• There are no suggestions because the search field is empty.
Search icon
Request audit
Contact us

Inside the EudraLex Annex 22: What’s New for AI in Pharma Manufacturing and Why These Revisions Matter

Software Solutions & Services Pharma & Biotech
person-image
Ward Neefs, Life Science Consultant at QbD Group
Learn what the new EudraLex Annex 22 means for AI regulation in pharma and how it could impact your daily operations and compliance efforts.
Inside the EudraLex Annex 22: What’s New for AI in Pharma Manufacturing
8:11

The adoption of AI in the pharmaceutical industry is accelerating, but at a much slower pace than in other industries. Why? Partly, because the inherent properties of AI models, and especially machine learning models, did not fit easily into the existing regulatory framework

The newly drafted Annex 22 aims to close this gap by expanding on Annex 11 and clearly defining regulatory expectations for safe and compliant integration of AI and ML solutions in the GMP industry. This new Annex details the views of regulators on model validation, performance monitoring, data quality, and human oversight.

The introduction of Annex 22 is accompanied by updates to:

  • Chapter 4: strengthens controls around digital documentation and traceability, and
  • Annex 11: revises standards for computerized systems to reflect modern AI integration and align it with Annex 22.
Together, these revisions create a harmonized, risk-based regulatory model designed to safeguard patient safety, product quality, and data integrity in an AI-powered pharma era.

In the sections ahead, we’ll take a closer look at Annex 22, break down its key provisions, and explore what these updates will mean for day-to-day operations in the industry.
 

Annex 22: The First AI-Focused GMP Guideline

With the introduction of Annex 22, the European Commission delivers the EU’s first AI-specific GMP framework, responding directly to the growing presence of machine learning and algorithmic decision-making in pharmaceutical manufacturing.

Scope

Annex 22 defines a narrow scope for the application of static and deterministic machine learning models within the pharmaceutical industry, specifically for critical applications with a direct impact on product quality, data integrity, or patient safety.

Let’s unpack this scope further:

  • First of all, this means that AI models for non-critical applications do not need to adhere to the requirements of this annex, nor do AI models that are explicitly programmed since these are not considered Machine Learning, i.e. are not trained on data.
  • Second of all, the scope is restricted to only static deterministic models, meaning that dynamic and/or non-deterministic models are not covered by the Annex’s regulations and should be excluded from critical GMP applications.

To clarify:

  • Static models are models that “do not adapt their performance during use by incorporating new data”, hence, this closes the door for any continuous learning systems.
  • Deterministic models are models that “provide identical outputs when given identical inputs”, hence, this closes the door for any probabilistic models for which the output tends to be unpredictable.

Figure 1: visual representation of the subgroup of AI models considered to be in scope of Annex 22.

 

As an effect of this scope, Large Language Models like ChatGPT and the likes, are considered not deemed suitable for use in Critical GMP applications.

Core Requirements

Pre-development requirements

Annex 22 assigns responsibility for all documentation to the regulated user and stresses the involvement of qualified personnel throughout the model’s lifecycle.

Initially, this SME process knowledge should be distilled into a detailed intended use description that should include a thorough characterization of the model’s input data sample space and an assessment of the limitations and possible biases in the input data.

A thorough analysis of this sample space should be carried out with a division into subgroups if applicable because it is important that these are sufficiently represented in the training and testing data in order to ensure good model generalization and prevent underperformance for certain parts of the input sample space.

Additionally, the involvement of a human user in the process (human-in-the-loop) and their responsibility when interacting with an AI model should be clearly defined.

Before any acceptance testing can be performed, suitable test metrics and acceptance criteria for model performance should be defined and approved, considering that the model to be implemented should at least as performant as the current process it is replacing.

From then on, the Annex does not talk about the model selection and training process and directs its focus on test data and testing requirements.

