FDA Part 11 Non-Repudiation Letter: What It Is, How to Write It, and Where to Submit

Section 11.100(c) of 21 CFR Part 11 requires that before using electronic signatures in FDA-regulated activities, the responsible organization certify in writing to the FDA that those electronic signatures are the legally binding equivalent of traditional handwritten signatures. This written certification is what practitioners call the non-repudiation letter or letter of certification.

Most organizations that have been using electronic signatures for years submitted one and moved on. But the FDA's October 2024 final guidance on electronic systems in clinical investigations brought renewed attention to the requirement. Q&A #29 specifically clarified who must submit a letter, when a CRO's own letter is required versus relying on the sponsor's, and whether one letter covers multiple studies. That guidance has since triggered a wave of organizations realizing they either never submitted a letter or aren't sure if their submission covered the right scope.

What Section 11.100 Actually Requires

The regulatory text at 21 CFR 11.100(b) states that persons using electronic signatures shall, prior to or at the time of such use, certify to the agency that the electronic signatures used on or after August 20, 1997, are intended to be the legally binding equivalent of traditional handwritten signatures. Section 11.100(c) specifies that the certification shall be signed with a traditional handwritten signature and submitted in paper form to the FDA.

The rule was written in 1997, before electronic submissions were routine for this type of filing. FDA now accepts submissions through both the Electronic Submissions Gateway (ESG) and traditional mail, but paper remains the stated default format for the certification letter itself.

The core purpose of the requirement is establishing non-repudiation at the organizational level. The letter creates a corporate commitment that individual signers within the organization can't later disavow their electronic signatures. It's the procedural acknowledgment that electronic signing carries the same legal weight as a handwritten signature under Part 11.

Who Must Submit

Any organization that uses electronic signatures in FDA-regulated activities must submit the certification. This includes:

• Sponsors of clinical trials using electronic signatures on study-related documents or submissions to FDA
• CROs: the 2024 guidance (Q&A #29) confirmed that CROs using their own electronic signature systems must submit their own letter, independent of the sponsor's
• Pharmaceutical manufacturers using electronic signatures on batch records, SOPs, and other GMP-regulated documents
• Medical device manufacturers using electronic signatures in their quality management system under QMSR or 21 CFR Part 820
• Clinical research sites using electronic signatures on FDA-regulated forms such as FDA 1572, delegation of authority logs, and GCP monitoring records

The certification requirement applies to the organization as a whole, not to individual signers. One submission from an organization covers all individuals who sign under that organization's FDA-regulated activities.

Does One Letter Cover All Studies?

Yes. The FDA's 2024 guidance Q&A #29 confirmed that one non-repudiation letter covers all the electronic signatures used by an organization across all studies, systems, and record types. You don't submit a new letter for each IND, each NDA, or each clinical trial you conduct.

The letter is organizational, not system-specific or study-specific. If you add a new e-signature platform or switch vendors, your existing letter still covers signatures made on the new system. What you do need to update is your system validation documentation for the new platform. The non-repudiation letter itself doesn't change unless the organization's legal name or responsible officer changes.

Do CROs Need Their Own Letter?

The 2024 guidance answered this directly. CROs are regulated entities under Part 11 in their own right when they use electronic signatures on FDA-regulated records in clinical investigations. A CRO is not simply an extension of the sponsor's organization.

If a CRO operates its own electronic signature system for GCP-regulated activities (monitoring visit reports, TMF documents, delegation of authority logs), the CRO must submit its own non-repudiation letter. The sponsor's letter covers the sponsor's employees and the sponsor's systems. CROs using their own platforms for regulated record-keeping are independent regulated entities with their own Part 11 obligations.

One exception: if the sponsor's letter explicitly names the CRO as covered and describes the CRO's role, the CRO may be covered. But this requires deliberate drafting and mutual agreement with the sponsor, and it still binds the sponsor to the CRO's electronic signature practices. Most CROs are better served by submitting their own letter.

