The short answer
The Nagoya Protocol is an international agreement that governs how companies access and commercially exploit genetic resources — plant specimens, microbial samples, cell lines, genomic data — sourced from signatory countries. It requires documented proof of lawful access (Prior Informed Consent, or PIC) and a formal agreement on how commercial benefits will be shared with the country of origin (Mutually Agreed Terms, or MAT).
For any pharmaceutical or agritech company using biological data from a biodiverse nation in its R&D pipeline, Nagoya compliance is not optional. It is a legal precondition for commercialising any resulting product in the EU and increasingly in other major markets.
"If my company uses plant genomic data from Madagascar in an AI drug discovery model, do we need Nagoya compliance documentation?" — Yes. This article explains exactly why, and what that documentation must contain.
Background: what problem is the Nagoya Protocol solving?
For most of the twentieth century, biological samples from biodiverse developing nations flowed freely into commercial R&D pipelines in wealthy countries. Source nations received little or nothing in return. Madagascar's rosy periwinkle — discovered in 1958 and used to develop the anti-cancer drugs vincristine and vinblastine — generated billions of dollars in pharmaceutical revenue. Madagascar received no benefit.
The Convention on Biological Diversity (1992) established that genetic resources are sovereign property of the nation in which they originate. The Nagoya Protocol (2010), which entered into force in 2014, operationalised this principle: it created a legal mechanism requiring prior consent and benefit-sharing agreements before any genetic resource can be accessed for commercial purposes.
As of 2026, 140 countries have ratified the Protocol, including the EU, UK, Japan, and most megadiverse nations.
What does compliance actually require?
There are three core requirements. Miss any one of them and the entire access arrangement is potentially unlawful.
1. Prior Informed Consent (PIC)
Before collecting or using genetic resources, a company must obtain formal written consent from the national competent authority — typically a government ministry. In Madagascar, this is MEDD (the Ministry of Environment and Sustainable Development) and its Directorate General for Environment and Forests (DGEF). The consent must specifically cover the intended use: research, commercial development, or both.
2. Mutually Agreed Terms (MAT)
The access arrangement must include a formal benefit-sharing agreement. Benefits may be monetary (royalties, milestone payments, upfront access fees) or non-monetary (technology transfer, training, co-authorship, infrastructure investment). The terms must be agreed before access takes place — not retrospectively.
3. Compliance Monitoring and Reporting
Under EU Regulation No. 511/2014 — the EU's implementation of the Nagoya Protocol — companies must exercise "due diligence" to verify that any genetic resource they use was accessed lawfully. In practice, this means maintaining documentation for every specimen or dataset: when it was accessed, from whom consent was obtained, what benefit-sharing was agreed, and how the material moves through the R&D chain.
Where do pharma and agritech companies get into trouble?
The most common compliance failures are not deliberate biopiracy — they are documentation gaps that accumulate through normal R&D processes.
| Failure mode | How it arises | Legal exposure |
|---|---|---|
| No PIC documentation | Material purchased from a third-party supplier; original collection circumstances unknown | EU due diligence violation; product may be blocked from market |
| Pre-2014 access, post-2014 commercial use | Compound isolated before Nagoya entered into force, but patent filed or product commercialised after | Complex legal grey zone; position of regulators is tightening |
| No MAT in place | Informal agreement with local researchers; no formal benefit-sharing contract | Access invalidated; potential injunctions on commercialisation |
| Chain-of-custody break | Material passed through multiple institutions without documented transfer | Due diligence cannot be demonstrated; regulatory investigation risk |
| Digital sequence information (DSI) gap | Genomic sequence data accessed from public databases without provenance; COP-16 Cali Fund creates new obligations | Emerging risk; DSI obligations expanding post-COP-16 (2024) |
The DSI question: does Nagoya apply to genomic data?
This is the most actively contested area of Nagoya law in 2026. Digital Sequence Information (DSI) — genomic sequence data — was not explicitly covered in the 2010 Protocol text. However, the COP-16 Cali Fund agreement (2024) established that companies deriving commercial benefit from DSI sourced from biodiversity-rich nations have benefit-sharing obligations, even if they never physically accessed a specimen.
For pharmaceutical and agritech AI platforms that train models on genomic databases, this creates a material and growing legal risk. The legal ground is moving in one direction: toward greater provenance requirements, not fewer.
What a compliant access arrangement looks like in practice
A fully compliant programme for accessing Madagascar's endemic plant genomics requires several things happening in sequence:
- A Framework Agreement with MEDD/DGEF establishing the legal basis for access and the benefit-sharing framework at a programme level.
- Species-level or collection-level IRCCs (Internationally Recognised Certificates of Compliance), recorded in the ABS Clearing-House (ABSCH) managed by the Convention on Biological Diversity.
- Community-level Prior Informed Consent and FPIC (Free, Prior and Informed Consent) where relevant traditional knowledge is associated with target species.
- Specimen-level provenance records — ideally with cryptographic chain-of-custody — linking every data record back to its collection event, the consent it was collected under, and the benefit-sharing terms that apply to its commercial use.
- An independent Ethics Review Board overseeing collection methodology and consent processes.
Very few commercial biodiversity data programmes have all of these in place. This is the compliance gap that represents both the most significant regulatory risk for buyers and the most significant commercial opportunity for a provider that builds the infrastructure correctly from the start.
IsoGentiX is designed from first principles to satisfy each of these requirements. Every specimen in the IsoGentiX database carries a GUID-linked, blockchain-verified provenance record that documents PIC, MAT terms, collection event metadata, and community consent status. The programme operates under a Framework MoU with Madagascar's MEDD, and all collection and benefit-sharing arrangements are overseen by an independent PERB (Project Ethics Review Board). This is not an add-on to compliance — it is the architecture of the platform.
Why compliance is a commercial asset, not just a legal checkbox
For a pharma or agritech company purchasing access to biodiversity data, Nagoya compliance documentation from the data provider serves a direct commercial function: it insulates the buyer from regulatory liability in the EU, UK, and other Nagoya-implementing jurisdictions.
A dataset that comes without provenance documentation — however scientifically rich — creates a legal liability that increases in proportion to its commercial value. A compound derived from an unprovenanced source that reaches product development will face regulatory scrutiny at the worst possible moment.
Conversely, a dataset with full, auditable provenance documentation — where every specimen's legal access history is traceable, certified, and independently verified — transforms compliance from a cost into a competitive advantage. It is data that a company can confidently build a commercial pipeline on.
That distinction — between data you can use and data you can commercialise — is increasingly where significant value lives in the biodiversity informatics market.