 

Acceptance testing requirements


Test preparation

Testing should be planned and documented in an approved test plan including:

  • Intended use summary
  • Predefined metrics and acceptance criteria
  • References to test data and scripts
  • Step-by-step descriptions of testing and metric calculations

Any deviation must be documented, investigated, and justified.

Test data quality

The annex also puts a lot of emphasis on the importance of test data ‘quality’, and rightly so. To summarize, a test data set can be considered qualitative if ticking all boxes in following checklist:

  • Spans entire sample space as defined in intended use description and is representative of input data of actual use environment including any data pre-processing.
  • Contains sufficient data for all sample space subgroups to confidently estimate predefined test metrics
  • Labeled correctly (which should be meticulously verified)
  • Fully independent, meaning that the data used to test and assess model performance has no impact whatsoever on the model development, selection, training or validation process
  • Any cleaning, exclusion or artificial generation of test data is performed only if absolutely necessary and is documented and fully justified.

Test data independence

Access to test data must be controlled and traceable, with records of who accessed it, when, and how often.
Personnel involved in model training should not have access to test data. If unavoidable, a dual-review system should be in place where one person without prior access accompanies those who have seen the data.

Confidence and explainability

Finally, the acceptance of a model should consider the explainability and confidence of the model outputs. The annex expects the system to be able to capture the main features in test data that drive the decisions made by the system and that these should be reviewed for their relevance.

Additionally, the annex expects prediction or classification models to include the logging of confidence scores which, in a way, reflect the certainty and trustworthiness of the model output. Additionally, an appropriate threshold should be imposed on the confidence scores that ensures the model flags outputs as ‘undecided’ if the confidence score does not exceed the threshold.

Operational requirements

The annex mentions also some requirements for Machine Learning models during their operational use. For one, the model should be under configuration control and unauthorized changes should be prevented and detectable.

Furthermore, the entire system and process in which the model is implemented should be under change control and for any change to the model, system, process, input data, or its environment, this should be documented and evaluated for impact on model performance. In which case, retesting should be the default action and any choice to limit or omit retesting the model should be sufficiently justified.

The performance of a model can also deteriorate without the occurrence of deliberate changes such as environmental changes or unplanned input sample space changes; hence, the model should be monitored for its performance with respect to the pre-defined metrics mentioned before.

Additionally, if the model is used as input to a decision made by a human (human-in-the-loop) and if that is used as a justification for limiting the model testing, the process should be meticulously recorded and monitored.

 

Harmonized Integration: A Unified Framework

The real strength of the 2025 Eudralex revisions isn’t just in the content of Annex 22, it’s in how Annex 22, Chapter 4, and Annex 11 interlock to form a coherent, future-proof regulatory framework. Read more about the other parts here:

 

Supporting Cast: Revisions to Chapter 4 and Annex 11

Annex 22 is designed to operate in tandem with updates to two long-standing GMP chapters, each playing a critical role in managing the broader digital ecosystem that AI systems rely on.

 

Chapter 4 – Documentation

Chapter 4 has been revised to better reflect the digital-first reality of GMP operations. Key updates include:

  • New provisions for automated data capture and record generation, particularly from AI-enabled tools.
  • Stronger emphasis on traceability and auditability, ensuring that digitally generated or AI-influenced records maintain full compliance with ALCOA+ principles.
  • Integration of electronic records within the documentation system, with requirements for metadata tracking, version control, and secure access.

This revision ensures that digital documentation remains verifiable, attributable, and complete, even when generated or influenced by AI systems.

 

Annex 11 – Computerized Systems

Annex 11, which governs computerized systems within GMP environments, has been revised to reflect the sophistication of modern AI and cloud-based tools. Key updates include:

  • A clear alignment between Annex 11 and Annex 22, ensuring AI is treated as a subset of computerized systems, but one that demands unique controls and validation.
  • Enhanced focus on data integrity, particularly in hybrid systems where human and AI inputs may intermingle.
  • Updated requirements around electronic signatures, system security, data backup, and audit trails

These updates position Annex 11 as the technological backbone supporting Annex 22’s AI-specific guidance, forming a more comprehensive and forward-thinking compliance framework.

