Pharmaceutical regulations are changing – how to prepare for the upcoming EU GMP updates

The way pharmaceutical companies manage systems, documentation, and data is under renewed regulatory focus. Updates to the EU GMP guidelines are expected to clarify requirements related to digital systems, cloud-based services, and the controlled use of artificial intelligence.

Many companies are aware that regulatory changes are approaching. What is often less clear is how these changes will affect everyday operations and procedures, especially when reviewing existing systems or planning new ones.

This article outlines the upcoming updates to Chapter 4, Annex 11, and the new Annex 22, explaining what is changing and what pharmaceutical organizations should start considering as they prepare.

What are the updates about?

The upcoming EU GMP update is built around three closely connected guideline sections. Together, they reshape how pharmaceutical companies are expected to manage data, systems, and digital processes.

1. Chapter 4 is being updated with a stronger focus on data reliability and integrity. The key expectation is that information remains traceable, complete, and protected throughout its entire lifecycle.
2. Annex 11 is also being revised. It places greater emphasis on systematic lifecycle management, validation, and continuous risk management of computerized systems. In practice, this means stronger expectations for security, system oversight, audit trails, and electronic signatures, with data integrity (ALCOA+) at the core.
3. Annex 22 is entirely new. It introduces clear boundaries for the use of artificial intelligence and machine learning in the pharmaceutical industry, defining how AI can be applied in GMP-regulated activities in a controlled and compliant manner.

Why are the regulations being updated now?

Technology has evolved rapidly, while regulatory frameworks in the pharmaceutical industry have relied on more traditional operating models for a long time. This gap has made it challenging to adopt new digital solutions, even when they could improve quality, efficiency, and transparency.

The purpose of these updates is not to add complexity, but to provide clearer guidance. When regulatory expectations are better defined, pharmaceutical companies can adopt new technologies in a controlled and well-justified way, without compromising compliance, product quality, or patient safety.

“Human in the Loop” – decisions remain with people, not machines

The core message of the new AI guidance in Annex 22 is the principle of Human in the Loop. Even as automation increases and artificial intelligence is used more widely, responsibility does not shift to the system.

In GMP-critical processes, AI-supported activities must remain understandable, controlled, and explainable. Artificial intelligence must not function as a “black box” where decisions cannot be traced, justified, or consistently reproduced.

Annex 22 also clearly restricts the use of self-learning or adaptive AI in critical GMP activities. Models must be static and controlled, meaning their behaviour does not change during operation. This ensures predictable outcomes and supports product quality and patient safety.

What does this mean in everyday operations?

The update is less about individual requirements and more about a shift in mindset. Computerized systems and related documentation are no longer viewed as separate support functions, but as an integral part of the company’s quality system and day-to-day operations.

In practice, this places stronger emphasis on:

• maintaining data integrity and managing systems and documentation across their full lifecycle
• ensuring traceability of activities and actively reviewing recorded events
• implementing and assessing system changes in a controlled and structured way
• clearly defining responsibilities, even when services are provided by external partners

When will the changes take effect?

At this stage, the updates are still in draft form and are expected to be finalized during this year. More detailed timelines and possible transition periods will only become clear once the final versions are published.

That said, this does not mean companies should wait. On the contrary, now is the right time to review the current situation, build a clear understanding of potential impacts, and ensure that preparations are heading in the right direction.

How should companies approach existing systems?

Preparing for the upcoming EU GMP updates does not require immediate large-scale changes. A structured and well-planned approach is far more effective. The key is to ensure that the fundamentals are in place before the updated requirements come into force.

• Start with a GAP analysis
  Assess the current state of existing systems against the upcoming requirements and identify potential gaps that need to be addressed.
  
• Update documentation and audit trail practices
  Ensure that documentation and traceability meet the updated expectations of Chapter 4 and Annex 11, and that these practices support data integrity throughout the system lifecycle.
  
• Perform risk-based re-evaluations and requalification where needed
  Focus especially on changes that may impact product quality, data integrity, or information security.
  
• Ensure compliant use of Artificial Intelligence
  Confirm that AI models used in GMP-critical processes are aligned with Annex 22 requirements and that non-compliant models are not in use.
  
• Update key operating procedures (SOPs)
  Pay particular attention to procedures related to documentation, data security, Risk Management, Validation, lifecycle management, change control, and service provider management.
  
• Integrate system maintenance into the Pharmaceutical Quality System (PQS)
  The management of systems and related documentation must be a core part of the quality system, not a separate or isolated activity.
  
• Train the entire organization on the impact of the changes
  Ensure that different roles understand how the updates affect their responsibilities and how compliance is maintained in daily operations.

The upcoming requirements also apply to new system acquisitions

When new solutions are planned or implemented, compliance should be considered from the very beginning.

This helps ensure that product quality and patient safety requirements are met, and that systems support documentation, traceability, and information security in line with regulatory expectations. At the same time, any AI-related functionalities can be properly assessed and defined early on, avoiding the need for corrective actions later in the lifecycle.

How Feicon supports companies through the change

Feicon supports pharmaceutical companies in understanding and applying regulatory requirements in practice. Our approach is built around clarifying the overall picture; ensuring that regulatory expectations are naturally integrated into everyday operations and the company’s quality system.

We have supported our clients, for example, by:

• Training personnel to understand new regulatory requirements and their impact on daily work
• Conducting GAP analyses to assess whether systems and data management practices align with upcoming requirements, and coordinating the implementation of necessary corrective actions
• Validating large-scale systems to ensure compliance throughout their entire lifecycle, and supporting the development and updating of operating procedures (SOPs)

Would you like to learn more?

New regulatory requirements can feel demanding, but they also create an opportunity to improve quality, strengthen patient safety, and streamline operations.

Feel free to contact us to arrange a short remote discussion about your situation. The conversation is free of charge and non-binding, but it can provide valuable clarity on what the coming year is likely to require from your organization.