Electronic signatures in clinical trials are legally valid under FDA 21 CFR Part 11, the EU Clinical Trial Regulation (CTR) 536/2014 with eIDAS, and ICH E6(R2)/(R3) Good Clinical Practice (GCP). They're used for informed consent forms (ICFs), case report forms (CRFs), protocol amendments, serious adverse event reports, and monitoring visit reports. To be compliant, e-signatures must include unique user identification, two-factor authentication, signature meaning capture, and immutable audit trails.
Key Takeaways — Updated for the October 2024 FDA Final Guidance
- FDA finalized 29 Q&As on electronic systems in clinical investigations in October 2024, replacing the 2003 guidance as the primary reference for Part 11 in clinical research.
- Q&A #29 in the 2024 guidance clarifies the non-repudiation letter requirement: one letter per organization, submitted before or concurrent with first use, covering all studies.
- Hybrid records (electronic health records used as source data that then flow into an EDC) are addressed directly: Part 11 applies at the EDC boundary, not to the underlying EHR.
- The 2024 guidance explicitly endorses a risk-based approach to validation, replacing prescriptive test script requirements with a documented risk assessment.
- Cloud and SaaS platforms are explicitly addressed: sponsors remain responsible for Part 11 compliance even when the regulated organization does not control the physical infrastructure.
- Nine major clinical trial document types require signatures, from ICFs to FDA 1572 forms.
- System validation (IQ/OQ/PQ under CSA) is a regulatory requirement, not optional.
This guide covers the regulatory requirements for e-signatures in clinical research: which document types need signatures, what FDA, EMA, and MHRA frameworks demand, how the October 2024 final guidance changed the landscape, and how to implement e-signatures in a way that survives an audit.
The October 2024 FDA Final Guidance: What Changed
For two decades, the primary FDA reference for electronic records in clinical research was the August 2003 guidance on Part 11 scope and application. In October 2024, FDA finalized a new guidance document: "Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers." Published in the Federal Register on October 2, 2024, this guidance supersedes the 2003 document for clinical investigation purposes and provides 29 Q&As covering topics that the 2003 guidance didn't anticipate.
For sponsors, CROs, and clinical research sites operating under FDA oversight, the 2024 guidance is now the controlling document. Here's what it actually says on the issues that matter most.
Non-Repudiation Letters: Q&A #29 Clarified
Under 21 CFR 11.100(c), any person or organization that uses electronic signatures in FDA-regulated clinical investigations must submit a written certification to FDA stating that their electronic signatures are intended to be the legally binding equivalent of handwritten signatures. This is the non-repudiation letter. Before the 2024 guidance, the scope of this requirement was ambiguous.
Q&A #29 in the 2024 final guidance addresses this directly. Key clarifications:
- One letter per organization is sufficient. A sponsor, CRO, or site doesn't need to submit a separate letter for each study, protocol, or application. One letter covers all studies conducted by the organization.
- Timing: before or concurrent with first use. The letter must be submitted before, or at the same time as, electronic signatures are first used on FDA-regulated clinical records. It's not retroactive.
- Paper submission required. The letter must be submitted on paper to the FDA in accordance with 21 CFR 11.100(c). It is not submitted electronically through a portal.
- CRO and site responsibility. CROs and investigator sites that use electronic signatures must each submit their own letter, or be covered by a sponsor's letter that explicitly extends coverage to them. Many sponsors handle this centrally.
Many organizations have been operating without this letter for years, treating it as a formality that could be addressed later. The 2024 guidance makes clear it's a prerequisite, not an afterthought. If your organization uses electronic signatures in FDA-regulated clinical research and has never submitted this letter, that's a compliance gap to address immediately.
Hybrid Records: Where Part 11 Actually Applies
Modern clinical trials increasingly use electronic health records (EHRs), wearables, and remote monitoring devices as sources of clinical data. This creates "hybrid" workflows where data originates in one system and flows into a sponsor's electronic data capture (EDC) platform. The question of which system needs to meet Part 11 has been genuinely unclear.
The 2024 guidance addresses this directly. FDA's position:
- Part 11 applies at the EDC boundary. Once source data is entered or imported into a sponsor's EDC system, that EDC system must meet Part 11 requirements. FDA will not require Part 11 compliance for the original EHR or real-world data source.
