Data integrity has been in regulators' spotlight for decades, and the expectations for ensuring data integrity are evolving and increasing. This is partly because of the various Data Integrity guidance documents that have been issued, but primarily due to the increasing number of inspection findings involving data integrity, reliability, and trustworthiness. Having a proper data lifecycle and data management program in place requires a mature governance data framework.
The rise in FDA 483 Observation and Warning Letter rates for data integrity violations is direct evidence of this trend. For QA, QC, and compliance professionals, understanding these trends isn't just about staying informed, but also about building proactive strategies that prevent costly regulatory actions and protect patient safety.
In 2025, both the FDA and EU regulators significantly elevated their expectations around data integrity, reflecting the increasing complexity of digital systems and the critical role of trustworthy data in pharmaceutical quality and patient safety. A summary of the most important and emerging aspects is as follows:
FDA 2025 – Key Data Integrity Focus Areas:
- Systemic Quality Culture
- FDA is shifting from isolated procedural failures to systemic issues, emphasizing the role of organizational culture in maintaining data integrity.
- Supplier and CMO Oversight
- Increased scrutiny of how companies manage contract manufacturers and suppliers, especially regarding data traceability and audit trails
- Audit Trails and Metadata
- FDA expects complete, secure, and reviewable audit trails. Metadata (e.g., timestamps, user IDs, audit trails) must be preserved and accessible.
- Remote Regulatory Assessments (RRAs)
- RRAs are now a permanent tool which requires companies to maintain data systems in an inspection-ready state at all times.
- AI and Predictive Oversight
- FDA has launched AI tools (e.g., Elsa) to identify high-risk inspection targets, increasing the need for data transparency and integrity.
- Resilient Data Systems
- Emphasis on data governance that includes accuracy, ownership, and lifecycle management. Failures should lead to learning, not repetition
To effectively navigate this newly regulatory environment, it's crucial to understand the data driving the FDA's new enforcement posture. The launch of the FDA's "radical transparency" initiative began with the release of a publicly accessible file containing over 200 recent redacted complete response letters (CRLs). This file serves as a map of the industry's most common vulnerabilities and the agency's current areas of focus.
EU 2025 – GMP Annex 11 & Chapter 4 Updates
On 7th July 2025, the European Commission, in collaboration with the Pharmaceutical Inspection Convention and the Pharmaceutical Inspection Co-operation Scheme (PIC/S), released four draft updates to EudraLex Volume 4:
- Revised and Expanded Annex 11 (Computerised Systems)
- IT Security as a core GMP requirement including firewalls, patching, and penetration testing
- Identity & Access Management controls, such as no shared accounts, smart card limitations
- Audit Trails & Electronic Signatures with stricter controls and higher expectations
- Revised Chapter 4 – Documentation
- Introduces data lifecycle management, metadata control, and hybrid system governance.
- ALCOA++ principles are now mandatory, not just best practice
- New Annex 22 – Artificial Intelligence
- Addresses AI-based decision systems in GMP environments, requiring validation, traceability, and integration into the Pharmaceutical Quality System (PQS)
- Management Responsibility
- Senior management is now explicitly accountable for system performance and data integrity
Annex 11 focuses specifically on the requirements for the use of Computerized Systems in GMP environments and the controls needed to ensure that systems are in compliance with GMP regulations. The new, draft version of Annex 11 released in 2025 reflects today's digital, cloud-integrated, and AI-assisted pharmaceutical environment with additional details in the new draft of Annex 22 on Artificial Intelligence. The draft represents the most significant overhaul to Annex 11 in over a decade. It reflects a shift toward a digitally transformed, risk-based regulatory expectation and has further aligned with the FDA's CSA Guidance, ISPE GAMP 5, ICH Q9, and ISO 27001.
The expansion of Annex 11 includes detailed infrastructure requirements and mandates for testing critical systems, aligning with the NIS2 Directive and the ISO 27001 standard. It offers a comprehensive list of directives for mandatory audit logging of all user interactions across GMP-relevant systems, which may require expensive upgrades to older systems but are critical for maintaining regulatory compliance.
The proposed update to Chapter 4 reflects a fundamental shift in how GMP documentation is conceptualized and managed. Rather than focusing solely on static documents, the revised chapter emphasizes the importance of data governance, metadata control, and system integration within the Pharmaceutical Quality System (PQS). The 2025 draft introduces the concept of the data lifecycle, requiring companies to maintain not only documents but also associated metadata, audit trails, and ownership responsibilities throughout their lifecycle. Hybrid systems, those combining paper and electronic records, are formally recognized and must be controlled under validated procedures.
While the 2011 version of Chapter 4 focused on handwritten and legible entries, the new draft mandates ALCOA++ principles and explicitly ties documentation systems into the Pharmaceutical Quality System (PQS).
Annex 22, a new document, introduces regulations regarding AI/ML systems in pharmaceutical manufacturing and applies to deterministic AI models, excluding areas such as generative AI and Large Language Models (LLMs). It recommends ALCOA++ principles, thorough validation and testing, and restrictions, although clear strategic governance principles are not its primary focus.
Conclusion
In summary, the FDA's focus on data integrity, the EU's update to Annex 11 and Chapter 4, and the newly introduced Annex 22 present both opportunities and challenges. Both regulatory bodies acknowledge the benefits of digital systems and recognize they are essential for protecting data integrity, product quality, and patient safety. However, they also signal a significant regulatory movement towards more meticulous control measures. Updates to current processes can be expensive and challenging, especially for small companies and organizations new to the use of AI in for GMP and MedTech scenarios. The entire industry must comply with regulatory requirements, and these new digital compliance standards add to the already extensive requirements set forth by the regulatory agencies.
ProPharma's information technology compliance services can help organizations assess their current state, revise risk and vendor management processes, and prepare internal stakeholders to act promptly in anticipation of additional regulatory changes that will be coming from various directions.
Author
TAGS: Quality & Compliance Data Integrity Artificial Intelligence (AI) Annex 11 Annex 22
