Major Evolutions of EU GMP Chapters 1 and 4: Towards a Reinforced Governance of Quality, Data, and Knowledge

European regulatory authorities have initiated a revision of Chapter 1 (Pharmaceutical Quality System) and Chapter 4 (Documentation) of the EU Guidelines for Good Manufacturing Practice (EU GMP). These chapters, which form the foundation of GMP compliance, have remained largely unchanged since 2011–2013. The revised texts, expected to become applicable in 2027, represent a significant paradigm shift: pharmaceutical quality is no longer limited to procedural compliance, but is now based on the scientific management of risks, data, and knowledge across the entire product lifecycle.

This article analyzes the objectives, key regulatory changes, and operational impacts of the revised Chapters 1 and 4, with a particular focus on quality systems, data governance, and implications for the Site Master File (SMF).

1. Regulatory Background and the Critical Role of Chapters 1 and 4

Chapters 1 and 4 of EU GMP Part I constitute the structural backbone of the pharmaceutical compliance framework.

• Chapter 1 – Pharmaceutical Quality System (PQS)
  Last substantially revised in 2013, this chapter defines the overarching quality system, including quality risk management, product quality review, and lifecycle control processes.
• Chapter 4 – Documentation
  Published in 2011, this chapter establishes requirements for GMP documentation and records, originally designed for a predominantly paper‑based environment.

Given the age of these chapters, combined with increasing digitalization, supply chain complexity, and recurring medicine shortages, regulatory authorities concluded that a substantial revision was necessary to maintain alignment with current industrial and technological realities.

2. Revision of Chapter 1: Strengthening Scientific Thinking within the PQS

2.1. Regulatory Context and Timeline

Stakeholder consultation on the revised Chapter 1 was conducted by the European Commission and PIC/S (Pharmaceutical Inspection Co-operation Scheme) between September and December 2025. Final publication is expected in 2026, followed by a transition period of 6 to 12 months, with enforcement anticipated in 2027.

2.2. Objectives of the Revision

The revision of Chapter 1 is driven by four primary objectives:

• Explicit alignment with ICH* Q9(R1) and ICH Q10 principles.
• Systematic integration of Quality Risk Management (QRM) and Knowledge Management.
• Formal inclusion of medicine shortage prevention as a quality system responsibility.
• Clarification of Product Quality Review (PQR) expectations

This revision clearly signals that companies are expected to demonstrate scientifically justified, data‑driven decision‑making within their PQS

*ICH: International Council for Harmonization

2.3. Reinforced Quality Risk Management

The revision of Chapter 1 significantly reinforces the role of Quality Risk Management (QRM) by requiring its systematic integration into all quality‑related decisions. While the 2013 version introduced QRM as a guiding principle, the revised text now requires that any decision potentially impacting product quality or medicine availability be explicitly based on a risk analysis aligned with the principles of ICH Q9(R1).

The expected level of rigor and formalization must be commensurate with the identified level of risk, establishing an approach grounded in prioritization and scientific justification. The revision also introduces explicit expectations regarding the management of human subjectivity, requiring the identification and mitigation of biases that may influence risk assessments.

Finally, the scope of QRM is expanded beyond product quality to include manufacturing process and supply chain risks, recognizing their direct impact on supply continuity and the prevention of medicine shortages.

2.4. Elevation of Knowledge Management

The revision of Chapter 1 elevates Knowledge Management to a structured and mandatory component of the PQS. Previously considered an enabling element, , Knowledge Management now becomes a critical lever for scientific control and must operate in close alignment with QRM.

Knowledge Management is expected to function as an early‑warning system, systematically capturing and exploiting information derived from deviations, technology transfers, development activities, and industrial experience throughout the product lifecycle. This approach aims to preserve critical knowledge despite organizational changes, ensure continuity of process understanding, and support decisions based on robust data and knowledge.

By strengthening the formalization and use of organizational knowledge, the revision of Chapter 1 directly contributes to quality and supply stability, reducing reliance on tacit knowledge and securing the transmission of key elements required for the sustainable performance of manufacturing systems.

2.5. Clarification of Product Quality Review Expectations

The revision of Chapter 1 introduces a stricter and more explicit framework for PQR, with the objective of reinforcing its scientific robustness and decision‑making value. A PQR is required even when no batches are produced during the review period; in such cases, a “zero-batch” PQR should still cover key elements such as stability data, complaints, and any regulatory changes.