- Transcription creates a new record. When data is transcribed from paper or an EHR into an EDC, the EDC entry is the Part 11-governed electronic record. The transcription process itself must be documented and auditable.
- Direct data capture is preferred. For digital health technologies (wearables, ePRO, remote monitoring) that feed data directly into a sponsor's system, the entire data path must be validated and the receiving system must meet Part 11.
This clarification matters for decentralized trial designs that rely heavily on patient-reported outcomes and wearable device data. The EHR itself doesn't need to meet Part 11, but everything from the EDC inward does. For a deeper look at decentralized trial requirements, see our guide on decentralized clinical trials and e-consent.
Risk-Based Validation: The 2024 Standard
The 2003 Part 11 guidance on validation was interpreted by many organizations as requiring extensive upfront documentation for every system function. The 2024 guidance endorses a risk-based approach:
- Document a risk assessment first. The validation approach should be based on a justified, documented risk assessment considering the intended use of the system, the importance of the data, and the potential impact on participant safety and trial results.
- Higher risk functions require more rigorous testing. Functions that directly affect participant safety or data integrity (e.g., audit trail generation, signature binding) require more rigorous validation than lower-risk functions (e.g., report formatting).
- Cloud systems require vendor qualification. For cloud-based and SaaS e-signature platforms, sponsors must assess and document that the vendor's infrastructure meets Part 11 requirements. This typically means reviewing vendor-provided validation packages, SOC 2 Type II reports, and IQ/OQ/PQ documentation.
This aligns with FDA's Computer Software Assurance (CSA) approach. If you're still running traditional CSV programs with exhaustive test scripts for every feature, the 2024 guidance is a signal that FDA accepts a leaner, risk-prioritized approach — provided the risk assessment is documented.
Cloud and SaaS Systems: Explicit Guidance
The 2024 final guidance addresses cloud-hosted and SaaS e-signature platforms explicitly, which the 2003 guidance did not. Key points:
- Sponsors and CROs remain responsible for Part 11 compliance even when using a third-party cloud platform they don't physically control.
- Vendor audits or qualification reviews are expected before use in FDA-regulated studies. A vendor's SOC 2 certification is a data security assessment, not a Part 11 compliance validation.
- Audit trails generated by cloud systems must meet Part 11 requirements. The fact that the audit trail lives on a vendor's infrastructure doesn't change what it must contain.
Purpose-built Part 11 platforms like Certivo address this by providing complete validation documentation packages, including IQ/OQ/PQ protocols and a Part 11 traceability matrix, so sponsors can satisfy their vendor qualification obligations without building the documentation from scratch. For the technical detail on what Part 11 compliance actually requires, see our guide on what makes an e-signature platform FDA compliant.
Regulatory Requirements by Jurisdiction
United States: FDA and 21 CFR Part 11
In the United States, FDA 21 CFR Part 11 governs electronic records and electronic signatures used in clinical trials. Any electronic record that satisfies an FDA predicate rule requirement, and any electronic signature applied to such a record, must comply with Part 11. The relevant predicate rules include 21 CFR Part 312 (Investigational New Drug Applications), 21 CFR Part 812 (Investigational Device Exemptions), and 21 CFR Part 50 (Protection of Human Subjects).
Part 11 requirements that directly affect clinical trial e-signatures:
- Unique identification: Each signer must have a unique user identity that's never shared or reassigned (Section 11.100).
- Two-component authentication: Non-biometric signatures must use at least two distinct identification components, such as a username and password, used together at the time of signing (Section 11.200).
- Signature meaning: Every signature must include the printed name of the signer, the date and time with time zone, and the purpose of the signature (Section 11.50).
- Audit trail: A secure, computer-generated, time-stamped audit trail must record every signature action (Section 11.10(e)).
- Signature-record linking: The signature must be bound to the record so it can't be copied, removed, or transferred (Section 11.70).
- Non-repudiation letter: Organizations must certify in writing to FDA that their electronic signatures are the legally binding equivalent of handwritten signatures (Section 11.100(c), clarified in Q&A #29 of the 2024 guidance).
