In July 2025, the European Commission released draft updates to EU GMP Annex 11, Chapter 4, and introduced the new Annex 22. Together, these documents represent the single most significant development in digital GMP guidelines in at least the last 10 years. Though each annex covers a different topic – computerized systems, documentation and records, and AI-based systems – collectively, their combined message is clear: the world of life sciences digital compliance is being redefined to reflect today’s technology reality.

Since the last revision of Annex 11 in 2011, the industry has witnessed a paradigm shift. Cloud-hosting solutions, SaaS delivery models, distributed and remote access environments, mobile technologies, and early-stage AI/ML adoption have become part of everyday GMP operations. The existing GMP annex was designed for the era of on-prem systems. Validation models were fixed, and all change was controlled. Today’s systems in the life science industry are designed, deployed, and operate in a completely different way. There is no matching guidance available today. The 2025 drafts acknowledge this gap and aim to close it by raising expectations around digital maturity, governance, and accountability. 

What’s changing in Annex 11 

One of the most overt indications of this change is the scale of the Annex 11 revision itself. What was once a concise five-page guideline has expanded into a detailed 19-page standard. This is not merely a matter of length: it indicates a broader and more prescriptive approach to managing modern computerized systems over their lifecycle.

The draft significantly strengthens expectations related to infrastructure qualification and cybersecurity. By explicitly referencing frameworks such as the NIS2 Directive and ISO 27001, Annex 11 aligns GMP systems more closely with overall European cyber-resilience expectations. This signals a clear expectation that cybersecurity is no longer an IT concern operating in parallel to quality, but a core component of GMP compliance.

Audit trail requirements have also been expanded and clarified. The draft establishes specific expectations for recording all activities carried out by users on GMP-related systems, for shielding the audit trail against anyone attempting to change it, and for incorporating audit trail review into day-to-day activities rather than treating it as a periodic or reactive activity. For organizations running legacy systems, this may require structural system changes rather than procedural workarounds.

Data integrity continues to be a central theme throughout the revision. The draft reinforces controls around identity and access management, electronic signatures, system security, lifecycle documentation, and supplier and service-provider oversight. Importantly, it formalizes how computerized systems should be embedded within the Pharmaceutical Quality System (PQS), placing greater emphasis on ongoing performance reviews and system governance rather than one-time validation events. 

Notably, the new requirements include guidance on alarm management. For the first time, Annex 11 addresses alarm classification, criticality, lifecycle controls, and expectations around review and trending. This closes long-standing industry gaps where alarm oversight has often been inconsistently implemented across systems and sites.

Stronger documentation governance through Chapter 4 

Alongside Annex 11, the updated Chapter 4 plays a critical supporting role by reinforcing expectations around documentation and records. Where Annex 11 focuses on systems, Chapter 4 focuses on the data itself and how it is governed throughout its lifecycle. 

The draft tightens traceability obligations and defines expectations regarding master documentation. The ALCOA++ principles are also explicitly incorporated, reaffirming the expectation that data remain attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, and available from the time of creation through archival.

Collectively, Annex 11 and Chapter 4 reinforce a key regulatory point: digital compliance is more than isolated controls or papering over documents. It requires integrated governance across systems, data, and processes. 

Annex 22 and the new expectations for AI in GMP 

The introduction of Annex 22 is perhaps the most progressive part of the 2025 drafts. It is the first regulatory framework the EU has produced for AI systems within the pharmaceutical industry, at least with regard to manufacturing processes.

In particular, Annex 22 focuses primarily on deterministic AI models and lays down requirements for their governance, verification, and oversight when implemented within GMP environments. The annex reiterates the need for ALCOA++ principles to be incorporated into processes that use AI. In addition, it sets clear guidelines for validation and testing of AI behavior, including performance consistency and change management.

Crucially, the draft specifies limits on the use of AI technology in decision-making, indicating that supervision of these models will still be necessary. While generative AI and LLMs are currently excluded from scope, the annex acknowledges that future updates are likely as the technology matures and regulatory understanding evolves.

Rather than encouraging rapid AI adoption, Annex 22 takes a measured approach that prioritizes control, transparency, and accountability – reflecting the cautious but inevitable integration of AI into regulated manufacturing environments. 

What this signals for the industry 

Together, Annex 11, Chapter 4, and Annex 22 seem to signal a harmonized regulatory vision. The EU is establishing an expectation of greater digital sophistication, stronger data governance, standardized oversight of suppliers and cloud services, and disciplined management of AI and ML technologies. 

For many life sciences organizations, particularly those with complex legacy landscapes or limited experience with AI and cloud governance, meeting these expectations will require more than incremental updates. Documentation practices, validation models, system architectures, and quality oversight mechanisms may all need to evolve. 

At the same time, the public consultation period offers a valuable window for organizations to assess how well their current digital frameworks align with where EU GMP is heading and to plan remediation proactively rather than reactively. 

How Qualitest supports readiness and compliance 

From Qualitest’s standpoint, these drafts reinforce a shift we have seen across the industry: compliance is moving away from static validation toward continuous digital assurance. Meeting the new expectations requires a combination of regulatory insight, technical depth, and practical execution. 

Qualitest supports life sciences organizations through Annex 11 and Annex 22 readiness assessments that identify gaps across systems, data integrity, cybersecurity, documentation, and AI governance. Our risk-based digital validation frameworks help organizations modernize CSV practices in line with evolving regulatory thinking, while our data integrity and AI assurance accelerators enable scalable, repeatable compliance across global operations. 

By combining deep life sciences domain expertise with AI-powered testing, continuous monitoring, and supplier oversight models, Qualitest helps organizations translate regulatory change into operational resilience. The goal is not just compliance in the next inspection cycle, but building digital foundations that can adapt as technology and regulation continue to evolve.

As the EU GMP framework enters this new phase, organizations that act early will be best positioned to balance innovation with compliance. With the right assurance partner, this regulatory shift becomes less about managing risk and more about enabling confident, controlled digital transformation.