The Complete 2026 Guide for Manufacturers, MAHs, and Pharmacies
The European Union’s Falsified Medicines Directive, commonly known as EU FMD, is one of the world’s most ambitious pharmaceutical safety frameworks. Born from the 2008 Heparin contamination crisis and a wave of counterfeit medicines surfacing in EU pharmacies, the Directive was adopted in 2011 and brought to operational life through Delegated Regulation (EU) 2016/161, which became fully enforceable on 9 February 2019. By February 2026, the European Medicines Verification System celebrated seven years of continuous operation, connecting over 2,900 Marketing Authorisation Holders, 4,000 wholesale distributors, 115,000 commercial pharmacies, and 6,000 hospital pharmacies across Europe.
For any pharmaceutical company manufacturing, importing, distributing, or dispensing prescription medicines in the European Economic Area, understanding EU FMD serialization requirements is essential. This guide walks through every requirement in detail, explains how the EMVS verification network operates, and outlines exactly what manufacturers and supply-chain partners must do to maintain compliance in 2026 and beyond.
What Is the EU FMD and Why It Was Created
The Falsified Medicines Directive (Directive 2011/62/EU) was the European Union’s legislative response to the growing threat of falsified medicines entering the legal supply chain. Counterfeit drugs, sometimes containing wrong doses, wrong active ingredients, or no active ingredient at all, were being detected in pharmacies across multiple member states.
The Directive aims to do three things simultaneously. It strengthens the controls on active substance manufacturing, even when produced outside the EU. It establishes a logo for legal online pharmacies to help patients identify legitimate online sellers. And, most importantly for the supply chain, it introduces mandatory safety features on prescription medicine packaging, namely a unique identifier and a tamper-evident device, verified through a Europe-wide repository system.
The European Commission’s 2024 evaluation report confirmed only 30 cases of falsified medicines in the legal supply chain between 2011 and 2024, with just 11 confirmed cases since 2019, demonstrating that the FMD framework has been effective at protecting patients.
The Three Core Requirements of EU FMD
Every Marketing Authorisation Holder (MAH) and manufacturer placing prescription medicines on the EU/EEA market must satisfy three mandatory requirements.
1. Unique Identifier (UI) on Every Pack Each saleable pack must carry a GS1-compliant 2D DataMatrix barcode containing four mandatory data elements. The Product Code (typically a GTIN or NTIN, depending on the member state), a randomized unique serial number, the batch or lot number, and the expiry date. The same data must also appear in human-readable form on the pack.
2. Tamper-Evident Device (Anti-Tampering Feature) Every prescription pack must carry a physical feature that allows the recipient to verify whether the pack has been opened or compromised. The Directive does not prescribe a specific technology. MAHs typically use shrink wraps, glued flaps with perforated tear strips, holographic seals, or embossed bands. The European Standard EN 16679:2014, “Tamper verification features for medicinal product packaging,” provides accepted guidance.
3. Data Upload and Point-of-Dispense Verification The serialized pack data must be uploaded to the EU Hub before the product is placed on the market. At the point of dispense, pharmacies and hospitals must scan the DataMatrix code and verify it against the relevant National Medicines Verification System (NMVS). Only authenticated packs may be dispensed to patients, and once dispensed, the unique identifier must be decommissioned to prevent reuse.
The Mandatory Data Elements in the 2D DataMatrix Code
Under Delegated Regulation (EU) 2016/161, the 2D DataMatrix code must encode the following data structure, all formatted according to GS1 Application Identifiers.
| Application Identifier | Data Element | Purpose |
| AI (01) | Product Code (GTIN or NTIN) | Identifies the specific marketed product |
| AI (21) | Serial Number | Randomized, unique to each pack |
| AI (17) | Expiry Date (YYMMDD) | Last day product is valid |
| AI (10) | Batch / Lot Number | Manufacturing batch identifier |
The serial number must be generated using a sufficiently randomized algorithm. Industry best practice targets a collision probability of less than 1 in 10 million, ensuring that no two packs ever carry the same identifier within the same Product Code.