European Union: EU Clinical Trials Regulation 536/2014
The EU Clinical Trials Regulation (CTR) 536/2014, fully applicable since January 2022 with the launch of the Clinical Trials Information System (CTIS), governs clinical trials in EU member states. The regulation doesn't prohibit electronic signatures, and the CTIS portal is designed for electronic submission of clinical trial applications.
For electronic signatures within clinical trial processes in the EU, the eIDAS Regulation (910/2014) provides the legal framework. eIDAS recognizes three tiers:
- Simple Electronic Signature (SES): Any data in electronic form attached to or logically associated with other data used by the signatory to sign. The broadest category.
- Advanced Electronic Signature (AES): Uniquely linked to the signatory, capable of identifying them, created using data under their sole control, and linked to the signed data so that any change is detectable.
- Qualified Electronic Signature (QES): An AES created by a qualified signature creation device and based on a qualified certificate. A QES has the legal effect of a handwritten signature across all EU member states.
For most clinical trial documentation, an Advanced Electronic Signature is sufficient. But some member states or ethics committees may require Qualified Electronic Signatures for specific documents like informed consent forms. Organizations running multi-country trials in the EU should assess signature requirements country by country. For a detailed comparison of EU and US frameworks, see our guide on eIDAS vs. the ESIGN Act.
United Kingdom: MHRA
Following Brexit, the UK Medicines and Healthcare products Regulatory Agency (MHRA) established its own regulatory framework while maintaining substantial alignment with international standards. The MHRA accepts electronic signatures for clinical trial documentation provided the signatures are attributable, the system maintains adequate audit trails, and the electronic records are equivalent in content and meaning to their paper counterparts. The MHRA has been notably progressive in encouraging digital technologies in clinical trials, including remote consent and electronic source data.
ICH E6(R3): Good Clinical Practice
The International Council for Harmonisation (ICH) guideline E6(R3) on Good Clinical Practice (GCP), finalized in 2023, replaces E6(R2) as the international standard for clinical trial conduct. Unlike E6(R2), E6(R3) explicitly embraces technology-enabled trial conduct, including electronic records, remote monitoring, and digital health technologies.
E6(R3) doesn't mandate electronic signatures, but it establishes principles that directly govern their use. The guideline emphasizes proportionate oversight and fit-for-purpose system controls rather than prescriptive requirements. This aligns with FDA's risk-based approach in the 2024 final guidance. Organizations implementing electronic signature systems for GCP studies should document how their risk assessment approach satisfies both E6(R3) principles and Part 11 technical requirements.
Which Clinical Trial Documents Require Signatures?
The volume and variety of documents requiring signatures in a clinical trial is substantial. This table categorizes the major document types by who signs them and the regulatory basis for the requirement.
| Document | Signers | Regulatory Basis |
|---|---|---|
| Informed Consent Form (ICF) | Patient/subject, investigator or designee | 21 CFR 50, ICH E6 4.8, EU CTR 536/2014 Art. 29 |
| Protocol and amendments | Sponsor, principal investigator | 21 CFR 312.23, ICH E6 6.0 |
| Case Report Forms (CRFs) | Investigator or authorized delegate | 21 CFR 312.62, ICH E6 8.3 |
| Serious Adverse Event (SAE) reports | Investigator, medical monitor | 21 CFR 312.32, ICH E6 4.11 |
| Monitoring visit reports | Clinical research associate (CRA) | ICH E6 5.18.6 |
| Delegation logs | Principal investigator | ICH E6 4.2 |
| Lab certifications and normals | Laboratory director | ICH E6 4.9, 21 CFR 312.62 |
| Financial disclosure forms | Investigator, sub-investigators | 21 CFR 54 |
| FDA 1572 (Statement of Investigator) | Principal investigator | 21 CFR 312.53 |
Each document has its own requirements for content, timing, and retention. An e-signature platform for clinical trials needs to handle these varying requirements while keeping a consistent compliance framework across all document types. For a detailed breakdown of the site-level document management picture, see our guide on clinical trial document management and e-signature requirements.
