Innovation and Regulation: Danish Medicines Agency Insights

Background

The pharmaceutical industry is at a pivotal moment—advanced technologies are intersecting with stringent regulatory frameworks. At the 2025 ISPE Pharma 4.0™ Conference on 9 December 2025, Ib Alstrup, GxP-IT Medicines Inspector at the Danish Medicines Agency, shared compelling insights on this dynamic landscape. His presentation highlighted the risks, benefits, and strategic opportunities associated with evolving regulatory annexes, offering practical guidance on how these changes will shape the future of compliance and technology adoption. Most importantly, he emphasized how regulators are working to enable—not obstruct—digital transformation across the life sciences sector. As Alstrup put it, “Our role isn’t to choose the technology for you. It’s to create guardrails for the highway, not pick the vehicle.”

The Inspector’s Perspective: Enablers, Not Gatekeepers

Alstrup emphasized an important distinction in his role: inspectors do not dictate which technologies companies should use. Instead, they provide frameworks that enable innovation while ensuring patient safety and data integrity remain paramount. This philosophy was tested in a real-world scenario that serves as a cautionary tale for the industry.

During a good clinical practice inspection at a major pharmaceutical company, inspectors discovered that a critical electronic system was completely unvalidated. The company had accepted their cloud vendor’s assurances without conducting proper due diligence. The situation deteriorated when the vendor refused to engage with auditors. This created a compliance impasse that delayed product approval by four months. The financial implications were staggering, underscoring a fundamental principle: regulatory responsibility cannot be outsourced.

Regulatory Updates: Eight Principles Guiding the Future

The regulatory landscape is evolving rapidly. Alstrup’s team is currently revising two key documents. These include the widely-known “EudraLex, Volume 4: EU Guidelines for GMPs for Medicinal Products for Human and Veterinary Use. Annex 11: Computerised Systems”,1 which has grown from a modest four and a half pages to a comprehensive 19-page guidance document. The drafting process involves 24 individuals across 17 countries—a testament to the complexity and international scope of pharmaceutical regulation.

The revised Annex 11 centers on eight foundational principles:

1. Life cycle management ensures systems remain in a validated state from conception through retirement. Quality risk management serves as the central organizing principle, always prioritizing patient safety, drug quality, and data integrity.
2. Alternative practices are welcome. Regulators recognize there’s rarely one “right” way to achieve compliance, as long as equivalent assurance is provided.
3. Data integrity requirements emphasize robust access management, comprehensive audit trails, and clear system requirements.
4. System requirements stress the importance of maintaining accurate, current user requirements specifications (URS), a document that often becomes outdated but remains critical for validation.
5. Outsourced activities receive special attention: There is no regulatory distinction between in-house systems and cloud services. The regulated company retains full responsibility regardless of where systems are hosted.
6. Security finally receives proper treatment in the revision, reflecting the modern threat landscape.
7. No risk increase establishes that new technologies should not elevate overall risk profiles. Innovation must enhance, not compromise, compliance.
8. Cloud services means shared infrastructure, but not shared responsibility. The guidance on cloud services and outsourcing is unequivocal. Regulated companies must conduct thorough audits of service providers, implement effective oversight with meaningful metrics, and maintain a complete understanding of all required documentation. Although vendors can assist, they cannot substitute for the user’s own knowledge and accountability.

The Artificial Intelligence (AI) Frontier: Annex 22

Another document Alstrup’s team is revising is “EudraLex, Volume 4: EU Guidelines for GMPs for Medicinal Products for Human and Veterinary Use. Annex 22: Artificial Intelligence”,2 which will provide guidance specifically for AI applications. Currently, just four pages in its initial draft, this document is attracting significant attention, particularly regarding how it will address large language models (LLMs). With 5,600 comments already received from stakeholders worldwide, this is clearly where industry concern is concentrated.

Defining “Critical”: A Matter of Clarity

One of the key challenges in developing Annex 22 has been terminology. The document focuses on “critical” applications—those with direct impact on patient safety, product quality, and data integrity. However, health authority reviewers have confused this with “GMP critical,” missing the intended meaning. The working group is considering a shift to more explicitly risk-based language, focusing on high-impact, low-detectability scenarios rather than generic compliance terms. This would align more closely with how quality management system applications are evaluated and approved.

Drawing the Line: What’s In and Out of Scope

Annex 22 will make clear distinctions about which AI models fall under regulatory scrutiny.

In-Scope Models

In-scope models are machine learning systems used in manufacturing medicinal products or active substances that directly impact critical applications. These models share three defining characteristics: they’re trained rather than programmed, they’re static (i.e., unchanging unless deliberately retrained), and they produce deterministic outputs (i.e., the same input always yields the same result).

