EU Annex 11 Compliance: Electronic Records Requirements for GxP Systems

Any pharmaceutical, biotech, or clinical organization operating under EU GMP regulations and using computerized systems to create, process, or store GxP data must comply with EU GMP Annex 11. It is the European equivalent of FDA's 21 CFR Part 11 for electronic records, though the two frameworks differ meaningfully in scope and approach.

This guide covers what EU Annex 11 requires, how it differs from 21 CFR Part 11, and what compliance looks like in practice for quality and IT teams in regulated environments.

What is EU Annex 11?

EU GMP Annex 11 is a supplementary guideline to the EU Guidelines for Good Manufacturing Practice for medicinal products. Published by the European Commission, Annex 11 provides specific requirements for computerized systems used in GxP-regulated activities.

The current version of EU GMP Annex 11 was issued in January 2011 and became effective in June 2011. The European Commission opened a stakeholder consultation in July 2025 to update Annex 11, reflecting rapid advances in digital technologies and AI systems in pharmaceutical manufacturing. An updated version is expected in the coming years, but the 2011 version remains legally binding until a new version is published.

Annex 11 applies to all computerized systems used as part of a GMP-regulated activity. This includes manufacturing execution systems (MES), electronic batch records, laboratory information management systems (LIMS), QMS software, SCADA systems, and any other system whose data affects product quality or patient safety decisions.

EU Annex 11 vs. FDA 21 CFR Part 11: key differences

Both Annex 11 and 21 CFR Part 11 address electronic records and electronic signatures in regulated environments. Their scope and approach differ in important ways.

Scope: 21 CFR Part 11 focuses specifically on electronic records and electronic signatures. Annex 11 covers computerized systems more broadly, including system lifecycle, supplier assessment, data integrity, disaster recovery, and business continuity. Annex 11 is operationally more comprehensive.

Supplier assessment: Annex 11 explicitly requires that regulated companies assess their software suppliers, including auditing supplier quality systems where appropriate. Part 11 has no explicit supplier assessment requirement.

Risk management: Annex 11 explicitly requires a risk management approach throughout the system lifecycle. Risk-based decisions determine the depth of validation and the controls applied. Part 11 is more prescriptive in its requirements without an explicit risk management framework.

Data integrity: Annex 11 Clause 7 places significant emphasis on data integrity, including requirements for ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate) and controls to prevent unauthorized data alteration. While Part 11 addresses audit trail requirements, Annex 11 goes further in addressing the overall data governance environment.

According to SimplerQMS's comparative analysis published in 2026, Part 11 focuses on requirements for electronic records and signatures, while Annex 11 covers computerized systems more broadly, including access controls, business continuity, and supplier evaluation.

The structure of EU Annex 11

Annex 11 is organized into three sections: general, project phase (system validation), and operational phase.

General requirements

The general section establishes that risk management must be applied throughout the system lifecycle. It requires that all parties involved with computerized systems, including the regulated company, third-party suppliers, and cloud service providers, have clearly defined responsibilities documented in formal agreements.

Project phase: system validation

Annex 11 requires that all GxP computerized systems be validated. Validation must be planned, documented, and approved before system go-live. Key project phase requirements include:

Validation documentation: A validation plan, user requirements specification (URS), functional specifications where appropriate, and validation testing protocols with results. All validation activities must be documented and traceable to requirements.

Supplier assessment: The regulated company must evaluate the supplier's quality system and development practices. Where the supplier operates under a recognized quality standard (such as ISO 9001 or ISO 27001), this may reduce but not eliminate the assessment burden. For high-risk systems, on-site supplier audits may be required.

Data migration: When data is migrated from paper or legacy systems to a new computerized system, the migration must be validated. Data accuracy, integrity, and completeness after migration must be verified.

Operational phase requirements

Once a system is live, Annex 11 requires ongoing controls to maintain the validated state.

Access controls: User access must be restricted based on roles and responsibilities. The system must prevent unauthorized access, and user accounts must be managed through a formal process. Shared or generic logins are not acceptable in GxP environments.

Audit trails: Computer-generated audit trails must record all GxP-critical data creation, modification, and deletion with the identity of the operator and a timestamp. Audit trails must be retained for at least as long as the records they protect, and they must be available for review and printout.

Electronic signatures: Where electronic signatures replace handwritten signatures, they must be unique to the individual, require both an identifier and password (or equivalent), and be permanently linked to the record they authenticate. This aligns with the ALCOA principle of attributability.

Printouts: Where paper printouts of electronic records are required, they must be clearly identified as printouts and must include all relevant information, including who created the record and when.

Incident management: All system failures, including data entry errors, hardware failures, and software bugs with GxP impact, must be documented and investigated. The impact on batch records, product quality decisions, and regulatory submissions must be assessed.

Change control: All changes to a validated computerized system, including software updates, configuration changes, and infrastructure modifications, must go through a formal change notification and impact assessment process before implementation. Changes with significant impact on validated functions require re-qualification testing.

Periodic review: Validated systems must be periodically reviewed to confirm they remain in a validated state. Review frequency should be risk-based, considering the system's criticality, change history, and incident record.

Backup and recovery: Data backup procedures must be established, tested, and documented. Recovery procedures must demonstrate that backed-up data can be restored accurately. Business continuity plans must address the loss of access to computerized systems.

Archiving: When a system is retired or data archived, the organization must ensure archived data remains accessible, readable, and integrity-protected for the required retention period.

Data integrity under Annex 11

Data integrity has become one of the most scrutinized areas during EU GMP inspections. Annex 11 Clause 7.1 states that data should only be entered or amended by persons authorized to do so. Annex 11 also requires that any alteration to GxP data does not obscure the original entry. This means overwrites are not acceptable: the system must retain the original value, the new value, who made the change, when, and the reason.
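The no-overwrite rule described above, sketched as an added Python example (not taken from Annex 11 or from any vendor's code): amendments are accepted only from authorized users with a stated reason, and each one is logged with the original value, the new value, who, and when. The class name, field names, user names, and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)          # entries are immutable once written
class AuditEntry:
    field: str
    old_value: Any               # original entry stays visible
    new_value: Any
    user: str                    # who
    timestamp: str               # when (UTC, ISO 8601)
    reason: str                  # why


class GxpRecord:
    """Hypothetical record type: values change only through amend()."""

    def __init__(self, values, created_by, authorized_users):
        self._authorized = frozenset(authorized_users)
        self._values = {}
        self._trail = []
        for name, value in values.items():
            self._write(name, value, created_by, "initial entry")

    def _write(self, name, value, user, reason):
        if user not in self._authorized:
            raise PermissionError(f"{user!r} may not enter or amend data")
        if not reason or not reason.strip():
            raise ValueError("a reason for the change is required")
        stamp = datetime.now(timezone.utc).isoformat()
        self._trail.append(AuditEntry(name, self._values.get(name), value,
                                      user, stamp, reason.strip()))
        self._values[name] = value      # set only after the entry is logged

    def amend(self, name, value, user, reason):
        if name not in self._values:
            raise KeyError(name)
        self._write(name, value, user, reason)

    def current(self, name):
        return self._values[name]

    def history(self, name):
        """All entries for one field, oldest first, for audit trail review."""
        return [e for e in self._trail if e.field == name]


# Constructed sample data: one result entered, then corrected by a second user.
record = GxpRecord({"assay_result": 98.2}, "a.jones", {"a.jones", "q.smith"})
record.amend("assay_result", 99.1, "q.smith", "transcription error corrected")
```

The in-memory list only shows the shape of the record; in a deployed system the trail would sit in storage that application accounts cannot update or delete.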

The ALCOA+ framework provides the practical standard for data integrity assessment: data must be Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available.

Inspectors from the MHRA, EMA, and national competent authorities have issued a significant number of data integrity-related findings in recent years. Common findings include: audit trail features disabled or not reviewed, shared login credentials, ability to overwrite data without creating an audit record, and inadequate backup and recovery testing.

Cloud systems and Annex 11

Cloud-based SaaS systems for GxP use fall fully within Annex 11's scope. The 2011 version already addressed remote access and third-party service providers. Annex 11 Clause 17 specifically states that when using external service providers or cloud services, a formal agreement must exist covering responsibilities for computerized systems and data.

Key due diligence areas for cloud GxP systems under Annex 11 include: physical and logical data security, data residency and jurisdiction, audit trail completeness, backup procedures and recovery testing, and the vendor's own quality management system maturity.

The European Commission's 2025 consultation on updating Annex 11 explicitly cites AI systems and cloud computing as areas requiring updated guidance, according to the EU health authority consultation page.

How Cloudtheapp supports EU Annex 11 compliance

Cloudtheapp is an FDA-validated, cloud-based QMS built for GxP-regulated industries. The platform includes full audit trail functionality across all 60+ applications, role-based access controls, electronic signatures compliant with 21 CFR Part 11 and EU Annex 11 principles, and a complete validation package with every release.

For organizations managing EU GMP compliance alongside FDA requirements, Cloudtheapp provides a single validated platform covering both regulatory frameworks without requiring separate systems for each jurisdiction.

To see how Cloudtheapp addresses Annex 11 technical requirements, schedule a demo with a solutions engineer.

Frequently asked questions

Does EU Annex 11 apply to clinical trial systems?

Annex 11 primarily addresses GMP activities. Clinical trial electronic records fall under ICH E6(R3) Good Clinical Practice and specific EMA guidance on computerized systems in clinical trials. However, where a clinical site operates under GMP (such as an investigational medicinal product manufacturer), Annex 11 applies to those GMP activities.

How does Annex 11 define a computerized system?

Annex 11 defines a computerized system as a set of software and hardware components that together fulfill certain functionalities. The definition is broad enough to include standalone instruments with embedded software, networked laboratory systems, enterprise platforms, and cloud applications.

Is validation required for commercial off-the-shelf software under Annex 11?

Yes. All GxP computerized systems require validation regardless of whether they are custom-built or commercially available. Commercial software typically benefits from vendor-supplied validation documentation, but the regulated company remains responsible for demonstrating that the system is fit for its intended use in the specific environment.

What happens during an EU GMP inspection for Annex 11?

Inspectors typically request validation documentation, ask to observe audit trail functionality in the live system, review access control records, and assess whether change control has been applied to all system modifications. Data integrity is a primary focus, and inspectors may request to see audit trail reviews that were performed by quality staff during routine operations.

How often must Annex 11 periodic reviews be conducted?

Annex 11 does not specify a fixed frequency. Reviews must be conducted periodically, with the frequency determined by a risk-based assessment considering the system's criticality, change history, and incident record. Annual review is common for high-criticality systems; biennial review may be appropriate for stable, lower-risk systems.
