What the Revised Annex 11 Means for Computerised Systems in GMP

August 25, 2025 · 4 min read

Introduction

The EU’s Annex 11, governing computerised systems in GMP environments, is undergoing its most significant revision in more than a decade. Released in draft form on 7 July 2025, the update responds to the rapid evolution of digital technologies such as cloud computing, artificial intelligence, and mobile systems. This article examines the main changes and their impact on pharmaceutical manufacturing and related industries.

Expanded Scope and Enhanced Structure

The revised Annex 11 has grown substantially, expanding from a short 5-page document into a detailed 19-page guideline with 17 chapters plus a glossary. It now explicitly covers a wider range of technologies, including:

  • Mobile applications

  • Cloud services (SaaS, PaaS, IaaS)

  • Artificial intelligence and machine learning

  • Blockchain and IIoT

  • Systems indirectly influencing product quality or data integrity

This reflects a recognition that digital tools are no longer optional but essential components of regulated manufacturing.

Structural Redefinition and Core Principles

The new structure introduces or strengthens 17 sections, such as:

  • Scope

  • Principles

  • Pharmaceutical Quality System (PQS)

  • Risk Management

  • System Requirements

  • Supplier and Service Management

  • Alarms

  • Qualification and Validation

  • Data Handling

  • Identity and Access Management

  • Audit Trails

  • Electronic Signatures

  • Periodic Review

  • Security

  • Backup

  • Archiving

  • Glossary

This reorganization emphasizes lifecycle management, accountability, and robust oversight of computerised systems.

Pharmaceutical Quality System: Central Governance

A key addition is the formal integration of computerised systems within the Pharmaceutical Quality System. This establishes clearer responsibilities for senior management, requiring oversight of deviations, change control, internal audits, and resource allocation. By embedding system governance into the PQS, Annex 11 elevates digital oversight to the same level as manufacturing and quality control processes.

Lifecycle and Risk-Based Approach

The draft places strong emphasis on lifecycle management, from system design and validation through to retirement or decommissioning. Quality Risk Management is now positioned as a central principle, requiring risk assessment and mitigation to be applied at every stage. This ensures that regulatory expectations extend beyond implementation to the entire operational life of the system.

Data Integrity and ALCOA+ Enforcement

The revision reinforces data integrity through explicit application of ALCOA+ principles—data must be Attributable, Legible, Contemporaneous, Original, Accurate, and Complete. This approach underpins requirements for audit trails, identity management, access controls, and secure electronic signatures. By making ALCOA+ a foundation, the draft aligns Annex 11 with modern expectations for reliable and tamper-evident data.

Access Control, Audit Trails, and Electronic Signatures

Several sections focus on strengthening control mechanisms:

  • Identity and Access Management: Introduces strict segregation of duties, strong authentication, and elimination of shared accounts.

  • Audit Trails: Requires tamper-evident logs that clearly link actions to individual users.

  • Electronic Signatures: Expanded requirements ensure traceability and compliance with regulatory standards.

Together, these changes increase accountability and reduce the risk of data manipulation or misuse.

Security, Backup, and Archiving

Cybersecurity receives significant attention in the new Annex 11. The draft requires organizations to implement measures such as firewalls, patch management, virus protection, penetration testing, and disaster recovery planning. Backup procedures must be validated, with restoration processes regularly verified. Archiving requirements are expanded to ensure that data remains accessible, readable, and secure for the long term.

Supplier and Service Provider Oversight

The update highlights the growing reliance on third-party services, especially cloud providers. It introduces stricter requirements for contracts, service level agreements, audits, and documentation. Importantly, while suppliers are expected to meet defined obligations, manufacturers retain ultimate accountability for compliance. This ensures that outsourcing does not dilute responsibility for product quality or patient safety.

Notable New Sections: Alarms and System Requirements

Two notable additions are the dedicated sections on Alarms and System Requirements:

  • Alarms: For the first time, Annex 11 specifies expectations for the management of alarm functions, including documentation, testing, and response procedures.

  • System Requirements: Establishes expectations for documenting and validating functional and technical specifications, strengthening the foundation for system qualification.

Both additions reflect the regulator’s desire for greater clarity and control in system design and operation.

Industry Perspectives and Compliance Implications

The draft is widely seen as the most significant update in over a decade. While it brings greater clarity on expectations for modern technologies, some in the industry have raised concerns about the prescriptive nature of the requirements. Organizations with older or legacy systems may find it challenging to retrofit compliance measures such as advanced audit trails or enhanced cybersecurity. Nonetheless, the revision reflects the reality of digital transformation in regulated environments and sets a clear direction for the future.

Next Steps: Consultation and Implementation

The draft was released on 7 July 2025, with a public consultation period open until 7 October 2025. Final adoption and enforcement are expected in mid-2026. Companies are encouraged to begin preparing now by conducting gap assessments, reviewing their quality systems, training staff, and planning validation or remediation activities. Early action will ensure a smoother transition once the new requirements take effect.

Conclusion

The updated Annex 11 represents a major step forward in aligning regulatory requirements with the digital era. By expanding its scope, reinforcing data integrity, mandating lifecycle management, strengthening cybersecurity, and formalizing supplier oversight, the draft ensures that computerised systems are fully integrated into GMP governance. Organizations that adapt proactively will be better positioned to achieve compliance, safeguard product quality, and maintain patient trust in an increasingly digitalised pharmaceutical landscape.
