After fourteen years, the EU's rulebook for computerised systems is being rewritten — and it grew from five pages to nineteen. If you are buying or validating an ERP, the draft already tells you where to build.
For fourteen years, a five-page annex governed every computerised system used in EU-regulated manufacturing. EU GMP Annex 11, last revised in 2011, predates the cloud ERP most Life Sciences companies now run, predates the audit-trail expectations inspectors now apply, and predates AI entirely. In July 2025 the European Commission and PIC/S published a draft revision that closes all three gaps at once. It is not a refresh. The annex expands from five pages to nineteen, and for an ERP buyer it reads less like a compliance update than a specification for what to build.
The draft went out for consultation that closed in October 2025. Final text is expected around mid-2026, with a transition period likely running into 2027. That timeline matters less than it looks, because the durable expectations are already legible in the draft — and an ERP you select or validate this year will still be in service when the rule lands. Designing to the draft is not premature. Waiting for the final text is.
Data integrity moved to the center. The 2011 annex treated data integrity as one concern among many. The revision makes it the organizing principle, with far more explicit expectations around attributability, completeness, the audit trail, and the lifecycle of a record from creation to retention. For an ERP, that is not abstract: it is a direct statement about how your system must record who did what, when, and on the basis of what authority — and whether you can produce that record on demand.
Lifecycle and periodic review are now expected, not implied. The revision treats a computerised system as something you keep in a validated state, not something you validate once at go-live. Configuration management, change control, and periodic review are spelled out. For a platform like Dynamics that ships a release wave twice a year, this is the difference between a validation that ages out and one that is maintained against a baseline.
Cloud and suppliers are explicitly in scope. The original annex barely contemplated outsourced infrastructure. The draft addresses cloud service providers and the supplier relationship directly, with expectations about how you assess and govern the third parties that run or touch your system. If your ERP is SaaS, your vendor is now part of your compliance posture in a way the old annex never articulated — and your supplier assessment of that vendor becomes an artifact an inspector can ask for.
AI and machine learning appear for the first time. The revision acknowledges AI/ML systems within computerised-systems expectations, which ties Annex 11 to the parallel draft of Annex 22 on artificial intelligence. An ERP that now ships AI agents is squarely inside this. The expectation is the familiar one — human oversight, attribution, an audit trail you can defend — applied to a new kind of actor.
System alarms, security, and configuration get sharper. The draft elaborates on areas the 2011 text left thin: alarms and their handling, access security, and the management of configuration over a system's life. These are exactly the areas where ERP implementations tend to go quiet, and exactly the areas where the revision now expects evidence.
The single most useful fact about the 2026 Annex 11 draft is that it does not stand alone. It is explicitly aligned to FDA's Computer Software Assurance thinking, to GAMP 5 Second Edition, to ICH Q9 on quality risk management, and to ISO 27001 on information security. That alignment is a gift to anyone building once for a global posture. A risk-based, design-stage validation approach that satisfies CSA in the United States now also satisfies the direction of EU expectation. You are not maintaining two methodologies for two regulators. You are building one defensible system and presenting it two ways.
This is the practical reason not to wait for the final text. The principles the revision is converging on — data integrity by design, lifecycle maintenance, supplier governance, human oversight of automation — are stable across every draft and every adjacent framework. The wording will move. The posture will not.
Do not treat Annex 11 as a document your validation consultant reads after go-live. Treat it as input to selection and configuration, before the decisions are made.
Assess your ERP vendor as a supplier, in writing, and keep the assessment — for a cloud platform, that means understanding the shared-responsibility boundary and what evidence the vendor will give you. Configure for data integrity rather than retrofitting it: attribution, an immutable audit trail, enforced segregation of duties, and electronic signatures bound to records, set up during the build. Bake periodic review into the operating model from day one, so each release wave is assessed against a validated baseline rather than discovered at inspection. And where your ERP now offers AI or agent features, decide your position on human oversight before you switch them on, not after.
For companies on Dynamics specifically, the alignment is favorable. Microsoft sits as your digital service provider with documentation and platform controls that do real work in your Annex 11 case, and the 2026 audit and AI-attribution features map directly onto the data-integrity expectations the revision is raising. The platform is moving in the same direction as the rule. The work is in configuring and evidencing it deliberately.
The 2026 Annex 11 revision is the most significant change to EU computerised-systems expectations in fourteen years, and it converges with CSA, GAMP 5, ICH Q9, and ISO 27001 rather than diverging from them. For an ERP buyer that is good news: build for data integrity, lifecycle maintenance, supplier governance, and human oversight of AI, and you are building for the final text whichever way the wording settles. The annex grew from five pages to nineteen. The right response is not to read nineteen pages of anxiety, but to design the system the nineteen pages describe.
Aperigon delivers Microsoft Dynamics 365 to Life Sciences companies — validated by design, inspection-ready on day one. If you are selecting an ERP or preparing for an EU inspection, start a conversation.