What the 2024 Guidance Changed for CROs
Contract research organizations occupy a specific position in the 2024 guidance because they often use electronic systems on behalf of sponsors while maintaining their own infrastructure. The guidance addresses this split responsibility:
- CROs must have their own non-repudiation letter or be explicitly covered by a sponsor's letter. "We work for the sponsor and they handle it" is not a sufficient answer during an FDA inspection of a CRO's facilities.
- System qualification must be documented by the CRO for any electronic record system the CRO operates, even if the sponsor provides the system. The CRO's vendor qualification file must show they assessed the system against Part 11 requirements.
- Audit trail access must be contractually guaranteed. If the sponsor needs to retrieve audit trail data from a CRO-operated system years after a study closes, the data access arrangement must be documented in the contract. FDA can request audit trails from sponsors, who must be able to produce them even for systems they no longer operate.
For CROs evaluating platforms, the practical question is: does the platform provide audit trail data export in formats the sponsor can review independently, and does the vendor provide validation documentation suitable for both CRO and sponsor qualification files?
Implementation Best Practices
Getting e-signatures right in clinical research means paying attention to both technical controls and organizational processes. These practices reflect the 2024 FDA guidance as well as successful implementations across pharmaceutical sponsors and CROs.
1. Submit the Non-Repudiation Letter Before You Start
This sounds obvious, but many organizations start using electronic signatures in FDA-regulated studies without ever sending the Section 11.100(c) certification letter. Q&A #29 in the 2024 guidance makes the timing requirement explicit. One letter per organization is sufficient, but it must be submitted before or concurrent with first use. Write the letter, submit it, and keep the submission confirmation in your compliance files.
2. Select a Purpose-Built Platform
General-purpose e-signature tools built for business contracts often lack the controls needed for clinical trial compliance. Look for immutable audit trails with hash-chain integrity verification, configurable signature meaning capture (approval, review, acknowledgment, authorship), role-based access control with individual accountability, two-component authentication at the moment of signing (not just at login), and compliance documentation to support validation activities. Platforms designed for regulated industries, like Certivo, build these controls into the core architecture rather than bolting them on as afterthoughts.
3. Validate Using a Risk-Based Approach
Under the 2024 FDA guidance, your validation approach should start with a documented risk assessment. Identify which system functions directly affect participant safety and data integrity. Those functions need rigorous testing with documented results. Lower-risk functions can be handled with less intensive testing. Cloud vendors should provide their own IQ/OQ/PQ documentation and a Part 11 traceability matrix. Your job is to review and approve those documents, not build them from scratch.
4. Define Signature Workflows Before Deployment
Map out which documents require signatures, who must sign, in what order, and what the signature means in each context before configuring your system. Clinical trial workflows get complex: sequential approvals (investigator signs before sponsor), parallel signatures (multiple sub-investigators signing simultaneously), conditional routing (SAE reports escalated to medical monitor), and delegation of authority with documented oversight. Getting this right upfront reduces configuration errors, training burden, and compliance risk.
5. Implement Strong Identity Verification
In clinical trials, signature attribution is non-negotiable. Every signer must be positively identified before receiving signing authority. For internal staff (sponsors, CROs, monitors), this typically means organizational identity management integrated with the e-signature platform. For investigators and site staff, a solid onboarding process must verify identity before issuing credentials. And for patients signing informed consent electronically, identity verification must comply with 21 CFR 50 and local regulations, which may require a witness or in-person step.
6. Train All Signers and Document the Training
Section 11.10(i) of 21 CFR Part 11 requires that personnel using electronic record and signature systems have appropriate training. Every investigator, coordinator, monitor, and data manager must receive documented training on the e-signature platform before using it. Training records must be maintained as part of the trial master file. The platform itself should support training acknowledgment capture so there's a verifiable record that each individual was trained before executing their first electronic signature.
7. Establish SOPs for Electronic Signature Use
Written standard operating procedures must cover who is authorized to sign which document types, the process for requesting and granting system access, password and credential management policies, delegation of signing authority, incident management for compromised credentials, and how access is revoked when personnel leave the study. These SOPs should be reviewed and updated as part of your regular quality management process.
Common Challenges and How to Address Them
Investigator Resistance
Some investigators, particularly those used to paper-based processes, will push back on electronic signatures. Pick a platform with an intuitive interface that minimizes the learning curve. Provide hands-on training rather than written instructions alone. Show the time savings (signature cycle times dropping from days to minutes). And make sure reliable technical support is available during the transition period.
