EU GMP Annex 11

Best for: Pharmaceutical manufacturers, CMOs, and CROs operating computerized systems in EU GMP-regulated facilities. If you manufacture medicinal products for the EU market, or export finished products or APIs to EU member states, Annex 11 applies to every computerized system involved in manufacturing, quality control, and batch release. No company size or revenue threshold applies.

Mandatory: Mandatory for pharmaceutical manufacturers in/exporting to EU
Who validates: EMA/national authority GMP inspection · No self-assessment
Renewal: No fixed cycle; tied to GMP inspection schedule
Scope: Computerized systems in pharmaceutical manufacturing and QC

๐Ÿ› European Commission, published within EudraLex Volume 4 (EU Guidelines for Good Manufacturing Practice). Enforcement is carried out by national competent authorities (e.g., MHRA in the UK pre-Brexit, BfArM/ZLG in Germany, ANSM in France) and coordinated through the European Medicines Agency (EMA). ยท EU GMP Annex 11 (2011) Official source โ†’

Get Started

module "..." {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Trail Completeness: Seven CloudTrail controls verify regional coverage, read/write event capture, S3 object-level logging, and security trail configuration. Together they map directly to the system-generated audit trail requirements in Annex 11 Section 9.
  • Encryption at Rest: Five controls check encryption on API Gateway caches, backup recovery points, CloudTrail log files, CodeBuild artifacts, and CodeBuild S3 logs, with KMS customer-managed key usage validated where applicable.
  • Encryption in Transit: Two controls confirm that CloudFront distributions enforce encryption to custom origins and reject deprecated SSL protocols (SSLv3, TLSv1.0).
  • Backup and Recovery: Three controls confirm that backup plans meet 35-day minimum retention, recovery points are not prematurely expired, and manual deletion of recovery points is disabled.
  • Configuration Management: Validates that AWS Config is enabled in all regions and that the configuration recorder delivers logs without failure.

What you handle

  • Audit Trail Completeness: Identify which S3 buckets contain GMP-relevant data. Write the audit trail review procedure, train QA staff on it, and document the scope rationale in your validation records.
  • Encryption at Rest: Key management procedures, rotation schedules, IAM-based key access restrictions, and a documented encryption strategy tied to your system risk assessment per Annex 11 Section 1.
  • Encryption in Transit: Application-layer communications, VPN tunnels, and data exchange interfaces with contract partners fall outside this benchmark. Document permitted cryptographic protocols in your system security policy.
  • Backup and Recovery: Periodic restoration testing and documentation per Section 7.2. Confirm retention periods match your product-specific requirements, which may exceed 35 days for products with long shelf lives. Maintain a business continuity plan per Section 16.
  • Configuration Management: Build a formal change control procedure per Section 10 that integrates AWS Config data into your change assessment process. Document configuration baselines for validated systems and complete impact assessments before changes are approved.

Controls by Category

Audit Trail (Section 9) (1 control)

Incomplete audit trail coverage is the most common Annex 11 finding in cloud environments. Section 9 requires a system-generated record of all GMP-relevant changes and deletions, capturing who changed what, when, the old and new values, and why. Missing S3 object-level logging or gaps in multi-region trail coverage leave no traceable history for GMP-critical data stores, which inspectors will flag as a direct deficiency.
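The Section 9 gaps named above, as an added example in Python (not compliance.tf's own Terraform controls): it evaluates a trail description shaped like the CloudTrail DescribeTrails and GetEventSelectors API responses and reports which of the page's audit-trail expectations are unmet. The trail, the event selectors and the GMP bucket names are constructed assumptions.

```python
# Added example (not compliance.tf code): evaluate one CloudTrail trail against the
# Annex 11 Section 9 audit-trail expectations described on this page. The input
# dictionaries follow the shape of the CloudTrail DescribeTrails and
# GetEventSelectors API responses (classic event selectors only; advanced event
# selectors are not handled here). The sample trail and bucket names are constructed.

GMP_BUCKETS = ["gmp-batch-records", "gmp-qc-lims-exports"]  # hypothetical bucket names


def audit_trail_findings(trail, event_selectors, gmp_buckets=GMP_BUCKETS):
    """Return a list of gaps; an empty list means every check passed."""
    findings = []
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail is single-region: activity in other regions leaves no history")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file validation disabled: edits to archived logs are undetectable")
    if not trail.get("KmsKeyId"):
        findings.append("log files are not encrypted with a customer-managed KMS key")

    covered = set()  # buckets whose object-level (data) events are captured
    for selector in event_selectors:
        if selector.get("ReadWriteType") != "All":
            findings.append(f"selector captures {selector.get('ReadWriteType')} events only; "
                            "Section 9 needs both reads and writes")
        for resource in selector.get("DataResources", []):
            if resource.get("Type") != "AWS::S3::Object":
                continue
            for arn in resource.get("Values", []):
                if arn == "arn:aws:s3:::":  # CloudTrail wildcard meaning every bucket
                    covered.update(gmp_buckets)
                else:  # a prefix-scoped value is counted as covering its bucket
                    covered.add(arn.removeprefix("arn:aws:s3:::").split("/", 1)[0])
    for bucket in gmp_buckets:
        if bucket not in covered:
            findings.append(f"no S3 object-level logging for GMP bucket {bucket}")
    return findings


# Constructed sample: multi-region and validated, but no KMS key and one GMP bucket
# missing from the data-event selector, so two findings are expected.
SAMPLE_TRAIL = {"Name": "gmp-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}
SAMPLE_SELECTORS = [{"ReadWriteType": "All", "IncludeManagementEvents": True,
                     "DataResources": [{"Type": "AWS::S3::Object",
                                        "Values": ["arn:aws:s3:::gmp-batch-records/"]}]}]

if __name__ == "__main__":
    for finding in audit_trail_findings(SAMPLE_TRAIL, SAMPLE_SELECTORS):
        print("FINDING:", finding)
```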

Data Integrity and Encryption at Rest (Sections 7.1, 7.2) (4 controls)

When examining cloud-hosted validated systems, inspectors ask to see evidence that stored data is protected with customer-managed keys, not default service encryption. Sections 7.1 and 7.2 require controls that maintain data integrity throughout the retention period, which extends to backups and log archives. Build artifacts and cached API responses are frequently overlooked gaps that surface during inspection.

Data Storage and Business Continuity (Sections 7.2, 16) (1 control)

Expect requests for backup retention policy documentation, restoration test records, and confirmation that backup data cannot be manually deleted or tampered with. Section 7.2 requires regular backups with integrity checks and restoration capability; Section 16 requires business continuity arrangements. A 35-day minimum retention aligns with typical batch review and release timelines, but validate this period against your own product lifecycle requirements.

Monitoring and Incident Management (Section 13) (1 control)

The first thing an assessor checks here is whether alarms actually do something. Section 13 requires incident reporting, assessment, and root cause identification. A CloudWatch alarm with no configured action is invisible to your incident management process and provides no defensible evidence during inspection.

Additional Controls (40)

21 CFR Part 11 — 🟢 High overlap (65%)

FDA 21 CFR Part 11 addresses electronic records and electronic signatures in FDA-regulated industries. The two frameworks share substantial overlap on audit trails, data integrity, and access control. Annex 11 is broader in scope, covering business continuity, periodic evaluation, and supplier management for computerized systems, which Part 11 does not explicitly require.

NIST 800-53 Rev 5 — 🟡 Medium overlap (35%)

NIST 800-53 Rev 5 provides general security and privacy controls that map to Annex 11 requirements for access control (Section 12), audit trails (Section 9), and change management (Section 10). The overlap is partial because NIST does not address pharmaceutical-specific requirements like batch release or periodic system evaluation.

ISO/IEC 27001:2022 — 🟡 Medium overlap (30%)

ISO 27001:2022 Annex A controls for cryptography, logging, and change management share some requirements with Annex 11 Sections 7, 9, and 10. However, ISO 27001 is an information security management system standard and does not address GMP-specific data integrity expectations like ALCOA+ principles.

Frequently Asked Questions

Does Annex 11 apply to cloud-hosted systems, or only on-premise infrastructure?
Annex 11 applies to any computerized system used in GMP operations regardless of hosting model. Cloud-hosted systems (AWS, Azure, GCP) fall fully within scope. Section 3.4 explicitly addresses the use of service providers, requiring a formal agreement defining responsibilities and the ability for the regulated company to audit or inspect the provider. In practice, your cloud landing zone configuration, encryption settings, and logging are all subject to inspection.
How does Annex 11 enforcement differ from a certification audit like ISO 27001?
There is no Annex 11 certification. Compliance is assessed during routine GMP inspections by national competent authorities. Inspectors review your computerized system inventory, validation documentation, audit trail configurations, and data integrity controls as part of the broader GMP inspection. Non-compliance findings are recorded as GMP deficiencies (critical, major, or other) and can result in warning letters, restricted or suspended manufacturing licenses, or product recalls.
What is the relationship between Annex 11 and GAMP 5?
Annex 11 is the regulation. GAMP 5 (Good Automated Manufacturing Practice) is an industry guidance document published by ISPE that provides a risk-based approach to achieving compliance with Annex 11 and 21 CFR Part 11. It assigns software to categories (1, 3, 4, 5) so that validation effort scales with risk. Regulators reference GAMP 5 frequently, but it carries no legal force on its own.
How do the 20 AWS controls in this benchmark map to Annex 11 sections?
The controls map primarily to five Annex 11 sections. Section 9 (Audit Trails) is covered by CloudTrail controls. Sections 7.1 and 7.2 (Data Storage and Integrity) map to encryption-at-rest and backup controls. Section 12.1 (Security) maps to encryption-in-transit controls. Section 10 (Change and Configuration Management) maps to AWS Config controls. Section 13 (Incident Management) maps to CloudWatch alarm controls. These are infrastructure-level checks. Application-layer validation, SOPs, and user access management require separate assessment.
Is a 35-day backup retention period sufficient for Annex 11 compliance?
It depends on the data type and product lifecycle. Annex 11 Section 7.2 requires backups at regular intervals but does not prescribe a specific retention period. EU GMP Chapter 4 requires batch documentation to be retained for at least one year after expiry of the batch, which can mean 5 or more years for some products. The 35-day minimum in these controls is a baseline for operational recovery, not a substitute for long-term archival retention. Define retention periods based on your own risk assessment and product portfolio.