Together, they create a coherent, risk-based regulatory framework that actively governs AI use in GMP environments rather than merely tolerating it.

This integration scales the regulatory burden with the impact of the AI system on product quality, data integrity, and patient safety: a modern, flexible approach suited to emerging digital technologies.

 

Practical Impact for Pharma Stakeholders

With these changes now formalized, different stakeholders across the pharmaceutical ecosystem will need to adapt not only to new rules, but to a new mindset around AI and digital systems in GMP environments.

 

For Manufacturers and Quality Teams

  • Establish AI governance frameworks covering model selection, validation, and monitoring.

  • Adapt validation processes for iterative or non-deterministic AI systems.

  • Strengthen risk assessments, change control, and human oversight mechanisms.

For Regulatory Affairs and Compliance Professionals

  • Prepare for higher expectations around documentation completeness and traceability.

  • Ensure AI-related records meet full audit standards.

  • Enhance cross-functional collaboration between QA, IT, and data science teams.

For Technology Providers and AI Developers

  • Design systems aligned with GMP validation and lifecycle control.

  • Provide transparency and explainability tools.

  • Demonstrate awareness of Annex 22 requirements as a competitive advantage in vendor selection.

In short, compliance is no longer just about documentation; it’s about design. AI systems must be built for traceability, accountability, and auditability from the ground up.

Conclusions

The introduction of Annex 22 marks more than a regulatory update; it signals a cultural shift in how the pharmaceutical industry approaches machine learning in critical processes.

Gone are the days of treating AI as a “black box.” The European Commission has made it clear:
If AI influences patient safety, product quality, or data integrity, it must be transparent, bias-controlled, validated, traceable, and continuously monitored.

These guidelines don’t stifle innovation: they channel it responsibly, setting clear, risk-based expectations that empower companies to innovate confidently while maintaining the highest quality standards.

As other regulators worldwide look to the EU for leadership, Annex 22 could become a global benchmark for AI governance in GMP environments. Companies that prepare early — aligning systems, documentation, and quality practices — will be best positioned for compliance and for leadership in the next era of pharmaceutical manufacturing.

Ready for Annex 22: 2026? Let’s Future-Proof Your Compliance Strategy.

Don’t wait for the final release; start preparing today. Partner with QbD Group to assess your systems, validate AI models, and build a future-proof compliance strategy that keeps your organization inspection-ready.

 Need help navigating the Annex 22 revision? 

Get in touch with our compliance and validation experts.

 

Software Solutions & Services

Resources & References

[EU Commission: Stakeholders' Consultation on Eudralex Volume 4 (Annex 22, Chapter 4, Annex 11)]
[GMP Compliance News: Drafts of Annex 11, Annex 22, and Chapter 4 Released]
[NSF International: Overview of Revised EU PIC/S GMP on AI, Documentation, and Computerized Systems]
[RegASK: Summary of the EU GMP 2025 Updates on AI and Computerized Systems]
[BioSlice Blog: EU Consultation Announcement on New GMP Rules for AI in Pharma]

Stay ahead in life sciences

Keeping up with the fast-paced life sciences industry doesn’t have to be overwhelming.

Our newsletter delivers the latest insights, industry updates, and expert content directly to your inbox, helping you stay informed and make smarter decisions.