Multi-Country Regulatory Variation
For multinational trials, e-signature requirements vary by country. Some ethics committees won't accept electronic informed consent. Certain national authorities may require specific signature types (such as QES under eIDAS). The practical approach: survey regulatory requirements in each participating country before the trial starts, build the most stringent requirements into your baseline configuration, and document country-specific deviations with supporting regulatory justification.
Electronic Informed Consent
Electronic informed consent (eConsent) is one of the most sensitive applications of e-signatures in clinical trials. The FDA issued guidance on electronic informed consent in 2016, and acceptance has grown significantly since, particularly with the rise of decentralized trials. Key considerations: presenting all required elements of informed consent clearly and understandably, ensuring the subject has adequate time to review and ask questions, capturing the subject's electronic signature with date and time, providing a copy of the signed consent document, and maintaining a complete audit trail of the consent process.
Integration with EDC and CTMS Systems
E-signatures in clinical trials don't operate in isolation. They need to integrate with Electronic Data Capture (EDC) systems for CRF signing, Clinical Trial Management Systems (CTMS) for monitoring reports, and document management systems for the Trial Master File. When evaluating a platform, assess its integration capabilities: API availability, support for standard data formats, and the ability to maintain audit trail continuity across system boundaries.
Long-Term Record Retention
The EU CTR 536/2014 Article 58 requires retention of clinical trial master file records for 25 years after trial completion. Many domestic FDA studies also have retention requirements extending well beyond the active trial period. E-signature platforms must support long-term record retention in formats that remain readable — not just today but decades from now. PDF/A format for signed documents, SHA-256 hash-chained audit trails for integrity verification, and verified export capabilities are the practical requirements.
Audit Readiness
Regulatory inspections of clinical trials routinely review electronic systems and signatures. To stay audit-ready, maintain current system validation documentation consistent with the 2024 FDA guidance, keep all audit trail data for the required retention period, ensure electronic records can be exported in human-readable formats for inspector review, keep training records current, document completion of the non-repudiation letter submission, and conduct periodic self-inspections of your e-signature processes.
The pre-inspection checklist for audit trail readiness is a useful starting point for site-level self-assessment.
The Future of E-Signatures in Clinical Research
Several trends are accelerating adoption. Decentralized clinical trials (DCTs) depend on remote processes including electronic consent and remote monitoring, making paper signatures impractical. ICH E6(R3), finalized in 2023, explicitly embraces technology-enabled trial conduct. The October 2024 FDA final guidance modernizes the regulatory expectations for cloud systems, digital health technologies, and risk-based validation. And the industry's move toward risk-based quality management favors automated controls and digital audit trails over manual paper processes.
The regulatory direction is clear: electronic processes aren't just acceptable but preferred, provided the right controls are in place. The 2024 guidance removes much of the ambiguity that kept some organizations on paper. The risk of staying on paper — operational inefficiency, delayed inspections, and the impossibility of conducting decentralized trials at scale — now outweighs the perceived risk of electronic adoption.
Conclusion
Implementing electronic signatures in clinical trials now means working within a well-defined regulatory framework. The October 2024 FDA final guidance resolved the major ambiguities: non-repudiation letters are required and one per organization is enough; hybrid records are governed at the EDC boundary; cloud systems require vendor qualification; and validation should be risk-based and documented.
Start with a platform designed for regulated use. Validate it using a documented risk assessment. Submit your non-repudiation letter before your first electronic signature touches an FDA-required record. Define your workflows before deployment. Train every signer and keep the records. Build audit readiness into daily operations, not last-minute inspection prep.
For a deeper look at the foundational regulation, read our guide on FDA 21 CFR Part 11. For EU-specific requirements, see our guide on the EU Clinical Trial Regulation 536/2014. For data integrity frameworks, see our ALCOA+ data integrity guide. To understand what a purpose-built platform must technically provide, see our breakdown of what makes an e-signature platform FDA compliant. To see how a purpose-built platform handles these requirements, explore Certivo's compliance capabilities or review the free Part 11 compliance checklist.