The environment for commissioning, qualification, and validation (CQV) professionals remains defined by persistent challenges. Rapid technological advancements—most notably in artificial intelligence, machine learning, and automation—are constantly reshaping the expectations for validation. Compliance requirements are in frequent flux as agencies modernize guidance, while the complexity of novel biologics and therapies demands ever-higher standards of sterility, traceability, and process control. The shift towards digital systems has introduced significant hurdles in data management and integration, often stretching already limited resources. At the same time, organizations are expected to fully embrace risk-based, science-first approaches, which require new methodologies and skills. Finally, true validation now hinges on effective collaboration and knowledge-sharing among increasingly cross-functional and global teams.
Overlaying these challenges, three major regulatory paradigm shifts are transforming the expectations around risk management, contamination control, and data integrity. Data integrity in particular has become an international touchpoint. Since the landmark PIC/S guidance in 2021 and matching World Health Organization updates, agencies have made it clear that trustworthy, accurate, and defendable data—whether paper-based or digital—are the foundation of regulatory confidence. Comprehensive data governance, end-to-end traceability, and robust documentation are now all non-negotiable.
Contamination control is experiencing its own revolution. The August 2023 overhaul of EU GMP Annex 1 set a new benchmark for sterile manufacturing. The core concept, the Contamination Control Strategy (CCS), formalizes expectations: every manufacturer must systematically identify, map, and control contamination risks across the entire product lifecycle. From supply chain vigilance to environmental monitoring, regulators are pushing for a proactive, science-driven, and holistic approach, far beyond previous practices that too often relied on reactive measures. We this reflected in recent USP drafts as well.
Quality risk management (QRM) also has a new regulatory backbone. The ICH Q9(R1) revision, finalized in 2023, addresses long-standing shortcomings—particularly subjectivity and lack of consistency—in how risks are identified and managed. The European Medicines Agency’s ongoing revision of EudraLex Chapter 1, now aiming for finalization in 2026, will further require organizations to embed preventative, science-based risk management within globalized and complex supply chain operations. Modern products and supply webs simply cannot be managed with last-generation compliance thinking.
The EU Digital Modernization: Chapter 4, Annex 11, and Annex 22
With the rapid digitalization of pharma, the European Union has embarked on an ambitious modernization of its GMP framework. At the heart of these changes are the upcoming revisions to Chapter 4 (Documentation), Annex 11 (Computerised Systems), and the anticipated implementation of Annex 22 (Artificial Intelligence).
Chapter 4—Documentation is being thoroughly updated in parallel with Annex 11. The current chapter, which governs all aspects of documentation in GMP environments, was last revised in 2011. Its modernization is a direct response to the prevalence of digital tools—electronic records, digital signatures, and interconnected documentation systems. The revised Chapter 4 is expected to provide much clearer requirements for the management, review, retention, and security of both paper and electronic records, ensuring that information flows align seamlessly with the increasingly digital processes described in Annex 11. Together, these updates will enable companies to phase out paper where possible, provided electronic systems are validated, auditable, and secure.
Annex 11—Computerised Systems will see its most significant overhaul since the dawn of digital pharma. The new guidance, scheduled for publication and adoption in 2026, directly addresses areas that the previous version left insufficiently covered. The scope now embraces the tectonic shift toward AI, machine learning, cloud-based services, agile project management, and advanced digital workflows. For instance, close attention is being paid to the robustness of electronic signatures, demanding multi-factor authentication, time-zoned audit trails, and explicit provisions for non-repudiation. Hybrid (wet-ink/digital) records will only be acceptable if they can demonstrate tamper-evidence via hashes or equivalent mechanisms. Especially significant is the regulation of “open systems” such as SaaS and cloud platforms. Here, organizations can no longer rely on traditional username/password models; instead, compliance with standards like eIDAS for trusted digital providers is expected, with more of the technical compliance burden shifting onto certified digital partners.
The new Annex 11 also calls for enhanced technical controls throughout computerized systems, proportional risk management protocols for new technologies, and a far greater emphasis on continuous supplier oversight and lifecycle validation. Integration with the revised Chapter 4 ensures that documentation requirements and data management are harmonized across the digital value chain.
