
AI and Pharma: Key Regulations and How to Implement Them
Algorithms and AI are not just buzzwords anymore. They are unavoidable these days, and that also goes for pharma. From identifying potential drug candidates to supporting clinical trial design, optimising manufacturing and distribution processes, analysing (diagnostic) images, guiding preventive maintenance of equipment, and collecting and accessing information, AI is already playing a big role, and that role is growing rapidly.
At the same time, the use of algorithms and AI poses risks and requires careful consideration. For example, sensitive (personal or commercial) data could be shared with third parties without anyone realising it. Or results generated by algorithms could be acted upon even though they are wrong or ill-informed. These are not trivial issues, especially when patient safety, product quality, or data integrity is at stake.
That is why the EU has introduced several regulations over recent years that oblige organisations to consider and mitigate these risks, while also facilitating the use of algorithms and AI. These can be broken down into two categories: general regulations and pharma-specific regulations.
General Regulations
There are several regulations that apply to many categories of data and IT systems, including algorithms and AI used in pharma. The most prominent regulations in this category to consider are:
- The Artificial Intelligence Act (AI Act) for users and deployers of AI systems. Requirements increase depending on the risk of the AI system, and may include risk assessments, risk and quality management processes, human oversight, testing and validation, and transparency.
- The General Data Protection Regulation (GDPR) for processing personal data. The GDPR imposes several obligations, such as data minimisation, impact assessments, organisational and technical security measures, and contractual obligations.
- The Network & Information Security Directive (NIS2) for organisations classified as ‘essential’ or ‘important’. This includes most pharma companies, and requires them to meet certain cybersecurity requirements and take measures to defend against unauthorised access and manipulation.
- The Digital Services Act (DSA) for online platforms and online service providers, which can include patient engagement platforms and research platforms. Large ‘gatekeeping’ platforms may also be subject to the Digital Markets Act (DMA).
Pharma-specific Regulations
Finally, there are several regulations specific to the pharmaceutical industry that also impact the use of algorithms and AI. These include:
- The Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) for AI systems in the sphere of healthcare, such as systems for diagnostics, patient monitoring, or personalised medicine. When a system is in scope of one of these regulations, CE certification is required, and a number of product safety measures must be taken.
- The Clinical Trials Regulation (CTR) for designing and conducting clinical trials in the EU (for GCP regulated companies). The CTR contains requirements for transparency, bias, and fairness.
- Eudralex Volume 4 Annex 11 for the use of computerised systems and electronic data in drug manufacturing and quality control (for GMP regulated companies). Annex 11 includes rules for risk management, validation, audit trails, and various other data integrity and security requirements.
- Guideline 2013/C 343/01 for storing, transporting, and handling medicinal products (for GDP regulated companies). AI systems that are used for logistics or distribution may need to comply with this Guideline.
What to Do?
Compliance with applicable regulations is required for any company, and especially for pharma companies. After all, algorithms and AI can have a significant impact on your data and decisions, and with that on patient safety, product quality, or data integrity.
Start by understanding which regulations apply to your processes. After that, list all required measures. It often works best to identify common requirements among the regulations first and then list all remaining requirements. Finally, prioritise the required measures based on risk and cost/effort of implementation, and start implementing them. Read more about a structured approach to compliance with data regulations here.
Although compliance is required, compliance should not be the end goal. This is about your data, your decisions, your patients, and your business. By staying in control of the technology you are using, you gain the benefits and mitigate the risks.
Working with external experts in the EU helps to ensure compliance and control. Need help or advice with algorithms or AI? Vivenics has technical and compliance experts ready for any challenge. You can reach us on +31 (0)88 8483 100 or via gdprteam@vivenics.com.