Which Products Are in Scope and Which Are Exempt
Not every medicinal product requires safety features under EU FMD. The Directive specifies clear scope rules.
In Scope (require both Unique Identifier and tamper-evident device). All prescription-only medicines (POM) in the EU/EEA, with limited exceptions defined in Annex I of the Delegated Regulation.
Out of Scope. Most over-the-counter (OTC) medicines, with the exception of certain products listed in Annex II that are specifically required to bear safety features even though sold without prescription (for example, omeprazole at certain strengths).
Special Cases. Veterinary medicines, medical gases, contrast agents, radiopharmaceuticals, parenteral nutrition, and certain hospital-only products may be exempt or subject to specific provisions.
MAHs must verify the scope status of every Stock Keeping Unit (SKU) they market and reconfirm whenever a product reclassification occurs.
The EMVS Architecture: How Verification Actually Works
The European Medicines Verification System is the technical backbone of EU FMD compliance. It operates as a federated, multi-tier database network rather than a single centralized system.
The EU Hub (Central Layer). Operated by the European Medicines Verification Organisation (EMVO), the EU Hub is the central data router. MAHs upload their pack data here, and the Hub distributes that data to the relevant national repositories where the product will be sold.
National Medicines Verification Systems (NMVS). Each member state operates its own NMVS, managed by a National Medicines Verification Organisation (NMVO). Examples include securPharm in Germany, NMVO Italia in Italy, French CIP-Medicrypt, and the Spanish SEVeM. These national systems are the operational endpoints where pharmacies and wholesalers actually verify and decommission packs.
The Verification Workflow.
- MAH manufactures a pack and assigns a unique identifier
- MAH uploads the pack data to the EU Hub before market release
- The EU Hub forwards the data to every relevant NMVS
- Pack moves through wholesale and distribution
- Pharmacist scans the DataMatrix code at dispense
- The pharmacy system queries the NMVS in real time
- NMVS confirms authenticity and the pharmacy decommissions the pack
- The decommissioned status is recorded back through the network
If a scan returns an unexpected result (already decommissioned, expired, recalled, or unknown), the pharmacy must investigate before dispensing.
Responsibilities by Supply Chain Role
Marketing Authorisation Holders (MAHs). Generate randomized serial numbers, ensure GS1-compliant printing on packs, apply tamper-evident features, upload pack data to the EU Hub before market release, manage updates, decommissioning, and recall events, and retain records of every operation involving the unique identifier.
Contract Manufacturers and Repackagers. Operate validated serialization lines, print compliant 2D DataMatrix codes, integrate with the MAH’s Level 4 enterprise serialization system, and ensure that aggregation data (where used) flows correctly to the MAH.
Wholesale Distributors. Perform risk-based verification of packs (especially for returned product, products received from non-MAH partners, and high-risk categories), decommission packs being exported outside the EEA or destroyed, and maintain records.
Pharmacies and Hospitals. Scan and verify every prescription pack at the point of dispense, investigate any verification alert before dispensing, decommission the unique identifier upon dispensing to the patient, and use FMD-compatible pharmacy management systems connected to the relevant NMVS.
Parallel Importers and Distributors. Where repackaging or relabeling occurs, apply equivalent safety features that meet FMD requirements, decommission the original UI, and upload new pack data for the destination market.
Printing and Quality Requirements for the 2D DataMatrix Code
The Directive may not specify exact print technology, but Annex II of the Delegated Regulation and supporting GS1 guidance set strict quality requirements.
The DataMatrix code must remain clearly readable throughout the product’s entire shelf life. Print quality is typically benchmarked against ISO/IEC 15415, with a recommended minimum grade of 1.5 (Grade C) for production lines. Module size, contrast, contrast uniformity, axial non-uniformity, unused error correction, and fixed pattern damage are all assessed by inline vision verification systems.