Subscribe to our newsletter
Circles-banner-short

Discover more expert content

preview_image
Whitepaper

The Essential CSV & Digitalization FAQ for Life Sciences Companies

Get clear answers to real CSV questions from clients & experts. Download our FAQ and stay compliant, audit-ready, and confident in your Software Validation Strategy.
Read More
preview_image
Whitepaper

Digitalization in the Pharmaceutical Industry: And How to Stay Compliant

Digitalization and Pharma 4.0 drive digital transformation. Explore the role of CSV in pharma's digital journey.
Read More
preview_image
Case study

Building a Unified QMS for a Non-Profit Lab Organization

A non-profit lab organization unified its quality management processes by implementing a validated SAAS QMS, enhancing compliance and efficiency across departments.
Read More
preview_image
Case study

Agile Validation Support for a Global Life Sciences Organization

Discover agile validation support for life sciences, enhancing compliance and efficiency through a scalable, on-demand model tailored to your IT validation needs.
Read More
preview_image
Whitepaper

Audit Trail Review in GxP Environments

Learn how to implement a risk-based Audit Trail review strategy to enhance software compliance in GxP environments.
Read More
preview_image
Whitepaper

A Complete Guide to Computer System Validation

This guide aims to bring context and define the necessary and appropriate strategies for the validation of computerized systems. Download now.
Read More
preview_image
Whitepaper

Digital Health - Exploring the landscape and future opportunities

This whitepaper informs you about digital health, key technology pillars, and new opportunities to anticipate future trends in your healthcare sector.
Read More
preview_image
Whitepaper

How to keep computerized systems in the operational phase

Ensure compliance and efficiency with best practices for maintaining computerized systems in the operational phase. Download our expert whitepaper now!
Read More
preview_image
Webinar

From Requirements to Code: a unified MDSW development cycle that covers all requirements

Watch our webinar on demand to master medical device software development. Learn about IEC standards, cybersecurity, AI integration, and FDA expectations.
Read More
preview_image
Whitepaper

Mobile health on the rise: exploring the regulatory landscape for reimbursement

This whitepaper will help you navigate the maze of the DTx regulatory environment, highlighting several important countries and regulations.
Read More
preview_image
Whitepaper

GAMP 5 Software Validation Approach for GMP, GCP and GLP regulations

Learn how to comply with GMP, GCP, and GLP regulations using the GAMP 5 Software Validation Approach. Download the whitepaper for more insights.
Read More
preview_image
Webinar

Getting Started: Overcoming Initial Obstacles in Medical Device Software Development

Watch our webinar on demand and learn about regulatory obstacles, MDR, AI Act, and best practices for medical device software development and market entry.
Read More
preview_image
Whitepaper

Standards and regulations for software used in Medical Devices

Explore the essential standards and regulations for software used in Medical Devices, including IEC 62304 and IEC 82304. Download now.
Read More
preview_image
Whitepaper

Annual Product Quality Review in Pharma

Want to learn more about the importance, benefits, and key challenges related to the Annual Product Quality Review in Pharma? Then read on quickly!
Read More
preview_image
Whitepaper

21 CFR Part 11 compliance checklist

Want to assess whether a computer system generates electronic records and uses electronic signatures, and whether the system complies with Part 11 of 21 CFR? Download this free checklist.
Read More
preview_image
Webinar

Second edition of GAMP 5: A Risk-Based Approach to compliant GxP Computerized Systems

This webinar on demand will tell you more about the second edition of GAMP 5.
Read More
preview_image
Webinar

Verification & Validation of Artificial Intelligence/ Machine Learning Medical Devices

Explore the impact of Artificial Intelligence and Machine Learning on medical device validation and verification processes.
Read More
preview_image
Whitepaper

GAMP categories for computerized systems: what are they and what are they for?

In this whitepaper, you will learn what GAMP is, what GAMP categories are for, and where to start if you are facing computerized systems validation.
Read More
preview_image
Whitepaper

EUDRALEX Volume 4 Annex 11 Compliance Checklist

Assess your computer system's compliance with EudraLex Volume 4 Annex 11 guidelines using our checklist. Download now for GMP assurance.
Read More
preview_image
Whitepaper

From V-model to Agile: how to embrace automation as part of the computerized system validation approach

This white paper explores why IT is shifting to agile, focuses on the prevalent Scrum methodology, and concludes with guidance on adapting system validation processes.
Read More
Discover all