When the number of manufactured batches is limited, the revised text requires the integration of trend data from previous review periods to ensure continuity of analysis and early detection of weak signals. Product grouping remains permitted but is now subject to documented scientific justification, explicitly excluding any approach based solely on a “worst‑case product.” Finally, the periodicity of PQRs may be adjusted under specific operational conditions, if criteria and justifications are formally defined within documented procedures.

3. Revision of Chapter 4: From Documentation to Data Governance

3.1. A Structural Revision

Stakeholder consultation for Chapter 4 took place between July and October 2025. Publication is expected in mid‑to‑late 2026, in line with the revisions of Annex 11 (Computerized Systems) and the introduction of Annex 22 (Artificial Intelligence).

The revised text has undergone significant expansion, with a volume close to double that of the 2011 version. This evolution reflects the regulators’ intent to fully integrate current digital realities and to adapt the GMP framework to the increasingly complex technological environments now used within the pharmaceutical industry.

3.2. Objectives of the Revision

The revision of Chapter 4 primarily aims to adapt GMP requirements to modern digital environments and to strengthen the reliability of data used within PQS. Its objective is to evolve traditional Good Documentation Practices into a structured data governance framework, covering the entire lifecycle of GMP data, regardless of format or medium.

The revision also introduces a risk‑based approach, built on the distinction between data criticality and data risk, enabling the implementation of proportionate and scientifically justified controls. Finally, it ensures enhanced regulatory alignment with Annex 11 and Annex 22, providing a consistent framework for computerized systems, automation, and artificial intelligence technologies.

3.3. Introduction of Data Governance as a Core GMP Requirement

One of the most structural evolutions introduced by the revision of Chapter 4 lies in the formal establishment of data governance as a mandatory GMP requirement. The revised chapter moves away from a purely document‑centric approach and acknowledges that pharmaceutical operations are primarily driven by data, which must be governed throughout their entire lifecycle, from creation, processing, review, and retention to destruction rather than being merely archived.

Data governance now becomes a formal component of the PQS, on the same level as deviation management, change control, or CAPA processes.

The revision also introduces the principle that data governance must be risk‑based, in direct alignment with the requirements of Chapter 1. Organizations are now required to clearly distinguish between:

• data criticality, reflecting the potential impact of the data on product quality and patient safety, and 
• data risk, reflecting the vulnerability of the data to loss, alteration, or undetected manipulation. 

This structuring distinction forms the foundation of data governance and enables the definition of a scientifically justified control framework adapted to each data type.

Finally, Chapter 4 reinforces requirements related to the definition of data responsibilities and accountability, mandating a clear identification of roles associated with data integrity, regardless of the technologies used or organizational boundaries involved. This approach aims to ensure consistent and sustained data control in increasingly complex and digitalized environments.

3.4. Risk‑Based Control of Documentation Systems

Building on this governance framework, the revision of Chapter 4 clarifies how the distinction between data criticality and data risk must be applied operationally to documentation systems. Documentation is no longer managed uniformly; each data set must now be subject to a combined assessment of its criticality and risk level.

This dual assessment enables the adjustment of control measures to the actual risk profile of the data. Highly critical data or data presenting elevated risk require reinforced controls, such as robust audit trails, appropriate electronic signatures, and targeted independent reviews. Conversely, simpler controls may be considered for lower‑risk data, provided that a scientifically sound and documented justification is available.

The revision also strengthens the formal accountability of regulated users, including when data are generated, processed, or hosted by external service providers, automated systems, or artificial intelligence technologies. This accountability cannot be delegated and must be formally demonstrated.

Finally, hybrid systems combining paper and electronic media are now explicitly recognized as high‑risk environments. Although they remain permitted, their use must be strictly controlled through detailed descriptions of interfaces, data flows, and implemented controls to ensure data integrity throughout the entire data lifecycle.

3.5. Formal codification of ALCOA++

The revised chapter formally codifies the ALCOA++ principles as regulatory requirements. Data must be attributable, legible, contemporaneous, original, accurate, complete, consistent, enduring, available, and traceable throughout their retention period. These requirements apply regardless of data format, explicitly including electronic, hybrid, and multimedia records such as images, videos, and audio files.

For the first time, multimedia records (e.g., images, videos, audio files) are explicitly recognized as GMP documentation and are subject to the same integrity and governance requirements as traditional records.

3.6. Signatures in GMP documentation

The regulatory role of signatures in pharmaceutical documentation has been significantly strengthened in the revision of Chapter 4, explicitly defining them as a legally binding expression of the signatory’s intent. This represents a major shift compared with the 2011 version, where signature requirements were limited and primarily descriptive.

