EU GMP Annex 22, Annex 11 and Chapter 4: AI Rules for 2026

On 7 July 2025, the European Commission, the European Medicines Agency (EMA) and the Pharmaceutical Inspection Co-operation Scheme (PIC/S) released the most significant overhaul of digital GMP rules in more than a decade: a redrafted Annex 11 (Computerised Systems), a brand new Annex 22 (Artificial Intelligence), and a revised Chapter 4 (Documentation). The joint consultation closed on 7 October 2025, and the final approved versions are expected in mid-2026. For any site that uses computerised or AI systems, these three documents will reset the inspection baseline.

This guide explains what is changing, why Annex 22 matters even if you think you do not use artificial intelligence, and how the European package converges with the United States Food and Drug Administration (FDA) enforcement trend. We also map a practical readiness path so your quality system is ready before inspectors arrive. For the deeper Annex 11 walkthrough, see our companion article on the EU GMP Annex 11 revision.

Executive Summary

Here is the short version for busy quality and regulatory leaders:

Three documents, one package. Annex 11, Annex 22 and Chapter 4 were published together and should be read together. They share a common goal: trustworthy data across the full lifecycle.
Annex 11 expands from 5 pages to 19. The revision shifts from interpretive guidance to prescriptive rules on security, identity and access management, and audit trail control.
Annex 22 is the first GMP rule for AI. It permits only static, deterministic machine learning models in critical applications and excludes generative AI and large language models from those uses.
Chapter 4 codifies ALCOA++ and data governance. Electronic signatures, hybrid records and a lifecycle data governance system are now explicit expectations.
Global alignment. PIC/S drafted the documents jointly with EMA, so the rules will land across more than 50 participating authorities, not just the European Union.
It converges with FDA. The FDA issued its first AI related warning letter in 2026 and finalised its Computer Software Assurance guidance in 2025. AI and computerised system governance is becoming a single global inspection theme.

What Changed on 7 July 2025

What is it? The European Commission opened a three month public consultation on a redrafted Annex 11, a new Annex 22, and a revised Chapter 4 of the EU GMP Guide. What should companies do? Read all three as a single framework, map the gaps against your current computerised system validation (CSV) and data integrity programs, and start remediation now rather than waiting for the final text.

The three drafts were prepared jointly by the EMA Inspectors Working Group and PIC/S to keep global standards aligned. That joint authorship is the most important structural fact in this update. It means the rules will not be a European island. Below is the confirmed timeline.

Milestone	Date	Status
Drafts published for consultation	7 July 2025	Complete
Public consultation closed	7 October 2025	Complete
Final approved versions expected	Mid-2026	Pending
Likely transition period before enforcement	After publication (to be confirmed)	Pending

Annex 11: From 5 Pages to 19

What is it? Annex 11 governs computerised systems used in GMP activities. The 2011 version was roughly 5 pages of high level, interpretive guidance. The 2025 draft expands to about 19 pages with detailed, prescriptive sections and a glossary. Why does it matter? Inspectors will now have explicit text to cite, so vague or informal controls that once passed will be harder to defend.

The revision concentrates on the areas where data integrity findings cluster. The biggest shifts are summarised below.

Focus area	What the 2025 draft expects
Audit trail	Record all user activity on GMP systems, protect the trail from alteration, and review it as part of routine work rather than only periodically
Identity and access management	Strong account control, individual accountability, and second factor authentication at the point of electronic signature; a password alone is no longer enough
Cybersecurity	Treated as a core GMP requirement, with penetration testing, timely patch management and incident response
Supplier and service provider oversight	Written agreements that define data ownership, access, security and compliance duties, plus ongoing monitoring and audits of providers
Cloud and infrastructure	Explicit expectations for cloud computing, hosted services and the shared responsibility model
Electronic signatures	Recognised, traceable and linked to the signing individual

The practical message is that computerised system validation can no longer stop at installation and functional testing. It has to extend into the security, access and data governance controls that keep a validated system trustworthy in daily use. This is where our pharmaceutical validation services and quality control services focus their work.

Annex 22: The First GMP Rule for Artificial Intelligence

What is it? Annex 22 is the first dedicated GMP framework for artificial intelligence and machine learning in the manufacture of medicinal products and active substances. Why does it matter? It draws a sharp line around what kind of AI is acceptable in critical GMP applications, and it does so before most companies have any AI governance in place.

