What makes a computerised system Annex-11-ready?
The 2025 draft of EU GMP Annex 11 expands from 5 pages to 19, with 17 sections and prescriptive sub-clauses on IAM, electronic signatures, periodic review, security, backup, and archiving. Scope is flat: “this annex applies to all types of computerised systems used in the manufacturing of medicinal products and active substances” (§1). Seed-to-sale, LIMS, yield spreadsheet: all in. Your vendor is now directly inspectable, and the 2011 “appropriate controls” hand-wave is over.
Here is what the draft requires of Annex 11 computerised systems, how a properly-built seed-to-sale platform delivers it, and what to ask your vendor. See the EU GMP 2025 draft package for the full cluster.
What makes a computerised system Annex-11-ready?
An Annex 11 computerised systems stack is ready when it ships seven control layers by default: approved URS with traceability matrix (§6); validated state per Annex 15 (§9); unique-account IAM with MFA (§11); re-authenticating e-signatures (§13); pen-tested and patched infrastructure (§15); physically AND logically separated backups (§16); read-only archival (§17). Periodic review (§14) is the recurring proof.
Five pages became nineteen. The GMP/GDP Inspectors Working Group and PIC/S Committee rewrote Annex 11 “to reflect changes in regulatory and manufacturing environments” (preamble). Consultation closed 7 October 2025; publication is expected in 2026, with enforcement in 2027-2028 (PIC/S commentary). Any Annex 11 computerised systems asset touching a GMP activity is in scope. GrowerIQ is itself a computerised system under §1. Our platform was independently revalidated by RQC in December 2025 against EU GMP Annex 11 and PIC/S, and we continue to track the 17-section 2025 draft clause by clause ahead of the 2027-2028 enforcement window.
Red flags: vendor still cites Annex 11 (2011). CSV binder has no clause-by-clause map against the 2025 draft. Annex 11 computerised systems scoped as MES-only, excluding seed-to-sale.
User Requirements Specification and the traceability matrix (§6)
§6.1 requires the regulated user to approve requirements “regardless of whether a system is developed in-house, is a commercial off-the-shelf product, or is provided as-a-service.” §6.3: for SaaS, “the regulated user should carefully review and approve the document.” §6.5 requires “documented traceability between individual requirements, underlaying design specifications and corresponding qualification and validation test cases.” For Annex 11 computerised systems, the inspector’s first ask is the matrix. For §6.5 traceability, GrowerIQ was independently validated as GxP-compliant by RQC in December 2025 under EU GMP Annex 11 and PIC/S. Your QA team can reference the RQC validation as third-party evidence during your own URS and traceability-matrix work. GrowerIQ does not substitute for an LP-authored URS under §6.3; we provide the validated system and the supporting documentation the vendor review needs.
Red flags: vendor URS nobody on QA has approved (§6.3). No traceability matrix (§6.5 + §9.5). System reconfigured after validation, URS never updated (§6.4).
Supplier oversight and the new exit-strategy requirement (§7)
§2.6 keeps the regulated user “fully responsible” even when a vendor runs the system. §7.5 codifies nine contract items: SLAs/KPIs (iii), audit rights (iv), inspection support (v), release-testing (ix), and the new §7.5 viii: “Defines an exit strategy by which the regulated user may retain control of system data.” Exit strategy is where most Annex 11 computerised systems contracts fail. For §7.5 viii exit strategy, GrowerIQ provides structured data export covering records, activity logs, electronic signatures, and attachments through the Reporting module. Specific contractual language on data return at termination is handled as part of your Master Services Agreement; ask your account team to walk through the current exit-strategy clause during renewal.
Red flags: SaaS silent on data return, or 30-day auto-delete (§7.5 viii). No SLA or KPI language (§7.3). Vendor never supports in-person inspection (§7.5 v).
Qualification and validation: the Annex 15 link (§9)
§9.1 hard-links Annex 11 computerised systems validation to Annex 15. §9.3: you cannot validate on an unsupported OS. §9.6 names the test-plan skeleton: “access privileges, release of products and results, calculations, audit trails, error handling, handling of alarms and warnings, boundary and negative testing, reports and interfaces, and restore from backup.” Restore is also a §16.6 duty; document it before go-live.
Red flags: IQ/OQ/PQ skips restore from backup (§9.6 + §16.6). Production on end-of-life OS (§9.3 / §15.10 / §15.12 triple violation).
Identity and Access Management: §11’s eleven sub-clauses
§11 reads like a password-and-access policy written by an auditor, and it is where most LP deployments of Annex 11 computerised systems fall short.
§11.1 requires unique personal accounts; shared writes are a data-integrity violation. §11.3 rules out token or smart card alone. §11.5 requires system-enforced password complexity. §11.6 mandates MFA on “remote authentication on critical systems from outside controlled perimeters.” §11.7 auto-locks after failed attempts. §11.8 forces inactivity logout the user cannot disable. §11.9 requires a sortable access log. §11.10 names segregation of duties and least privilege. §11.11 requires “recurrent reviews where managers confirm the continued access of their employees.” “Internal VPN only” is insufficient.
GrowerIQ supports unique personal accounts and role-based access that separates cultivation, manufacturing, QA, and administrative duties by default. For §11.6 MFA on remote access and SSO integration with your identity provider, ask for the current identity-integration options during vendor qualification. For §12 audit-trail depth, read Annex 11 audit trails: the new who/what/when/why rule.
Red flags: shared warehouse account across shift operators (§11.1). Remote access without MFA (§11.6). Admins who are also QA reviewers (§11.10). No annual, manager-signed access review (§11.11). Inactivity logout user-configurable or eight hours or more (§11.8).
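As an added illustration of the §11.1 and §11.9 points (example detection logic written for this article, not GrowerIQ's code), the check below reads a constructed access log and flags a username that is active from two source addresses at the same time, which is the usual footprint of a shared shift account. The log format and the `warehouse` account name are assumptions.

```python
from datetime import datetime
from itertools import combinations

# Constructed sample access log: timestamp, username, event, source address, session id.
# Two hosts use the "warehouse" account concurrently; j.smith's sessions do not overlap.
ACCESS_LOG = """\
2026-04-01T06:58:12+00:00 warehouse login 10.0.3.11 s1
2026-04-01T07:05:40+00:00 warehouse login 10.0.3.27 s2
2026-04-01T07:00:00+00:00 j.smith login 10.0.3.40 s3
2026-04-01T11:12:03+00:00 warehouse logout 10.0.3.11 s1
2026-04-01T14:30:00+00:00 warehouse logout 10.0.3.27 s2
2026-04-01T15:00:00+00:00 j.smith logout 10.0.3.40 s3
2026-04-01T15:30:00+00:00 j.smith login 10.0.3.41 s4
2026-04-01T15:31:00+00:00 j.smith logout 10.0.3.41 s4
"""


def parse_sessions(log: str) -> list[dict]:
    """Pair login/logout events by session id into closed sessions, sorted by start (§11.9)."""
    open_sessions, sessions = {}, []
    for line in log.splitlines():
        ts, user, event, src, sid = line.split()
        t = datetime.fromisoformat(ts)
        if event == "login":
            open_sessions[sid] = (user, src, t)
        elif event == "logout" and sid in open_sessions:
            user, src, start = open_sessions.pop(sid)
            sessions.append({"user": user, "src": src, "start": start, "end": t})
    return sorted(sessions, key=lambda s: s["start"])


def shared_account_findings(sessions: list[dict]) -> list[tuple[str, str, str]]:
    """Flag one username active from two different source addresses at the same time (§11.1)."""
    findings = []
    for a, b in combinations(sessions, 2):
        if a["user"] != b["user"] or a["src"] == b["src"]:
            continue
        if a["start"] < b["end"] and b["start"] < a["end"]:  # the two intervals overlap
            findings.append((a["user"], a["src"], b["src"]))
    return findings


if __name__ == "__main__":
    for user, src_a, src_b in shared_account_findings(parse_sessions(ACCESS_LOG)):
        print(f"§11.1 finding: account '{user}' in concurrent use from {src_a} and {src_b}")
```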
Electronic signatures: re-authentication, unbreakable link, hybrid hash (§13)
§13 tightens three things in Annex 11 computerised systems. §13.3 forces full re-authentication at login strength on every signature. §13.6 requires the rendered signature to show full name, username, role, meaning, and timestamp with time zone. §13.8 requires an “unbreakable link”: a signed record that cannot be modified, or if changed “will clearly appear as unsigned.” §13.9 covers hybrid wet-ink, requiring a hash on the cover sheet. Click-to-sign on an existing session fails §13.3.
Red flags: click-to-sign with no re-auth (§13.3). PIN or smart card alone (§13.3). Editable signed record with no visible invalidation (§13.8). Wet-ink cover sheets with no record hash (§13.9).
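To make the §13.6 manifestation and the §13.8 “unbreakable link” concrete, here is an added example (written for this article, not GrowerIQ's implementation) that binds the signer's manifestation to the record content with an HMAC, so that any later edit to the record or to the signature fields makes the record verify as unsigned. The demo key, field names and batch values are constructed; the §13.3 re-authentication step is assumed to have happened before `sign_record` is called.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key: a real system would hold this in a KMS/HSM, never in source
# (assumption for the example, not a description of any vendor's design).
SIGNING_KEY = b"demo-only-signing-key"


def canonical(obj: dict) -> bytes:
    """Stable serialisation so identical content always yields identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, full_name: str, username: str, role: str,
                meaning: str, signed_at=None) -> dict:
    """Attach a §13.6 manifestation to a record and bind both together (§13.8)."""
    ts = (signed_at or datetime.now(timezone.utc)).isoformat()  # timestamp with time zone
    manifestation = {"full_name": full_name, "username": username,
                     "role": role, "meaning": meaning, "timestamp": ts}
    # The MAC covers record content AND manifestation: editing either breaks the link.
    mac = hmac.new(SIGNING_KEY, canonical(record) + canonical(manifestation),
                   hashlib.sha256).hexdigest()
    return {"record": record, "signature": {**manifestation, "mac": mac}}


def signature_status(signed: dict) -> str:
    """'signed' if the link still holds, 'unsigned' if record or manifestation changed."""
    sig = dict(signed["signature"])
    mac = sig.pop("mac")
    expected = hmac.new(SIGNING_KEY, canonical(signed["record"]) + canonical(sig),
                        hashlib.sha256).hexdigest()
    return "signed" if hmac.compare_digest(mac, expected) else "unsigned"


def render(signed: dict) -> str:
    """Human-readable manifestation line with the current link status appended."""
    s = signed["signature"]
    return (f"{s['full_name']} ({s['username']}, {s['role']}) - {s['meaning']} - "
            f"{s['timestamp']} [{signature_status(signed)}]")


if __name__ == "__main__":
    batch = {"batch_id": "B-0001", "yield_kg": 12.4, "status": "released"}  # constructed
    signed = sign_record(batch, "Jane Smith", "j.smith", "QP", "Approved for release")
    print(render(signed))
    signed["record"]["yield_kg"] = 13.0  # edit after signing: must now show as unsigned
    print(render(signed))
```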
Periodic review: the 12-item §14.2 checklist
§14.1 names periodic review as ongoing verification that Annex 11 computerised systems “remain fit for intended use and in a validated state.” §14.2 enumerates the twelve-item scope. §14.3 sets frequency on a risk basis and mandates a final review at retirement.
| # | §14.2 item | Owner |
|---|---|---|
| i | HW, SW, config, platform, interfaces | IT, vendor |
| ii | System docs (URS, SOPs) | QA |
| iii | Change effect; unapproved changes | IT, QA |
| iv | Previous reviews, audits, CAPA | QA |
| v | Audit trail, access, risk | QA |
| vi | Incidents, deviations, threats | QA, IT |
| vii | Maintenance, support, SLAs | IT |
| viii | Vendor contracts, KPIs | Vendor mgmt |
| ix | Backup, restore, DR | IT, vendor |
| x | Archival adequacy | QA |
| xi | Data-integrity assessments | QA |
| xii | Regulatory changes | QA, RA |
Run it once a year for most GMP-critical systems; more often for higher-risk adjacent ones. QA owns, IT supports, QP authorises. For §14 periodic review, GrowerIQ can share the artefacts §14.2 i-xii calls for (system configuration snapshot, documented changes since last review, access log, incident summary, SLA and backup posture) when your QA team schedules the annual review. Request the current periodic-review inputs during your next vendor touchpoint.
Red flags: no periodic review (§14.1). Scope covers changes only (§14.2). Last review three years ago (§14.3). Migrated off a previous system with no final review (§14.3).
Security: §15’s twenty sub-clauses, the biggest expansion in the draft
§15 makes vendor security artefacts inspectable. Your auditor now asks for the pen-test report, patching SLA, DR plan with RTO, and replication architecture for your Annex 11 computerised systems. “Our vendor does security” without documentation is a §2.6 + §15 compound gap.
| Clause | Control | Evidence |
|---|---|---|
| §15.3 | Training + phishing sims | Training records |
| §15.4 | MFA on DC physical access | DC attestation |
| §15.6 | Geo-separate replication | Architecture diagram |
| §15.7 | DR tested, named RTO | Plan + test record |
| §15.8-9 | Segmentation, firewall review | Inventory + log |
| §15.10-14 | Supported OS, timely patching | SLA + CVE policy |
| §15.15-17 | USB deactivated | Policy |
| §15.18 | Anti-virus, monitored | Coverage report |
| §15.19 | Pen testing internet-facing | Redacted summary |
| §15.20 | Encrypted remote access | TLS policy |
§15.6 requires replication “at a safe distance from the primary site”; same-region fails. §15.13 requires critical-CVE patches “in a timely manner … this might be immediately.” Unsupported platforms “should be isolated from computer networks and the internet” (§15.14). AI sub-systems inherit §15 plus Annex 22 obligations (see EU GMP Annex 22: AI in regulated cannabis manufacturing).
Red flags: no redacted pen-test report (§15.19, blocks EU-GMP on vendor oversight). No patching SLA (§15.13). Same-region replica (§15.6). DR plan with no RTO or never tested (§15.7). Admin access over unencrypted HTTP (§15.20). USB active by default on production servers (§15.17).
Your Annex 11 evidence pack, ready before auditors ask
GrowerIQ’s platform is independently validated as GxP-compliant by RQC against EU GMP Annex 11 and PIC/S. For the §15 artefact expectations the 2025 draft introduces on top of that (pen-test cadence, DR plan with named RTO, geo-separated replication, patching SLA), your QA team should request the current security and compliance overview as part of §2.6 vendor oversight. Our team works these items as part of the ongoing SOC 2 programme and will publish updates before the 2027-2028 enforcement window opens.
Backup and archiving (§16 and §17)
Backup (§16) under Annex 11 computerised systems: §16.2 sets the cadence “hourly, daily, weekly and monthly … a week, a month, a quarter, and years.” §16.3 requires physical separation “at a safe distance”; §16.4 adds that backups must not sit on “the same logical network as the original data.” §16.5 extends scope to applications and configuration. §16.6 requires restore tests after any backup-process change. A backup in the same VPC fails §16.4.
For §16 backup separation, GrowerIQ runs as a hosted service with automated backups and documented restore processes. Ask your GrowerIQ account team for the current backup-and-restore overview as part of vendor qualification; §16.3 and §16.4 separation claims should be verified against our current infrastructure documentation before being written into your CSV binder.
Archiving (§17) makes completed Annex 11 computerised systems data effectively immutable. §17.1 protects GMP data “from deletion and changes throughout the retention period” by read-only storage or a dedicated archival system via a validated interface. §17.2 requires integrity verification “e.g. by means of a checksum.” §17.3 backs archives up to live-data standards. Retention follows Chapter 4 §4.77 (1 year after expiry or 5 years after QP certification, whichever is longer). See ALCOA++ data integrity for cannabis manufacturing (Annex 11 uses ALCOA+; Chapter 4 codifies ALCOA++).
Red flags: backups on same logical network as production (§16.4). No restore test in 12 months (§16.6). Application config not backed up (§16.5). Released batch records still editable (§17.1 plus §12.3 compound). Archival move with no checksum (§17.2).
How should I qualify my seed-to-sale vendor? The RFP checklist
Send the tables below to your vendor. Every line ties to an Annex 11 clause. Any unanswered row is an open §14.2 vi or §2.6 finding for your Annex 11 computerised systems stack. Close it: 30 days for policy, 60-90 days for evidence.
Identity, access, signatures
| Ask | Clause |
|---|---|
| Unique, personal accounts for write access? | §11.1 |
| MFA on remote access from outside controlled perimeters? | §11.6 |
| System-enforced password complexity and rotation? | §11.5 |
| Non-user-configurable inactivity logout with re-auth? | §11.8 |
| Sortable access log; SoD; annual manager review? | §11.9-11 |
| Full re-auth at login strength on every signature? | §13.3 |
| Signatures permanently linked; edit visibly invalidates? | §13.8 |
| Manifestation shows name, role, meaning, timestamp, TZ? | §13.6 |
| Hybrid wet-ink uses hash on cover sheet? | §13.9 |
Security, backup, archiving
| Ask | Clause |
|---|---|
| Redacted pen-test report for internet-facing production? | §15.19 |
| OS patching SLA with expedited critical-CVE lane? | §15.10, §15.13 |
| Replication to geographically separate secondary? | §15.6 |
| DR plan with named RTO + last test date? | §15.7 |
| All remote access over encrypted protocol? | §15.20 |
| MFA on physical access to DC? | §15.4 |
| Backups physically AND logically separated? | §16.3, §16.4 |
| Last documented restore test? | §16.6 |
| Released batch records read-only; archival checksum-verified? | §17.1, §17.2 |
Validation and vendor management (Annex 11 computerised systems evidence pack)
| Ask | Clause |
|---|---|
| URS template + traceability matrix? | §6.1, §6.5 |
| IQ/OQ/PQ covers access, audit trails, calculations, alarms, restore? | §9.6 |
| Data-export / offboarding on termination? | §7.5 viii |
| Customer release-testing of new versions; on-site inspection support? | §7.5 v, ix |
| 12-item input pack for §14.2 review? | §14.2 i-xii |
Frequently Asked Questions
Is my spreadsheet a computerised system under Annex 11?
Yes, if it performs a GMP activity. §1 covers “all types” with no size cut-off. Spreadsheets need a URS, validation, access control, and an audit trail like any other Annex 11 computerised systems asset.
When does the 2025 draft become enforceable?
Publication expected in 2026; PIC/S commentary points to 2027-2028 enforcement. Plan vendor review for 2026 and CSV refresh before 2027.
Does Annex 11 require MFA for internal users?
For remote access from outside controlled perimeters, yes (§11.6). On-site, MFA is not explicit, but §11.1, §11.8, and §11.10 still apply.
Does Annex 11 apply to AI features?
Yes; Annex 22 adds AI-specific obligations on top (see EU GMP Annex 22: AI in regulated cannabis manufacturing). AI plugs INTO an Annex-11-compliant platform; it does not replace it.
Next 90 days
Week 1: send the RFP checklist to your vendor. Week 2: open a gap log scored by clause. Weeks 3-12: close the top five. Across Annex 11 computerised systems, IAM, pen-test artefacts, and exit strategy are the three that most often block EU-GMP certification.
Visit EU GMP, GACP and GPP for cannabis to explore EU GMP. To see GrowerIQ across Annex 11 computerised systems, book a seed-to-sale demo.
This article summarises publicly-available draft guidelines; it is not legal advice.
Ready to qualify your seed-to-sale vendor against Annex 11?
See how GrowerIQ’s RQC-validated platform supports your Annex 11 computerised-system layer: independently validated as GxP-compliant (December 2025), unique-account role-based access, re-authenticated electronic signatures, one-click Master Batch Record, and Document IQ for SOP and validation-document control. Your QA team walks away with a clear answer to §2.6 vendor oversight.
Last updated: April 2026
