How the updated GMP regulations and EU Cyber Resilience Act will affect laboratories
Mar 23, 2026
Article
Discover how the updated GMP regulations and the EU Cyber Resilience Act (CRA) will impact laboratories. Learn what changes are coming, how to prepare your equipment and software, and how Metrohm supports labs in staying compliant.
Recent years have seen a surge in the number of cyberattacks on critical infrastructure and companies. This development has put cybersecurity in the spotlight. As a result, governments worldwide are introducing legislation intended to strengthen cybersecurity. The most prominent legislation is the Cyber Resilience Act (CRA) of the European Union [1]. Other examples are the U.S. Cyber Trust Mark or the China Cybersecurity Law [2,3].
This legislation has led to an update of the GMP regulations, which will affect laboratories in regulated environments worldwide. This blog article is based on an interview with Stefan Gohr, Head of Enterprise Services at Metrohm International Headquarters. It presents the key changes, explains how they affect laboratories, gives laboratory managers guidance on first steps, and describes how Metrohm is preparing to meet the requirements of the CRA.
Click to go directly to a topic:
- Cyber Resilience Act (CRA) in a nutshell
- CRA leads to changes in GMP regulations
- How will the CRA and GMP update affect laboratories?
- What can laboratories do to prepare and ensure compliance?
- How does Metrohm ensure compliance with the Cyber Resilience Act?
- How Metrohm supports customers who need to replace non-compliant systems
Cyber Resilience Act (CRA) in a nutshell
The Cyber Resilience Act (CRA) was released in 2024 by the European Union and approved in autumn of the same year. The purpose of the CRA is to increase cybersecurity by raising security standards for products sold in the European market.
The CRA applies to products which contain digital elements. This includes not only software but also devices which can exchange data with other systems.
This new law will be implemented in two steps:
- September 2026: Suppliers must begin reporting cybersecurity vulnerabilities to ENISA, the European Union Agency for Cybersecurity.
- December 2027: Products that do not comply with the CRA can no longer be sold within the EU.
The second step in particular will have profound consequences for laboratories, as they may no longer be able to obtain replacements or spare parts.
CRA leads to changes in GMP regulations
Under the CRA, suppliers must implement vulnerability management processes. This includes regular security updates to products, and if security gaps are detected, they must be closed immediately.
This conflicts with the long-standing practice in the regulated environment of updating validated systems only when necessary. However, cybersecurity cannot be neglected in the regulated environment, as these companies produce critical goods.
For these reasons, the GMP committee updated Chapter 4 «Documentation» and Annex 11 «Computerised Systems» [4]. Consultation on these updates ran from July to October 2025, and the revised guidelines are expected to take effect as early as 2026.
How will the CRA and GMP update affect laboratories?
The CRA and updated GMP guidelines will affect validation processes and might require the replacement of current equipment.
First, more frequent software updates and security updates can lead to more revalidations of the system. Laboratories will have to develop strategies for implementing security patches and system updates, covering not only the operating system (for example Windows), but also critical laboratory software. According to the revised GMP guidelines, regulated laboratories should follow recommendations provided by the suppliers. Recommended measures are separate security updates and a dedicated testing environment.
Second, the CRA will prohibit the sale of non-compliant analytical devices and software. While devices and software sold before December 2027 are exempt, any updates to such products must be compliant. For some suppliers, adapting older products to the new regulations might be too complex and too costly. As a result, they may discontinue products and declare end of support by 2027.
Regulated laboratories which want to keep using non-compliant devices longer will have to establish an emergency IT environment, completely isolating these devices from their network and the internet. With analytical instruments integrated with LIMS and ERP systems, this approach is impractical and may compromise data integrity.
Non-regulated laboratories can carry out their own risk assessment and decide whether to keep using non-compliant devices to bridge a gap until new investments are possible. However, they should be aware that delaying replacements increases security risks, as security gaps become larger over time.
What can laboratories do to prepare and ensure compliance?
Laboratories can take several steps to prepare for the updated GMP guidelines and Cyber Resilience Act (see Figure 1).
- Evaluate current equipment and software to identify potential gaps.
- Develop a strategy for implementing security updates to minimize revalidation efforts.
- Establish a dedicated test environment to ensure updates do not disrupt operations.
The updated GMP guidelines and the CRA will increase workload and costs in regulated laboratories. Starting the planning process now and establishing a roadmap will help laboratories to prepare for these changes.
Evaluate current equipment in the laboratory
The first step is to evaluate all devices and software currently in use. Laboratories should also contact suppliers, such as Metrohm, about their compliance plans for specific products.
Key questions to address are:
- Are devices and software still supported by the supplier?
- Do suppliers have the CRA and updated GMP guidelines on their radar? What is their process for managing product vulnerabilities? How do they intend to provide security updates?
- Will the supplier continue to support devices or software after December 2027?
If the answer to any of these questions is negative, laboratories should allocate budgets for replacements or develop strategies on how to isolate the system in collaboration with their IT department. If multiple systems are affected, a roadmap should be established for the replacement or isolation based on the criticality of the system for operations.
SBOM and HBOM – handy indicators of readiness
When evaluating current software solutions, laboratories should check whether the software bill of materials (SBOM) is available. The SBOM, mandated by the CRA, lists essential information about all components used to build the software, including third-party components. It helps identify whether the software contains components with known vulnerabilities.
Typically, the SBOM is provided as a text file in the installation directory or listed in the product documentation. If no SBOM is available, laboratories should treat this as a warning sign that the product may not be ready for the Cyber Resilience Act. In such cases, it is recommended to contact the vendor and confirm whether an SBOM will be provided before enforcement begins.
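The two checks described above, the presence of the SBOM file and the comparison of its components against known advisories, as an added example that is not part of the original article or of any Metrohm software. It assumes the SBOM is in CycloneDX JSON layout (the article names no format) and uses a constructed SBOM and a constructed advisory list with placeholder component names and advisory ids.

```python
import json
from pathlib import Path

# Constructed sample SBOM in CycloneDX JSON layout; the format is an assumption.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-parser-lib", "version": "1.4.2"},
        {"type": "library", "name": "example-tls-lib", "version": "3.0.14"},
        {"type": "library", "name": "example-db-engine", "version": "2.1.0"},
    ],
}

# Constructed advisory list: component -> (first fixed version, placeholder advisory id).
ADVISORIES = {
    "example-parser-lib": ("1.5.0", "PLACEHOLDER-ADVISORY-0001"),
    "example-tls-lib": ("3.0.13", "PLACEHOLDER-ADVISORY-0002"),
}


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple; None if not numeric."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def load_sbom(path):
    """Return the parsed SBOM, or None when the file is absent (a readiness warning sign)."""
    sbom_file = Path(path)
    if not sbom_file.is_file():
        return None
    return json.loads(sbom_file.read_text(encoding="utf-8"))


def find_vulnerable_components(sbom, advisories):
    """List components whose version is below the first fixed version in an advisory."""
    findings = []
    for component in sbom.get("components", []):
        name, version = component.get("name"), component.get("version", "")
        if name not in advisories:
            continue
        fixed_in, advisory_id = advisories[name]
        current, fixed = parse_version(version), parse_version(fixed_in)
        # Unparseable versions cannot be cleared automatically, so flag them for review.
        if current is None or fixed is None or current < fixed:
            findings.append({"name": name, "version": version,
                             "fixed_in": fixed_in, "advisory": advisory_id})
    return findings
```

Running `find_vulnerable_components(SAMPLE_SBOM, ADVISORIES)` flags only `example-parser-lib`, since `example-tls-lib` is already at or above its fixed version and `example-db-engine` has no advisory.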
For hardware, the equivalent to the SBOM is the HBOM (hardware bill of materials). An HBOM file is necessary for any device containing firmware. Suppliers will have to provide the HBOM file in a digital format. It is recommended to contact suppliers and ask for the file or for the date when it will become available.
Develop a strategy for implementing security updates
The updated GMP regulations and the CRA stipulate regular security updates. To minimize validation efforts and the risk of production stops, laboratories should develop an implementation strategy.
Separate security updates are critical to reduce the effort of revalidations. Regular software updates provide a mixture of new features and security updates. This would require full validation. In contrast, separate security updates fix only security issues without adding new features. As their scope is smaller, validation becomes faster and less complex.
Fast validation is desirable, because critical security issues should be fixed as quickly as possible. Waiting six to nine months until a complete revalidation is done is, in the case of a critical security issue, not acceptable.
Establish a test environment
Installing security updates always carries the risk of system failure, which can result in a production stop. To mitigate this risk, laboratories should consider establishing a test environment.
In this scenario, security packages are first installed on the test system, and the key functions needed for daily operations are thoroughly tested. Only after the functions affected by the security update have been successfully tested in the test environment is the update deployed to the production environment. Figure 2 shows the difference between a laboratory with a test environment and one without a test environment.
Larger organizations may consider implementing three environments: development/qualification, test, and production. The development/qualification environment is used for method development and validation. The test environment mirrors the production environment, for example, it uses the same network and firewalls. Lastly, daily operations, such as QC for product releases, run on the production environment.
Installing an additional test environment comes at additional cost and requires more IT resources, particularly for client/server systems. Learn more about the importance of a scalable, cost-efficient system in the free White Paper.
How does Metrohm ensure compliance with the Cyber Resilience Act?
Metrohm started preparing for these regulations some time ago to ensure that we will fulfill the CRA and GMP requirements for vendors when the regulations are enforced. We can guarantee that OMNIS, our platform software, will meet the requirements. The SBOM file is already available in the installation directory, and we publish a declaration of cybersecurity with every release. This declaration can be found in the Metrohm Knowledge Base. The HBOM files are in preparation.
Customers can expect regular OMNIS updates and security patches. Customers with an OMNIS maintenance contract will be contacted by us directly. For the other customers, we are evaluating different information options.
Different OMNIS versions for different needs
Industry requirements for software updates vary. In some sectors, regular automatic updates, similar to updates of mobile apps, are acceptable. However, in regulated environments, such automatic updates are undesirable. Additionally, laboratory networks may not be connected to the internet.
Therefore, Metrohm offers two versions of OMNIS. They differ in their support and service guarantees (see Table 1).
| Feature | Standard version | Long-Term Support (LTS) version |
|---|---|---|
| Software support guarantee | Support guarantee expires after release of next version | Support guaranteed for 5 years from release |
| Service guarantee | Serviceability of all parts guaranteed until release of next version | Serviceability of all parts guaranteed for 5 years from release |
| IQ/OQ support | IQ/OQ not available | Fully documented computer system qualification according to FDA 21 CFR Part 11 and EudraLex, Volume 4, Annex 11 available |
| Re-qualification | Re-qualification not available | Re-qualification available |
| Security updates | Rolled out regularly | Deployed manually according to strategy defined by customer |
How Metrohm supports customers who need to replace non-compliant systems
Hardware and software which will no longer be supported by suppliers will have to be replaced, as isolating them from the company network is only a temporary solution. Changing to a new product, especially a new software solution, presents various challenges. To support customers in the transition to OMNIS, Metrohm has established the Metrohm Enterprise Services team. This team offers specialized consulting and implementation services adapted to the customer’s specific needs and situation.
Metrohm Enterprise Services also offers maintenance contracts for OMNIS, ensuring vulnerability and security patch management. Together with the customer’s IT and security experts, they develop a strategy for deploying security patches. A service manager will oversee the implementation and maintenance of this strategy for the lifetime of OMNIS at the customer’s site.
Conclusion
The updated GMP guidelines and CRA will change how regulated laboratories work. Laboratories can start preparing for these changes by evaluating their current equipment and software. Some systems may require replacement, because they will no longer be supported when the CRA and revised GMP Annex 11 are enforced.
Regular security updates will become the standard, as cybersecurity is an ongoing process. This shift will require changes to how laboratories update, re-validate, and maintain their analytical systems. Additional test environments may have to be installed to ensure continuous operation.
Only solutions that fulfill the updated GMP regulations and CRA, such as OMNIS, will ensure laboratories stay compliant. To support the transition to OMNIS, Metrohm has established Metrohm Enterprise Services, which works closely with customers, helping them to deploy and maintain a secure OMNIS environment tailored to their specific security strategy.
Further resources
White Paper: Why switch to OMNIS Client/Server (C/S)?
Blog: Introduction to Analytical Instrument Qualification
References
[1] European Commission. Cyber Resilience Act. Shaping Europe’s digital future. https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act (accessed 2025-12-18).
[2] Federal Communications Commission. U.S. Cyber Trust Mark. Federal Communications Commission (FCC). https://www.fcc.gov/CyberTrustMark (accessed 2025-12-18).
[3] Creemers, R.; Webster, G.; Triolo, P. Translation: Cybersecurity Law of the People’s Republic of China (Effective June 1, 2017). DigiChina, 2018.
[4] European Commission. Stakeholders’ Consultation on EudraLex Volume 4 - Good Manufacturing Practice Guidelines: Chapter 4, Annex 11 and New Annex 22 - Public Health. Public Health. https://health.ec.europa.eu/consultations/stakeholders-consultation-eudralex-volume-4-good-manufacturing-practice-guidelines-chapter-4-annex_en (accessed 2025-12-18).