Annex 11 Is About to Get Four Times Longer: What the EU's 2026 Rewrite Means for APAC Pharma
May 20, 2026
The European Commission opened consultation on the revised EU GMP Annex 11 back in July 2025. It closed on 7 October. The final text lands mid-2026. If this is the first you're hearing of it, you're not alone, and that's part of the problem.
Most quality teams in the region treated it as a European matter. It isn't. If you ship into Europe, manufacture under contract for a European MAH, or benchmark to PIC/S like everyone eventually does, this rewrite is going to reach your validation lifecycle, your cybersecurity setup, your cloud contracts, and whatever AI you've quietly let into a GxP process.
We're having this conversation with nearly every CSV and QA client right now. Here's the short version.
Why a rewrite, and why now
Annex 11 was last finalised in 2011. Think about what your IT estate looked like then. Cloud-hosted QMS, SaaS safety databases, AI-assisted batch review, software that updates itself every fortnight, none of it existed in any regulated sense. The guidance has been straining against reality for years.
Three documents are moving together:
Annex 11, Computerised Systems, revised
Annex 22, Artificial Intelligence, brand new
Chapter 4 of EudraLex Volume 4, Documentation, revised
The drafting was a joint effort between the EMA GMP/GDP Inspectors Working Group and PIC/S. That second name is the one to watch. PIC/S spans 59 jurisdictions, HSA Singapore and TGA Australia among them. When PIC/S settles on a position, the rest of Asia tends to fall in line within two years. The revised Annex 11 runs about four times the length of the old one. That number alone should tell you how much is changing.
What actually moves
The principles you already know mostly survive. These are the parts that shift:
Risk management goes through the lifecycle, not the project phase. You assess risk at selection, watch it through operation, and review it again at decommissioning. The one-and-done validation report is finished.
Cybersecurity becomes a core GMP requirement. The 2011 text barely touches it. The new draft wants a documented risk framework, penetration testing on critical systems, real patch management, an incident response plan, encryption, and RTO/RPO targets. For most manufacturers we deal with, this is where the biggest hole is.
AI gets its own Annex. Annex 22 spells out intended use, training data quality, performance metrics, ongoing monitoring, and human review. If you've let an AI module into release decisions, deviation triage, or signal detection, that's now a compliance obligation, not a side project.
Cloud and SaaS are squarely in scope. You remain accountable, full stop. Supplier qualification, vendor audits, data integrity clauses in the contract, change notification, all of it stops being optional.
Documentation gets rewritten alongside. Chapter 4 pulls hybrid and electronic records into one data governance approach, and audit trail review shifts toward review-by-exception on critical parameters, before release, not as a quarterly tidy-up.
Where teams are already going wrong
Three patterns keep showing up.
First, the "it's an EU rule" shrug. It's a PIC/S rule in everything but name, which means HSA, NPRA, CDSCO and the rest will be reading from it soon enough. Inspections in the region have already tightened on data integrity and audit trails through 2025. Cybersecurity and AI are next in the queue.
Second, parking cybersecurity with IT and walking away. Under the revised Annex 11, QA owns the GMP consequences of a breach the same way it owns a deviation on the line. If your QA lead can't describe the pen-testing schedule, that gap is going to surface in front of an inspector.
Third, assuming your AI footprint is too small to matter. We've heard "we don't really use AI" more times than we can count, usually right before someone mentions the anomaly detection in their MES or the case intake in their PV system. Annex 22 covers all of it.
What to do now, not in 2026
The working assumption is a 12- to 18-month transition once the text publishes. Sounds comfortable. It isn't, given the scope.
Where we'd start:
Inventory every computerised system in scope, including the GxP spreadsheets, the cloud apps IT doesn't know about, and any AI buried inside a vendor product
Gap-assess against the draft, weighted toward cybersecurity, lifecycle documentation, periodic review, and supplier oversight
Map your AI and ML footprint to Annex 22, with documented intended use, data lineage, metrics, and a human oversight model for each one
Re-read your cloud and SaaS contracts for audit rights, change notification, data integrity, and security
Rewrite your CSV framework and SOPs so they support lifecycle risk management instead of a single project-phase pass
Get QA, IT, and Information Security working from one shared model
If your SOPs still describe a one-time IQ/OQ/PQ with no periodic review of cloud systems, no AI governance, and no cybersecurity assessment, those documents will block everything else before you start.
How we help
Our Annex 11 readiness work tends to run in four stages:
A gap assessment across Annex 11 and Annex 22, benchmarked to where PIC/S inspectors are actually pushing this year
An updated CSV and QMS framework, including the SOPs, risk matrices, periodic review templates, and supplier procedures built for the new lifecycle model
Hands-on support on live validations, cloud vendor qualifications, and AI documentation, so your first Annex 11-aligned project isn't trial and error with an auditor watching
Training for QA and IT as working sessions, not slide decks, because nobody picks up risk-based thinking from a lecture
Platform and geography don't matter to us. We've done this on-premises and cloud-native, for single-site SMEs and multi-country MAHs. The approach carries over.
If you do one thing this quarter
Pull your most recent GxP validation package and count how many of these it actually evidences: lifecycle risk assessment, cybersecurity controls and testing, supplier qualification depth, a periodic review schedule, audit trail review by exception, and AI governance where it applies.
If you can't get past three, that's the gap this rewrite exists to expose. It only gets more expensive to close once the final text drops mid-2026.
The official EU consultation page, drafts included, is here: https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en
When you're ready, talk to us at https://valina-services.com/contactus.php, and we'll run an Annex 11 and Annex 22 readiness assessment against your systems, your vendors, and the regulators you actually answer to.
This article is general information, not regulatory advice. Always consult qualified professionals on your specific compliance requirements.
By Dr Suhanya Parthasarathy, PhD