Annex 22 applies when an AI model is used in a critical application that directly affects patient safety, product quality or data integrity. Within that scope, the draft permits only static and deterministic models. A static model does not adapt its behaviour during use by learning from new data. A deterministic model returns identical outputs when given identical inputs. Models that keep learning, probabilistic models, generative AI and large language models are excluded from critical use.

AI type	Critical GMP use under Annex 22
Static, deterministic machine learning	Permitted, with strict controls
Adaptive or self-learning models	Not permitted in critical applications
Probabilistic models	Not permitted in critical applications
Generative AI and large language models	Excluded from critical applications

For permitted models, the draft sets demanding expectations across the lifecycle:

Intended use and acceptance criteria must be defined before deployment, with a documented test plan and predefined acceptance criteria.
Independent test data must be used to demonstrate fitness for the intended use, kept separate from training data.
Explainability and performance must be evidenced; a model that cannot be explained cannot be trusted in a critical role.
Data management over training, validation and test datasets must be rigorous and traceable.
Continuous monitoring and human fallback are required, so that critical decisions can route to a qualified human operator when needed.

Chapter 4: Documentation, ALCOA++ and Data Governance

What is it? Chapter 4 governs documentation and records. The revision modernises it for electronic and hybrid environments and turns Good Documentation Practice into a structured data governance discipline. Why does it matter? It formally codifies ALCOA++ in regulation and recognises electronic signatures for the first time.

The draft glossary defines ALCOA++ as attributable, legible, contemporaneous, original and accurate, plus complete, consistent, enduring, available and traceable. The added traceable element reinforces the role of audit trails. The revision also requires a data governance system that is integrated into the pharmaceutical quality system and that covers the entire data lifecycle, regardless of format or medium.

Two further points deserve attention. First, dedicated provisions address hybrid systems that mix paper and electronic elements, which reflects the reality that most sites still operate mixed records. Second, electronic signatures are recognised as legally binding and must be traceable and ALCOA++ compliant. Together with Annex 11, Chapter 4 closes the loop between how records are created, how they are signed, and how they are protected.

PIC/S Alignment: A Global, Not Just European, Change

Because PIC/S co-authored the drafts, the same expectations will flow into the GMP guides of more than 50 participating authorities, including Health Canada, the FDA, the United Kingdom Medicines and Healthcare products Regulatory Agency, and regulators across Asia and Australasia. For a Canadian licence holder or an exporter, this matters in a very concrete way: aligning to the EU package is also a route to readiness for inspections elsewhere. The PIC/S joint consultation notice confirms the shared authorship and intent to maintain global alignment.

The FDA Convergence: AI Governance Becomes a Global Inspection Baseline

What should companies notice? The European AI rules are arriving at the same moment the FDA is acting on AI under existing law. This is not a coincidence; it is convergence. Treat AI and computerised system governance as a single global theme rather than two regional projects.

In 2026 the FDA issued its first warning letter citing the inappropriate use of AI in document creation under existing cGMP, reaching for 21 CFR 211.22(c) on Quality Unit responsibility. We analysed that case in detail in FDA's first AI warning letter and what it means for your Quality Unit. In parallel, the FDA finalised its Computer Software Assurance guidance in 2025, encouraging risk based, critical thinking led validation rather than documentation for its own sake. Read together with the FDA work on distributed manufacturing and AI/ML quality, the direction of travel is unmistakable.

Theme	European package (Annex 11, 22, Chapter 4)	FDA direction
AI in GMP	Annex 22 limits critical use to static, deterministic models	First AI warning letter under 21 CFR 211.22(c); Quality Unit accountable
Validation philosophy	Risk based CSV with stronger security and data governance	Computer Software Assurance, critical thinking over paperwork
Data integrity	ALCOA++ codified in Chapter 4; audit trail control in Annex 11	ALCOA+ and existing 21 CFR Part 11 expectations
Accountability	Human oversight and fallback required for AI	Human Quality Unit remains responsible regardless of AI use

Readiness Checklist: What to Do Before Mid-2026

Use this checklist to structure your gap assessment across all three documents:

Build a current inventory of every GMP computerised system, including cloud and vendor hosted services.
Flag any system that uses AI or machine learning, and confirm with each vendor whether the model is static and deterministic.
Review audit trail capability: completeness, protection from alteration, and routine review built into daily operations.
Strengthen identity and access management, including second factor authentication at the point of electronic signature.
Assess cybersecurity controls: penetration testing, patch management and incident response.
Update supplier and service provider agreements to define data ownership, access, security and audit rights.
Map your documentation and records against ALCOA++ and confirm electronic signature compliance.
Establish or refresh a lifecycle data governance system integrated into your pharmaceutical quality system.
Define human oversight and fallback procedures for any permitted AI application.
Document the gaps, prioritise by risk, and assign owners and target dates through your CAPA system.

