If you run compliance at a contract research organization, you're in a complicated spot. You're not the sponsor. You're not the clinical site. But under the October 2024 FDA guidance on electronic systems, records, and signatures in clinical investigations, you're squarely on the hook for Part 11 compliance, for the systems you operate, the records you generate, and the signatures you capture.
That's not a new idea. What the 2024 guidance does is sharpen the edges. It names CROs explicitly as "regulated entities," clarifies what written agreements must cover, and introduces specific requirements like the non-repudiation letter that many CROs haven't fully worked through yet.
This post breaks down what Part 11 compliance actually means for CROs: the non-repudiation letter obligation, how dual-site accountability works in practice, what the TMF e-signature requirements look like for CRO monitoring workflows, and how delegation of authority logs become a compliance document in multi-site environments.
Key Takeaways
- CROs are explicitly named as "regulated entities" in the October 2024 FDA guidance, and any Part 11 obligation assumed in a written agreement is fully enforceable against the CRO directly.
- The non-repudiation letter is one per organization, not one per study, and is a hard prerequisite for any organization using legally binding electronic signatures.
- Sponsor oversight cannot be outsourced. The written agreement must grant the sponsor read access to the CRO's electronic records and audit trails on demand.
- CRO TMF documents (monitoring visit reports, deviation assessments, site qualification) typically involve multiple signature events per document. General-purpose e-signature tools rarely satisfy the multi-event, role-aware requirements.
- System qualification responsibility tracks the operator. If the CRO selected and runs the e-signature platform, the CRO owns validation, IQ/OQ/PQ, and the Part 11 traceability matrix.
What the October 2024 FDA Guidance Says About CROs
The FDA's October 2024 final guidance, "Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers," is the most detailed FDA statement on Part 11 in clinical research in more than two decades. It covers 29 Q&As across system validation, audit trails, hybrid records, cloud vendor qualification, and electronic signatures.
CROs appear by name in the guidance's scope definition. "Regulated entities," the guidance explains, refers to sponsors, CROs, clinical investigators, and IRBs "to the extent they are responsible for regulatory obligations under a predicate rule." The phrase "to the extent they are responsible" matters. It means Part 11 obligations track the written agreement between the sponsor and CRO.
Here's the practical consequence: any Part 11 obligation a CRO assumes in a written agreement is now fully enforceable against the CRO, not just the sponsor. When operating under such agreements, CROs are subject to the same regulatory actions as sponsors for any failure to perform those obligations. A 483 observation, a warning letter, or a clinical hold can land on the CRO, not just the sponsor, if the CRO's systems or records are the source of the compliance gap.
The Non-Repudiation Letter: One Per Organization
Q&A #29 in the October 2024 guidance introduces a specific procedural requirement that many CROs haven't addressed: the non-repudiation letter.
Any organization using electronic signatures that are intended to be the legally binding equivalent of a handwritten signature under Part 11 must submit a letter to FDA certifying that intent. The good news: you only need one letter per organization, covering all electronic signatures used within that organization. You don't submit a letter per study or per system.
But "one per organization" means the letter has to be submitted. A CRO that has been using electronic signatures for years without ever submitting a non-repudiation letter is out of compliance, regardless of how technically sound its signing systems are.
The letter goes to the relevant FDA center (CDER, CBER, CDRH, or CFSAN depending on your work) and states that the organization's electronic signatures are intended to be the legal equivalent of traditional handwritten signatures. It's not a complex document, but it's a hard prerequisite.
If your CRO operates across multiple divisions or legal entities, this needs a legal review. A letter submitted by the parent company may or may not cover subsidiary CRO operations. That depends on how the entities are structured and what systems each operates.
Dual-Site Accountability: Who Owns What
The most persistent confusion in CRO Part 11 compliance is accountability overlap. The sponsor holds ultimate responsibility for the clinical investigation. The CRO executes specific functions. ICH E6(R3) explicitly reinforces that sponsor oversight cannot be outsourced, even when the CRO performs the work.
What that means practically:
The sponsor must maintain the ability to audit the CRO's electronic systems. If the CRO's audit trail isn't accessible to the sponsor on demand, the sponsor can't fulfill its oversight obligation. The written agreement needs to specify that the sponsor has audit access to electronic records and audit trails, not just to CRO-prepared reports, but to the underlying system-generated records.
The CRO owns system qualification for the systems it operates. A CRO using an e-signature platform it selected and manages is responsible for qualifying that system: validation documentation, IQ/OQ/PQ, risk assessment, change control. The sponsor isn't going to qualify the CRO's internal platform for them. If the platform can't produce a validation package, that's the CRO's problem during an inspection.
Records generated by the CRO may end up in a hybrid record environment. The 2024 guidance addresses hybrid records, where some study data is in paper and some is electronic. The EDC boundary rule matters here. FDA will generally apply Part 11 controls from the point at which data enters the sponsor's EDC system. But the CRO's records before that point (source documents, monitoring reports, query logs) have their own integrity requirements. The CRO can't assume that FDA's EDC-boundary approach absolves its pre-EDC records of data integrity obligations.
TMF E-Signature Requirements for CRO Monitoring Workflows
The Trial Master File is where CRO-specific Part 11 challenges get specific. CROs are responsible for the CRO portion of the TMF: monitoring visit reports, site qualification reports, protocol deviation assessments, serious adverse event follow-up correspondence, and audit reports.
Each of these documents involves at least one electronic signature event. Most involve multiple. ICH E6(R3) requires that the TMF be maintained in a way that allows reconstruction of the trial, which means every signature on every TMF document needs to meet Part 11 requirements to be legally defensible.
For CRO monitoring workflows, that creates specific requirements:
Monitoring visit reports. A clinical research associate (CRA) drafts the report, a supervisor reviews and approves it, and the signed report goes into the TMF. Each signing event needs re-authentication, a timestamped audit trail entry, and a signature meaning that captures the signer's role (author vs. reviewer). A general-purpose e-signature tool that captures a single signature at document completion doesn't satisfy the two-event requirement.
Protocol deviation and serious adverse event records. These documents often require sign-off from multiple roles: the CRA who identified the event, a clinical lead, and sometimes a medical monitor. The sequence matters. A system that allows the final approval signature before the initial identification signature is out of order for GCP purposes.
Site qualification and initiation documents. CRO-generated site qualification reports are TMF documents. When signed electronically, they need the same audit trail integrity as any other Part 11 record. The system needs to capture who signed, when, from what role, and with what meaning, and the audit trail needs to be exportable for sponsor review and FDA inspection.
The sponsor's read access requirement. Sponsors have a non-delegable obligation to oversee the TMF, including the CRO's portion. Your written agreement should explicitly grant the sponsor read access to the audit trail for CRO-held electronic records. During an FDA inspection of the sponsor, investigators may ask to see the CRO's TMF records and their associated audit trails. If that access has to go through a manual CRO request process, you have an inspection readiness problem.
Delegation of Authority Logs in Multi-Site CRO Environments
Delegation of authority logs are a GCP requirement that becomes a Part 11 issue the moment you go electronic. The principal investigator at each site must maintain a DOA log documenting every study team member, their role, the tasks they're authorized to perform, and the date they were delegated those tasks.
For a CRO managing 20 or 50 sites, DOA log management is a significant operational task. When done electronically in a Part 11-compliant system, it also becomes a Part 11 records management task.
The specific requirements for electronic DOA logs under Part 11:
Each entry must be signed by the PI. That's an individual signature event requiring re-authentication under 11.200. The PI can't just approve a batch of delegation entries at login. Each new team member added to the log, and each role change, is a separate signing event.
Changes to the DOA log must preserve the original entry. If someone's role changes or a team member leaves the study, the original entry must remain visible in the record with the original signature. The change is an addendum, not an overwrite. A platform that modifies the underlying record when a DOA entry changes is non-compliant.
The audit trail must show every modification. Who added the entry, when, what role was granted, who later modified it, and why: all of that needs to appear in the audit trail. During an inspection, FDA investigators frequently pull DOA logs alongside staff training records to verify that team members were authorized to perform the tasks they performed on the dates they performed them. If the DOA log audit trail is incomplete or missing entries, that's a finding.
CRO central monitoring staff may also appear in DOA logs at the CRO level. If your CRO has a central monitoring team that reviews data across sites, those individuals may need to be documented in a CRO-level authorization record. The exact structure depends on your SOPs and the written agreement with the sponsor, but the same Part 11 requirements apply.
The System Qualification File: CRO's Responsibility
When the sponsor audits the CRO, or when FDA inspects, one of the first requests is the system qualification file for any electronic system used to generate, maintain, or sign regulated records. For a CRO, this typically means:
- The e-signature platform used for monitoring workflows and TMF documents
- Any EDC system the CRO operates (though this is increasingly sponsor-provided)
- Any CTMS used to track site activities and generate management reports
- The eTMF system if the CRO maintains it
Each system needs a validation package: a system description, a risk assessment, IQ/OQ/PQ protocols, test execution evidence, a summary report, and a Part 11 traceability matrix showing how each technical requirement in 21 CFR 11.10 is satisfied by the system.
The 2024 guidance adopts a risk-based validation standard. The depth of validation should match the risk of the system to patient safety and data integrity. For an e-signature platform used for TMF documents and monitoring reports, the risk level is high. A cursory validation based on the vendor's SOC 2 report doesn't satisfy FDA's expectations for a high-risk GCP system.
The practical implication: if your CRO's e-signature platform can't provide a validation package, and many general-purpose tools can't, the CRO has to build one internally. That's expensive and time-consuming. It's also rarely complete enough to satisfy a qualified FDA investigator who knows what to look for.
Purpose-built Part 11 platforms provide the validation package as part of the product. The CRO reviews and approves the package for its specific configuration, adds site-specific test evidence, and retains the completed package as part of the system qualification file. That's the right approach.
What to Look For in a CRO E-Signature Platform
CROs have specific needs that go beyond what a basic Part 11 checklist covers:
Multi-site user management. A CRO managing 50 sites needs fine-grained role-based access. Not every user can see every site's records, and the access control configuration needs to be auditable. If an access control change doesn't appear in the system audit trail, that's a gap.
Sponsor read access with audit trail visibility. The platform needs to support sponsor read-only access to records and audit trails without requiring the sponsor to have full CRO system access. This is a specific feature, not a default capability in general-purpose tools.
Exportable audit trails. For inspections and sponsor audits, you need to be able to export a complete, human-readable audit trail for any document or set of documents within a date range. The export needs to include every field: user identity, timestamp with time zone, action taken, record affected, and previous value for any modified field.
Non-repudiation at the signature level. Each electronic signature needs to be cryptographically linked to the signed record in a way that's detectable if the record is modified post-signature. SHA-256 hash chaining on audit trail entries satisfies this. Access controls on a database do not.
Signing sequence enforcement. CRO workflows often have defined approval sequences: author before reviewer, CRA before supervisor. The platform should enforce these sequences, not just recommend them. A system that allows out-of-sequence signing creates a GCP documentation gap that's hard to defend during an inspection.
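To make the last two points concrete, here is an added sketch (not code from any platform or vendor named in this post) of a per-document audit trail in which each signature entry carries the SHA-256 of the signed record and of the previous entry, and in which signing out of order is refused. The field names, the `SEQUENCE` list and the sample users are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
# Assumed workflow for illustration: author signs before reviewer.
SEQUENCE = ["author", "reviewer"]

def entry_digest(entry):
    """SHA-256 over every field of an entry except its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def sign(trail, document, user, role, meaning, when=None):
    """Append one signature event, refusing out-of-sequence roles."""
    expected = SEQUENCE[len(trail)] if len(trail) < len(SEQUENCE) else None
    if role != expected:
        raise PermissionError(f"out of sequence: expected {expected}, got {role}")
    entry = {
        "user": user, "role": role, "meaning": meaning,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "record_sha256": hashlib.sha256(document).hexdigest(),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    trail.append(entry)
    return entry

def verify(trail, document):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    current = hashlib.sha256(document).hexdigest()
    for i, e in enumerate(trail):
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link")
        if entry_digest(e) != e["entry_hash"]:
            problems.append(f"entry {i}: entry altered")
        if e["record_sha256"] != current:
            problems.append(f"entry {i}: record changed after signing")
        prev = e["entry_hash"]
    return problems

if __name__ == "__main__":
    doc = b"Monitoring visit report (constructed sample)"
    trail = []
    sign(trail, doc, "cra1", "author", "authorship")
    sign(trail, doc, "supervisor1", "reviewer", "approval")
    print(verify(trail, doc), verify(trail, doc + b" edited"))
```

The chain only detects a full rewrite if the latest `entry_hash` is also held somewhere the platform's administrators cannot change, such as the audit trail export retained by the sponsor.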
Getting Compliant
If your CRO hasn't fully worked through the October 2024 guidance, the place to start is the non-repudiation letter. It's a discrete action item that either is or isn't done. If it's not done, do it.
From there, the work is structural: review every written agreement with sponsors to confirm it clearly assigns Part 11 obligations and grants the sponsor audit access to your electronic records and audit trails. Review your system qualification files for every platform used to generate or sign regulated records. And evaluate whether your e-signature platform can actually support the CRO-specific requirements above: multi-site access control, sponsor read access, exportable audit trails, signing sequence enforcement.
The CRO-specific angle matters. General FDA Part 11 guidance is written for sponsors. The CRO's position (operating delegated functions under written agreements, managing TMF content for multiple sponsors, handling DOA logs across dozens of sites) creates compliance requirements that aren't obvious from the regulation text alone.
For the broader clinical trials e-signature framework, see the electronic signatures in clinical trials guide. It covers the full October 2024 guidance in detail including the hybrid records boundary rule and cloud vendor qualification requirements. The clinical trial document management and e-signature requirements post covers site and sponsor TMF obligations in depth.
The Certivo compliance page shows how a purpose-built Part 11 platform satisfies each technical requirement, including the multi-site access control, hash-chained audit trail, and validation package requirements that CRO environments specifically need.