Does the EU AI Act apply to pharma manufacturers outside the EU?

Yes. The AI Act has extraterritorial reach: any AI system whose output is used in the EU — including by EU-based customers of Asian or American manufacturers — falls within scope. Vietnamese or Southeast Asian pharma sites supplying EU markets must comply if their AI systems affect product quality, safety decisions, or regulatory submissions for EU consumption.

What changed with the May 2026 EU AI Omnibus amendment?

The Omnibus agreement (7 May 2026) defers the high-risk AI obligations deadline for systems embedded in regulated products from 2 August 2026 to 2 August 2027. It also reduces documentation burdens for low-risk systems and clarifies that AI systems already CE-marked under MDR/IVDR do not need parallel AI Act conformity assessments if their existing Notified Body review covers the AI component.

What is the difference between an AI system and an AI model under the Act?

The AI Act distinguishes AI systems (deployed applications that generate outputs influencing decisions or environments) from General Purpose AI (GPAI) models (foundation models that can be adapted for many uses). Pharma manufacturers are primarily concerned with AI systems embedded in quality processes. GPAI model obligations (transparency, copyright disclosure) fall on model providers, not pharma deployers.

Is a predictive maintenance model a high-risk AI system?

Generally no, if it operates in advisory mode only — it recommends maintenance scheduling but does not directly control a critical process parameter or safety function. If the PdM output triggers an automated shutdown of a GMP-critical system without human-in-the-loop confirmation, that escalates the risk classification and requires a more rigorous conformity assessment.

What documentation is required for a high-risk AI system in pharma?

Article 11 requires technical documentation covering: system description and intended purpose, risk management process, training data characteristics, accuracy and robustness metrics, human oversight mechanisms, and post-market monitoring plan. This maps closely to GAMP 5 Validation Summary Report structure — manufacturers with existing GxP validation frameworks have a significant head start.

How does the EU AI Act interact with 21 CFR Part 11 and Annex 11?

They address overlapping but distinct requirements. 21 CFR Part 11 and Annex 11 govern electronic records and signatures in GxP contexts. The EU AI Act governs the AI system itself — its design, validation, transparency, and post-market monitoring. A pharma AI system must satisfy both: Annex 11 for its electronic record outputs, and the AI Act for its algorithmic behavior. See our 21 CFR Part 11 & Annex 11 guide for the electronic records layer.

What penalties apply for non-compliance with the EU AI Act?

Fines reach €30 million or 6% of global annual turnover (whichever is higher) for prohibited AI practices, €20 million or 4% for high-risk system violations, and €10 million or 2% for incorrect information to authorities. These are comparable in magnitude to GDPR penalties and signal that the EU intends enforcement to be material.

EU AI Act pharma manufacturing

EU AI Act for Pharma Manufacturing: Compliance Guide 2026

TL;DR: The EU AI Act is the world's first comprehensive AI regulation, and pharma manufacturing sits squarely in its high-risk tier. The Omnibus amendment of 7 May 2026 defers the primary enforcement deadline to August 2027 for systems in regulated products — but does not eliminate obligations. Manufacturers who understand the classification logic, documentation requirements, and overlap with existing GxP frameworks are in a strong position to comply without building a parallel compliance program from scratch. This guide covers exactly that. (~85 words)

Why This Regulation Matters More Than Most Pharma Compliance Announcements

Most regulatory updates in pharma manufacturing arrive as revisions to existing frameworks — a new Annex 1, an ICH Q guideline, an FDA draft guidance. They add requirements to a system that is already known. The EU AI Act is structurally different: it is a horizontal regulation that applies across sectors, written by technology policymakers rather than pharmaceutical regulators, and it creates obligations on the system itself rather than on the product the system helps to make.

The practical consequence is that a pharma quality director cannot simply hand the Act to the validation team and ask them to apply GAMP 5. The Act introduces concepts — conformity assessments, notified body involvement for AI specifically, post-market monitoring of model performance, transparency obligations toward operators — that require involvement from IT, legal, and regulatory affairs in addition to QA.

What makes this manageable is that the underlying intent of the Act — ensuring AI systems are accurate, robust, transparent, and under human oversight — maps very closely to what pharma GxP validation already requires. Manufacturers with mature GAMP 5 validation practices and good ALCOA+ data integrity controls are, in substance, 60–70% of the way to EU AI Act compliance. The gap is primarily documentation format and scope — not new technical requirements.

