Current state: 2026.
QMSR effective 2 February 2026 · EU AI Act Annex III applicable 2 August 2026 · ICH E6(R3) operative since January 2025 · ISO/IEC 42001 adoption under watch · AI-specific GMP guidance under watch. The convergence of regulated-AI governance frameworks — what is live, changing, or watch-listed in 2026.
Current state: 2026.
What's live · what just changed · what's in transition2026 brings several important governance transitions into the same operating window. QMSR effective in February. EU AI Act Annex III applicable in August. ICH E6(R3) operative across regions. ISO/IEC 42001 is becoming a practical reference point in AI management-system discussions. AI-specific GMP guidance under watch. Inspection and audit readiness should be tracked against these changes without treating projections as confirmed regulatory trends.
QMSR effective Feb 2 2026.
Final rule Federal Register 2 February 2024. Effective 2 February 2026. Replaces 21 CFR 820 with a regulation that incorporates ISO 13485:2016 by reference plus FDA-specific overlays (UDI, eMDR, complaint files §820.198, labelling §820.45, objective evidence §820.10). 24-month implementation runway closed. Existing device manufacturers should verify transition expectations against FDA communications and their own quality-system scope.
ICH E6(R3) operative.
Step 4 reached 6 January 2025. Operative across ICH regions through 2025. Principles-based GCP, sponsor-investigator oversight, decentralised-trial language, risk-based monitoring, electronic-systems alignment with §11 / Annex 11. Annex 1 (interventional) finalised; Annex 2 (non-traditional / decentralised) in development.
EU AI Act Annex III.
Regulation 2024/1689. Entered into force 1 August 2024. Annex III high-risk obligations applicable 2 August 2026; Annex I high-risk (safety components of regulated products including medical devices) applicable 2 August 2027. Risk-impact assessment, technical documentation, transparency, human oversight, robustness, cybersecurity.
ISO/IEC 42001 adoption curve.
Published December 2023. Through 2026, ISO/IEC 42001 is best read as a management-system reference for organisations preparing AI governance evidence. Supplier and tender use should be confirmed case by case rather than assumed as a settled baseline.
AI-related GMP expectations watch.
EU GMP computerised-system and AI-related expectations should be tracked through official EudraLex updates. Until additional official text is published, AI/ML lifecycle controls should be treated as a watch area: data governance, training-data integrity, monitoring, retraining, and post-deployment review.
ICH Q9(R1) dominant.
R1 (January 2023) is a central quality-risk reference for modern audit and inspection thinking. Subjectivity management, knowledge-base risk, digitalisation expectations now read into change-control, deviation, validation-scoping decisions. The lens through which auditors read everything else.
ALCOA+ baseline.
MHRA GxP DI (2018), FDA Data Integrity Q&A (2018), PIC/S PI 041-1 (2021) read together as a practical data-integrity baseline. Routine audit-trail review, periodic system-access review, and electronic-paper hybrid controls should be documented according to the applicable jurisdiction and predicate rule.
QMSR language retrofit.
A plausible QMSR transition gap is that procedures still reference pre-QMSR 21 CFR 820 clause language. Pre-2026 procedures using §820.30 (design controls), §820.50 (purchasing controls), §820.100 (CAPA) without ISO 13485 §7.3, §7.4, §8.5 cross-reference. This is not just a find/replace exercise; teams need a controlled clause map and evidence that procedure intent still matches the new regulatory grammar.
CAPA effectiveness.
A recurring quality-system concern is that CAPAs closed without effectiveness verification, without measurable success criteria, without 6-12 month post-implementation metrics. ISO 13485 §8.5.2/3 unchanged in QMSR transition; the audit gap is implementation, not regulation.
AI governance gap.
Emerging finding: AI / ML systems deployed in regulated operations without integrated governance evidence. AI risk register sitting outside the Q9(R1) risk register; AI change-control parallel to the QMS change-control SOP; model retraining performed without documented release. The 42001 integration test.
Audit-trail review.
A recurring data-integrity concern is that audit trails exist but the review evidence is weak or inconsistent. The 2018 MHRA / FDA Data Integrity expectation was unambiguous; teams should be able to show that audit-trail review is not only written into SOPs but performed and recorded.
Combination products.
Sponsors who built §820-shaped device QMSs have to bridge them onto QMSR / ISO 13485 grammar while maintaining the §211 drug-product side. The DHF-to-PQS bridge is a practical transition risk that should be checked in internal audits.
FDA & EU distance work.
Post-COVID, FDA Mutual Reliance and EMA distance-assessment frameworks remain operational alongside on-site inspections. Hybrid inspection and distance-assessment practices remain relevant; teams should be able to retrieve and explain records remotely as well as on site.
AI & medical-product governance.
Regulated-AI governance and medical-product governance are increasingly connected in the same evidence conversation. EU AI Act Annex III obligations applicable 2 August 2026 overlap with EU MDR / IVDR, FDA QMSR for AI/ML SaMD, ICH E6(R3) for AI-augmented trials. The practical question is whether one evidence system can explain both axes without creating parallel governance records.
EMA AI Reflection.
EMA's reflection work on AI in the medicines lifecycle is an important source to monitor for pharmaceutical development, manufacturing, and pharmacovigilance. Public pages should distinguish EMA reflection material from legal obligations.
FDA AI/ML Action Plan.
FDA's AI/ML-Based Software as a Medical Device Action Plan and the Predetermined Change Control Plan (PCCP) framework continue maturing through 2026 — the regulated path for adaptive ML systems in devices, parallel to the EU AI Act high-risk track.
Annex 11 revision.
Annex 11 and related EU GMP computerised-system expectations should be tracked through official EudraLex updates. Alignment with quality-risk management, supplier control, data integrity, and AI/ML lifecycle controls remains the practical watch area.
Source register.
official anchors · interpretation separatedQMSR final rule.
Federal Register final rule amending the Quality System Regulation; effective date and FDA-specific overlays should be read from the rule text.
21 CFR Part 820.
Current legal text for FDA device quality-system requirements; use this as the live clause anchor for QMSR references.
Q9(R1) quality risk management.
Step 4 guideline for quality-risk-management concepts, subjectivity, formality, and knowledge management.
Q10 pharmaceutical quality system.
Pharmaceutical quality-system reference for management responsibility, lifecycle quality, CAPA, and continual improvement.
Q12 lifecycle management.
Step 4 guideline for established conditions, post-approval change management, and product lifecycle management.
21 CFR Part 11.
Electronic records and electronic signatures rule; use with predicate-rule context and FDA scope guidance.
Data integrity Q&A.
FDA questions-and-answers guidance on data integrity and CGMP; useful for ALCOA+ and audit-trail interpretation.
EudraLex Volume 4.
Official EU GMP page for Annex 11 and related GMP annexes; AI-specific GMP claims should be checked here before publication.
EU AI Act.
Regulation (EU) 2024/1689 official text; used for AI Act timing, high-risk system references, and governance boundaries.
ISO/IEC 42001.
AI management-system standard landing page. Full standard text is paid; public iFeed content should not quote unavailable clauses.
Computer Software Assurance.
FDA guidance PDF for production and quality-system software; useful for CSA and CSV evidence-readiness discussion.
GAMP 5, second edition.
Industry guidance landing page. Treat as implementation guidance, not a regulation; full guide access is controlled by ISPE.