Most modern serialization lines integrate a thermal-inkjet or laser coder with an inline camera that grades every code in real time and rejects any pack failing to meet the threshold. This is a quality requirement in addition to a regulatory one. A pack with an unreadable code cannot be verified at dispense and may be quarantined or returned downstream.
Aggregation Under EU FMD: Voluntary But Strategic
Unlike some national mandates (for example, Turkey’s ITS), EU FMD does not legally require pack-to-case parent-child aggregation. However, many MAHs choose to implement aggregation voluntarily for several reasons. It speeds up wholesaler receiving by allowing a single case scan to commission the inferred contents. It improves recall granularity by enabling targeted withdrawal of specific cases or pallets. It aligns the EU operation with DSCSA requirements in the U.S., reducing system complexity for multi-market manufacturers. And it supports interoperability with countries (such as Saudi Arabia, UAE, and Russia) where aggregation reporting is mandatory.
For exporters and global manufacturers, aggregation is increasingly treated as a default capability rather than a market-specific add-on.
The Northern Ireland and UK Position Post-Brexit
Brexit changed the FMD landscape for the United Kingdom. Medicines authorized solely for Great Britain (PLGB) no longer require a Unique Identifier or pack data upload to the EMVS. However, medicines marketed in Northern Ireland under a PL or PLNI authorization continue to require both a unique identifier and a tamper-evident device, with pack data uploaded to the EMVS, due to Northern Ireland’s continued alignment with EU rules under the Windsor Framework.
MAHs distributing into both jurisdictions must therefore maintain dual labeling and serialization processes. Many continue to apply the FMD safety features to GB-only packs voluntarily to simplify supply chains and retain optionality.
Common Implementation Challenges and How to Solve Them
Master Data Inconsistencies. GTINs, NTINs, product names, dosage forms, and pack sizes must be perfectly synchronized between ERP, MES, serialization L4, and the EU Hub onboarding portal. Even minor mismatches trigger upload rejections. Establish a master data governance process before EMVS onboarding.
Print Quality Failures. Poor barcode grading is one of the most common operational issues. Invest in inline vision verification, schedule regular print head maintenance, and use validated label substrates.
EMVS Alerts and False Positives. Pharmacies sometimes generate alerts that turn out to be data errors rather than actual falsifications. MAHs should monitor their alert dashboards in the EU Hub portal, investigate root causes promptly, and implement Alert Management workflows.
Country-Specific Variations. Some NMVSs have national peculiarities (for example, Italy’s Bollino traceability sticker, France’s CIP code handling, Greece’s national requirements). A multi-country MAH must accommodate these without breaking core EU FMD compliance.
Returns and Saleable Stock Management. Once a pack has been decommissioned (even briefly), strict rules govern whether it can be re-commissioned. Misunderstanding these rules leads to costly product write-offs.
Parallel Trade Complexity. Parallel importers and distributors face additional repackaging, relabeling, and re-verification obligations that demand dedicated workflows and validated systems.
The Cost of Non-Compliance
Each EU member state defines its own penalties for FMD non-compliance, but the consequences are universally serious. Pharmacies that cannot scan and verify packs may be barred from dispensing them. Wholesale distributors that receive non-compliant product may be required to quarantine or return it. MAHs face product recalls, market withdrawal, fines, and reputational damage. In severe or repeated cases, marketing authorizations can be suspended.
Beyond regulatory consequences, the commercial cost is immediate. Pharmacies and hospitals will simply refuse to dispense unverifiable packs, leading to lost sales, reverse logistics expense, and frustrated patients.
What Is Coming Next: EU FMD in the Era of Digital Product Passports
The EU is now moving beyond pure FMD compliance toward a broader Digital Product Passport (DPP) framework under the Ecodesign for Sustainable Products Regulation. While DPPs target electronics, batteries, and textiles first, the pharmaceutical sector is being studied as a model and a future inclusion area.
