Cegeka_Logo Careers Language Solutions
Back Data solutions icon

Data & AI

Discover our different data solutions to help you become a data-driven company.

 Website_Navigation_Applications

IFS

Unlock innovation and growth with IFS and Cegeka’s Managed Services.

 Business Applications

Business Applications

Transform your business with Microsoft Dynamics ERP and CRM, integrated with Microsoft’s Power Platform.

 Services
Back Website_Navigation_IT_Team_Extension_3

IT Team Extension

The best IT professionals to support your projects.

 Website_Navigation_Outsourcing-1

Outsourcing

Outsourcing your IT helps you to focus on your strategy.

 Website_Navigation_Consultancy-1

Consultancy

The right skills and attitude to support the IT projects at your office.

 Website_Navigation_Projects-1

Projects

Integrating the right digital solutions for your IT project.

 Industries
Back pharma-icon-80-80

Pharma & Life Sciences

Face the increasingly complex challenges in Pharma & life sciences with confidence.

 Insights
Back
Knowledge is our backbone

We believe in sharing our insights and expertise with you. Explore our resources and learn more about our products, services and industry trends.

 Icons_Navigation_Case Studies-1

Case Studies

Step into the world of our delighted customers and see how we helped them achieve their goals.

 Icons_Navigation_News Items-1

News

Stay in the loop with our company news, announcements, awards and events.

 Icons_Navigation_Blogs-1

Blogs

Read our latest articles on topics ranging from technology, innovation, business and beyond.

 Icons_Navigation_Webinars-1

Webinars

Be part of the action with our live or on-demand webinars, where our experts share invaluable knowledge.

 Icons_Navigation_Ebooks-1

E-books & Whitepapers

Download our guides and reports on various aspects of technology and business.

 Icons_Navigation_Events-1

Events

Find out where we are going to be next, and register for our upcoming events.

 About Us Back
shaping digital together

We work shoulder to shoulder with our clients to ensure technology drives impact when and where it matters most.

Start the journey with us Icons_Navigation_Why Cegeka

Why Cegeka

Discover why more than 2,500 clients around the world choose to work with us, and stay with us.

Icons_Navigation_Cegeka&Society

ESG at Cegeka

We turn ESG ambition into action via sustainable IT, carbon footprint reduction and an inclusive work environment.

 Icons_Navigation_Our Story

The Cegeka Story

In just over 30 years, Cegeka has grown from 30 people to a global company with 9,000 employees across 3 continents.

 Icons_Navigation_Annual Report

Annual Report

See how our work makes a difference, explore the full annual report to learn more.

More Cegeka

Our Management

Corporate News

Contact & Locations

 Back
Select language

Global   (EN)

Austria   (DE)

Belgium   (NL)

Belgium   (FR)

Denmark   (EN)

Germany   (DE)

Italy   (IT)

Romania   (EN)

Sweden   (EN)

The Netherlands   (NL)

United Kingdom   (EN)

United States   (EN)

 Let’s get in touch Cegeka_Logo Solutions Data solutions icon

Data & AI

Discover our different data solutions to help you become a data-driven company.

 Website_Navigation_Applications

IFS

Unlock innovation and growth with IFS and Cegeka’s Managed Services.

 Business Applications

Business Applications

Transform your business with Microsoft Dynamics ERP and CRM, integrated with Microsoft’s Power Platform.

 Services Website_Navigation_IT_Team_Extension_3

IT Team Extension

The best IT professionals to support your projects.

 Website_Navigation_Outsourcing-1

Outsourcing

Outsourcing your IT helps you to focus on your strategy.

 Website_Navigation_Consultancy-1

Consultancy

The right skills and attitude to support the IT projects at your office.

 Website_Navigation_Projects-1

Projects

Integrating the right digital solutions for your IT project.

 Industries pharma-icon-80-80

Pharma & Life Sciences

Face the increasingly complex challenges in Pharma & life sciences with confidence.

 Insights
Knowledge is our backbone

We believe in sharing our insights and expertise with you. Explore our resources and learn more about our products, services and industry trends.

 Icons_Navigation_Case Studies-1

Case Studies

Step into the world of our delighted customers and see how we helped them achieve their goals.

 Icons_Navigation_News Items-1

News

Stay in the loop with our company news, announcements, awards and events.

 Icons_Navigation_Blogs-1

Blogs

Read our latest articles on topics ranging from technology, innovation, business and beyond.

 Icons_Navigation_Webinars-1

Webinars

Be part of the action with our live or on-demand webinars, where our experts share invaluable knowledge.

 Icons_Navigation_Ebooks-1

E-books & Whitepapers

Download our guides and reports on various aspects of technology and business.

 Icons_Navigation_Events-1

Events

Find out where we are going to be next, and register for our upcoming events.

 About Us
shaping digital together

We work shoulder to shoulder with our clients to ensure technology drives impact when and where it matters most.

Start the journey with us Icons_Navigation_Why Cegeka

Why Cegeka

Discover why more than 2,500 clients around the world choose to work with us, and stay with us.

Icons_Navigation_Cegeka&Society

ESG at Cegeka

We turn ESG ambition into action via sustainable IT, carbon footprint reduction and an inclusive work environment.

 Icons_Navigation_Our Story

The Cegeka Story

In just over 30 years, Cegeka has grown from 30 people to a global company with 9,000 employees across 3 continents.

 Icons_Navigation_Annual Report

Annual Report

See how our work makes a difference, explore the full annual report to learn more.

More Cegeka

Our Management

Corporate News

Contact & Locations

 Global   Global EN Austria   Austria DE Belgium   Belgium NL Belgium   Belgium FR Denmark   Denmark EN Germany   Germany DE Italy   Italy IT Romania   Romania EN Sweden   Sweden EN The Netherlands   The Netherlands NL United Kingdom   United Kingdom EN United States   United States EN Careers Let’s get in touch
Home Discover our latest blogs Discover our latest blogs EU GMP Annex 11 & Annex 22: The New Compliance Reality for AI in Pharma
Business Applications
Pharma & Life Sciences
5 minutes reading

EU GMP Annex 11 & Annex 22: The New Compliance Reality for AI in Pharma

Thomas Van Dorpe

Thomas Van Dorpe

maj 06, 2026

Pharma is in the middle of its biggest regulatory shift in more than 30 years. And for the first time, regulators are directly addressing AI, with its own dedicated annex, its own governance expectations, and its own set of design constraints.

If you've heard the names Annex 11 and Annex 22 lately and felt unsure what they actually require, you're not alone. There's a lot of noise out there, and not much practical explanation. We'll break down what's changing, why it matters, and what your organization needs to think about, before you make any decisions about AI adoption.

Why this reform is different

Regulatory updates happen all the time. So why does this one deserve special attention?

Because the scope is genuinely different. The current revision tackles things regulators have never explicitly addressed in GMP before: AI model behavior, cloud accountability, data governance at the quality system level, and the full digital lifecycle of computerized systems. A few things stand out as particularly significant.

Accountability doesn't transfer when you move to the cloud. If your AI system is hosted by a vendor, built by a vendor, or running on cloud infrastructure you don't directly control, you are still accountable. You must be able to explain the system, provide evidence from your own site, and demonstrate control. That's a shift that many organizations aren't fully prepared for. Data governance now happens at the pharmaceutical quality system level, not just at the system level. This means data integrity isn't just an IT checklist item anymore, it's a quality system obligation. The direction is already clear. Both Annex 11 and Annex 22 are post-consultation and in consolidation as of early 2026, with finalization expected during 2026. Companies that are waiting for the final wording before acting are already behind. The framework is set.

Annex 11: The foundation that's often underestimated

Before any conversation about AI, there's Annex 11. And most organizations underestimate how much it matters. The original Annex 11, published in 2011, was five pages. The revised draft runs to nineteen and it's a fundamentally different document. It now covers the full system lifecycle explicitly: supplier and service management, identity and access management, security, backup and recovery, alarms, archiving, and periodic review.

What used to live in the domain of "good IT practice" is now codified as GMP obligation. That matters because AI doesn't enter a regulated environment in isolation. It enters through systems, through workflows, through cloud platforms, through access controls, through audit trails. If those foundations aren't solid, it doesn't matter how good the model is. You have a governance problem that no amount of model performance will fix.

The shift in Annex 11 also signals something important about how regulators are thinking. Validation is no longer a project deliverable, something you do once, sign off on, and file away. It's becoming ongoing lifecycle assurance. The system must remain controlled, documented, and reviewable throughout its operational life. This applies across GxP, not only GMP. Whether you're in GCP, GLP, GBP, or GDP, the core expectations are the same: patient safety, product quality, and data integrity. Annex 11 is the foundation for all of it.

Annex 22: Validating intelligence, not just software

If Annex 11 governs the system, Annex 22 governs the intelligence inside that system. And that distinction is new. For the first time in GMP, regulators are addressing how you validate model behavior, the model itself, how it performs, how it fails, what it can and cannot be trusted to do.

This is a conceptual step that many people in the industry are still getting their heads around. When an AI model starts making predictions or classifications in a regulated production process, the validation question changes: from "does this system behave correctly?" to "is this model-based outcome reliable?" And that requires a different kind of thinking. Three words matter here: predictable, auditable, explainable. If you can't demonstrate all three, you don't have a defensible AI use in GMP.

Annex 22 is not a standalone document, it sits on top of Annex 11. You need both. They were initially intended to be merged into one document, but it became clear quickly that the AI-specific requirements deserved their own dedicated annex. The separation is deliberate, but so is the connection.

The design constraint most organizations haven't internalized yet

Here's the part that tends to surprise people when they first read it carefully. For critical GMP use cases, the current draft of Annex 22 is oriented toward static, deterministic models. This means:

  • The model does not update or self-learn once released into production
  • Given the same input, it produces the same output, every time
  • Any change to the model must go through formal change control and trigger a revalidation assessment
  • Generative AI and large language models cannot serve as autonomous decision-makers in critical GMP processes

If you're planning to deploy an AI system in a critical GMP context and that system uses a self-learning or probabilistic model, you have a regulatory problem that needs to be resolved before deployment, not after.

Adaptive or generative models may still have a role in non-GxP or lower-criticality processes, but the requirements there are different. The starting point is always the same: define the intended use and risk profile first, then determine what kind of model is appropriate.

The three principles that haven't changed

Despite everything that's evolving, some things are stable. Regulators still come back to the same three fundamentals, and they apply just as directly to AI as they do to any other computerized system.

Quality must be designed in, not tested in. You can't build an AI system, watch it fail in production, and then document your way out of the problem. The controls need to be part of the design from the start.

Retrospective validation isn't allowed. If the system is already running in a regulated process without a validation package, you're already in a non-compliant situation. Getting the documentation in order after the fact doesn't make the system validated.

Each phase of the lifecycle must be controlled. This includes the parts that companies often overlook: how will the model be monitored over time? What triggers a revalidation? What happens when it's decommissioned? These questions need answers before go-live, not after.

The regulatory benchmark, when an inspector walks in is: Is the system fit for its intended use? Has it been controlled through its lifecycle? Is it at least as safe and reliable as the process it replaces?

Where to start

If you're trying to figure out what to do with all of this, here's the honest answer: start with your foundations, not with your AI ambitions. Before selecting a model or a vendor, ask whether your underlying digital environment is mature enough. If those fundamentals are shaky, AI will inherit those weaknesses, and amplify them.

From there, the next step is defining intended use with real precision, exactly which process, which decision points, which inputs and outputs, which acceptance criteria, and which humans remain in the loop. That definition is the starting point for everything else: validation scope, model selection, governance structure, and the documentation package your QA team will need to defend in an inspection. The regulation isn't trying to block AI, it's defining the conditions under which AI can be trusted. And those conditions are achievable, if you approach them in the right order.

Want to know where you stand?
Ebook - GxP Ai Readiness Assessment (1)

We built the GxP AI Readiness Checklist specifically for this moment: 50 structured questions covering regulatory compliance, validation, human-in-the-loop controls, auditability, data quality, cybersecurity, and more. It's a practical self-assessment, but it's a solid way to see where your gaps are before they surface during an inspection.

Download the GxP AI Readiness Checklist

Understanding Annex 11 and Annex 22 is the first step. The harder question is what this means in practice: Where can AI genuinely support regulated processes? Where does it need to stop? And how do you design AI workflows that stay inside GxP boundaries? 

In the next article, we move from regulation to design and look at what pharma can and cannot do with AI under Annex 22, using concrete examples to show where the line is drawn.

Read next: What Pharma Can (and Cannot) Do with AI Under Annex 22

 
Thomas Van Dorpe

Thomas Van Dorpe

More of Thomas Van Dorpe articles

Get in touch