ePrivacy and GPDR Cookie Consent by Cookie Consent

Commission Implementing Regulation (EU) 2025/1466 brought a seismic shift in regulatory expectations on February 12, 2026. This has transformed how pharmacovigilance outsourcing is governed across the European Union. It’s not just another compliance regulation; it has reshaped vendor management, data privacy and operational transparency.

This solidifies the oversight of outsourced PV activities and aligns the process with international data standards, viz. IDMP, MedDRA and Standard Terms.

How are Marketing Authorisation Holders (MAHs) affected by Regulation 2025/1466?

Emphasizing that the new rules target the oversight and transparency of these relationships rather than just the ability to outsource would sharpen the business impact. In this scenario, delegation arrangements, both parties’ responsibilities, and audit and inspection activities should be clearly documented.

MAHs should establish quality systems for performance of PV activities in accordance with Article 8(1) of Implementing Regulation (EU) No. 520/2012. As per this, these quality systems should also be audited. 

The third party that is set out to carry PV tasks wholly or partially, with MAHs, should be audited by or on behalf of MAHs by competent authorities, irrespective of whether mentioned in the subcontract or not. Subcontractors should have clarity about their obligations set in subcontracts. However, a subcontract’s limitations should not affect the performance of audits and inspections. 

PSMF regulations to be enforced

As per this regulation, the Pharmacovigilance System Master File (PSMF) should not contain every minor deviation in the PV system. Instead, it should only document significant deviations, their impact, and how they are being addressed until they are resolved. The PSMF is the main document describing an MAH’s pharmacovigilance system.

MAH’s obligations for monitoring Eudravigilance and reporting safety signals

Eudravigilance stores ICSRs, suspected ADRs, clinical trial safety reports, and post-marketing safety reports. The European Medicines Agency and national regulatory bodies continuously monitor the data in the EudraVigilance database. This database is also available to MAHs to fulfill their pharmacovigilance obligations. 

As marketing authorisation holders have gained more experience monitoring EudraVigilance data, regulators have recognized the need to clarify expectations around signal validation and the timely communication of validated safety signals to the relevant authorities.

Facilitating interoperability of systems to prevent duplication

To facilitate interoperability of systems, avoid duplication of encoding activities for the same information, and enable easy exchange of information, the Regulation takes into account developments in international standards used by MAHs. National competent authorities and Agency for the performance of PV activities, as well as the need for certain updates to terminology.

Risk-based audit strategy

MAHs must conduct regular, risk-based, independent audits of their pharmacovigilance quality system to verify compliance, assess effectiveness, and ensure that all PV activities are periodically reviewed.

Data privacy: Most pivotal part of the regulation

PV data is among the most sensitive information processed in the life sciences sector. It includes health-related special category data, medical records, genetic information, and detailed patient narratives. To safeguard privacy, ICSRs within EudraVigilance are stored in a pseudonymized form, with access limited to authorized users through robust security measures such as multi-factor authentication. Pharmacovigilance activities must continue to comply with the principles of data minimization, purpose limitation, confidentiality, and accountability under the GDPR.

Two GDPR provisions are particularly relevant to pharmacovigilance partnerships:

  • Article 32 (Security of Processing): Agreements must specify safeguards for the secure exchange of safety data, including encryption, access controls, audit logging, and continuity planning.
  • Article 28 (Processor Obligations): Vendor arrangements require a Data Processing Agreement that defines data types, processing responsibilities, audit rights, and authorization requirements for sub-processors.

Summing it up

Commission Implementing Regulation (EU) 2025/1466 marks a significant evolution in the European pharmacovigilance landscape. Beyond introducing new compliance requirements, it reinforces accountability, transparency, and oversight across outsourced PV operations. From strengthening vendor governance and risk-based auditing to clarifying signal management responsibilities and tightening data privacy controls, the regulation raises the bar for how Marketing Authorisation Holders manage their pharmacovigilance systems.

For MAHs, compliance will require more than updating contracts or procedures. It demands a proactive approach to quality management, vendor oversight, EudraVigilance monitoring, and GDPR-aligned data governance. Organizations that act early to align their processes with the new requirements will not only reduce regulatory risk but also build more resilient and efficient pharmacovigilance operations.