Annex 11 Draft - First Analysis

Since 07 July 2025, three new guidance documents have been available on the EMA website in draft form, which can be commented on by the industry until 07 October 2025 - EU GMP Guidance Annex 11 “Computerised Systems”, Annex 22 “Artificial Intelligence” and Chapter 4 “Documentation”. The documents were drafted by the EMA GMP/GDP working group of inspectors together with the PIC/S and are to be published as final versions from 2026.
Annex 11 draft
Following the publication of the Annex 11 concept paper in 2022, which provided an initial insight into the expected scope of the new regulation for computerized systems, significant innovations could already be expected. The international working group under the leadership of Danish inspector Ib Alstrup has taken into account the development of modern technologies in the IT sector and refined many unclear points.
Even on first reading, it is noticeable that the division into chapters has been retained, but the individual sub-chapters have been given a clear title in italics, which significantly improves clarity.
- Section 3, on the pharmaceutical quality management system, covers not only the usual topics (deviations, changes, self-inspections) but also clarifies the responsibility of senior management to regularly review all elements that influence the proper operation of the system.
- The elements of risk management referred to in section 4. reference ICH Q9; there is also an initial reference to the IT security requirements mentioned later in the document.
- Almost one page is reserved for requirements specifications (section 6. User Requirements), which are often neglected in practice, and there - as in many other places in the document - reference is made to the possibility of using modern electronic tools to compile them.
- Section 7. deals in detail with the services of external IT companies that are widely employed today and the various requirements for their control (audit, contract, documentation), where the expected contractual regulations are mentioned with nine subsections.
- A new topic is the very detailed specification under 8. for the requirements for alarms and their verification with associated documentation, for example in the batch record. A non-erasable/deactivatable record (log) with a corresponding annotation, similar to an audit trail, is expected here.
- Qualification and validation of the computerized system (Section 9.) correspond to the regulations in the old Annex 11, but reference is made to the possibility of using an application in a limited scope even if validation has not been fully completed, provided that this is explicitly stated in the validation report.
- The risk of manual data entry instead of electronic interfaces between systems is pointed out in section 10. This section also contains an initial reference to the encryption of critical data.
- The correct management of access to computerized systems (Section 11.) is discussed in detail in a number of subsections. In 11.3 it is outlined that system access by means of a smart card, which could be used by another person, for example, is not adequate. Requirements for secure passwords can be found in 11.5; the working group limits this to the general requirements, but does not specify a minimum length or a maximum validity period for passwords, nor for the regular verification of user accounts (11.11). The need to separate administrator rights from user rights (Segregation of Duties, SoD) is briefly discussed in 11.10.
- The fact that there were no details on the management of audit trails in the old Annex 11 has been taken into account in section 12: the requirements for the technical setup and an on-time review are clarified in ten neatly structured subsections.
- Electronic signatures are addressed in Section 13, which also uses some of the definitions listed in 21 CFR Part 11 (e.g. Open Systems) and also discusses hybrid solutions.
- The periodic reviews of the systems (Section 14), which were not included in the old Annex 11, take up a lot of space. The expectations of the periodic review are listed in twelve subsections.
- It is positive that the current topic of IT security (Section 15.) is treated in detail, with clearly defined requirements for the IT infrastructure (firewalls, disaster recovery - RTO/RPO, patches, virus protection, etc.). In this context, the necessity of regular penetration tests for critical systems is also emphasized, which will unfortunately have a considerable impact on costs.
- The topic of back-up can be found in section 16 with a definition of the requirements for physical and logical separation as well as regular restore tests.
- It is most welcome that - as in the OECD GLP guidelines - the new Annex 11 addresses the archiving of data (Section 17.), as this was previously handled very briefly in the GMP regulations.
- At the end of the document there is a glossary where a large number of technical terms are explained.
Summary
With the new Annex 11 draft, the GMP/GDP working group of inspectors has found a very good starting point to amend the missing aspects of the previous regulation. Users of current IT technologies are provided with good ideas that do not go into too much detail and leave sufficient scope for pragmatic implementation within the company. This also includes references to the numerous security threats that unfortunately exist and are increasingly affecting the regulated industry.