EU QP Declaration of API GMP Compliance – Turning Supplier Claims into Legal Accountability

This topic is part of the SG Systems Global regulatory & operations glossary.

Updated December 2025 • Qualified Person (QP), PQS, Supplier Qualification, EDQM CEP, COA, QRM, Data Integrity • QP/QPPV, Regulatory Affairs, QA, Supply Chain, CMC

The EU QP declaration of API GMP compliance is the formal statement, signed by a Qualified Person, that each active substance used in an EU/EEA medicinal product has been manufactured in accordance with GMP equivalent to EU standards. On paper it’s “just” a declaration; in practice it’s a legally loaded handshake between the QP, the marketing authorisation holder (MAH), regulators and the API supply chain. When a QP signs, they are asserting that the API manufacturing route, controls and GMP oversight are understood and acceptable—not simply that a supplier emailed a certificate. For MAHs and QPs, this declaration is where supplier qualification, audits, CEPs, COAs, and real-world quality performance converge into a single statement of accountability.

“When a QP signs an API GMP declaration, they’re not just trusting the supplier; they’re staking their name, licence and the MAH’s reputation on that judgement.”

1) What the EU QP API GMP Declaration Actually Is

The QP API GMP declaration is a formal document, referenced in EU marketing authorisation dossiers, in which a Qualified Person confirms that each API manufacturer used for the product operates in compliance with GMP standards equivalent to those of the EU. It typically identifies the API manufacturer(s), their site(s), the API in question, and the basis for the QP’s conclusion (e.g. audits, regulatory inspections, CEPs). The declaration is part of the legal framework underpinning batch certification and release: it connects the MAH’s choice of API suppliers with the QP’s obligation under EU law to ensure that medicinal products are manufactured and controlled in accordance with the requirements of their MA and GMP.

2) Legal & Regulatory Context – Why the Declaration Exists

The requirement stems from EU legislation (e.g. Directive 2001/83/EC and associated updates), which introduced strengthened control of APIs, especially from third countries, after quality crises and falsification concerns. Regulators concluded that finished-dose GMP alone is not sufficient; MAHs must be able to demonstrate control over API manufacture as well. The QP declaration is the mechanism that makes this explicit: it documents that someone with defined legal responsibility has verified API GMP compliance. It complements, but does not replace, other controls such as EDQM CEPs, inspections of API manufacturers and the requirement for API manufacturers to be registered or approved in certain jurisdictions.

3) Who Signs – The Role of the QP and the MAH

By design, the declaration is signed by a Qualified Person or by a person acting on the QP’s behalf under defined arrangements. The MAH remains ultimately responsible for the product and its supply chain, but regulators expect the QP to exercise independent professional judgement. In practice, this means the QP must have access to supplier qualification reports, API audit outcomes, regulatory correspondence, deviation and complaint data, and any CEP or DMF information. If organisational barriers prevent the QP from seeing how API suppliers are chosen and monitored, the declaration risks becoming a formality rather than a genuine assurance—which is exactly the scenario inspectors look to detect and challenge.

4) Relationship to CEPs, DMFs and Regulatory Inspections

CEPs and DMFs provide regulators with detailed information on API quality and control; they are important inputs to the QP’s assessment, particularly when issued by trusted authorities. However, they do not automatically prove that the API site is (and remains) GMP compliant. CEPs can be suspended or withdrawn; DMFs can be out of date; inspections may not cover the exact route or grade used. The QP declaration therefore cannot simply say “there is a CEP”; it should reflect up-to-date knowledge of GMP status, audit outcomes and the supplier’s performance. Regulators increasingly expect QPs and MAHs to monitor CEP and inspection status actively, not just file certificates and hope for the best.

5) Supplier Qualification – The Foundation Beneath the Signature

A robust supplier qualification process is essential to support the declaration. That process should include:

• Documented risk assessment of each API and supplier (route of administration, criticality, complexity, history, geography).
• Initial evaluation of the supplier’s QMS, GMP status and regulatory track record.
• On-site or remote audits with documented reports, follow-ups and CAPA tracking.
• Establishment of technical/quality agreements defining responsibilities, change notifications and data-sharing expectations.

For high-risk APIs, reliance solely on paper reviews or CEPs is unlikely to satisfy regulators. The QP declaration should be anchored in this supplier qualification framework, not treated as a separate, paper-only exercise.

