Skip to main content
B
bente_2159
Participant
September 9, 2025
Question

Compliance with European Medicines Agency guideline

  • September 9, 2025
  • 1 reply
  • 197 views

Dear all,

I would like to ask whether Acrobat Reader digital signature “certificates” meet the requirements for electronic signatures in clinical studies, in compliance with the EMA guidance (Guideline on Computerised Systems and Electronic Data in Clinical Trials, page 15).

I have pasted the relevant text from page 15.

Additionally, do you know if there is any official documentation from Acrobat Reader that confirms compliance with these requirements?

Thank you very much in advance for your assistance.

Best regards,
Bente

4.8. Electronic signatures
The system should include functionality to:
• authenticate the signatory, i.e. establish a high degree of certainty that a record was signed by
the claimed signatory;
• ensure non-repudiation, i.e. that the signatory cannot later deny having signed the record;
• ensure an unbreakable link between the electronic record and its signature, i.e. that the contents
of a signed (approved) version of a record cannot later be changed by anyone without the
signature being rendered visibly invalid;
• provide a timestamp, i.e. that the date, time, and time zone when the signature was applied is
recorded.
Electronic signatures can further be divided into two groups depending on whether the identity of the
signatory is known in advance, i.e. signatures executed in 'closed' and in 'open' systems.
For 'closed' systems, which constitute the majority of systems used in clinical trials and which are
typically provided by the responsible party or by their respective service provider, the system owner
knows the identity of all users and signatories and grants and controls their access rights to the system.
Regulation (EU) No 910/2014 ('eIDAS') on electronic identification and trust services for electronic
transactions is not applicable for 'closed' systems ('eIDAS' article 2.2). The electronic signature
functionality in these systems should be proven during system validation to meet the expectations
mentioned above.
For 'open' systems, the signatories (and users) are not known in advance. For sites located in the EU,
electronic signatures should meet the requirements defined in the 'eIDAS' regulation. Sites located in
third countries should use electronic or digital signature solutions compliant with local regulations and
proven to meet the expectations mentioned above.
Irrespective of the media used, in case a signature is applied on a different document or only on part of
a document (e.g. signature page), there should still be an unbreakable link between the electronic
document to be signed and the document containing the signature.

1 reply

MikelKlink
MikelKlink
Participating Frequently
September 10, 2025

What exactly do you mean by Acrobat Reader digital signature “certificates”

Do you mean digital signatures Adobe Acrobat can create locally? In that case this is not only a question about Adobe Acrobat but additionally about how the cryptographic key material of the signers is created and maintained. 

Or do you want to express something specific by the “certificates” you added?

B
bente_2159Author
Participant
September 10, 2025

I mean creating a digital signature in Acrobat Reader using a certificate to apply the signature. In our process, we lock the document after signing to ensure that no alterations can be made.

Can you point me to any official Adobe documentation or legal/security resources that confirm this approach complies with the EMA requirements for electronic signatures in clinical studies (Guideline on Computerised Systems and Electronic Data in Clinical Trials, section 4.8)?

 

 

MikelKlink
MikelKlink
Participating Frequently
September 10, 2025

As far as official Adobe documentation is concerned, the Adobe employees also active in this community forum are more qualified to give some pointers. I merely am a user who happens to know a bit about signatures.

 

Concerning the criteria you quoted, some remarks:

  • Authentication and non-repudiation: The mechanisms used by digital signatures as implemented in Adobe Acrobat are in line with these requirements as long as the issuance and handling of the X.509 certificates and private keys of the users also are. If the private keys of the users are stored in some public folder without secure encryption, though, they obviously are not.
  • Unbreakable link: A secure hash of the signed data is stored in the digital signature to establish such a link. Also in case of digital signatures in PDFs, they always refer to the whole PDF revision to which they were applied.
  • Timestamp: If the local time of the computers in question is not managed to be correct, you should apply digital timestamps in the course of signing.

 

That being said, this focuses on Adobe Acrobat as signing software. Which software do you want to use for validation of those signatures?

 

Also be aware of the soon-to-come transition to post-quantum cryptography. If your project is not extremely short-term only, you'll have to consider a strategy to keep the probative value of older, pre-PQC signatures in a PQ world.

 

quote

In our process, we lock the document after signing to ensure that no alterations can be made.

 

Please be aware that according to the PDF specification even locked documents may be updated to add validation related information and document time stamps.

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices