"GxP compliant" is one of the most overused phrases in regulated industry software marketing. It appears on vendor websites, RFP responses, and product pages — often without a citation, without a regulation version number, and without any acknowledgment that GxP covers four distinct regulatory frameworks with different text, different enforcement bodies, and different requirements for electronic records and signatures.
This guide takes a different approach. Instead of summarizing what GxP compliance means in general terms, it pulls the actual regulatory text from FDA 21 CFR Part 11, EU GMP Annex 11 (2025 draft revision), ICH E6(R3), and the applicable MHRA guidance — and shows exactly what each one requires for electronic records and electronic signatures. If you're evaluating a vendor's compliance claims, these are the citations to check against.
Key Takeaways
- GxP covers four frameworks: GMP (21 CFR Parts 211, 820/QMSR), GLP (21 CFR Part 58), GCP (21 CFR Part 312, ICH E6(R3)), and the overarching electronic records rule (21 CFR Part 11).
- Part 11 Section 11.10(e) mandates audit trails that "independently record the date and time of operator entries and actions that create, modify, or delete electronic records." The word "delete" matters: soft deletes must be auditable.
- EU GMP Annex 11 Clause 12.1 (2025 draft) requires multi-factor authentication for access to GMP-critical electronic records — a stricter standard than Part 11's "at least two distinct identification components" at signing.
- ICH E6(R3) Section 5.5.3 requires sponsors to verify that electronic systems used in trials maintain data integrity and comply with applicable regulations — making sponsor oversight of site systems a regulated obligation, not just good practice.
- No third party issues a "GxP compliant" certification. Compliance is determined through inspection, and investigators use the regulatory text, not vendor marketing claims.
Framework 1: FDA 21 CFR Part 11 — The Foundation for All GxP Electronic Records
Part 11 is not a GxP-specific rule. It applies to any electronic record required by an FDA predicate rule, which includes GMP (21 CFR Parts 110, 211, 820/QMSR), GLP (21 CFR Part 58), GCP (21 CFR Part 312), and any other FDA regulation that requires recordkeeping. The predicate rule determines whether a record must exist; Part 11 determines what technical controls must govern that record if it's electronic.
The core requirements are in Subpart B (electronic records) and Subpart C (electronic signatures). Here's what the regulation text actually says for the most frequently audited sections:
Section 11.10(e): Audit Trail Requirements
The exact text: "Use of computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying."
Vendors frequently get three things in this text wrong:
- The audit trail must be "computer-generated" and "independent", meaning the user cannot control what gets logged.
- Changes "shall not obscure previously recorded information": the original value must be preserved alongside the new value. Soft-deleting a record and making the original inaccessible violates this.
- The audit trail must be "available for agency review and copying": it must be exportable in a human-readable format on demand.
Section 11.200(a): Authentication at the Time of Signing
The exact text: "Electronic signatures that are not based upon biometrics shall: (1) Employ at least two distinct identification components such as an identification code and password. (i) When an individual executes a series of signings during a single, continuous period of controlled system access, the first signing shall be executed using all electronic signature components; subsequent signings shall be executed using at least one electronic signature component that is only executable by, and designed to be used only by, the individual."
The critical phrase is "when an individual executes a series of signings during a single, continuous period." This describes a session-based authentication model where the first signature in a session uses both factors, but subsequent signatures in the same session can use one factor. It does not permit a platform to skip authentication at signing entirely because the user authenticated at login. Signing and login are distinct events under this section.
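The session model described above, as an added Python example (not code from the regulation or from any vendor): login never counts as a signing component, the first signature in a session needs ID code plus password, and later ones need the password alone. It also stamps the name, time and meaning that Section 11.50 requires; `Session`, `sign`, `MEANINGS` and the PBKDF2 password check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

MEANINGS = {"review", "approval", "responsibility", "authorship"}  # assumed SOP-controlled set

class SigningError(Exception):
    pass

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Session:
    """Hypothetical model of one continuous period of controlled access, opened at login."""
    user_id: str
    printed_name: str
    salt: bytes
    pw_hash: bytes
    full_signing_done: bool = False  # login never sets this; only a two-component signing does

    def end(self):
        # Logout or timeout ends the continuous period; the next signing is a first signing.
        self.full_signing_done = False

def new_session(user_id, printed_name, password):
    salt = os.urandom(16)
    return Session(user_id, printed_name, salt, hash_pw(password, salt))

def sign(session, record, meaning, password, user_id=None):
    """Sign `record`; user_id and password are what the signer typed in the signing dialog."""
    if meaning not in MEANINGS:
        raise SigningError("meaning must be selected from the controlled set")
    if not hmac.compare_digest(hash_pw(password, session.salt), session.pw_hash):
        raise SigningError("password check failed at signing")
    first = not session.full_signing_done
    if (first or user_id is not None) and user_id != session.user_id:
        raise SigningError("first signing in a session needs ID code and password")
    session.full_signing_done = True
    manifestation = {
        "printed_name": session.printed_name,
        "signed_at": datetime.now(timezone.utc).isoformat(),
        "meaning": meaning,
    }
    record.setdefault("signatures", []).append(manifestation)  # stored on the record itself
    return manifestation
```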
Section 11.50: Signature Manifestation
The exact text: "Signed electronic records shall contain information associated with the signing that clearly indicates all of the following: (1) The printed name of the signer; (2) The date and time when the signature was executed; and (3) The meaning (such as review, approval, responsibility, or authorship) associated with the signature."
"Meaning" is where most general-purpose e-signature tools fall short. DocuSign, Adobe Sign, and similar platforms capture names, dates, and times. They do not require the signer to select a meaning from a regulated set (approve, review, author, verify) at the time of signing. Under Part 11, this isn't optional. The meaning must be "clearly indicated" on the signed record — not just logged internally.
Framework 2: EU GMP Annex 11 — What the 2025 Draft Adds
EU GMP Annex 11 is the European equivalent of Part 11 for pharmaceutical manufacturing and clinical trials under the EU regulatory framework. The EMA published a draft revision in 2025 that significantly expanded the original 2011 text. The 2025 draft is not yet binding, but regulatory inspectors in EU member states have begun incorporating its requirements into inspections. Planning for the 2025 draft now is the practical approach.
Clause 12.1 (2025 Draft): Multi-Factor Authentication
The 2025 draft text: "Access to computerized systems used in GxP-critical processes shall be controlled using multi-factor authentication. Authentication mechanisms shall be commensurate with the criticality of the data and the operations performed."
This is meaningfully stricter than Part 11's two-component requirement. Part 11 Section 11.200(a) requires two identification components at signing. The 2025 Annex 11 draft requires multi-factor authentication for access to GMP-critical systems — meaning MFA applies at login, not just at signing. Organizations operating under both FDA and EU GMP jurisdiction need to satisfy both standards. The practical implication: MFA at login AND authentication at signing.
Clause 9 (Audit Trails): Scope Expansion
Annex 11 Clause 9 states: "Consideration should be given, based on a validated risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system-generated 'audit trail'). For change or deletion of GMP-relevant data the reason should be documented."
Note the phrase "reason should be documented." This maps directly to Part 11's practical requirement for reason-for-change capture — but Annex 11 frames it as risk-based rather than absolute. In practice, EU inspectors treat reason-for-change as mandatory for any GMP-critical data modification. The 2025 draft strengthens this by requiring the audit trail to cover "all GMP-relevant changes and deletions" — expanding the scope beyond what legacy systems often capture.
Framework 3: ICH E6(R3) — GCP Electronic Records for Clinical Investigations
ICH E6(R3) is the current Good Clinical Practice guideline, finalized in 2023 and in full implementation as of 2026. It replaced E6(R2) with substantially expanded guidance on electronic systems, data governance, and the roles of sponsors, CROs, and investigator sites. Relevant sections for electronic records and signatures include:
Section 5.5.3: Sponsor Oversight of Electronic Systems
ICH E6(R3) text: "When computerized systems are used to generate, modify, maintain, archive, retrieve, or transmit clinical trial data, the sponsor should ensure, and document as appropriate, that: (a) The computerized systems are suitable for their intended purpose; (b) Validated processes exist to ensure the integrity and reliability of the data; (c) The systems conform to applicable regulatory requirements for electronic records and signatures."
This places sponsor responsibility explicitly over site systems. Under E6(R3), a sponsor cannot simply instruct sites to use a "Part 11 compliant" tool and consider oversight complete. The sponsor must have a documented basis for concluding that the system is suitable, validated, and regulatory-conformant. This requires vendor qualification audits, written agreements covering e-signature controls, and periodic re-evaluation — not a one-time vendor selection decision.
Section 4.9.0: Investigator Site Electronic Records
E6(R3) requires investigator sites to maintain source data that is "attributable, legible, contemporaneous, original, accurate, and complete." These are the ALCOA+ principles applied explicitly to GCP records. Electronic signatures on GCP records — FDA Form 1572, delegation of authority logs, protocol amendments, serious adverse event reports — must satisfy both the ALCOA+ requirements and the Part 11 authentication standards.
For a full breakdown of how these requirements apply to investigator site documents, see our guide on 21 CFR Part 11 for small clinical research sites.
Framework 4: MHRA and Post-Brexit Divergence
Since January 2021, the UK Medicines and Healthcare products Regulatory Agency (MHRA) has operated independently of EMA. UK GMP guidance now references MHRA's own version of Annex 11, which as of 2026 tracks closely but not identically with the EU GMP version. UK-specific clinical trials regulations are also diverging from EU CTR 536/2014.
For organizations with UK trial sites or UK GMP facilities: verify whether the e-signature platform has been assessed against MHRA requirements specifically, not just EMA requirements. MHRA inspectors have issued 483-equivalent deficiency findings for audit trail gaps that were assessed under the EU Annex 11 standard without MHRA-specific verification.
Where "GxP Compliant" Claims Fall Short of the Regulatory Text
Most vendor compliance claims fail on at least one of these regulatory text checkpoints:
| Regulatory Requirement | Citation | Common Vendor Gap |
|---|---|---|
| Audit trail must be computer-generated and independent of user control | 21 CFR 11.10(e) | Admin users can disable logging or purge audit entries in the database |
| Record changes shall not obscure previously recorded information | 21 CFR 11.10(e) | Soft-delete removes records from view; original value not preserved alongside new value |
| Two identification components required at signing (not just at login) | 21 CFR 11.200(a) | Platform authenticates at login only; signing does not require a second authentication event |
| Signature manifestation must include meaning | 21 CFR 11.50(b)(3) | Platform captures name and date but not meaning; no signer-facing meaning selection at signing |
| Multi-factor authentication for access to GMP-critical systems | EU GMP Annex 11 Clause 12.1 (2025 draft) | MFA optional or only available on enterprise plans; not enforced at the system level |
| Reason-for-change documented for GMP-relevant data modifications | EU GMP Annex 11 Clause 9 | Platform allows record changes without capturing the reason; reason field is optional |
| Sponsor must document that site systems satisfy regulatory requirements | ICH E6(R3) Section 5.5.3 | Sponsor provides no written system qualification for site e-signature tools; no vendor audit performed |
2026: FDA and EU Regulatory Text is Converging
The February 2026 EMA-PIC/S joint consultation on data management concept papers represents the clearest convergence signal in recent regulatory history. The consultation text explicitly references ALCOA++ principles — including Traceable as the tenth principle — in language that maps closely to Part 11's Section 11.10(e) requirements. The practical effect: what FDA required for electronic audit trails in 1997 and what the EU is codifying in 2026 are arriving at nearly the same technical specification.
For multi-regional organizations, this convergence simplifies compliance architecture. A system that genuinely satisfies Part 11's audit trail requirements — immutable, computer-generated, tamper-evident, hash-chained, with original-value preservation and reason-for-change capture — will satisfy the 2025 Annex 11 draft audit trail requirements as well. The authentication requirements diverge slightly (Annex 11 MFA at login vs. Part 11 two-component at signing), but the audit trail architecture can be unified.
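An added Python example (not taken from any regulation or product) of the audit trail architecture described here and under Section 11.10(e): an append-only, hash-chained log that keeps the old value beside the new one and requires a reason for modify and delete. The `AuditTrail` class, its field names and the sample records are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed anchor value for the first entry's "prev" field

def _digest(body):
    # Canonical JSON (sorted keys) so an entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Hypothetical append-only trail: it exposes no update or delete method."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, record_id, old, new, reason=""):
        if action in ("modify", "delete") and not reason.strip():
            raise ValueError("modify/delete requires a reason for change")
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),  # system clock, never user input
            "user": user, "action": action, "record_id": record_id,
            "old": old, "new": new,  # original value kept beside the new one
            "reason": reason,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

def demo():
    # Constructed sample records.
    trail = AuditTrail()
    trail.record("asmith", "create", "BATCH-001", None, {"ph": 7.1})
    trail.record("asmith", "modify", "BATCH-001", {"ph": 7.1}, {"ph": 7.4}, "transcription error")
    trail.record("bjones", "delete", "BATCH-001", {"ph": 7.4}, None, "duplicate entry")
    intact = trail.verify()
    trail.entries[1]["old"] = {"ph": 7.4}  # simulate an edit made directly in the database
    return intact, trail.verify()
```

`verify()` catches edits and removals inside the chain but not truncation of the newest entries, so the latest hash also needs to be stored somewhere the application's administrators cannot write.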
For a full breakdown of the ALCOA++ Traceable principle and what it requires for audit trail software, see our guide on ALCOA++ data integrity and the tenth principle.
Evaluating a Vendor's GxP Compliance Claims: The Regulatory Text Test
Ask any vendor making a "GxP compliant" claim to answer these questions against the actual regulatory text:
- Show me where in the audit trail original values are preserved alongside new values (11.10(e) original-value requirement).
- Demonstrate that authentication is required at the time of each signature, not just at login (11.200(a) at-signing requirement).
- Show me the signer-facing meaning selection at signing — what options appear and can they be customized to match our SOPs (11.50(b)(3) meaning requirement).
- Can the audit trail be exported in a human-readable format for FDA inspection within five minutes, filtered by date range, user, or record type (11.10(e) availability requirement)?
- Is multi-factor authentication enforced at login for access to GxP-critical records, not just optional (Annex 11 Clause 12.1)?
- Can you provide the IQ/OQ/PQ validation documentation or CSA risk assessment that supports the GxP compliant claim (Part 11 system validation requirement)?
- What written qualification documentation can you provide for our sponsor to satisfy ICH E6(R3) Section 5.5.3 oversight requirements?
Vendors who can answer these questions with specific demonstrations and documentation are genuinely compliant. Vendors who respond with general statements about being "built for regulated industries" or "used by leading pharma companies" are citing marketing, not the regulatory text.