6) Technical/Quality Agreements and Information Flow

Quality agreements between MAHs (or manufacturers) and API suppliers are the operational glue linking GMP practice to QP declarations. They should specify:

• Scope (APIs covered, grades, sites).
• Responsibilities for GMP, documentation, change control and deviations.
• Notification timelines for changes that could impact quality or regulatory filings.
• Audit and inspection rights, including access to reports and CAPAs.

For the QP, these agreements are critical: they define how information on changes, quality issues and regulatory events will reach the organisation in time to adjust declarations, batch certification decisions and, if necessary, regulatory submissions. Agreements that are generic, unsigned, or ignored in practice weaken the credibility of any API GMP declaration built on them.

7) Evidence Base – What the QP Should Have on File

Before signing, a QP should be able to access a portfolio of evidence for each API source, typically including:

• Supplier qualification and audit reports, with CAPA status.
• Current CEPs or DMF references where applicable.
• Regulatory GMP certificates or inspection reports from EU/PIC/S, FDA or equivalent NRAs, where available.
• COA trending and routine QC verification data.
• Deviation, OOS/OOT, complaint and recall history involving that API.
• Change-control records showing how API changes are assessed and implemented.

The exact depth should be risk-based, but the key principle is that the QP must be able to justify the declaration with specific, current evidence—not simply point to the existence of an SOP or a supplier logo on a slide.

8) Risk Management – QRM Applied to APIs and Sites

API GMP declarations should be grounded in structured quality risk management. Factors to consider include:

• Route of administration and patient population (sterile injectables vs oral OTC).
• API complexity (small molecule vs biological vs highly potent or narrow TI).
• Supply-chain complexity (single vs multiple sites, intermediates, brokers).
• History of defects, shortages, inspection findings and CEP/DMF changes.

Higher-risk APIs may demand more frequent audits, greater reliance on direct inspections and tighter QP scrutiny; lower-risk APIs may allow more reliance on indirect evidence. Regulators expect to see that the intensity of oversight matches the risk profile—not that all APIs are treated the same regardless of impact.

9) Data Integrity – Trusting the Data Behind the Declaration

The credibility of any QP declaration depends on the integrity of the data it rests on. That includes:

• COAs: Are they verified, are methods equivalent, is testing independent and properly documented?
• Audit reports: Are observations reported honestly, are CAPAs tracked, do follow-ups verify effectiveness?
• Regulatory correspondence: Are inspection reports, warning letters or other notices captured and assessed?
• Internal records: Do deviations, NCs and complaints involving that API reflect reality, with reliable audit trails in electronic systems?

If data from labs, suppliers or internal systems cannot be trusted—because of weak data integrity controls—then the QP declaration is structurally unsound. Inspectors increasingly link DI findings to concerns about the validity of API oversight, even if the declaration exists on paper.

10) Change Control – When the API Process or Site Changes

Supplier processes, sites and controls evolve; QP declarations must evolve with them. Effective change control should ensure that:

• API suppliers notify the MAH/manufacturer of relevant changes in advance.
• Changes are assessed using QRM for impact on quality, specifications and regulatory filings.
• Additional data (comparability, impurity profiles, stability) are generated where needed.
• Declarations, batch release procedures and variations/notifications are updated accordingly.

Finding out about a major API route change, plant change or solvent switch during an inspection—or worse, through a quality defect—is exactly what QP declarations are supposed to prevent. Regulators will ask how your QMS makes sure that doesn’t happen in practice.

11) Multi-Sourcing and Parallel Suppliers

Many MAHs qualify multiple API suppliers for the same active to mitigate supply risk. Each source may have different processes, impurity profiles, polymorphs or physical properties. QP declarations must capture this reality: they should confirm GMP compliance and the suitability of each route and site for the finished product. Multi-sourcing may require separate audits, source-specific controls and careful evaluation of interchangeability. Treating CEPs or DMF references as proof that “all sources are the same” is a frequent weakness. Regulators expect MAHs to understand and manage the technical diversity behind their multi-source strategies, not just the regulatory paperwork.

12) Inspections – How Authorities Test the Declaration

During GMP inspections, EU authorities (and others) will test API GMP declarations by asking:

• How were API suppliers selected, qualified and approved?
• What is the audit status of each supplier? When were they last audited?
• How are CEPs, DMFs and inspection reports tracked and assessed?
• How are API-related deviations, complaints and quality signals trended and acted on?
• What does the QP see and review before signing the declaration?