The Regulatory Timeline: What the Omnibus Changes

The original AI Act (entered into force August 2024) set the following key dates:

February 2025: Prohibited AI practices provisions effective
August 2025: GPAI model obligations effective; AI Office established
August 2026: High-risk AI system obligations effective (original)
August 2027: High-risk AI embedded in regulated products (MDR, IVDR, and by extension pharma products subject to CE marking)

The Digital Omnibus package, agreed by the European Council and Parliament on 7 May 2026, introduced three significant changes relevant to pharma:

First, the high-risk obligations deadline for AI systems embedded in regulated products (the most relevant category for pharma) moves from August 2026 to August 2027 — a 12-month deferral. This gives manufacturers one additional year for conformity assessment and technical documentation.

Second, the Omnibus reduces documentation and testing burdens for low-risk AI systems, allowing a lighter-touch conformity pathway. This matters for internal operational AI (scheduling optimization, demand forecasting) that does not directly influence product quality decisions.

Third, the Omnibus clarifies that AI systems already reviewed by a Notified Body under the Medical Devices Regulation (MDR) or In Vitro Diagnostics Regulation (IVDR) do not need a separate parallel AI Act conformity assessment — the AI Act obligations are folded into the MDR/IVDR review process. This avoids duplicative compliance work for medtech and diagnostics companies.

What the Omnibus does not change: The classification logic (Annex III still applies to safety-critical AI), the prohibition on certain AI practices, the requirement for technical documentation, and the penalty structure.

Classification: Is Your Pharma AI System High-Risk?

The AI Act's risk classification uses a two-axis logic: the nature of the system (what does it do?) and the context of use (who is affected, and how?). For pharma manufacturing, the relevant classification questions are:

Annex III, Point 3 — Critical Infrastructure: AI systems used to manage or operate critical infrastructure (energy, water, manufacturing that is deemed safety-critical) fall here. This is unlikely to apply to most pharma manufacturing AI unless the site is classified as critical national infrastructure.

Annex III, Point 5 — Product Safety Components: AI systems that are safety components of products regulated under EU harmonisation legislation — including pharmaceutical manufacturing equipment regulated under the Machinery Regulation or pressure equipment directives — are high-risk. An AI system embedded in an autoclave controller, for example, qualifies.

Annex III, Point 5b — Medical Devices and IVDs: AI systems that are themselves medical devices or IVDs, or that are safety components of medical devices/IVDs, are explicitly high-risk. This captures automated visual inspection (AVI) systems validated for sterile product release, AI-based diagnostic tools, and any AI component of a device subject to MDR.

Non-Annex III manufacturing AI: AI systems used purely for operational efficiency — scheduling, yield prediction, energy management — that do not directly influence product quality decisions or safety functions are not high-risk under the Act, though they remain subject to general AI Act obligations (accuracy documentation, basic transparency).

The practical decision tree for pharma:

Does the AI output directly influence a CQA, CPP, or patient safety decision? → High-risk, Annex III applies
Is the AI embedded in or is a safety component of a regulated device? → High-risk, Annex III applies
Is the AI purely operational/back-office with no quality impact? → Minimal risk, lighter obligations

High-Risk Obligations: The Six Requirements That Matter

For systems classified as high-risk, the AI Act specifies obligations under Articles 9–17. Mapped to pharma practice:

1. Risk Management System (Article 9) Continuous risk management throughout the AI system lifecycle — design, training, deployment, retraining, decommissioning. This is structurally identical to the GMP risk management requirement under ICH Q9. Manufacturers with ICH Q9-aligned risk management can map AI-specific risks (model drift, adversarial inputs, data quality degradation) into existing FMEA or risk register workflows.

2. Data and Data Governance (Article 10) Training, validation, and test datasets must be relevant, representative, free of errors to the extent possible, and complete for the intended purpose. For pharma AI, this means: documented data lineage, outlier handling procedures, and evidence that training data represents the full population of intended use cases (including edge cases and rare defects for AVI systems). Data quality at this level requires the GMP-compliant data infrastructure described in our Pharma Data Lake Architecture blueprint.

3. Technical Documentation (Article 11) Pre-market technical documentation covering: general system description, intended purpose, design choices rationale, training methodology, performance metrics with confidence intervals, known limitations, and human oversight design. Post-deployment: a log of all model updates, retraining events, and performance monitoring results. The GAMP 5 Validation Summary Report format accommodates most of this — gap is typically the "human oversight mechanism" section and the post-market monitoring plan.

