Technical articles

Validating Cloud & SaaS Solutions in GxP-Regulated Environments: Shared Responsibility, Vendor Qualification, and Continuous Compliance

16/07/2026

Cloud solutions offer a wide range of advantages to organisations seeking greater flexibility and innovation in their information systems. As more and more healthcare manufacturers adopt these technologies, they must remain particularly vigilant about how this choice affects regulatory and compliance obligations.

Historically, GxP validation of computerized systems has often been a barrier to digital transformation due to a lack of time and resources. Any change to an already validated system or qualified infrastructure automatically triggered new validation or qualification tasks. Updating even a single on-premises application could therefore tie up teams for weeks. Consequently, companies had to decide on their own when to introduce changes, carefully weighing each initiative against the associated validation workload. 

With cloud-based solutions, change requests may originate either from the IT service provider or from the company, inherently establishing a shared-responsibility model. To maintain GxP compliance, organizations must therefore fully understand this model, starting with the careful selection of a qualified vendor.

Outsourcing the information system is not without consequences. However, by adhering to regulatory guidance, manufacturers can expect greater flexibility while maintaining continuous compliance and stringent control over both product and patient risks.

1. Three Primary Outsourcing Models

With cloud solutions, an organisation can progressively transfer various layers of its information system to an external service provider. In practice, this is done through three main service models:

  • Infrastructure as a Service (IaaS)

In this model, the provider supplies the fundamental infrastructure and its security framework. The client rents these resources and manages them much like its own data center – without the capital expense or maintenance burden of physical equipment. The provider assumes responsibility for the availability and protection of physical or virtual servers, storage, and network components, as well as the security of the infrastructure itself. The client, in turn, remains accountable for the operating system, middleware, applications, configurations, and software-level security. Importantly, irrespective of the contractual terms, all data remain the sole property of the client.

  • Platform as a Service (PaaS)

Beyond basic infrastructure, the provider also delivers the operating system, development frameworks, databases and application-management tools. This allows the client to deploy and run its own applications without having to perform system administration. The company can therefore focus on application logic and business data, while the provider remains responsible for the infrastructure, operating systems, databases and middleware.

  • Software as a Service (SaaS)

Software as a Service (SaaS) is the most comprehensive and best-known of the three models. The software vendor assumes responsibility for every layer of the information system. The client simply subscribes to the application and accesses it over the internet. Except for limited, customer-specific configuration, the environment is fully operational upon delivery. The provider handles installation, upgrades, and incident management; the client’s role is confined to configuring its individual user environment.

Figure 1: Shared responsibility model

2. Shared-Responsibility Model for Regulatory Compliance in Outsourced Solutions

In GxP-regulated environments, the responsibilities of the cloud provider and the client are clearly delineated. The provider is accountable for the physical and logical security of the hardware, the availability of data centers and networks, and the upkeep and protection of the hosting facilities. In essence, every layer that underpins the application stack falls under the provider’s remit.

By contrast, the client is responsible for all business-level operations, namely, configuring applications, managing logical settings, and administering user access. It is the client’s duty to ensure ongoing GxP compliance, record all changes, preserve data integrity, and furnish the requisite evidence of conformity. Ultimately, application-level validation is inseparable from control of the underlying infrastructure; a compliant business service cannot rely on an uncontrolled or non-compliant foundation. Accordingly, the regulated company retains full responsibility for the end-to-end validation of its computerized systems. As AWS (2026) observes, “The customer retains control over data classification and GxP compliance, while the provider manages but does not validate infrastructure compliance” [1].

When responsibilities are divided, ambiguities can arise that jeopardize regulatory compliance. The contract must therefore eliminate such uncertainties through clear, precise clauses. For example, a security update initiated by the provider may alter critical configurations or interfaces. The client must be able to perform prompt impact assessments and verification testing or risk misalignment with GxP requirements.

Thus, the shared-responsibility model depends on close cooperation: the provider must notify the client within an agreed lead time and supply all technical documentation required for validation. The parties should also define in advance whether, and under which conditions, updates may be deferred.

According to the European Medicines Agency (EMA), “Responsibilities between the Cloud Service Provider (CSP) and the regulated company must be set out contractually – ideally in a formal quality agreement – covering data ownership, access to audit logs and reports, incident response, backup and restoration procedures, and notification requirements. Any gray areas or shared controls must be explicitly detailed in the quality annex” [2].

Cybersecurity is likewise a joint obligation. The regulated company must ensure the required security updates are applied, staff are trained in cyber-risk, and external IT suppliers are held accountable for the measures they take to protect the environment.

3. Qualification of Cloud and SaaS Providers

The relationship between a regulated company and its cloud-service provider has far-reaching compliance implications, directly influencing product quality, patient safety, data integrity, and business continuity. While supplier qualification is already mandatory across the life sciences sector, its criticality is heightened when the service is delivered via Cloud or SaaS. Annex 11 of the European Union Good Manufacturing Practices (EU GMP) highlights this point:

When a supplier or service provider is engaged, a written agreement must be in place defining the responsibilities of that supplier or service provider. The agreement should include a declaration that the supplier or service provider complies with GMP requirements or any other applicable regulatory requirements. The licence holder must retain overall responsibility for the computerized system, including all data entered or generated.” [3].