Inspectors may request supplier audit reports, quality agreements, change-control records and PQR data. Inconsistent answers between QP, QA and procurement—or gaps between declared and actual oversight—undermine both the declaration and the site’s wider credibility.

13) Interaction with Other Regions and Global Supply Chains

EU QP declarations of API GMP compliance are increasingly relevant outside Europe, as other regulators (e.g. MHRA, Health Canada, TGA) adopt similar expectations or explicitly reference EU practices. In a world of mutual recognition and reliance on GMP inspections, weaknesses in API oversight identified in one region can trigger questions elsewhere. MAHs supplying multiple markets should therefore design a global API governance model where the EU QP declaration is just one visible output of a common framework—rather than a special, Europe-only process tacked onto a fragmented supply strategy.

14) Consequences of Weak Declarations or Poor Oversight

Weak or unsupported API GMP declarations can lead to:

• Critical inspection findings and regulatory action (e.g. restrictions, variations, import bans).
• Product recalls or market withdrawals linked to API defects.
• CEP suspensions, supply disruptions and forced re-sourcing.
• Personal and professional consequences for QPs (loss of credibility, regulatory scrutiny).

In incident investigations, regulators often look upstream: if an API issue contributed to a defect, they will ask whether the QP declaration and supplier qualification reflected reality at the time. A declaration that exists but is not backed by governance may be worse than no declaration at all, because it demonstrates awareness without effective action.

15) Implementation Roadmap – Making Declarations a Natural Output of the PQS

For organisations that want to strengthen EU API declarations, a pragmatic roadmap includes:

• Creating an API register mapping each product to each API supplier, site, CEP/DMF status and audit status.
• Standardising risk-based supplier qualification, audit and re-qualification processes across regions.
• Integrating API QRM, audit outcomes, change-control and performance trending into QP review workflows.
• Ensuring digital systems (QMS, ERP, quality agreements, supplier databases) support up-to-date visibility for QPs.
• Training QPs, QA, procurement and regulatory staff on their specific roles in supporting and maintaining declarations.

The goal is for the QP API GMP declaration to emerge naturally from routine governance and data flows—not to be assembled by hand at the last minute using incomplete, scattered evidence.

16) FAQ

Q1. Is an EDQM CEP alone enough to justify a QP API GMP declaration?
No. A CEP is a strong piece of evidence but does not by itself guarantee ongoing GMP compliance or suitability for a specific finished product. QPs and MAHs still need supplier qualification, audits, performance monitoring and change-control assessments to support the declaration.

Q2. Does the QP have to audit every API supplier personally?
Not necessarily. Audits can be performed by qualified teams or third parties under a controlled framework. However, the QP must have access to audit reports and conclusions and must be satisfied that the overall supplier qualification process is robust and proportionate to risk.

Q3. What happens if an API supplier’s GMP status deteriorates after a declaration is made?
The MAH and QP must reassess risk, consider halting use of the affected API, update declarations and, where necessary, notify regulators and customers. CEP suspension, negative inspection outcomes or serious defects typically trigger change-control, further audits and, sometimes, re-sourcing.

Q4. Do EU QP API GMP declarations apply to APIs manufactured within the EU as well as outside?
Yes. The requirement to ensure API GMP compliance applies regardless of geography. However, the evidence mix may differ: EU-based API sites may be inspected more frequently by EU/PIC/S NRAs, while non-EU sites may require greater direct audit effort and additional documentation.

Q5. What is a practical first step to improve the robustness of our API GMP declarations?
Build or update an API–supplier matrix that includes risk ratings, CEP/DMF status, last audit date, inspection history and key performance indicators. Use that matrix to plan risk-based audits and to inform QP reviews, ensuring declarations reflect a current, evidence-based view of each API supplier.

Related Reading
• API & Supplier Control: EDQM CEP | COA | Supplier Qualification | Quality Agreements
• PQS & Risk: Pharmaceutical Quality System (QMS) | Quality Risk Management (QRM) | PQR/APR | Deviation / NC | CAPA
• Data & Governance: Data Integrity | Audit Trail | PIC/S PE009 | 21 CFR 211 | Qualified Person (QP) Release