Cloud Usage and GxP - Which Regulatory Requirements are Applicable?

The cloud or cloud-based services automatically become part of the lifecycle of a computerized system. In regulated industries, this leads to considerations in particular on how to handle the topics of IT security, validation, infrastructure qualification and the allocation of tasks during operational use.

Requirements for handling data in the cloud can be derived from GxP-relevant regulations. Thus, several GxP-critical aspects are affected when data is stored in the cloud:

  • Data availability, data security and data integrity
  • The suitability of the supplier or the cloud service provider
  • The management of outsourced activities
  • The storage/archiving of data or documentation

It‘s necessary to note that compliance with these requirements depends on both the company using the cloud services and the cloud provider itself. Ultimately, however, the regulated company remains responsible for the compliant operation of a cloud-based application. A thorough risk assessment, expert advice, and working with a trusted cloud provider are crucial to meeting the regulatory requirements associated with cloud use under GxP.

An introduction to this topic is provided in the article by Dr. Peter Schober, Principal Consultant at gempex GmbH:

Which GxP regulatory requirements are applicable to cloud usage?

At Knowledgede this German language article is available, which was published as an editorial in the newsletter "LOGFILE", issue 12/2023, GMP-Verlag Peither.

A fully comprehensive contribution to the topic is offered by the "GMP Compliance Adviser" of the GMP Verlag Peither. The platform is considered the largest standard work for quality management in the pharmaceutical industry.

For questions on the topic, Dr. Peter Schober is available via


This might interest you as well:
IT Validation