4. Automatic Logging (Article 12) High-risk AI systems must automatically log events sufficient to trace back decisions and identify anomalous behavior. In GMP terms: audit-trailed event logs at the AI inference layer, not just at the electronic record layer. This requires the AI deployment infrastructure (MLOps platform) to generate and store model inference logs with timestamps, input data hashes, and output values — separate from application-level audit trails.

5. Transparency and Information for Users (Article 13) Instructions for use must explain: intended purpose, level of accuracy, foreseeable misuse scenarios, human oversight requirements, and what the system cannot do. For pharma operators, this maps to the "user requirement specification" and "operator training" components of a GAMP 5 deployment — but must be formally documented as part of the AI Act technical file.

6. Human Oversight (Article 14) High-risk AI must be designed to allow effective human oversight — including the ability to override, interrupt, or stop the system. For pharma manufacturing AI, this means: operator review required before AI-generated decisions affect a released batch or a regulatory submission. Systems that automate decisions without a human decision point in the critical path need architectural changes to comply.

Overlap with Existing GxP Frameworks

The most efficient compliance path is not to build a parallel AI compliance program. It is to extend existing GxP infrastructure to cover AI-specific gaps:

GxP Framework	AI Act Requirement	Gap to Close
GAMP 5 validation lifecycle	Technical documentation (Art. 11)	Add AI-specific sections: training data lineage, model versioning, drift monitoring plan
ICH Q9 risk management	Risk management system (Art. 9)	Add AI-specific risk categories: model failure modes, data poisoning, concept drift
21 CFR Part 11 / Annex 11 audit trails	Automatic logging (Art. 12)	Extend audit trail to AI inference layer — MLOps logging, not just application logging
ALCOA+ data integrity	Data governance (Art. 10)	Apply ALCOA+ to training data and model artifacts, not only to electronic batch records
Change control procedures	Post-market monitoring	Include model retraining triggers in change control; define what constitutes a "significant change" requiring revalidation

For the 21 CFR Part 11 and Annex 11 layer, see our dedicated blueprint: 21 CFR Part 11 & Annex 11 Compliance Guide →

For the GAMP 5 AI validation framework, see: GAMP 5 Validation for AI/ML →

FDA Alignment: GAIP Principles (January 2025)

The FDA's January 2025 draft guidance on Considerations for the Use of Artificial Intelligence to Support Regulatory Decision Making introduced ten "Good AI Practice" (GAIP) principles that broadly align with EU AI Act requirements: human-centric design, risk-based approach, adherence to standards, clear context of use documentation, transparency, robustness, bias mitigation, validation evidence, real-world performance monitoring, and responsible stewardship.

The FDA/EMA joint statement issued in early 2025 signals convergence: both agencies expect the same substance from AI validation, even if the formal mechanisms differ. Companies building AI Act-compliant technical documentation that also addresses GAIP principles are building a single unified evidence package usable for both EU and US regulatory purposes. This convergence is one of the most practically useful developments for global pharma manufacturers in 2025–2026.

Practical Compliance Roadmap: 8 Steps

Step 1 — AI System Inventory (Weeks 1–2): List every AI/ML system in use across manufacturing, quality, and supply chain. Include vendor-supplied AI embedded in equipment (SCADA systems with anomaly detection, AVI platforms, LIMS with ML-based outlier detection). Classify each against the Annex III criteria.

Step 2 — Gap Assessment (Weeks 3–4): For each high-risk system, assess existing documentation against Article 11 requirements. Identify missing elements: typically training data documentation, post-market monitoring plan, and human oversight specification.

Step 3 — Data Infrastructure Audit: Verify that training data sources meet Article 10 requirements. If data is sourced from OT systems without traceability, this is a prerequisite project before AI Act compliance documentation can be completed.

Step 4 — Update Validation SOPs: Revise GAMP 5 URS/FRS/DQ/IQ/OQ/PQ templates to include AI-specific sections. Map to AI Act Article 11 structure so validation documents serve dual purpose.

Step 5 — Implement MLOps Logging: Deploy automatic inference logging at the AI system level. Tools: MLflow, Azure ML, AWS SageMaker, or AVEVA-native logging where applicable.

