"GxP compliant electronic signatures" is one of the most overused claims in regulated industry software marketing. Every vendor says it. Few can tell you exactly what it means at the technical level, or how GMP, GLP, and GCP requirements differ from each other.
This guide explains what the regulations actually require, discipline by discipline, and gives you a practical framework for deciding whether a platform is genuinely GxP compliant or just applying the label.
Key Takeaways
- FDA 21 CFR Part 11 is the shared foundation. Every GxP discipline that operates under FDA jurisdiction must meet it.
- GMP, GLP, and GCP add discipline-specific obligations on top of Part 11 — they don't replace it.
- The February 2026 QMSR implementation changed how medical device e-signatures relate to GMP requirements.
- EU GMP Annex 11 applies parallel requirements for EU-regulated organizations, with important differences from Part 11.
- "GxP compliant" is a vendor claim, not a certification. You have to verify it against the regulatory text.
What "GxP" Actually Means
GxP is a collective abbreviation for a family of regulations that share the same structure: Good (x) Practice, where x varies by discipline. The main categories in FDA-regulated industries are:
- GMP — Good Manufacturing Practice, covering pharmaceutical and medical device manufacturing (21 CFR Parts 210, 211, and QMSR)
- GLP — Good Laboratory Practice, covering non-clinical laboratory studies submitted to FDA (21 CFR Part 58)
- GCP — Good Clinical Practice, covering clinical investigations (21 CFR Parts 50, 54, 56, and the ICH E6(R3) guideline)
- GDP — Good Distribution Practice, covering drug and device distribution chains
- GVP — Good Pharmacovigilance Practice, covering post-market safety surveillance
All of these "predicate rules" require electronic records and signatures to meet 21 CFR Part 11 when those records are created, modified, maintained, archived, retrieved, or transmitted electronically, and when they're required by FDA regulation or submitted to FDA. Part 11 is the compliance layer that sits underneath all of them.
The Shared Foundation: What Part 11 Requires Across All GxP Disciplines
Before getting into discipline-specific differences, it's worth being precise about what Part 11 requires at the platform level. These controls apply equally to GMP batch records, GLP study data, and GCP clinical investigator documents.
Electronic Records (Part 11 Subpart B)
Section 11.10 lists the controls required for closed systems — the category that covers SaaS platforms where access is controlled by the system operator. The requirements include:
- System validation to ensure accuracy, reliability, and consistent performance
- Audit trails that capture who did what, when, to which record, and what the original value was — generated by the system, not the user, and not modifiable by users
- Access controls that limit system use to authorized individuals through unique credentials
- Operational system checks that enforce the sequencing of required steps and events
- Authority checks that allow only authorized individuals to use the system, electronically sign records, access specific operations, or create input or output
- Device checks to determine the validity of source data input or operational instructions
- Written policies holding individuals accountable for their actions under their electronic signatures (Section 11.10(j))
Electronic Signatures (Part 11 Subpart C)
Non-biometric electronic signatures — the kind used in virtually all GxP applications — must satisfy Section 11.200(a). The two-component requirement is the most frequently misunderstood: the two identification components must be used together at the time of signing. Using a username at login and not requiring re-authentication at the moment of signature doesn't satisfy this requirement. Each signing event requires both components.
Section 11.50 requires that when a signature is displayed or printed, it must show the signer's full name, the date and time the signature was applied (with time zone), and the meaning associated with the signature (reviewer, approver, author, or whatever role the signature carries in that workflow). Section 11.70 requires that the electronic signature be linked to the record in a way that makes it tamper-evident — a modification to the signed record should invalidate the signature or generate an audit trail entry that captures the modification.
GMP-Specific Requirements
GMP adds requirements on top of Part 11 that govern how electronic signatures function within manufacturing workflows. The key predicate rules are 21 CFR Part 211 for drugs and the QMSR (21 CFR Part 820) for medical devices.
21 CFR 211.68 and Batch Record Signatures
Section 211.68(b) requires that input to and output from computers or related systems used in the production or control of drug products be checked for accuracy. For electronic batch records, this translates to signature-at-each-step requirements: the operator who performs a step signs off on it contemporaneously, and a second person (or reviewer) verifies. Reason-for-change fields are mandatory, not optional — every modification to a completed batch record entry must capture both the original value and the reason the change was made.
Audit Trail Review Under GMP
FDA's 2016 data integrity guidance and subsequent 483 citations have established a clear expectation: audit trails for GMP electronic records must be reviewed as part of the batch record review process before lot release. This isn't just a Part 11 requirement — it's a GMP quality system requirement. A platform that makes audit trail review burdensome or that doesn't generate a reviewable audit trail output will create practical compliance gaps in a GMP environment.
QMSR Implementation: February 2026
The FDA's Quality Management System Regulation took effect February 2, 2026, replacing the Quality System Regulation (21 CFR Part 820) with a framework that incorporates ISO 13485:2016 by reference. For medical device companies, the QMSR represents the first major structural change to the GMP framework in decades.
There's an important nuance for electronic signatures under QMSR. ISO 13485 does not include signature requirements that parallel Part 11. As a result, Part 11's electronic signature controls technically apply only where predicate rules require electronic recordkeeping — not automatically to all QMSR records. However, Part 11's electronic record controls (Subpart B) still apply wherever electronic records are required. Organizations migrating from the old QSR framework should work through this distinction carefully: the signature requirements haven't disappeared, but their applicability depends on which specific QMSR provisions require signed records.
GCP-Specific Requirements
Good Clinical Practice in the US is governed by FDA regulations (21 CFR Parts 50, 54, 56) and the ICH E6(R3) Good Clinical Practice guideline. GCP has three requirements that don't appear in GMP or GLP in the same form.
The Non-Repudiation Letter: A GCP-Specific Obligation
Section 11.100(c) requires that before using an electronic signature in an FDA-regulated activity, an organization must certify in writing to FDA that its electronic signatures are legally binding. This is the non-repudiation letter. While technically required across all Part 11 contexts, it's most consistently raised in GCP inspections because the 2024 FDA final guidance on electronic systems in clinical investigations (the 29 Q&As guidance) addressed it in detail. Q&A #29 clarified that one letter covers all clinical trials and FDA submission types for that organization — but each organization must submit its own. A CRO cannot rely on its sponsor's letter.
For a complete breakdown of the non-repudiation letter requirement, see our guide on the FDA Part 11 non-repudiation letter.
Delegation of Authority Logs
Clinical trials require formal documentation of who is authorized to do what at each site. The delegation of authority log (sometimes called the delegation log or DoA) captures the principal investigator's delegation of specific tasks to sub-investigators and other staff. In electronic systems, this document itself must meet Part 11 requirements — it must be signed electronically by the PI, include the date of delegation, and have a tamper-evident audit trail. The October 2024 FDA guidance confirmed that delegation logs are within scope for Part 11 even when they're maintained separately from the electronic data capture system.
ICH E6(R3) and Risk-Based Quality Management
ICH E6(R3) introduced a risk-based quality management approach that shifts how sponsors and CROs think about electronic systems. Under the R3 framework, the critical systems are those that affect subject safety and data integrity — and those are the systems where electronic signature and audit trail controls must be most rigorously maintained. A platform used for critical GCP records (informed consent, protocol amendments, adverse event reports) receives higher scrutiny than one used for administrative correspondence.
GLP-Specific Requirements
21 CFR Part 58 governs Good Laboratory Practice for non-clinical laboratory studies. GLP has a specific provision that doesn't appear in GMP or GCP: the study director designation. The study director is the single point of study control under GLP, and their electronic signature on the final report and amendments carries specific regulatory weight. Section 58.35 requires that the study director approve the study protocol, any amendments, and the final report. In electronic systems, each of these signature events must meet Part 11 Subpart C requirements — two-component authentication at the time of signing, with the signature meaning clearly captured.
GLP inspections are conducted by FDA's Good Laboratory Practice Program and tend to focus on raw data integrity and study reconstruction capability. An audit trail that can't support a complete reconstruction of what happened to a study record — including all modifications, who made them, when, and why — is a GLP audit trail failure.
EU GMP Annex 11: What It Adds for Multi-Regional Organizations
Organizations that operate under both FDA and EU regulations must satisfy Annex 11 of the EU GMP Guidelines (updated in the 2025 draft revision) in addition to Part 11. The two frameworks share most core principles but differ in important ways.
Annex 11 requires formal risk assessment documentation before system implementation, not just validation testing. It places explicit supplier/vendor audit obligations on the regulated user — the organization must assess the vendor's quality system and maintain oversight of any outsourced services. For cloud and SaaS platforms, this means formal vendor qualification including inspection rights and audit trail access verification.
The 2025 draft revision expanded Annex 11 significantly, adding explicit requirements for multi-factor authentication (aligned with Part 11 Subpart C), AI-generated record attribution (aligned with the January 2026 FDA-EMA joint AI guidance), and cybersecurity controls for computerized systems handling GMP records. For most modern SaaS platforms, the authentication and audit trail provisions are already satisfied by Part 11 compliance — but the vendor qualification and oversight documentation requirements may need additional attention.
Why "GxP Compliant" Is a Claim, Not a Certification
There is no third-party certification body that issues a "GxP compliant" certificate for an electronic signature platform. The compliance determination is made by the regulated user organization, not by FDA or EMA, and not by an external auditor. What vendors can provide are:
- Validation documentation (Installation Qualification, Operational Qualification, Performance Qualification protocols and executed test scripts) — this is what FDA investigators ask for when they want to verify that a system is compliant
- A 21 CFR Part 11 feature matrix mapping each regulatory requirement to specific system controls
- Audit trail architecture documentation showing how the hash chain is constructed and how tamper evidence is enforced
- SOC 2 Type II reports covering security and availability controls
- Vendor qualification packages that satisfy Annex 11 supplier oversight requirements
A vendor that claims GxP compliance but can't produce these documents is making an unverifiable claim. The regulated user organization — not the vendor — bears the compliance obligation. If FDA cites your organization for a Part 11 violation, "the vendor said it was compliant" is not a defense.
10 Questions to Ask Any GxP Platform Vendor
When evaluating electronic signature platforms for GxP environments, these questions cut through the marketing and get to the technical substance:
- Is two-factor authentication required at each signing event? Not just at login — at the moment each signature is applied.
- What are the two authentication components? Password + TOTP (authenticator app) is the current gold standard for Part 11 Section 11.200(a).
- How is signature meaning captured? The platform must capture a specific meaning (reviewer, approver, etc.) alongside the signer's name, date, and time.
- How is the audit trail protected from modification? What is the tamper-evident mechanism? SHA-256 hash chains are the technical standard.
- Can you produce an audit trail export in under five minutes? Same-day inspection readiness now requires this.
- Do you provide IQ/OQ/PQ validation documentation? Under CSA, the test scripts must still be complete for high-risk Part 11 functions.
- What does your 21 CFR Part 11 feature matrix map to? Ask to see the specific regulatory citations mapped to specific platform controls.
- How do you handle system changes and revalidation? Under CSA, change-triggered revalidation is still required for high-risk functions.
- What vendor qualification documentation do you provide for Annex 11 compliance? Required for EU GMP organizations.
- How is AI involvement in records captured in the audit trail? Required by the January 2026 FDA-EMA joint AI guidance for organizations using AI-assisted GxP workflows.
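How a SHA-256 hash chain makes an audit trail tamper-evident, and how a signature entry can be tied to the content of the record it signs as Section 11.70 describes, shown as an added example (not code from this guide or from any vendor's platform). The entry fields, function names, and sample batch record are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def digest(obj) -> str:
    """SHA-256 over canonical JSON so field order cannot change the hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_entry(trail, user, action, record_id, old, new, reason, ts):
    """Append a system-generated entry chained to the previous entry's hash."""
    body = {"user": user, "action": action, "record_id": record_id,
            "old": old, "new": new, "reason": reason, "ts": ts,
            "prev": trail[-1]["hash"] if trail else GENESIS}
    trail.append({**body, "hash": digest(body)})

def sign_record(trail, record, record_id, full_name, meaning, ts):
    """Log a signature (name, meaning, time) bound to the record's digest."""
    append_entry(trail, full_name, "sign:" + meaning, record_id,
                 None, digest(record), "signature", ts)

def first_broken_entry(trail) -> int:
    """Return the index of the first entry that fails verification, or -1."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["hash"] != digest(body):
            return i
        prev = entry["hash"]
    return -1

def signature_still_valid(trail, record, record_id) -> bool:
    """True if the latest signature on record_id matches its current content."""
    sigs = [e for e in trail
            if e["record_id"] == record_id and e["action"].startswith("sign:")]
    return bool(sigs) and sigs[-1]["new"] == digest(record)

# Constructed sample data: one batch record step, corrected and then approved.
record = {"step": 4, "mix_time_min": 32}
trail = []
append_entry(trail, "Operator One", "modify", "BR-001", 30, 32,
             "transcription error", "2026-03-01T09:15:00+00:00")
sign_record(trail, record, "BR-001", "Reviewer Two", "approver",
            "2026-03-01T10:02:00+00:00")
```

A chain like this proves internal consistency only: anyone able to rewrite every entry can rebuild it, so the most recent hash has to be stored or witnessed outside the system being checked.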
2026 Regulatory Developments That Affect GxP Electronic Signatures
Several 2026 regulatory developments are reshaping the GxP electronic signature landscape.
The QMSR implementation (February 2, 2026) requires medical device companies to revisit which electronic records require Part 11 signatures under the new ISO 13485-aligned framework. The answer isn't always the same as under the old QSR — organizations should review their predicate rule mapping.
The EMA-PIC/S joint consultation (February 2026) on a revised data management concept paper is aligning EU data integrity expectations more closely with FDA's. For multi-regional organizations, the practical effect is convergence: systems that satisfy FDA's Part 11 are increasingly likely to satisfy EU requirements as well, though the Annex 11 vendor oversight provisions remain an EU-specific requirement.
FDA inspection trends in 2026 show increased attention to the SOP layer — investigators are citing Section 11.10(j) for missing written policies even when the system itself is technically sound. GxP organizations need both a compliant platform and a documented SOP framework. For a breakdown of the specific SOPs required, see our guide on electronic signature SOPs for FDA Part 11.
Conclusion
GxP compliant electronic signatures start with FDA 21 CFR Part 11 as the non-negotiable foundation, then layer on discipline-specific requirements from the predicate rules of GMP, GLP, GCP, and EU GMP Annex 11. A genuinely GxP compliant platform must enforce two-component authentication at each signing event, capture signature meaning, maintain a tamper-evident hash-chained audit trail, support complete audit trail reconstruction, and come with validation documentation that covers the specific Part 11 functions.
The claim "GxP compliant" requires specific technical evidence to back it up. When evaluating platforms, ask for the validation documentation, the Part 11 feature matrix, and the audit trail architecture documentation — not just a compliance marketing page.
For a full technical breakdown of Part 11 compliance requirements, see our guide on FDA 21 CFR Part 11 compliance. For the ALCOA+ data integrity framework that governs audit trail content, see ALCOA+ audit trail software requirements. For a discipline-by-discipline comparison of GMP, GLP, and GCP signature obligations, see GxP electronic signature requirements. To see how Certivo satisfies these requirements, visit our compliance page.