Electronic signatures in clinical trials aren't a single responsibility that belongs to one team. They're a layered obligation shared across three distinct parties: the sponsor who designs and oversees the trial, the CRO that often runs day-to-day operations, and the investigator site where patients are actually enrolled. Each party has specific, non-delegable duties under 21 CFR Part 11 and the FDA's October 2024 final guidance on electronic systems in clinical investigations.
Get the boundaries wrong, and you end up with a compliance gap that survives right up to an FDA inspection. This guide breaks down exactly what each party must do, where the responsibilities overlap, and where they don't.
Key Takeaways
- The 2024 FDA final guidance (29 Q&As) explicitly names sponsors, CROs, and investigator sites as separately accountable regulated entities under Part 11.
- Sponsors retain ultimate responsibility even when they delegate execution to a CRO. Delegation does not transfer liability.
- CROs must submit their own non-repudiation letter to FDA unless the sponsor's letter explicitly covers them by name.
- Site coordinators are often the first to trigger Part 11 failures, but the liability belongs to the site as an organization, not the individual.
- The delegation of authority log is the highest-risk document at any investigator site. It must be signed by the PI each time it changes.
What the 2024 FDA Guidance Changed About Electronic Signatures in Clinical Trials
The October 2024 final guidance ("Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers") replaced FDA's 2003 guidance and resolved two decades of ambiguity that had accumulated around cloud systems, hybrid records, and CRO accountability. The 29 Q&As aren't just clarifications. Several create new expectations that didn't exist in writing before.
Three changes matter most for understanding who is responsible for what:
- CROs are independently regulated. The guidance confirmed that when a CRO uses its own electronic systems for regulated clinical records, it operates as a regulated entity under Part 11, not simply as an agent of the sponsor. CRO accountability is not derivative of the sponsor's compliance.
- Cloud and SaaS platforms are squarely in scope. The guidance explicitly stated that Part 11 applies to cloud-based and SaaS platforms used in FDA-regulated clinical research, even where the regulated organization doesn't control physical infrastructure. Sponsors and CROs remain responsible for vendor qualification, regardless of where data is hosted.
- Hybrid records have a clear boundary. Part 11 compliance is assessed at the point where data enters the sponsor's electronic data capture (EDC) system. FDA will not require Part 11 compliance of underlying EHRs or other real-world data sources. But the transcription process from source to EDC must be documented and auditable.
The Sponsor's Responsibilities
The sponsor holds the broadest accountability. Even when everything is delegated, the sponsor can't delegate the obligation to ensure it's been done right. That's not a legal technicality. It's exactly what FDA investigators test when they ask sponsors to demonstrate their oversight of CRO and site systems.
System Selection and Vendor Qualification
When a sponsor selects an e-signature platform for the clinical trial, it's selecting a regulated system. That selection requires documented qualification: the sponsor needs to verify that the platform meets Part 11 Subpart B and Subpart C requirements before it's used on a live study. In practice, this means reviewing the vendor's IQ/OQ/PQ validation documentation and 21 CFR Part 11 feature matrix, and confirming that the audit trail architecture uses tamper-evident mechanisms like SHA-256 hash chains.
If the sponsor is operating under EU regulations as well, Annex 11 adds formal vendor audit rights to this obligation. The sponsor must have the right to audit the vendor's quality system and must document that they've exercised it.
The Non-Repudiation Letter
Under 21 CFR 11.100(c), the sponsor must submit a written certification to FDA that its electronic signatures are the legally binding equivalent of handwritten signatures. One letter covers all studies. But a letter from the sponsor does not automatically cover CROs or investigator sites using their own e-signature systems. If the CRO is operating its own platform, the CRO must have its own letter.
For a full breakdown of the non-repudiation requirement and what the 2024 guidance clarified in Q&A #29, see our guide on the FDA Part 11 non-repudiation letter.
Written Agreement With the CRO
ICH E6(R3) and 21 CFR 312.52 require that any CRO obligations be captured in a written agreement. For electronic signatures, that agreement should specify: which party operates the e-signature system, audit trail format and access rights for sponsor review, the CRO's obligation to notify the sponsor of any system changes affecting Part 11 controls, and the scope of the CRO's non-repudiation certification.
Sponsors that rely on oral understandings or a generic quality agreement without these specifics will find the gap during an inspection. The 2024 guidance made sponsor oversight of CRO systems an explicit topic, not an implicit expectation.
Training Verification Across Sites
The sponsor is responsible for ensuring that investigator site staff are trained on the electronic systems the sponsor provides. When the sponsor provides the e-signature platform directly to sites (rather than sites using their own tools), the sponsor must document training completion before any Part 11-regulated document is signed. Training records should be retained in the trial master file and available for inspection.
The CRO's Responsibilities
CROs occupy a middle position that creates compliance risk when it's not managed explicitly. A CRO can be acting as a sponsor's agent for some purposes and as an independent regulated entity for others, sometimes in the same trial. The 2024 guidance disambiguated this in ways that should change how CROs structure their compliance programs.
Operating Your Own E-Signature System
If the CRO uses its own e-signature platform for regulatory documents (monitoring visit reports, protocol deviations, site initiation records, TMF documents), it operates that system as a regulated entity. The system must meet Part 11 independently of whatever the sponsor uses. The CRO must maintain validation documentation for its own system and be able to produce it on demand.
This creates a practical audit problem if the CRO's documentation package isn't sponsor-ready. During sponsor qualification audits of the CRO, sponsors increasingly ask to see IQ/OQ/PQ protocols for the CRO's electronic systems. CROs that can't produce them are creating a qualification barrier.
The CRO's Non-Repudiation Letter
Under the 2024 guidance, a CRO that operates its own e-signature system for FDA-regulated clinical records must have its own non-repudiation letter on file with FDA. The sponsor's letter does not cover the CRO unless the letter explicitly names them. This is not a technicality. FDA inspectors have cited the absence of a non-repudiation letter as a data integrity finding. If your CRO doesn't have one, submitting it is straightforward and there's no penalty for late submission. Submit it, and document the gap in your quality system.
TMF Signature Accountability
Clinical monitoring is a CRO-heavy function, and monitoring visit reports are Part 11-regulated records. Each monitor's signature on a visit report must use two-component authentication at the time of signing and must capture the monitor's name, the date and time with time zone, and a signature meaning. The CRO's audit trail for monitoring records must be accessible to the sponsor. The sponsor has a right to review those records, and the CRO has an obligation to make them available.
Delegation of authority within the CRO for monitoring functions must also be documented. If a CRO monitor is authorized to sign specific document types under a sponsor protocol, that delegation should be captured in a way the sponsor can review.
Site Qualification and Technology Checks
CROs often conduct site qualification visits on behalf of sponsors. When that includes evaluating whether sites have a Part 11 compliant e-signature capability, the CRO needs to know what they're checking. The minimum verification set includes: whether the site's platform generates a Part 11 compliant audit trail, whether the site has submitted a non-repudiation letter, and whether site staff have been trained on the system before any regulated documents were signed.
For a detailed breakdown of CRO-specific Part 11 obligations under the 2024 guidance, see our guide on electronic signatures for CROs.
The Site Coordinator's Responsibilities
Site coordinators execute the day-to-day signing workflow. They aren't responsible for selecting the e-signature system or negotiating the written agreement with the sponsor, but they are responsible for using the system correctly. The most common Part 11 failures at investigator sites are operational failures, not system failures. And they almost always start with something a coordinator did or didn't do.
Unique Credentials, Always
The single most cited Part 11 failure at investigator sites is shared credentials: one username shared across three coordinators, or a PI's login used by staff to sign documents when the PI is unavailable. Both are fatal compliance failures. Part 11 Section 11.300 requires that user credentials be unique and never shared or reused. When an audit trail shows two people signing different documents simultaneously under the same user ID, it's an automatic attribution failure.
Every staff member who will apply an electronic signature on an FDA-required document needs their own login. That's not negotiable. It's also the minimum requirement for the audit trail to be meaningful.
The Delegation of Authority Log
The delegation of authority log is the most compliance-sensitive document the site coordinator manages. The PI must personally sign the log each time a delegation is added, modified, or removed. It's not a document that can be signed once and left open-ended. If a coordinator takes on a new signing responsibility mid-trial, that addition must be dated, documented, and signed by the PI before the coordinator signs any document under that delegation.
The audit trail on the delegation log itself must meet Part 11 requirements. Every change to the log must generate an immutable audit entry showing who changed what, when, and why. Coordinators who update delegation logs in systems that don't generate audit trails are creating a compliance problem they may not discover until an inspection.
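The tamper-evident audit trail described here and in the vendor qualification section can be illustrated with a SHA-256 hash chain over delegation-log changes. This is an added example, not code from the original guide or from any vendor's platform; the record fields, user names and the externally stored head hash are assumptions made for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed prev_hash for the first entry

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus a canonical record encoding."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append_entry(chain, who, what, when, why):
    """Append-only write: every change needs who, what, when and why."""
    record = {"who": who, "what": what, "when": when, "why": why}
    missing = [k for k, v in record.items() if not v]
    if missing:
        raise ValueError(f"audit entry missing: {', '.join(missing)}")
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev_hash": prev_hash,
                  "hash": entry_hash(prev_hash, record)})
    return chain[-1]["hash"]

def verify_chain(chain, expected_head=None):
    """Recompute every link. expected_head is the last hash as recorded
    outside the system (for example in the sponsor's copy of the export);
    without it, a rewrite of the whole chain would still verify."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if (entry["prev_hash"] != prev_hash
                or entry["hash"] != entry_hash(prev_hash, entry["record"])):
            return (False, f"entry {i} altered")
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return (False, "head mismatch")
    return (True, "ok")

def build_sample_log():
    """Constructed delegation-log history; names and dates are sample data."""
    chain = []
    append_entry(chain, "pi.alvarez", "ADD coord.lee: obtain informed consent",
                 "2025-03-03T14:02:11+00:00", "Coordinator joined the study team")
    append_entry(chain, "pi.alvarez", "ADD coord.lee: sign adverse event reports",
                 "2025-05-12T09:40:00+00:00", "Coverage for second coordinator")
    append_entry(chain, "pi.alvarez", "REMOVE coord.ng: all delegations",
                 "2025-06-30T16:15:42+00:00", "Coordinator left the site")
    return chain
```

An in-place edit to any entry breaks the chain at that entry. A full recomputation of every later hash is caught only when the head hash is compared with a copy held outside the system.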
Authentication at Signing, Not Just at Login
Part 11 Section 11.200(a) requires that when a non-biometric electronic signature is used in a continuous signing session, the first signing event must use both identification components and each subsequent event must use at least one. In practice, this means a system should prompt the coordinator to re-enter a password (or use an authenticator app code) at each individual signing event, not just when they first logged in that morning.
Systems that authenticate at login and then allow unlimited signing without re-authentication don't satisfy this requirement. Coordinators who use such a system may not know they're out of compliance until a sponsor qualification audit flags it. The question to ask your platform vendor is direct: "Does re-authentication happen at each signing event, or only at session start?"
Training Before the First Signature
FDA investigators check training records for a specific pattern: they want to see that training on the e-signature system was documented before the first electronic signature was applied by each user. Training records dated after the first signature are a 483 finding, and it happens more often than it should because onboarding processes at busy sites don't always enforce the sequence.
The site's SOP for electronic signatures should explicitly sequence training before system access. The platform should ideally enforce this by requiring a training acknowledgment before a new user account is activated.
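The three site-level checks described in the sections above (shared credentials, re-authentication at each signing event, and training before the first signature) can be run over an audit trail export before an inspector does. This is an added example, not code from the original guide or from any platform; the event schema, the component names and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

OVERLAP_WINDOW = timedelta(seconds=60)  # assumed threshold for "simultaneous"

def review_signing_events(events, training_completed):
    """Return (doc, user, finding) tuples for an audit trail export.

    events: dicts with user, session, source, time, components, doc
            (a constructed schema; map your platform's export onto it).
    training_completed: user -> ISO 8601 timestamp of documented training.
    """
    findings, signed_users, open_sessions, last_seen = [], set(), set(), {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        user, when = ev["user"], datetime.fromisoformat(ev["time"])

        # Training must be documented before each user's first signature.
        # The comparison is offset-aware because the site and the server
        # may log in different time zones.
        if user not in signed_users:
            signed_users.add(user)
            trained = training_completed.get(user)
            if trained is None or datetime.fromisoformat(trained) > when:
                findings.append((ev["doc"], user, "signed before documented training"))

        # 11.200(a): both components at the first signing of a continuous
        # session, at least one at each later signing.
        key = (user, ev["session"])
        required = 1 if key in open_sessions else 2
        open_sessions.add(key)
        if len(set(ev["components"])) < required:
            findings.append((ev["doc"], user, f"{required} component(s) required at signing"))

        # One user ID signing from two sources at nearly the same moment
        # points to a shared credential.
        prev = last_seen.get(user)
        if prev and prev[1] != ev["source"] and when - prev[0] <= OVERLAP_WINDOW:
            findings.append((ev["doc"], user, "same user ID signing from two sources"))
        last_seen[user] = (when, ev["source"])
    return findings

def sample_export():
    """Constructed sample data, not taken from any real trial."""
    def ev(user, session, source, time, components, doc):
        return dict(user=user, session=session, source=source, time=time,
                    components=components, doc=doc)
    both = ["id_code", "password"]
    events = [
        ev("coord.lee", "s1", "ws-01", "2025-04-01T14:00:00+00:00", both, "ICF-001"),
        ev("coord.lee", "s1", "ws-01", "2025-04-01T14:05:00+00:00", ["password"], "ICF-002"),
        ev("coord.lee", "s1", "ws-01", "2025-04-01T14:20:00+00:00", [], "AE-014"),
        ev("pi.alvarez", "s7", "ws-02", "2025-04-01T15:00:00+00:00", ["password"], "DOA-003"),
        ev("pi.alvarez", "s8", "ws-05", "2025-04-01T15:00:30+00:00", both, "F1572-01"),
    ]
    training = {"coord.lee": "2025-04-01T09:30:00-05:00",
                "pi.alvarez": "2025-03-01T10:00:00-05:00"}
    return events, training
```

In the sample, coord.lee's training is logged at 09:30 local time (UTC-5) and the first signature at 14:00 UTC, which is 09:00 local; comparing the raw strings would put the training first, while the offset-aware comparison shows the signature came 30 minutes earlier.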
The Site's Non-Repudiation Letter
Investigator sites using their own e-signature systems for FDA-required records (rather than using a sponsor-provided platform) need their own non-repudiation letter on file with FDA. Many site coordinators aren't aware of this obligation because it sits at the organizational level, not the study level. But when a sponsor qualification checklist asks whether the site has submitted a non-repudiation letter, a blank answer creates a qualification problem.
For small sites without a dedicated regulatory affairs function, the non-repudiation letter is typically handled by the PI or site director. It's a single letter, submitted once, covering all studies conducted at that site. For a step-by-step guide, see 21 CFR Part 11 for small clinical research sites.
Where the Three Responsibilities Overlap
Several compliance areas require active coordination across all three parties. Getting them right requires explicit agreement, not assumption.
Audit Trail Access
Regardless of who operates the e-signature system, the sponsor must be able to access and review the audit trail for any trial record. This means audit trail exports must be possible in a format the sponsor can read independently of the platform. When a CRO or site uses a platform the sponsor doesn't control, the written agreement must specify export format, access rights, and response time for audit trail requests during an inspection.
Same-day readiness is now the practical standard. The April 2026 one-day inspection pilot created an environment where sponsors and sites may have under 24 hours from inspection notice to investigator arrival. Audit trail exports that require three business days to generate are an inspection readiness failure.
Change Notification
Any change to an e-signature system that could affect Part 11 compliance must be communicated to all parties who rely on that system. If the CRO upgrades its platform, the sponsor should be notified and given the opportunity to review updated validation documentation. If the site switches platforms mid-trial, the sponsor and CRO must be informed, and the transition must be documented with evidence that the new system was qualified before regulated documents were signed on it.
Incident Response
A compromised credential at an investigator site isn't just a site problem. It's a data integrity event that may affect trial records the sponsor is responsible for submitting to FDA. All three parties need a documented understanding of the escalation path when a Part 11-related incident occurs: what the site reports to the CRO and sponsor, when, and how the event is documented and corrected.
The Documents Most Likely to Fail at Each Level
Based on the pattern of FDA 483 observations and sponsor qualification findings, these are the document types where compliance failures cluster by party:
At the Investigator Site
- Delegation of authority logs: unsigned by PI at the time of change, or signed by a coordinator under improperly delegated authority
- Informed consent forms: signed under a shared login, or signed without the required two-component authentication at the signing event
- Adverse event reports: signed late, with timestamps that don't match the event timeline documented in source records
- FDA Form 1572: signed with a system that doesn't generate a compliant audit trail, or stored in a non-Part 11 environment after signing
At the CRO
- Monitoring visit reports: signed by monitors without re-authentication at signing, or stored in systems without immutable audit trails
- Protocol deviation documentation: missing signature meaning on the face of the document, or signed before the deviation review process was complete
- Site qualification records: documenting site compliance with electronic system requirements but without verification evidence
At the Sponsor
- IND amendments and protocol amendments: signed by authorized personnel but without the supporting validation documentation for the platform used
- Trial master file records: managed on a platform the sponsor hasn't formally qualified, or with audit trail access rights not documented in the CRO agreement
- Vendor qualification packages: missing or incomplete for the e-signature platform in use, especially when the platform was adopted before the 2024 guidance formalized cloud system qualification expectations
A Practical Verification Checklist for Each Party
Before your next FDA inspection or sponsor qualification visit, run through these checks by role:
Sponsors
- Have you submitted a non-repudiation letter to FDA under 21 CFR 11.100(c)?
- Do you have a current IQ/OQ/PQ validation package for every e-signature platform used in your trials?
- Does your written agreement with each CRO specify audit trail format, access rights, and change notification obligations?
- Can you produce an audit trail export for any trial record within the same day?
- Do you have documented evidence that site staff were trained on sponsor-provided systems before their first signature?
CROs
- Has your organization submitted its own non-repudiation letter?
- Do you have validation documentation for every electronic system you operate for regulated clinical records?
- Does your quality agreement with sponsors specify audit trail access rights, response times, and change notification?
- Have you trained your monitoring staff that re-authentication is required at each individual signing event?
- Are your site qualification procedures updated to verify Part 11 compliance of site e-signature systems?
Investigator Sites
- Does every staff member who signs regulated documents have their own unique login?
- Is your PI signing the delegation of authority log each time a delegation changes?
- Does your e-signature platform require two-component authentication at each signing event?
- Are training records dated before the first signature for every current system user?
- Has your site submitted a non-repudiation letter if you operate your own e-signature system?
Electronic signatures in clinical trials work when all three parties treat their obligations as distinct and non-delegable. The sponsor oversees the system of systems. The CRO operates its own systems with independent accountability. The site uses whatever platform is in scope correctly, every time. When any of the three operates as if the other two are handling it, that's exactly when inspectors find the gap.