Step 6 — Define Human Oversight Checkpoints: For each high-risk AI system, document the human decision point. If none currently exists, redesign the workflow before the August 2027 deadline.

Step 7 — Conformity Assessment: Work with Notified Body (for MDR/IVDR-linked AI) or complete self-assessment for Annex III systems not embedded in a regulated device. Compile technical file.

Step 8 — Post-Market Monitoring Plan: Define KPIs for model performance monitoring (accuracy drift threshold, false-negative rate upper limit), retraining triggers, and change control procedures for model updates.

Vietnam Context: Export Markets Drive Compliance

For Vietnamese pharmaceutical manufacturers, the EU AI Act is relevant through the export lens. Sites targeting EU GMP certification — required for export to EU markets — will encounter AI Act requirements during inspections when AI systems are in use for quality-critical decisions. The PIC/S accession roadmap Vietnam is pursuing brings EU GMP standards progressively into domestic regulation; AI-specific requirements will follow. Manufacturers building export capability now — particularly those with EU GMP-certified sites or partnerships with European CDMOs — should begin AI system inventories and gap assessments in 2026 rather than 2027. The compliance work overlaps substantially with the ISA-95 automation documentation and GxP validation frameworks already required for WHO GMP.

Summary: Three Actions Before August 2027

The Omnibus deferral gives pharma manufacturers breathing room, but not permission to defer planning. Three actions to take now: complete an AI system inventory and classify each system against Annex III; update GAMP 5 validation templates to cover AI Act Article 11 documentation requirements; and implement MLOps-level inference logging for any high-risk system currently in production. Everything else — conformity assessment, post-market monitoring plan, human oversight documentation — flows from these foundations.

For the full GxP validation framework that underpins AI Act compliance, see the GxP Compliance & Validation Playbook →.

References

EU AI Act — Regulation (EU) 2024/1689, full text: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
Omnibus amendment agreement, Council of the EU, 7 May 2026: https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
Arnold Porter — EU Digital Omnibus Pharma/Medtech implications: https://www.arnoldporter.com/en/perspectives/advisories/2026/02/eu-digital-omnibus-what-the-proposed-reforms-mean-for-pharma-and-medtech
FDA Draft Guidance — AI to Support Regulatory Decision Making (Jan 2025): https://www.fda.gov/about-fda/artificial-intelligence-drug-development/guiding-principles-good-ai-practice-drug-development
EMA/FDA Joint AI Principles: https://www.ema.europa.eu/en/news/ema-fda-set-common-principles-ai-medicine-development-0
ISPE GAMP Guide: Artificial Intelligence (July 2025): https://ispe.org/publications/guidance-documents/gamp-guide-artificial-intelligence
Clifford Chance — AI Act intersection with pharma compliance: https://www.cliffordchance.com/insights/resources/blogs/healthcare-and-life-sciences-insights/2025/11/ai-meets-regulation-at-the-intersection-of-eu-ai-act-and-pharma-compliance-strategy.html
EU AI Act for Pharma/Life Sciences compliance guide: https://sakaradigital.com/blog/eu-ai-act-enforcement-life-sciences/
Intuition Labs — EU AI Act pharma compliance overview: https://intuitionlabs.ai/articles/eu-ai-act-pharma-compliance
Harvard Law — Future of EU Medical AI regulation analysis: https://petrieflom.law.harvard.edu/2026/03/05/simplification-or-back-to-square-one-the-future-of-eu-medical-ai-regulation/

Cluster Progress

ID	Title	Status
N2.P	AI & Data Science Hub	✅ Written
N2.1	EU AI Act for Pharma Manufacturing	✅ Written
N2.2	Predictive Maintenance Pharma GMP	⬜
N2.3	Computer Vision QC for Pharma	⬜
N2.4	Digital Twin for Pharma Manufacturing	⬜
N2.5	PAT Integration with AI/ML	⬜
N2.6	Pharma Data Lake Architecture	⬜

Checklist triển khai

Áp dụng theo từng bước để đảm bảo tính tuân thủ GMP và khả năng vận hành ổn định.

TYPE 2 — Expert synthesis based on industry-standard GMP guidelines, regulatory publications and real-world pharmaceutical automation deployments in Vietnam and Southeast Asia. Transparency note: This resource reflects the author's professional experience and publicly available regulatory guidance. Readers should verify specific requirements with their qualified regulatory consultants.