The revised text requires the implementation of a formal signature management policy, integrated within the data governance system. This policy must establish a clear link between the signatory’s identity, role, signature meaning (review, approval, authorization), and associated responsibilities, covering the attribution, management, and revocation of signature rights throughout their lifecycle.

A key principle of the revision is the priority given to electronic signatures for electronically generated data. Hybrid practices involving printing electronic records for manual signature are now explicitly discouraged and considered high‑risk. Where such practices persist, the organization must clearly define which signature carries legal value and justify this choice through documented rationale.

The revision also strengthens expectations regarding signatory qualification, requiring technical competence commensurate with the approved content, rather than mere organizational authority. Finally, the requirement for precise timestamping, including both date and time, supports traceability and reliable reconstruction of quality‑related events.

3.7. Data Integrity as a Pillar of the Quality System

Data Integrity is explicitly recognized as a central regulatory requirement, rather than an implicit concept limited to good documentation practices in the revised version of Chapter 4. Data integrity is now a required outcome that must be achieved, demonstrated, and maintained within the PQS.

This requirement is systematically embedded within the PQS, meaning that data integrity must be addressed through risk management, deviation handling, CAPA processes, and periodic reviews. The focus has shifted from retrospective auditing to a proactive approach aimed at preventing data‑related risks throughout the data lifecycle.

The revision also clarifies responsibilities by imposing explicit designation of Data Owners, accountable for the integrity, consistency, and availability of critical data. This accountability applies equally when data are generated or hosted by computerized systems, external service providers, or automated technologies.

Finally, the revised text explicitly addresses human factors and system complexity as potential sources of data integrity risk. It emphasizes the need for active detection mechanisms, such as targeted independent reviews and contemporaneous verification, to identify and control risks of data alteration, deletion, or falsification before they impact product quality or patient safety.

4. Practical Implications for the Site Master File

Compliance with the revised chapters requires substantial updates to the SMF.

4.1. Impacts Related to the Revision of Chapter 1

Implementation of the revised Chapter 1 requires substantial evolution of the PQS. Sites must formally describe a structured Knowledge Management system covering the full lifecycle of products and processes. This is accompanied by reinforced expectations regarding the control of subjectivity in risk assessments, including mechanisms to limit human bias and improve decision‑making robustness.

Furthermore, the scope of the PQS explicitly expands to include supply shortage prevention strategies, which must be addressed as quality risks in their own right. Finally, PQR processes must be adapted to incorporate the new regulatory requirements, particularly in relation to non‑production periods, trend analysis, and scientifically justified product grouping.

4.2. Impacts Related to the Revision of Chapter 4

The revision of Chapter 4 drives a profound transformation of documentation management, now centered on comprehensive data governance. Sites are required to explicitly describe a Data Governance system covering the entire data lifecycle, regardless of data format or medium, and fully integrated into the PQS.

Regulatory expectations also include formal recognition of the Validation Master Plan (VMP) as a master document, subject to the same control and revision requirements as other strategic quality documents. Explicit integration of ALCOA++ principles is now a prerequisite to demonstrate compliance of documentation practices. Finally, increased attention is placed on the management of hybrid systems, multimedia records, and advanced technologies, including automation and artificial intelligence, which must now be fully governed, controlled, and justified within the quality system.

Conclusion

The 2025–2026 revisions of EU GMP Chapters 1 and 4 represent the most structural evolution of European GMP requirements in over a decade. They convey a clear regulatory message: pharmaceutical quality is now based on the scientific control of risk, data, and knowledge.

Beyond regulatory compliance, these requirements offer an opportunity to strengthen quality system robustness, secure medicine availability, and sustainably improve industrial efficiency for the benefit of patients.

Need assistance?

Through its in‑depth knowledge of European regulatory requirements and a pragmatic, risk‑based approach, Efor supports pharmaceutical manufacturers with the following services:

• Training and upskilling of your teams to the new EU GMP Chapter 1 and 4 revisions and requirements
• Impact assessment of Chapters 1 & 4 revisions on your current Pharmaceutical Quality System (PQS)
• Risk-based gap analyses of data governance, knowledge management, and PQS processes
• Design and implementation of PQS remediation roadmaps that prioritise high-impact, low-disruption actions
• Developing or updating governance documents (Quality Manual, SOPs, data-integrity policies)
• Ongoing compliance monitoring and readiness support for inspections and audits

Contact us to transform new Chapter 1 and 4 requirements into drivers of sustainable performance: solutionprojectdelivery@efor-group.com