If your lab software supports products sold in both the United States and the European Union, two regulations shape how it has to work, and they are not interchangeable. Treating them as one requirement with two names is how you end up with a system that passes one audit and fails the other.
This guide is for the biotech or lab on the hook for a compliant system: the founders, quality and regulatory leads, and lab directors who decide what to commission and have to defend it in an audit. It covers where the two frameworks agree, where they diverge, and what the 2025 Annex 11 revision changes. The final section is for whoever builds the system, in-house or a vendor, and what to hold them to.
What each regulation governs
The fastest way to misread these two frameworks is to assume they cover the same ground. They start from different questions.
21 CFR Part 11: records and signatures
Part 11 became effective in 1997 as US organizations moved from paper to electronic systems. Its scope is specific: it defines the conditions under which the FDA will accept electronic records and electronic signatures as equivalent to paper and ink. It applies through what the FDA calls predicate rules, the underlying regulations that already require you to keep a record or apply a signature. If a predicate rule requires the record and you keep it electronically, Part 11 governs how.
Because it is a federal regulation, Part 11 is directly enforceable. An inspector can cite a specific section in a Form 483 observation or a warning letter. We cover the mechanics of audit trails, electronic signatures, and validation in our deeper guide on 21 CFR Part 11 and what your lab software needs.
EU Annex 11: the whole system
Annex 11 is not a standalone law. It is an annex to EudraLex Volume 4, the EU GMP guidelines, and the current version has been operative since 2011. Its scope is the computerised system as a whole when that system is used as part of a GMP-regulated activity. That includes the software, the infrastructure it runs on, the people who operate it, the suppliers who provide it, and the processes that keep it in a validated state over time.
Annex 11 is enforced through GMP inspection rather than as a separate statute, but the consequences are not softer for it. A serious Annex 11 finding can put a site's manufacturing authorisation at risk, which is a heavier outcome than a single records citation. So while Part 11 reads like a rule about records, Annex 11 reads like a rule about running systems responsibly.
Annex 11 vs Part 11, side by side
Here is how the two frameworks compare across the areas that affect how software gets built and operated.
| Area | 21 CFR Part 11 (US) | EU Annex 11 (EU) |
|---|---|---|
| Issuing body | US FDA | European Commission, within EU GMP |
| Legal nature | Binding federal regulation | Guideline enforced through GMP inspection |
| Primary focus | Electronic records and electronic signatures | The full computerised system and its lifecycle |
| Risk management | Not explicitly required in the rule | Required as a foundational principle |
| Supplier and service provider oversight | Not addressed | Formal agreements and supplier assessment required |
| Audit trails | Broad: secure, time-stamped trails for record actions | Risk-based: required for GMP-relevant changes and deletions |
| Electronic signatures | Highly prescriptive, including two-component logon | Addressed briefly, principle-based |
| Periodic review | Not required | Periodic evaluation of systems required |
| Validation | Expected, tied to record trustworthiness | Required across the system lifecycle |
Part 11 goes deep on a narrow surface. Annex 11 goes wide across the system. The five areas where they diverge each change something concrete about what you build or buy, so they are worth taking one at a time.
Where Annex 11 and Part 11 diverge
The overlap between the two frameworks is large. Both expect validation, access control, secure data retention, accurate copies of records, training, and protection against unauthorized changes. A system that handles those well is most of the way to both. The differences sit in five areas, and four of the five are things Annex 11 asks for that Part 11 does not.
Risk management as a starting point
Annex 11 opens with risk management and expects it to run through the whole lifecycle of the system. Decisions about validation depth, audit trail scope, and controls are supposed to follow from a documented assessment of risk to patient safety, product quality, and data integrity. Part 11 contains no explicit risk-assessment requirement in the text itself, although the FDA's enforcement approach has been risk-based in practice since its 2003 scope and application guidance.
For a builder, this means an Annex 11 system needs the risk rationale written down, not just the controls. An auditor will ask why you validated this function heavily and that one lightly, and the answer has to be a documented assessment rather than a developer's judgment call.
Supplier and service provider oversight
Annex 11 expects formal agreements with suppliers and IT service providers, and it expects you to assess them. If you run on a cloud platform, use a third-party hosting provider, or build on a vendor's software, that relationship is in scope and the regulated company stays responsible for it. Part 11 says nothing about suppliers.
This matters for custom software in particular. When a lab commissions a build, the development partner becomes a supplier in the Annex 11 sense, and the lab needs documentation of how that partner works: their development practices, their change control, their validation support. A vendor who cannot produce that documentation creates an Annex 11 gap for the customer, regardless of how good the software is.
Periodic review
Annex 11 requires computerised systems to be periodically evaluated to confirm they remain in a valid state and compliant. Part 11 has no equivalent. A system that was validated three years ago and never reviewed since can satisfy Part 11 on paper while failing an Annex 11 expectation that someone checks, on a defined schedule, that the system still does what it is supposed to.
Audit trail scope
Both frameworks require audit trails, but they frame the requirement differently. Part 11 calls for secure, computer-generated, time-stamped audit trails covering operator actions that create, modify, or delete records, and it applies this broadly. Annex 11 takes a risk-based line: audit trails should capture GMP-relevant changes and deletions, with the scope driven by the risk assessment. In a system that handles both regulated and non-regulated data, Annex 11 lets you scope the trail to what matters, while Part 11 pushes toward covering the regulated records comprehensively.
Electronic signatures
This is the one area where Part 11 is clearly the more demanding of the two. Part 11 is prescriptive about signatures: each signing must capture the signer's name, the date and time, and the meaning of the signature, and non-biometric signatures require two distinct identification components with credentials re-entered at the moment of signing. Annex 11 covers electronic signatures in a single, principle-based section: they should have the same impact as a handwritten signature, be permanently linked to the record, and include the time and date. If you build to Part 11's signature rules, you will comfortably clear Annex 11's.
The pattern across these five areas is consistent. For electronic signatures, build to Part 11. For risk management, supplier oversight, periodic review, and lifecycle controls, build to Annex 11. Designing to the stricter requirement in each area gives you one system that satisfies both rather than two systems that each satisfy one.
The 2025 Annex 11 revision
Annex 11 had not changed since 2011, and that version predates mainstream cloud computing, SaaS lab platforms, and machine learning in regulated workflows. In July 2025 the European Commission published a draft revision that closes the distance, and it is a substantial rewrite rather than a touch-up. The draft grows Annex 11 from roughly 5 pages to 19, restructures it into 17 sections with a glossary, and brings several modern realities explicitly into scope.
The consultation on the draft revision closed in October 2025, and the final text is being adopted through 2026 with a transition period before enforcement. If you are commissioning a system now, design to the revised draft, because a system built only to the 2011 text will be dated before it ships.
Cloud and SaaS are named directly, and using a provider no longer shifts responsibility away from the regulated company, which is expected to oversee it. A companion document, the new Annex 22, covers the artificial intelligence and machine learning systems the 2011 text never contemplated. Cybersecurity becomes a core expectation, down to penetration testing, patch management, and incident response. Systems have to be managed across their whole life, from validation through change management to decommissioning, and ALCOA+ data integrity principles apply across data capture, access control, signatures, and audit trails. The scope also widens to take in systems with indirect impact on product quality or data integrity, so supporting tools no longer sit outside the rules.
All of this moves Annex 11 further from Part 11's records-and-signatures framing and toward treating computerised systems as governed assets across their whole life. For anyone building software today, it raises the bar on the things Annex 11 already asked for and Part 11 never did.
Building one system for both markets
You do not need two systems. One system, built to the stricter requirement in each area, satisfies both frameworks, and the decisions that make that possible happen early.
Match the stricter rule
For each area where the frameworks diverge, build to whichever is more demanding. Use Part 11's two-component signing everywhere, even where Annex 11 would accept less, and build the risk assessments, supplier documentation, and periodic review that Annex 11 requires even though Part 11 does not. One configuration then clears both.
One audit trail, one signature model
Build the audit trail and electronic signature capabilities once, to the higher standard, rather than maintaining market-specific versions. A single immutable, independently recorded audit trail that captures the original value, new value, user, timestamp, and reason satisfies Part 11's breadth and supports Annex 11's risk-based scoping. The same applies to signatures: one workflow that meets Part 11's requirements meets Annex 11's by default.
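As an added illustration, not code from the original page or from any product it mentions, here is a Python sketch of the single model described above: an append-only, hash-chained audit trail carrying original value, new value, user, timestamp and reason, plus a signing step that re-checks two credential components at the moment of signing and binds the signature manifestation (signer, time, meaning) to the trail. The credential store and sample values are constructed stand-ins.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed stand-in for a credential store (user id -> password digest).
# A real system would defer to its identity provider; this exists only so the
# two-component check in sign() can be exercised offline.
USERS = {"jdoe": hashlib.sha256(b"correct horse").hexdigest()}


def _digest(payload: dict) -> str:
    """Canonical SHA-256 over a JSON-serialised dict (stable key order)."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained trail. Each entry commits to the previous
    entry's hash, so altering or dropping an earlier entry breaks verify()."""

    def __init__(self):
        self.entries = []

    def append(self, record_id, field, old, new, user, reason, ts=None):
        entry = {
            "record_id": record_id, "field": field, "old": old, "new": new,
            "user": user, "reason": reason,
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else "",
        }
        entry["hash"] = _digest(entry)  # covers content and the back-link
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def sign(trail, record_id, user, password, meaning, ts=None):
    """Part 11-style signing: both credential components are re-entered and
    checked here; the manifestation records who, when and why, and is bound
    to the trail head so it cannot be moved to another record state."""
    given = hashlib.sha256(password.encode()).hexdigest()
    if user not in USERS or not hmac.compare_digest(USERS[user], given):
        raise PermissionError("signature credentials rejected")
    sig = {"record_id": record_id, "signer": user, "meaning": meaning,
           "ts": ts or datetime.now(timezone.utc).isoformat(),
           "bound_to": trail.entries[-1]["hash"]}
    trail.append(record_id, "signature", None, meaning, user, "e-signature", sig["ts"])
    return sig
```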
Validate once, map to both
A risk-based validation approach following a framework like GAMP 5 produces evidence that serves both frameworks. The same requirements traceability, test protocols, and validation reports that demonstrate Part 11 trustworthiness also demonstrate Annex 11 validation, as long as you map them to both. The work is in the mapping and the documentation, not in running validation twice.
What to require from whoever builds it
Annex 11 makes you, the regulated company, responsible for your suppliers. Whoever builds or hosts your system, an in-house team or an outside vendor, has to give you documented oversight: their development practices, their change control, and a validation support package. If they cannot produce that, it becomes your Annex 11 gap at inspection, not theirs, no matter how good the software is. Ask for it before you sign, not at audit time.
Data integrity sits underneath all of it, and the Annex 11 revision raises it further with ALCOA+. Records that are attributable, complete, and tamper-evident from the data model up clear the integrity expectations of both rules, and bolting that on later rarely works, the same way audit trails cannot be retrofitted cleanly. For why this is an architecture decision rather than a feature, see our guide on compliance in lab software.
For the team building it
If you are the one building the system, in-house or for a client, the split tells you where to spend effort. Build audit trails and electronic signatures to Part 11's standard, since that clears Annex 11 too, and design them in from the start because neither retrofits cleanly. Produce validation evidence once and map it to both frameworks rather than validating twice. And treat the supplier documentation as a deliverable: your client needs your development practices, change control, and validation package to close their own Annex 11 obligations. We hold custom LIMS and ELN builds to this standard, and our guide to choosing a 21 CFR Part 11 compliant ELN goes deeper.
Conclusion
Part 11 and Annex 11 overlap more than they differ, but the differences are what trip teams up. Part 11 is exacting about records and signatures. Annex 11 asks you to run the whole system responsibly across its life, with the risk management, supplier oversight, and periodic review that Part 11 never mentions. Build to the stricter of the two in each area and one system covers both markets. The 2025 revision raises the EU bar around cloud, AI, and cybersecurity, so the gap between a system designed for both and one retrofitted later keeps widening.
Building software for both US and EU markets? Dual-market compliance is an architecture decision, not a checklist you run before launch. We help biotech and life sciences companies design LIMS and ELN systems that hold up to both FDA and EU GMP scrutiny. to talk through your requirements.
Frequently Asked Questions
What is the difference between EU Annex 11 and 21 CFR Part 11?
21 CFR Part 11 is a US FDA regulation that defines how electronic records and electronic signatures must work to be trustworthy. EU Annex 11 is a section of the EU GMP guidelines that governs the whole computerised system used in a regulated activity, including risk management, supplier oversight, and periodic review. Part 11 is narrower and signature-focused. Annex 11 is broader and covers the system lifecycle.
Do I need to comply with both Annex 11 and Part 11?
If your product is manufactured or tested for both the US and EU markets, then yes. A company running a lab system that supports FDA-regulated records and EU GMP activities is subject to both frameworks at once. A single modern validation approach can satisfy both from one system.
Is EU Annex 11 a law?
Annex 11 is guidance within EudraLex Volume 4, the EU Good Manufacturing Practice guidelines, rather than a standalone statute. It is enforced through GMP inspections and is a condition of holding a manufacturing authorisation. In practice, failing Annex 11 carries the same weight as failing a binding regulation.
What is changing in the 2025 Annex 11 revision?
The revised Annex 11 expands from roughly 5 pages to 19 and adds requirements for cloud and SaaS oversight, artificial intelligence and machine learning systems, cybersecurity controls such as penetration testing and patch management, full lifecycle management, and ALCOA+ data integrity principles. The draft was published in July 2025 and the final version is being adopted through 2026.
Which is stricter, Annex 11 or Part 11?
Neither is stricter across the board. Part 11 is more prescriptive about electronic signatures and applies audit trail requirements broadly. Annex 11 covers more of the system lifecycle and requires risk management, supplier assessment, and periodic review, which Part 11 does not. To serve both markets, build to the stricter requirement in each area.
Last updated: June 10, 2026