Annex 11 and Annex 22 Revisions: Preparing GxP Systems for EMA’s New AI and Data Integrity Rules

15 years: Since Annex 11 was last revised (2011 original)
3 docs: Coordinated revision (Chapter 4, Annex 11, new Annex 22)
Mid-2026: Expected finalization of all three revised documents

On 7 July 2025, the European Commission published draft revisions to three interconnected sections of EudraLex Volume 4, the EU Good Manufacturing Practice (GMP) guidelines. The package includes a comprehensive revision of Annex 11 on computerised systems, a brand-new Annex 22 covering the use of artificial intelligence in pharmaceutical manufacturing, and an updated Chapter 4 addressing documentation requirements in the digital era. Together, these three documents constitute the most significant update to EU GMP digital compliance requirements in over a decade.

For IT leaders, quality operations directors, and validation professionals in the pharmaceutical, biotechnology, and medical device industries, this regulatory package demands immediate attention. The revised Annex 11 expands from a slim 4-page document to a detailed 19-page framework that addresses cloud computing, cybersecurity, electronic signatures, and data integrity with far greater specificity than its predecessor. The new Annex 22 establishes, for the first time, explicit GMP requirements for the use of AI and machine learning in manufacturing environments. And the revised Chapter 4 modernizes documentation requirements to accommodate electronic records, hybrid systems, and data governance frameworks.

The stakeholder consultation period closed on 7 October 2025, and the final versions are expected in mid-2026. Organizations that begin preparation now will have the advantage of aligning their compliance programs before the final text is published.

Why These Revisions Are Happening Now

The original Annex 11 was published in 2011, when cloud computing was in its infancy, artificial intelligence was largely theoretical in manufacturing contexts, and most pharmaceutical companies still operated significant portions of their GMP-critical systems on-premises with paper-based backup processes. The regulatory landscape has changed dramatically since then.

Technology Evolution

Pharmaceutical manufacturing now relies extensively on cloud-hosted platforms, software-as-a-service (SaaS) applications, connected sensors and Internet of Things (IoT) devices, and increasingly, AI-driven process optimization and predictive analytics. The 2011 Annex 11 was simply not designed to address these technologies, and the growing gap between regulatory expectations and operational reality created compliance uncertainty for manufacturers and inspectors alike.

Data Integrity Enforcement Experience

The intervening years have seen a sustained global enforcement focus on data integrity. Regulatory authorities including the EMA, FDA, MHRA, and PIC/S have issued numerous warning letters, import alerts, and consent decrees related to data integrity failures in GMP environments. The revised Annex 11 incorporates lessons learned from over a decade of enforcement activity, codifying expectations that had previously existed only in guidance documents and inspection observations.

AI in Manufacturing

The rapid adoption of AI and machine learning in pharmaceutical process development and manufacturing has outpaced the regulatory framework. Companies are deploying AI models for process analytical technology (PAT) applications, predictive maintenance, quality prediction, and yield optimization. Without a dedicated GMP framework for AI, inspectors and manufacturers lacked a shared vocabulary and set of expectations for how these technologies should be validated, monitored, and controlled.

Annex 11 Revision: What Changed After 15 Years

The revised Annex 11 retains the fundamental principle that computerised systems used in GMP environments must be validated and controlled, but it expands the scope and specificity of those requirements substantially. The draft has grown from its original concise format to a comprehensive 19-page document that addresses modern technology architectures and data management practices.

Key New and Expanded Areas

| Topic Area | 2011 Version | 2025 Draft Revision |
|---|---|---|
| Cloud and SaaS | Not specifically addressed | Detailed requirements for qualification, data sovereignty, and service provider oversight |
| Cybersecurity | Brief mention of access controls | Comprehensive cybersecurity requirements including threat assessment, incident response, and penetration testing expectations |
| Electronic signatures | General reference to applicable regulations | Expanded guidance on e-signature implementation, biometric signatures, and signature-meaning linkage |
| Data integrity | Basic data integrity principles | ALCOA+ framework embedded throughout; explicit audit trail review requirements |
| System lifecycle | Validation-centric approach | Full lifecycle management from concept through retirement, with explicit requirements for each phase |
| Risk management | General risk-based approach encouraged | Quality Risk Management (QRM) principles mandated across all lifecycle phases |
| Data migration | Briefly addressed | Detailed requirements for migration planning, execution, verification, and documentation |

Enhanced Data Integrity and Audit Trail Requirements

Data integrity is the central theme of the revised Annex 11. The ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available) are woven throughout the document, establishing data integrity not as a separate compliance concern but as a foundational quality attribute that must be addressed at every stage of the system lifecycle.

Audit Trail Requirements

The revised Annex 11 significantly strengthens audit trail expectations. Systems must generate audit trails that capture all GMP-relevant data changes, including the identity of the person making the change, the date and time of the change, the reason for the change, and the before and after values. Critically, the revision requires that audit trails be subject to regular review. This review must be risk-based, with higher-risk data receiving more frequent and more detailed audit trail review. The revision explicitly prohibits the ability to disable or modify audit trail functionality without documented justification and appropriate approval.

Practical Impact: Many existing GMP systems generate audit trails but lack efficient tools for reviewing them. Organizations should evaluate whether their current audit trail review processes can scale to meet the enhanced expectations. Automated audit trail review tools that flag anomalous patterns, detect unusual user behavior, and prioritize review activities based on risk will become increasingly important.
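
The kind of automated review described above can be sketched as follows. This is an added example, not code from the draft Annex or from any vendor tool; the JSON field names, the risk labels, the approval id and the repeat threshold are all assumptions. It checks each entry for the attributes the revision lists (who, when, why, before and after values), flags audit trail setting changes that carry no approval, and orders findings so higher-risk data is reviewed first.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit trail, one JSON object per line. Field names,
# record paths, users and the approval id are made up for this example.
SAMPLE_TRAIL = """
{"id":1,"ts":"2026-03-02T08:14:05+00:00","user":"jdoe","action":"update","record":"batch/B-1001/assay","risk":"high","old":"98.1","new":"99.4","reason":"transcription error"}
{"id":2,"ts":"2026-03-02T08:20:41+00:00","user":"jdoe","action":"update","record":"batch/B-1001/assay","risk":"high","old":"99.4","new":"99.8","reason":""}
{"id":3,"ts":"2026-03-02T09:02:10+00:00","user":"asmith","action":"update","record":"equipment/E-7/label","risk":"low","old":"Mixer","new":"Mixer 7","reason":"rename"}
{"id":4,"ts":"2026-03-02T09:30:00+00:00","user":"admin1","action":"audit_trail_config","record":"system/lims","risk":"high","old":"enabled","new":"disabled","reason":"maintenance","approval":null}
{"id":5,"ts":"2026-03-02T11:00:00+00:00","user":"admin1","action":"audit_trail_config","record":"system/lims","risk":"high","old":"disabled","new":"enabled","reason":"maintenance complete","approval":"CC-0042"}
{"id":6,"ts":"not-a-timestamp","user":"","action":"update","record":"batch/B-1002/ph","risk":"medium","old":"6.9","new":"7.0","reason":"recalculated"}
{"id":7,"ts":"2026-03-02T13:45:12+00:00","user":"jdoe","action":"update","record":"batch/B-1001/assay","risk":"high","old":"99.8","new":"100.1","reason":"reintegration"}
"""

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}
REPEAT_THRESHOLD = 3  # assumed trigger; set it from the local risk assessment


def parse_trail(text):
    """Parse JSON-lines audit trail text into a list of entries."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def valid_timestamp(value):
    try:
        datetime.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def review_entry(entry):
    """Return the findings for one entry, judged on its own."""
    findings = []
    if not entry.get("user"):
        findings.append("missing user")
    if not valid_timestamp(entry.get("ts")):
        findings.append("invalid timestamp")
    if not (entry.get("reason") or "").strip():
        findings.append("missing reason")
    if "old" not in entry or "new" not in entry:
        findings.append("missing before/after value")
    if entry.get("action") == "audit_trail_config" and not entry.get("approval"):
        findings.append("audit trail setting changed without approval")
    return findings


def review(entries):
    """Return (entry id, risk, finding) tuples, highest risk first."""
    results = []
    edits = Counter()
    for e in entries:
        risk = e.get("risk", "high")  # unclassified data is treated as high risk
        results.extend((e["id"], risk, f) for f in review_entry(e))
        if e.get("action") == "update":
            key = (e.get("user"), e.get("record"))
            edits[key] += 1
            if edits[key] == REPEAT_THRESHOLD:
                results.append((e["id"], risk, "repeated changes to one record by one user"))
    results.sort(key=lambda r: (RISK_ORDER.get(r[1], 0), r[0]))
    return results


if __name__ == "__main__":
    for entry_id, risk, finding in review(parse_trail(SAMPLE_TRAIL)):
        print(f"[{risk}] entry {entry_id}: {finding}")
```
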

Electronic Signatures

The revised Annex 11 provides expanded guidance on electronic signature implementation. Signatures must be uniquely linked to the signing individual, capable of identifying the signer, created using means that the signer can maintain under their sole control, and linked to the data to which they relate in a manner that ensures any subsequent change is detectable. The revision also addresses the use of biometric signatures and establishes requirements for signature meaning, ensuring that electronic signatures carry the same legal and quality significance as their wet-ink counterparts.
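
The linkage property described above (signature bound to the record and to its meaning, so any later change is detectable) can be illustrated with this added example, which is not taken from the draft Annex or from any product. An HMAC with a per-signer secret stands in for a real signature scheme, and the field names, key and record are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import json

SIGNED_FIELDS = ("record_sha256", "signer", "meaning", "signed_at")


def canonical(obj):
    """Stable byte encoding so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record, signer, meaning, signed_at, signer_key):
    """Bind signer, signature meaning and time to a hash of the record."""
    manifest = {
        "record_sha256": hashlib.sha256(canonical(record)).hexdigest(),
        "signer": signer,
        "meaning": meaning,      # e.g. "reviewed" or "approved"
        "signed_at": signed_at,
    }
    tag = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    return {**manifest, "tag": tag}


def verify_record(record, signature, signer_key):
    """Return 'valid', 'signature invalid' or 'record changed after signing'."""
    manifest = {k: signature.get(k) for k in SIGNED_FIELDS}
    expected = hmac.new(signer_key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signature.get("tag", ""))):
        return "signature invalid"
    if hashlib.sha256(canonical(record)).hexdigest() != manifest["record_sha256"]:
        return "record changed after signing"
    return "valid"


# Constructed demo values; a real key would be held under the signer's control.
DEMO_KEY = b"constructed-demo-key"
DEMO_RECORD = {"batch": "B-1001", "test": "assay", "result": "99.4"}

if __name__ == "__main__":
    sig = sign_record(DEMO_RECORD, "jdoe", "reviewed", "2026-03-02T10:00:00+00:00", DEMO_KEY)
    print(verify_record(DEMO_RECORD, sig, DEMO_KEY))
    print(verify_record(dict(DEMO_RECORD, result="100.1"), sig, DEMO_KEY))
    print(verify_record(DEMO_RECORD, dict(sig, meaning="approved"), DEMO_KEY))
```
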

System Lifecycle Management Under Revised Annex 11

The revised Annex 11 moves decisively beyond the traditional validation-centric approach to embrace a comprehensive system lifecycle management framework. This aligns with the risk-based lifecycle approach advocated by GAMP 5 and the FDA’s CSA guidance, creating a more harmonized global regulatory landscape.

Lifecycle Phases and Requirements

The revision establishes explicit requirements for each phase of the system lifecycle. The concept phase requires documented intended use, preliminary risk assessment, and evaluation of regulatory requirements. During specification and design, user requirements, functional specifications, and design specifications must be documented with traceability maintained between documents. Configuration, development, and testing must follow a risk-based approach, with testing effort proportional to the risk associated with each system function. Deployment and operation require validated deployment procedures, operational qualifications, and established change control and incident management processes. Maintenance and monitoring demand ongoing performance monitoring, periodic reviews, and managed change control throughout the system’s operational life. And retirement requires documented decommissioning plans that address data retention, archival, and migration requirements.

Periodic Review

The revised Annex 11 strengthens the requirement for periodic reviews of computerised systems. These reviews must evaluate whether the system continues to operate in accordance with its validated state, whether any changes have been made that were not captured through formal change control, whether the system’s risk profile has changed since the last review, whether audit trail and data integrity controls remain effective, and whether the system’s support model (vendor support, infrastructure, and security patching) remains adequate.

Cloud, SaaS, and Outsourced Systems: New Expectations

One of the most impactful additions to the revised Annex 11 is the detailed treatment of cloud-hosted and SaaS-delivered systems. The 2011 version predated the widespread adoption of cloud platforms in GMP environments, leaving companies and inspectors to navigate this territory largely without specific regulatory guidance.

Cloud Qualification Requirements

The revised Annex 11 establishes that cloud service providers must be qualified as part of the system lifecycle. This qualification must address the provider’s quality management system and its relevance to GMP operations, data center locations and data sovereignty considerations, security controls including encryption, access management, and intrusion detection, disaster recovery and business continuity capabilities, and the provider’s change management processes and how customers are notified of changes that may affect GMP operations.

Data Sovereignty Alert: The revised Annex 11 requires that organizations maintain control over their GMP data regardless of where it is physically stored. For organizations using global cloud providers, this means understanding which data centers process and store GMP-critical data, establishing contractual requirements for data location, and ensuring that cross-border data transfers comply with both GMP and data protection requirements (including GDPR for EU-based operations).

Service Level Agreements

The revision requires formal service level agreements (SLAs) with cloud and SaaS providers that cover system availability and uptime commitments, data backup and recovery capabilities, security incident notification procedures and timelines, change management notification and approval processes, audit rights and inspection support obligations, and data return and deletion procedures upon contract termination.

Annex 22: The First GMP Framework for AI in Manufacturing

The introduction of Annex 22 represents a landmark moment in pharmaceutical regulation. For the first time, a GMP framework explicitly addresses the use of artificial intelligence and machine learning in the manufacturing of active substances and medicinal products. The annex establishes a regulatory vocabulary for AI in GMP, defines which types of AI models are permitted in different contexts, and sets out lifecycle requirements for AI model development, validation, deployment, and monitoring.

Scope of Annex 22

Annex 22 applies to AI and machine learning models that are used within computerised systems and applications with direct GMP impact. This includes models used for process control and optimization, quality prediction and release decisions, data classification and anomaly detection, predictive maintenance that affects product quality, and process analytical technology (PAT) applications.

The annex does not apply to AI used in non-GMP contexts such as administrative functions, business intelligence, or research and development activities that are not directly linked to manufacturing operations.

Which AI Models Are Permitted in GMP Environments

One of the most significant aspects of Annex 22 is its clear delineation of which types of AI models are permitted for GMP-critical applications.

| Model Type | Characteristics | GMP-Critical Use | Rationale |
|---|---|---|---|
| Static, deterministic | Fixed model parameters; same inputs always produce same outputs; no post-deployment learning | Permitted | Behavior is predictable, reproducible, and verifiable through traditional validation approaches |
| Adaptive, dynamic | Model parameters update based on new data; outputs may change over time without explicit retraining | Not permitted for critical decisions | Changing behavior makes traditional validation insufficient; continuous qualification approaches not yet established |
| Generative AI / LLMs | Large language models, generative models that produce novel outputs | Not permitted for critical decisions | Non-deterministic outputs, hallucination risk, and lack of explainability preclude use in quality decisions |

Key Distinction: The prohibition on adaptive and generative AI applies specifically to GMP-critical decision-making. Organizations may still use these technologies in supporting roles, research contexts, or non-GMP applications. The annex acknowledges that the regulatory framework for adaptive AI in GMP environments will evolve as the technology matures and appropriate continuous validation methodologies are developed.

AI Model Lifecycle: From Development to Continuous Monitoring

Annex 22 establishes a comprehensive lifecycle framework for AI models used in GMP environments. This lifecycle extends beyond traditional software validation to address the unique characteristics of machine learning models, including their dependence on training data quality and their potential for performance degradation over time.

Intended Use Definition

Every AI model deployed in a GMP context must have a clearly documented intended use that specifies the manufacturing process or quality system function the model supports, the inputs the model will receive and the outputs it will produce, the performance criteria the model must meet, the conditions under which the model is expected to operate reliably, and the boundaries of the model’s applicability.

Training Data Quality

Annex 22 places significant emphasis on the quality of data used to train AI models. Training datasets must be representative of the operational conditions the model will encounter, free from systematic biases that could affect model performance, documented with full provenance including data sources, collection methods, and any preprocessing applied, and managed under data governance controls that ensure ongoing data integrity.

Model Validation

The validation of AI models under Annex 22 follows a structured process. Performance metrics must be established before validation begins, based on the model’s intended use and the criticality of the decisions it supports. Test datasets must be independent from training data. Validation must demonstrate that the model meets its performance criteria under representative operational conditions. Edge cases and boundary conditions must be tested to establish the limits of the model’s reliable operation.

Deployment and Parallel Running

Annex 22 expects a period of parallel deployment during which the AI model operates alongside existing processes. During this period, the model’s outputs are compared with the established process to verify that the model performs consistently in the production environment. The duration of the parallel running period should be risk-based, with higher-risk applications requiring longer periods of parallel operation.

Continuous Monitoring

Once deployed, AI models must be subject to continuous monitoring. The annex requires monitoring of model performance metrics against established acceptance criteria, input data characteristics to detect data drift that could affect model reliability, output distributions to identify shifts that may indicate model degradation, and system-level health indicators including computational performance and data pipeline integrity. When monitoring detects performance degradation or data drift beyond established thresholds, the model must be removed from GMP-critical use until it is investigated, retrained if necessary, and revalidated.
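
One way to implement the monitoring decision described above, as an added example that is not from the draft Annex. The Population Stability Index is used here as the drift metric, which is an assumption (the text names no metric), as are the thresholds, the bin edges and the constructed data. Any breach of a threshold returns a decision to suspend the model from GMP-critical use.

```python
import math
from bisect import bisect_right

PSI_LIMIT = 0.2      # assumed drift threshold; take the real one from the validation record
MIN_ACCURACY = 0.95  # assumed acceptance criterion for the performance metric
EPS = 1e-4           # floor so an empty bin never yields log(0)


def bin_fractions(values, edges):
    """Share of values in each bin; edges are the fixed bin boundaries."""
    if not values:
        raise ValueError("no data in monitoring window")
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return [max(c / len(values), EPS) for c in counts]


def psi(baseline, current, edges):
    """Population Stability Index of current data against the validated baseline."""
    expected = bin_fractions(baseline, edges)
    actual = bin_fractions(current, edges)
    return sum((a - e) * math.log(a / e) for a, e in zip(actual, expected))


def monitor(baseline, window, accuracy):
    """Evaluate one monitoring window; any breach suspends GMP-critical use."""
    reasons = []
    input_psi = psi(baseline["inputs"], window["inputs"], baseline["input_edges"])
    output_psi = psi(baseline["outputs"], window["outputs"], baseline["output_edges"])
    if input_psi > PSI_LIMIT:
        reasons.append("input data drift")
    if output_psi > PSI_LIMIT:
        reasons.append("output distribution shift")
    if accuracy < MIN_ACCURACY:
        reasons.append("performance below acceptance criterion")
    return {"status": "suspend_gmp_critical_use" if reasons else "continue",
            "reasons": reasons,
            "input_psi": round(input_psi, 4), "output_psi": round(output_psi, 4)}


def spread(counts, centres):
    """Helper for the constructed data: repeat each bin centre `count` times."""
    return [c for c, n in zip(centres, counts) for _ in range(n)]


# Constructed data: a temperature input (deg C) and a predicted assay output (%).
T, A = [19, 21, 23, 25, 27], [97, 99, 101]
BASELINE = {
    "inputs": spread([5, 20, 50, 20, 5], T), "input_edges": [20, 22, 24, 26],
    "outputs": spread([10, 80, 10], A), "output_edges": [98, 100],
}
STABLE = {"inputs": spread([4, 22, 48, 21, 5], T), "outputs": spread([11, 79, 10], A)}
DRIFTED = {"inputs": spread([0, 5, 25, 40, 30], T), "outputs": spread([2, 58, 40], A)}

if __name__ == "__main__":
    print(monitor(BASELINE, STABLE, accuracy=0.97))
    print(monitor(BASELINE, DRIFTED, accuracy=0.97))
    print(monitor(BASELINE, STABLE, accuracy=0.91))
```
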

Data Governance: Training Data Pipeline Controls. Establish validated data collection, cleansing, and labeling processes with full audit trail and provenance tracking for all AI training data.

Validation: Model Performance Qualification. Design risk-based validation protocols with independent test datasets, performance metrics, and boundary condition testing specific to each AI model.

Operations: Drift Detection Infrastructure. Deploy monitoring tools that continuously evaluate input data characteristics and model output distributions against established baselines.

Change Control: Model Retraining Governance. Establish change control procedures for model retraining that include impact assessment, revalidation requirements, and parallel deployment protocols.

Chapter 4 Revisions: Documentation in the Digital Age

The revised Chapter 4 of EudraLex Volume 4 updates the fundamental documentation requirements to accommodate modern digital practices. While less technically detailed than Annex 11 or Annex 22, the Chapter 4 revisions establish important principles that underpin the entire GMP documentation framework.

Electronic Records as Primary Records

The revised Chapter 4 formally establishes that electronic records can serve as primary GMP records without the need for paper backups. This is a significant shift from previous practice, where many organizations maintained parallel paper records as a compliance safeguard. Under the revised framework, electronic records are fully acceptable as primary records provided they meet the data integrity requirements of Annex 11, the systems generating and storing them are appropriately validated, and adequate backup, recovery, and archival processes are in place.

Data Governance Framework

The revised Chapter 4 introduces a requirement for documented data governance frameworks that define data ownership, stewardship, and accountability across the organization. This governance framework must address how data quality is maintained across its lifecycle, who is responsible for data at each stage of its lifecycle, how data is classified based on its GMP criticality, how data integrity is assured across system interfaces and data transfers, and how data retention and archival requirements are determined and enforced.

Hybrid System Management

The revision acknowledges that many organizations operate hybrid environments where electronic and paper records coexist. The revised Chapter 4 requires that organizations with hybrid systems document which records exist in which format, establish clear procedures for ensuring consistency between electronic and paper versions, define which version constitutes the official record in cases of discrepancy, and maintain the same level of data integrity controls for paper records as for electronic records.

Running a Gap Analysis Across All Three Documents

Given the interconnected nature of the Chapter 4, Annex 11, and Annex 22 revisions, organizations should conduct a coordinated gap analysis that addresses all three documents simultaneously.

| Gap Analysis Area | Key Assessment Questions | Affected Systems |
|---|---|---|
| Data integrity controls | Do all GMP-critical systems enforce ALCOA+ principles? Are audit trails enabled, reviewed, and protected from modification? | All GMP computerised systems |
| Cloud provider qualification | Are cloud and SaaS providers formally qualified? Do SLAs address GMP-specific requirements? | Cloud-hosted LIMS, eQMS, MES, ERP |
| Cybersecurity posture | Has a cybersecurity risk assessment been conducted for GMP systems? Are incident response procedures in place? | All networked GMP systems |
| Electronic signature compliance | Do e-signature implementations meet the expanded requirements for uniqueness, control, and meaning? | Systems with e-signature functionality |
| AI model governance | Are any AI/ML models in use in GMP contexts? If so, are they static and deterministic? Is training data managed under data governance controls? | PAT systems, predictive maintenance, quality prediction |
| Data governance framework | Is there a documented data governance framework that addresses ownership, stewardship, classification, and lifecycle management? | Enterprise-wide |
| System lifecycle documentation | Do validation master plans and system-specific documentation align with the expanded lifecycle requirements? | All validated systems |

Building an Implementation Roadmap

Given the breadth of changes across all three documents and the expected mid-2026 finalization date, organizations should begin implementation planning now. The following roadmap provides a phased approach.

Phase 1: Awareness and Assessment (Q1–Q2 2026)

The immediate priority is ensuring that relevant stakeholders understand the scope of the changes and that a comprehensive gap analysis is conducted. Circulate the draft documents to IT, quality, validation, and manufacturing leadership. Conduct the coordinated gap analysis described above. Identify the systems and processes with the largest gaps. Estimate the resources and budget needed for remediation. Engage with technology vendors about their plans to support the new requirements.

Phase 2: Quick Wins and Foundation (Q3–Q4 2026)

Focus on changes that can be implemented quickly and on building the foundational elements needed for more complex changes. Update data governance frameworks to address the Chapter 4 requirements. Review and enhance audit trail configurations and review processes. Begin cloud provider qualification activities for existing SaaS and cloud platforms. Establish or update cybersecurity risk assessment processes for GMP systems. Inventory any AI models in use in GMP contexts and assess their compliance with Annex 22.

Phase 3: Systematic Remediation (Q1–Q3 2027)

Execute the larger remediation activities identified in the gap analysis. Update system lifecycle documentation to align with the expanded Annex 11 requirements. Implement enhanced electronic signature controls where needed. Deploy audit trail review tools and processes. Establish AI model governance frameworks including training data management, validation protocols, and continuous monitoring infrastructure. Update service level agreements with cloud providers to address GMP-specific requirements.

Phase 4: Validation and Readiness (Q4 2027 onward)

Validate the changes implemented in previous phases. Conduct internal audits to verify compliance with the final published documents. Update standard operating procedures and training materials. Build inspection readiness packages that demonstrate compliance with the new requirements. Establish continuous improvement processes to maintain compliance over time.

Looking Ahead: Positioning for EU GMP Digital Compliance

The coordinated revision of Chapter 4, Annex 11, and the introduction of Annex 22 represent a decisive step toward a modern, digitally-aware GMP regulatory framework in the European Union. For IT and quality leaders, these changes are not optional upgrades. They are compliance requirements that will shape how GMP systems are designed, deployed, operated, and monitored for the foreseeable future.

The organizations that will be best positioned are those that view these revisions not as a burden but as an opportunity to modernize their GMP digital infrastructure. The enhanced data integrity requirements create the foundation for more reliable quality systems. The cloud qualification framework enables confident adoption of modern platform architectures. The AI governance requirements establish the guardrails needed to responsibly deploy machine learning in manufacturing. And the updated documentation requirements reduce the paper burden while strengthening the actual quality of GMP records.

The window between the draft consultation and final publication is a strategic planning opportunity. Organizations that use this time to assess their gaps, build their roadmaps, and begin foundational work will be well ahead of those that wait for the final text before taking action.

Three Priority Actions for IT and Quality Leaders:

  1. Conduct the coordinated gap analysis across Annex 11, Annex 22, and Chapter 4 requirements against your current GMP computerised system landscape.
  2. Inventory AI and ML models currently in use or planned for GMP environments and assess them against Annex 22 requirements, particularly the static/deterministic requirement for critical applications.
  3. Review cloud provider qualification status for all SaaS and cloud-hosted GMP systems and initiate formal qualification activities where gaps exist.

Sakara Digital helps pharmaceutical and biotech organizations prepare for evolving GMP digital compliance requirements, including Annex 11 readiness assessments, AI governance framework design, and cloud qualification strategies. If your team is evaluating the impact of these revisions on your GMP systems, we welcome the conversation.