Initial qualification rests on two pillars: a formal audit and a detailed questionnaire. The audit, performed by the regulated company in line with its internal strategy, validates the provider’s certifications and operational robustness. The questionnaire offers a thorough view of the provider’s quality-management system, with particular emphasis on security, business-continuity planning, incident response, and change control. Together, these measures form the operational foundation of the qualification process.

Sector-specific expertise is a decisive criterion in selecting a service provider. A provider with no GxP-compliance experience must adapt its services to the healthcare sector; if it has not budgeted for the associated costs, service quality may suffer. The provider must also be able to supply any documentation that inspectors might request – from audit logs to incident reports. Should deficiencies arise, the regulated company, and it alone, will bear the consequences.

Once the provider is chosen and the contract executed, the regulated company must review the agreement and its annexes whenever the service offering or the regulatory landscape changes. Systematic change-impact assessments are essential to ensuring that cloud environments remain fully compliant with GxP requirements, while periodic quality reports should confirm the ongoing validity of certifications and control measures.

4. Ensuring a Continuous State of Compliance

Once the regulated company has migrated to a Cloud/SaaS model, backed by a sound contract and a dependable partner, how does it ensure that its computerized systems remain compliant? The International Society for Pharmaceutical Engineering (ISPE) sets out the guiding principles for continuous compliance:

Maintaining continuous compliance in GxP cloud environments obliges both the service provider and the regulated company to stay current with regulatory developments and to perform ongoing, risk-based evaluations and reviews of technical controls, change management, and incident-response processes” [4].

The first pillar is comprehensive documentation. Each technical or functional change request – whether initiated by the provider or by the company – is logged in a Change Request Document (CRD). The CRD describes the modification, justifies its necessity, and evaluates its impact on every affected domain. All resulting validation documentation must be archived and remain readily accessible. In the Cloud/SaaS context, rigorous document control remains essential to preserving the traceability required for regulatory inspections.

Regular audits constitute the second pillar. Conducted either by the company’s quality department or by specialized external firms, these audits verify, at any given point in time, current system compliance, review the quality management system, and examine specific functional aspects such as data security and the appropriateness of user roles and privileges. Their purpose is to ensure that the current situation, the documentation, and regulatory requirements are fully aligned. What is described in the validation records must precisely match what is implemented in production.

5. Digitalization for Enhanced Performance

To improve efficiency, international reference organisations such as the ISPE recommend using appropriate digital tools to automate recurring checks too burdensome to perform manually. By leveraging scripts or application lifecycle-management tools, regular tests can be scheduled to verify data integrity, software configuration, user access and roles, and security rules. Any anomaly detected is flagged immediately, thereby minimising the window of non-compliance risk [4].

6. Conclusion

Validating Cloud or SaaS solutions in a GxP context is a strategic undertaking that calls for a holistic, company-wide approach. The process engages not only the cloud provider but also the company’s business, Quality, and IT teams at every stage of validation.

First, mastering the shared-responsibility model is indispensable; without it, neither contractual nor operational oversight can be effective. Equally, the company must rigorously qualify its cloud providers and monitor the quality of their services. Once these prerequisites are satisfied, compliance evolves from a static milestone to a continuous activity, sustained through scheduled audits, automated monitoring, systematic testing, and close collaboration among all validation stakeholders, both internal (Business, Quality, IT) and external (cloud providers).

Organisations that institute agile, transparent, and shared governance across all parties can confidently accelerate their digital transformation while maintaining full alignment with regulatory expectations.

Need Assistance?

Need a reliable partner to migrate your regulated applications to the cloud with total peace of mind? Efor offers:

  • Thorough qualification and audits of your cloud and SaaS providers;
  • Full-scope GxP validation for IaaS, PaaS, and SaaS – covering infrastructure and applications alike;
  • Automated, continuous compliance monitoring;
  • Robust governance support and inspection-readiness services.

Contact us today and let’s secure your digital transformation together: solutionprojectdelivery@efor-group.com

Sources:

  1. Amazon Web Services (AWS) (2026). GxP Compliance on AWS: The Shared Responsibility Model. AWS Whitepaper. Available on: https://aws.amazon.com/compliance/gxp/
  2. ISPE (2022). GAMP® Good Practice Guide: Enabling Innovation – Critical Thinking, Risk-Based Approaches, and the Agile Methodology. International Society for Pharmaceutical Engineering.
  3. Commission Européenne (2011). Annexe 11 des Bonnes Pratiques de Fabrication – Systèmes informatisés. EMA/INS/GMP/Annex11. Available on: https://health.ec.europa.eu/system/files/2016-11/gmp_annex11_fr_0.pdf
  4. International Society for Pharmaceutical Engineering (ISPE). Continuous Compliance Monitoring in Cloud GxP Environments. ISPE GAMP® Guidance; 2025.