For the broader set of Part 11 obligations specific to CROs, including system qualification requirements and audit trail access provisions from the 2024 guidance, see the full treatment of CRO compliance.

What the Letter Must Include

FDA published sample language in Appendix H to the ESG Technical Conformance Guide. The required elements are:

• Organization identification: the full legal name of the organization making the certification
• Regulatory citation: explicit reference to 21 CFR 11.100(b) or 11.100(c)
• The certification statement: a clear declaration that the organization intends all electronic signatures executed by its employees, agents, or representatives to be the legally binding equivalent of traditional handwritten signatures
• Scope of activities: a description of the FDA-regulated activities for which electronic signatures will be used (you can be broad: "in connection with regulated activities conducted by [Organization Name]")
• Handwritten signature: the letter must be signed with a traditional handwritten signature by a responsible officer or equivalent who has authority to make this commitment on behalf of the organization
• Date and company letterhead: the letter must be dated and printed on official company letterhead

FDA's sample language from Appendix H reads roughly: "Pursuant to Section 11.100(b) of Title 21 of the Code of Federal Regulations, this is to certify that [Organization Name] intends that all electronic signatures executed by its employees, agents, or representatives are the legally binding equivalent of traditional handwritten signatures."

The letter doesn't need to be long. One to two paragraphs on company letterhead with these elements is sufficient. FDA is not evaluating the quality of the prose. It's confirming that the organizational commitment exists in writing.

Where to Submit

FDA maintains a dedicated submission process for non-repudiation letters through its Letters of Non-Repudiation Agreement page on FDA.gov. Submissions can go via two routes:

• Electronic Submissions Gateway (ESG): the preferred route for organizations already set up for electronic submissions to FDA. Look for the non-repudiation agreement submission type within the ESG interface.
• Paper mail: FDA's published address for non-repudiation agreements. The submission address has changed over the years (FDA issued a Federal Register notice updating it in 2023), so always verify the current address at FDA.gov before mailing. Sending to an outdated address creates a documentation gap.

FDA does not typically issue a formal acknowledgment letter for non-repudiation certifications. Keep a copy of exactly what you submitted, any delivery confirmation, and the date. Your electronic signature SOPs should reference where the certified copy is maintained and when the submission was made. During an FDA inspection, this is part of your Part 11 documentation package.

What If You Haven't Submitted One Yet

Correct it as soon as you identify the gap. FDA hasn't historically issued 483 observations solely for missing non-repudiation letters. The more common data integrity findings are technical deficiencies in the e-signature system itself. But the absence of a letter is a compliance gap under the regulation, and it surfaces during inspections when investigators review your overall Part 11 compliance documentation.

If you've been using electronic signatures without having submitted the certification:

1. Submit the letter immediately with the actual current date. Don't attempt to backdate it
2. Document the finding and correction in your quality system as a CAPA, noting when the gap was identified and when remediated
3. Update your electronic signature SOPs to include the non-repudiation letter as a required step in the system qualification process for any new e-signature platform or regulated activity

For most organizations, the non-repudiation letter is a one-time submission that gets filed, documented, and then maintained as part of the compliance record. The ongoing compliance work is in maintaining the technical controls, validation documentation, and SOPs that make the electronic signature system actually satisfy Part 11's substantive requirements.

The Letter as Part of Your Part 11 Program

The non-repudiation letter is the procedural acknowledgment that electronic signatures carry legal weight in your organization. The substance of Part 11 Subpart C is what makes them technically enforceable: unique user credentials, two-component authentication at the time of signing, signature meaning displayed on the signed record, and cryptographic binding of the signature to the record.

Organizations that understand the non-repudiation letter as one element of a complete Part 11 program, rather than a standalone checkbox, tend to fare better in data integrity inspections. The letter establishes organizational intent. The technical controls and SOPs prove that the intent was backed by a system that actually delivers it. If you're evaluating whether your current platform supports the full set of requirements, the Certivo compliance overview covers how each technical control maps to the specific sections of Part 11.