Out-of-Scope Models

Out-of-scope models include dynamic systems that continuously adapt their performance, models producing probabilistic outputs, and, notably, generative AI and LLMs for critical applications.

The LLM Dilemma: Three Paths Forward

LLMs present a unique regulatory challenge. Their propensity for “hallucinations”—confidently providing incorrect information—and their algorithmic training to always provide answers rather than admitting uncertainty or lack of information make them particularly problematic for critical pharmaceutical applications. Currently, generative AI and LLMs are excluded from critical applications in the draft guidance. However, the working group recognizes this creates tension with innovation and is actively debating three potential approaches:

• Option 1—Maintain the ban: Continue excluding LLMs from critical applications, accepting the impact on innovation in exchange for certainty about patient safety.
• Option 2—Human-in-the-loop: Allow LLMs in critical applications but require human oversight. The challenge here is practical: How effective can human review truly be when dealing with large volumes of AI-generated content? Research suggests humans become less vigilant over time when reviewing AI outputs, particularly when accuracy is typically high.
• Option 3—Technical guardrails: Accept LLMs in critical applications but rely on robust technical controls and validation frameworks to ensure safety and reliability.

The message from regulatory authorities is clear: they’re committed to enabling digital transformation while maintaining the rigorous standards that protect patients. The key for pharmaceutical companies is understanding that innovation and compliance aren’t opposing forces, but complementary imperatives.

For noncritical applications, the human-in-the-loop approach is currently suggested, though its practical limitations are acknowledged. The question of how to effectively review AI-generated recommendations at scale remains unresolved.

A Global Conversation

The Annex 22 working group comprises 24 members from five continents, reflecting the truly international nature of pharmaceutical regulation. Heat maps of public comments reveal intense interest in how LLMs will be addressed, with this topic generating the most feedback. Internal debates continue even within member states, particularly around cloud services and the appropriate regulatory stance toward emerging AI technologies. The group is actively monitoring advancements in LLM reliability, especially regarding hallucinations and output consistency, as these technologies continue to evolve rapidly.

Looking Forward: Action and Adaptation

Several critical tasks lie ahead for the regulatory community. These include defining critical needs and the inclusion of cloud services and AI. The definition of “critical” needs requires refinement to focus clearly on risk-based criteria. In-scope and out-of-scope model applications must be explicitly outlined to eliminate confusion. The pros and cons of allowing LLMs with human oversight or technical guardrails in critical applications require thorough evaluation and documentation. Perhaps most importantly, regulators must continue monitoring technological advancements while fostering ongoing discussion among member states about the appropriate stance toward cloud services and AI in regulated contexts.

Conclusion

The message from regulatory authorities is clear: they’re committed to enabling digital transformation while maintaining the rigorous standards that protect patients. The key for pharmaceutical companies is understanding that innovation and compliance aren’t opposing forces, but complementary imperatives. As Alstrup’s real-world example illustrates, the costliest mistakes happen when companies treat validation as a checkbox exercise or attempt to shift responsibility to vendors. The most successful digital transformations will be those that embed compliance thinking from the beginning, maintain robust vendor oversight, and never lose sight of the ultimate goal: safe, effective medicines for patients.

The regulatory landscape is evolving to accommodate new technologies, including cloud computing and AI. The debates around LLMs in critical applications demonstrate the careful balance regulators must strike between encouraging innovation and protecting patients. With 5,600 comments on Annex 22 and working groups spanning five continents, the pharmaceutical industry is collectively wrestling with questions that will shape the future of drug development and manufacturing. The fundamental principle remains unchanged: patient safety comes first, and with it comes a responsibility that cannot be delegated, outsourced, or offloaded. But within that framework, there is growing recognition that properly validated, controlled, and monitored modern technologies can enhance both innovation and compliance. The question isn’t whether AI and cloud computing belong in pharmaceutical operations, but how to integrate them safely and effectively.

The pharmaceutical industry’s digital future is being written right now in regulatory working groups spanning five continents. As Alstrup’s insights reveal, the path forward demands rigorous validation, clear accountability, and honest conversations about the limitations of emerging technologies. Whether it’s a cloud vendor refusing audits or an AI model confidently generating false information, the risks are real and measured in patient lives. Regulators aren’t blocking progress—they’re building frameworks that enable safe innovation. For pharmaceutical companies, the challenge is clear: embrace digital transformation while never forgetting that in this industry, cutting corners doesn’t just risk compliance; it risks lives.