Common Mistakes to Avoid

Assuming you have no AI. Machine learning is embedded in many off the shelf systems. Annex 22 applies by function, so an honest inventory comes first.
Treating the three documents separately. Annex 11, Annex 22 and Chapter 4 interlock. A gap in one usually exposes a gap in another.
Leaving audit trail review as a periodic task. The draft expects review to be part of routine operations, especially before batch release.
Relying on passwords alone for signatures. Second factor authentication at the point of signing is now the expectation.
Waiting for the final text. Remediation of access control, data governance and supplier agreements takes months. Start during the draft window.
Letting AI output reach a record without human approval. This is the exact failure the FDA cited. Keep a qualified human accountable for every GMP decision.

Frequently Asked Questions

When will Annex 11, Annex 22 and Chapter 4 become final?

The drafts were published on 7 July 2025 and the consultation closed on 7 October 2025. The final approved versions are expected in mid-2026, most likely with a transition period before enforcement.

Does Annex 22 ban artificial intelligence in pharma manufacturing?

No. Annex 22 permits static, deterministic machine learning models in critical applications, with strict controls. It excludes adaptive, probabilistic and generative models, including large language models, from those critical uses.

What does ALCOA++ mean in the revised Chapter 4?

ALCOA++ means attributable, legible, contemporaneous, original and accurate, plus complete, consistent, enduring, available and traceable. Chapter 4 codifies it and recognises electronic signatures for the first time.

Do these EU rules affect Canadian or other non-EU manufacturers?

Yes. PIC/S co-authored the drafts, so the same expectations will spread across more than 50 participating authorities. Aligning to the EU package supports readiness for Health Canada, FDA and other inspections.

How does this connect to FDA enforcement?

The FDA issued its first AI related warning letter in 2026 under existing cGMP and finalised its Computer Software Assurance guidance in 2025. The European and United States approaches converge on risk based validation, data integrity and human accountability for AI.

What is the single most important first step?

Inventory every GMP computerised system, flag anything using AI or machine learning, and confirm with each vendor whether the model is static and deterministic. Everything else builds on that inventory.

How MFLRC Can Help

MF License & Regulatory Consultants (MFLRC) helps pharmaceutical, biologics, cannabis, natural health product and medical device manufacturers prepare for these changes with practical, inspection ready deliverables, not generic checklists. Our support across this package includes:

Annex 11, 22 and Chapter 4 gap assessments that map your current state against the draft requirements and prioritise remediation by risk.
Computerised system validation and Computer Software Assurance aligned strategies that focus effort on what is critical.
AI governance and credibility documentation for static, deterministic models, including intended use, test plans and monitoring.
Data governance and data integrity frameworks built around ALCOA++ and integrated into your quality system.
SOP development, audits and mock inspections to confirm readiness before regulators arrive.

Explore our audit services and regulatory affairs, licensing and import and export support, or learn more about the firm at mflrc.com.

Need help getting ready for the 2026 EU GMP changes? Contact MFLRC for expert guidance tailored to your systems and your markets.

Book an AI Governance and CSV Readiness Assessment

Conclusion

The 7 July 2025 release of Annex 11, Annex 22 and Chapter 4 marks the moment digital and AI governance moved from good practice to formal GMP expectation. With finals expected in mid-2026 and PIC/S alignment carrying the rules across more than 50 authorities, this is a global shift, reinforced by parallel FDA action. The organisations that treat the draft window as their preparation window will walk into inspections with confidence. The ones that wait will be remediating under pressure. A focused gap assessment now is the difference between the two.

Sources and References

European Commission, Annex 22 (Artificial Intelligence) consultation guideline. health.ec.europa.eu
PIC/S, Joint stakeholders consultation on the revision of Chapter 4, Annex 11 and new Annex 22. picscheme.org
U.S. FDA, Computer Software Assurance for Production and Quality System Software (final guidance, 2025). fda.gov
U.S. FDA, 21 CFR Part 211 current good manufacturing practice for finished pharmaceuticals. ecfr.gov

EMA, EudraLex Volume 4, Good Manufacturing Practice guidelines. ema.europa.eu