Posts on the Draft Annex 11:
- Section 4 “Quality Risk Management”
- Section 5 “Personnel and Training”
- Section 6 “System Requirements”
- Section 7 “Supplier and Service Management”
- Section 10 “Handling of Data”
- Section 11 “Identity and Access Management”
- Section 13 “Electronic Signatures”
- Section 14 “Periodic Review”
Annex 22—a forthcoming addition—artificial intelligence
The introduction of Annex 22 represents a pivotal moment in the regulatory landscape for pharmaceutical manufacturing in Europe. This annex is the EU’s first dedicated framework addressing the use of Artificial Intelligence (AI) and machine learning in the production of active substances and medicinal products, responding to the rapid digital transformation now reshaping the industry.
Annex 22 sets out explicit requirements to ensure that any AI-based systems integrated into GMP-regulated environments are rigorously controlled and demonstrably trustworthy. It starts by mandating that manufacturers clearly define the intended use of any AI model deployed, ensuring its purpose is scientifically justified and risk-appropriate.
Quality risk management forms the backbone of Annex 22. Manufacturers must establish performance metrics tailored to the specific application and product risk profile of AI, and they are required to demonstrate the suitability and adequacy of all data used for model training, validation, and testing. Strong data governance principles apply: manufacturers need robust controls over data quality, traceability, and security throughout the AI system’s lifecycle.
The annex foresees a continuous oversight regime. This includes change control processes for AI models, ongoing monitoring of performance to detect drift or failures, and formally documented procedures for human intervention where necessary. The emphasis is on ensuring that, even as AI augments or automates manufacturing processes, human review and responsibility remain central for all quality- and safety-critical steps.
By introducing these requirements, Annex 22 aims to provide sufficient flexibility to enable innovation, while anchoring AI applications within a robust regulatory framework that safeguards product quality and patient safety at every stage. Together with the updates to Chapter 4 and Annex 11, Annex 22 gives companies clear, actionable expectations for responsibly harnessing digital innovation in the manufacturing environment.
Posts on Annex 22
Life Cycle Integration, Analytical Validation, and AI/ML Guidance
Across global regulators, a clear consensus has taken shape: validation must be seen as a continuous lifecycle process, not as a “check-the-box” activity. The latest WHO technical reports, the USP’s evolving chapters (notably <1058> and <1220>), and the harmonized ICH Q14 all signal a new age of ongoing qualification, continuous assurance, change management, and systematic performance verification. The scope of validation stretches from the design qualification stage through annual review and revalidation after every significant change.
A parallel wave of guidance for AI and machine learning is cresting. The EMA, FDA, MHRA, and WHO are now releasing coordinated documents addressing everything from transparent model architecture and dataset controls to rigorous “human-in-the-loop” safeguards for critical manufacturing decisions, including the new draft Annex 22. Data governance—traceability, security, and data quality—has never been under more scrutiny.
| Regulatory Body | Document Title | Publication Date | Status | Key Focus Areas |
| EMA | Reflection Paper on the Use of Artificial Intelligence in the Medicinal Product Lifecycle | Oct-24 | Final | Risk-based approach for AI/ML development, deployment, and performance monitoring across product lifecycle including manufacturing |
| EMA/HMA | Multi-annual AI Workplan 2023-2028 | Dec-23 | Final | Strategic framework for European medicines regulatory network to utilize AI while managing risks |
| EMA | Annex 22 Artificial Intelligence | Jul-25 | Draft | Establishes requirements for the use of AI and machine learning in the manufacturing of active substances and medicinal products. |
| FDA | Considerations for the Use of AI to Support Regulatory Decision Making for Drug and Biological Products | Feb-25 | Draft | Guidelines for using AI to generate information for regulatory submissions |
| FDA | Discussion Paper on AI in the Manufacture of Medicines | May-23 | Published | Considerations for cloud applications, IoT data management, regulatory oversight of AI in manufacturing |
| FDA/Health Canada/MHRA | Good Machine Learning Practice for Medical Device Development Guiding Principles | Mar-25 | Final | 10 principles to inform development of Good Machine Learning Practice |
| WHO | Guidelines for AI Regulation in Health Care | Oct-23 | Final | Six regulatory areas including transparency, risk management, data quality |
| MHRA | AI Regulatory Strategy | Apr-24 | Final | Strategic approach based on safety, transparency, fairness, accountability, and contestability principles |
| EFPIA | Position Paper on Application of AI in a GMP Manufacturing Environment | Sep-24 | Published | Industry position on using existing GMP framework to embrace AI/ML solutions |
The Time is Now
The world of validation is no longer controlled by periodic updates or leisurely transitions. Change is the new baseline. Regulatory authorities have codified the digital, risk-based, and globally harmonized future—are your systems, people, and partners ready?
Investigations of a Dog 
4 thoughts on “Regulatory Changes I am Watching – July 2025”