For MAHs, this signals that today’s investment in robust FMD serialization infrastructure will serve as the foundation for future regulatory layers, including sustainability tracking, ingredient origin transparency, and electronic Product Information (ePI). The EMVS Forum 2026 in March brought together approximately 200 regulators, policymakers, and enforcement networks across Europe to discuss the evolution of the framework, including stronger AI-driven enforcement and tighter cross-border coordination.
Forward-looking MAHs are already aligning their FMD platforms with future DPP-readiness, EPCIS 2.0 interoperability, and AI-driven alert management. The companies that treat EU FMD as a living capability rather than a one-time project will be the ones best positioned for the next decade of European pharmaceutical regulation.
Frequently Asked Questions
Q1. When did EU FMD come into force? The Falsified Medicines Directive (2011/62/EU) was adopted in 2011, and its safety features provisions, governed by Delegated Regulation (EU) 2016/161, became fully enforceable on 9 February 2019 across all EU/EEA member states.
Q2. Which products fall under EU FMD safety features? All prescription-only medicines (POM) marketed in the EU/EEA are in scope by default. A small number of OTC products listed in Annex II of the Delegated Regulation also require safety features, while most OTC products are exempt.
Q3. What information must be encoded in the 2D DataMatrix code? The Unique Identifier must encode the Product Code (GTIN or NTIN), a randomized serial number, the batch or lot number, and the expiry date, all formatted according to GS1 Application Identifiers and also printed in human-readable form on the pack.
Q4. What is the EMVS and how does it work? The European Medicines Verification System is a federated network consisting of the EU Hub (operated by EMVO) and national repositories (NMVS) in each member state. MAHs upload pack data to the EU Hub, which routes it to the relevant national systems for verification at the point of dispense.
Q5. Is aggregation mandatory under EU FMD? No. The Directive deliberately leaves pack-to-case aggregation voluntary. However, many MAHs implement aggregation voluntarily to improve operational efficiency, recall granularity, and alignment with DSCSA and other global mandates.
Q6. What tamper-evident device must I use? The Directive does not prescribe a specific technology. MAHs may select from shrink wrap, glued flaps with perforations, holographic seals, embossed bands, or other features that comply with European Standard EN 16679:2014.
Q7. Does EU FMD still apply in the United Kingdom after Brexit? For medicines authorized solely for Great Britain (PLGB), the Unique Identifier and EMVS upload are no longer required. For medicines marketed in Northern Ireland under PL or PLNI authorizations, full EU FMD safety features and EMVS upload remain mandatory under the Windsor Framework.
Q8. What happens if a pharmacy scans a pack and gets an alert? The pack must not be dispensed until the alert is investigated. The pharmacy contacts the MAH (or its representative) to determine whether the alert reflects a falsification, a data error, or a system issue. MAHs are required to monitor their alert dashboards and respond promptly.
Q9. How long must I retain serialization records under EU FMD? Marketing Authorisation Holders must retain records of every operation involving the unique identifier for at least one year after the expiry date of the pack, or for five years after the pack was released to the market, whichever is longer.
Q10. Can I use the same serialization platform for both EU FMD and US DSCSA compliance? Yes. Leading serialization platforms support both regimes from a single codebase, including SAP ATTP, TraceLink, Systech UniTrace, Antares Vision, Movilitas, and rfxcel. Multi-market platforms reduce IT complexity and total cost of ownership significantly for global manufacturers.
Q11. How does a parallel importer comply with EU FMD? Parallel importers must decommission the original Unique Identifier before repackaging or relabeling, apply a new compliant 2D DataMatrix code and tamper-evident device, and upload the new pack data to the EU Hub for the destination market. They are subject to validated repackaging procedures and full audit recordkeeping.Q12. How can I prepare my FMD infrastructure for the upcoming Digital Product Passport era? Adopt EPCIS 2.0 capable platforms, ensure clean master data governance, build AI-ready alert and analytics layers, and choose vendors with active roadmaps covering DPP, ePI, and sustainability data. Treat FMD serialization as the foundation of a broader pharmaceutical digital identity strategy rather than a standalone compliance task.
