with independent factors, presented at the time of signing. The drafting is more explicit than Part 11's text, but the practical requirement is similar: a second factor must be required at the signing event, not only at system login.

The meaningful gap is for organizations that authenticate users at login only. If your system allows a user who logged in hours earlier to execute signatures without re-entering credentials, that configuration likely satisfies neither framework. Under Part 11, the session-continuous provision requires at least one component at subsequent signings. Under Annex 11 Clause 12.1, MFA at signing is explicit. The remediation is the same for both: enforce a credential entry at each signing event, not just at session start.

Organizations already enforcing 2FA at signing for Part 11 compliance — password plus TOTP at each signature — are well-positioned for Annex 11 Clause 12.1. The technical architecture is already there.
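
The signing rules described in this section, expressed as a check over a signing log. This is an added example, not Certivo's code or regulatory text; the `Signing` record, the `evaluate` function, and the password-plus-TOTP component set are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the system enrols these two components for signing (the
# password-plus-TOTP setup the article mentions).
REQUIRED = frozenset({"password", "totp"})

@dataclass(frozen=True)
class Signing:
    record_id: str
    user: str
    session_id: Optional[str]         # None: signing outside a continuous session
    factors: frozenset = frozenset()  # entered at the signing event, not at login

def evaluate(signings):
    """Return {record_id: (part11_ok, annex11_ok)} for signings in time order."""
    opened = set()  # (user, session) pairs whose first signing used all components
    result = {}
    for s in signings:
        presented = s.factors & REQUIRED
        full = presented == REQUIRED
        key = (s.user, s.session_id)
        if s.session_id is not None and key in opened:
            part11_ok = len(presented) >= 1  # later signing in the same session
        else:
            part11_ok = full                 # first-in-session or non-session signing
            if full and s.session_id is not None:
                opened.add(key)
        annex11_ok = full                    # draft Clause 12.1: MFA at every signing
        result[s.record_id] = (part11_ok, annex11_ok)
    return result

# Constructed sample data, not taken from any real system.
SAMPLE = [
    Signing("REC-1", "alice", "s1", frozenset({"password", "totp"})),
    Signing("REC-2", "alice", "s1", frozenset({"password"})),
    Signing("REC-3", "alice", "s1"),  # signature executed on the login session alone
    Signing("REC-4", "bob", None, frozenset({"password"})),
]

if __name__ == "__main__":
    for rec, (p11, a11) in evaluate(SAMPLE).items():
        print(f"{rec}: Part 11 {'ok' if p11 else 'GAP'}, "
              f"Annex 11 draft {'ok' if a11 else 'GAP'}")
```

REC-2 is the case where the two frameworks differ: one component on a later signing in the same session satisfies the Part 11 session rule as described above but not MFA at signing.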

Audit Trail Scope: Where the Real Gap Lives

The audit trail scope divergence is the larger practical gap for most organizations. Part 11 Section 11.10(e) requires audit trails that record actions that create, modify, or delete electronic records. This is the standard three-event scope: create, change, delete.

The 2025 Annex 11 draft Clause 9 extends that scope. It explicitly requires audit trail coverage for exports, migrations, and archival actions on GxP-relevant data. The rationale: an organization that logs who created and modified a record but does not log who exported it, migrated it to another system, or moved it to archive has an incomplete chain of custody. The data could be extracted or moved outside the system without audit trail evidence.

This is a gap that most cloud and SaaS platforms have not addressed, because Part 11 did not require it. The practical test for your current system: ask the vendor whether administrative export operations — bulk exports, database migrations, archival transfers — appear in the user-accessible audit trail with the same attribution and timestamp structure as record creation and modification events. If they don't, that is a direct Annex 11 gap to assess before finalization.
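
One way to run that practical test against an exported audit trail, as an added example rather than any vendor's tooling. The JSON Lines layout and the action names (`create`, `modify`, `delete`, `export`, `migrate`, `archive`) are an assumed schema, and the sample export is constructed.

```python
import json
from datetime import datetime

# Event names are an assumed export schema; map your vendor's action names to them.
PART11 = {"create", "modify", "delete"}              # Section 11.10(e)
ANNEX11 = PART11 | {"export", "migrate", "archive"}  # 2025 draft Clause 9

def attributed(entry):
    """True if the entry names a user and has a parseable ISO 8601 timestamp."""
    try:
        datetime.fromisoformat(entry["timestamp"])
        return bool(entry.get("user"))
    except (KeyError, TypeError, ValueError):
        return False

def coverage(jsonl):
    """Map each Annex 11 event type to 'ok', 'unattributed' or 'absent'."""
    status = {event: "absent" for event in ANNEX11}
    for line in jsonl.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or damaged lines
        action = entry.get("action") if isinstance(entry, dict) else None
        if action not in status or status[action] == "ok":
            continue
        status[action] = "ok" if attributed(entry) else "unattributed"
    return status

def gaps(status, required):
    """Event types in `required` lacking an attributed, timestamped entry."""
    return sorted(e for e in required if status[e] != "ok")

# Constructed sample export, not from a real system.
SAMPLE = """
{"action": "create", "user": "alice", "timestamp": "2026-03-02T09:14:05+00:00", "record": "REC-1"}
{"action": "modify", "user": "alice", "timestamp": "2026-03-02T09:20:41+00:00", "record": "REC-1"}
{"action": "delete", "user": "bob", "timestamp": "2026-03-03T11:02:17+00:00", "record": "REC-2"}
{"action": "export", "user": null, "timestamp": "2026-03-04T01:00:00+00:00", "record": "*"}
{"action": "archive", "user": "carol", "timestamp": "2026-03-05T16:45:30+00:00", "record": "REC-1"}
"""

if __name__ == "__main__":
    s = coverage(SAMPLE)
    print("Part 11 gaps:", gaps(s, PART11))
    print("Annex 11 draft gaps:", gaps(s, ANNEX11))
```

The sample passes the create-modify-delete scope but shows two Clause 9 gaps of different kinds: the bulk export is logged without a user, and no migration event appears at all.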

Supplier Qualification: The Part 11 Blind Spot

Part 11 does not include an explicit supplier qualification requirement. The obligation to qualify electronic system vendors flows from broader GMP requirements under 21 CFR Part 211 and the quality system regulation (now QMSR, 21 CFR Part 820). In practice, many FDA-only organizations treat vendor qualification as a soft obligation addressed through contractual representations and SOC 2 reports, rather than formal supplier audit documentation.

Annex 11 Clause 3 is explicit. Before deploying a computerized system in GxP use, the organization must either audit the supplier directly or conduct a documented supplier assessment covering the supplier's development, testing, and quality management practices. The assessment must be documented and retained. Relying solely on the vendor's self-certification or a general security audit does not satisfy the clause.

For organizations selecting an e-signature platform for both FDA and EU GMP use, this means the vendor must be able to support a Clause 3 assessment. That includes providing development lifecycle documentation, quality management system evidence, and access to technical staff who can answer assessment questions. A vendor that can only provide a SOC 2 report and a compliance whitepaper is not equipped to support a Clause 3 supplier qualification.

Practical Implications for Dual-Jurisdiction Organizations

For organizations that must satisfy both frameworks simultaneously, the compliance posture that works is:

  1. Build to the Annex 11 draft for new implementations. If you are selecting or validating a system now, use the 2025 draft as your design target. The finalization timeline is active, and the 12-to-24-month transition window means systems deployed today under Part 11 alone will need remediation shortly after the final text drops.
  2. Audit your audit trail scope against Clause 9 first. The export and archival event gap is the one most likely to require a platform-level fix rather than a SOP-level workaround. Identify whether your system logs those events now, while you still have time to evaluate alternatives or work with your vendor on a configuration change.
  3. Document supplier qualification for your existing platforms under Clause 3. If you already use a vendor for Part 11 purposes and now need to qualify that vendor for Annex 11 use, initiate the Clause 3 assessment now. Retroactive supplier qualification is possible but creates documentation gaps that inspectors will ask about.
  4. Confirm your Clause 11 periodic review schedule. Most Part 11 organizations have a change control process but no standing annual system review. Annex 11 Clause 11 requires one. If you don't have a documented schedule, the SOP can be written now and the first review date set proactively.

What to Do Before Annex 11 Finalizes

The EMA's comment period on the 2025 draft closed in October 2025. As of mid-2026, the finalization is actively in progress. Standard EU GxP transition timelines run 12 to 24 months from the date the final text is published. Organizations that begin gap assessment now are working within that window comfortably. Organizations that wait for the final text before starting will not be.

The three items to assess before finalization, in priority order:

  • Authentication at signing (Clause 12.1): Verify that your system requires a second factor at each signing event, not only at session login. This is the highest-frequency inspection point and the change with the most significant validation implications if remediation is needed.
  • Audit trail scope (Clause 9): Confirm whether export, migration, and archival actions are logged in your audit trail. If not, engage the vendor now. Platform-level changes take longer than SOP updates.
  • Supplier qualification documentation (Clause 3): Initiate the Clause 3 assessment for your current e-signature platform if you haven't yet. For new platform selections, require Clause 3 documentation as a procurement qualification criterion.

For a full walkthrough of the 2025 draft provisions and a preparation checklist, see our EU GMP Annex 11 2025 draft guide. For the foundational Part 11 requirements, see our complete FDA 21 CFR Part 11 guide.

Conclusion

Part 11 and Annex 11 share a strong technical foundation. The audit trail, access control, and electronic signature binding requirements are aligned closely enough that a well-implemented Part 11 system covers most of what Annex 11 requires. The real compliance work for dual-jurisdiction organizations is in three targeted areas: audit trail scope beyond create-modify-delete, formal supplier qualification under Clause 3, and the periodic system review requirement in Clause 11.

With finalization of the revised Annex 11 text approaching, the window for comfortable gap assessment is now, not after publication. Organizations that treat the 2025 draft as effectively final for planning purposes will be in a much better position than those waiting for the ink to dry. For a detailed look at how to prepare, start with our EU GMP Annex 11 2025 draft electronic signature guide. To see how Certivo supports both Part 11 and Annex 11 requirements in a single validated platform, visit our compliance page.
