Dear all,
I would like to ask whether Acrobat Reader digital signature “certificates” meet the requirements for electronic signatures in clinical studies, in compliance with the EMA guidance (Guideline on Computerised Systems and Electronic Data in Clinical Trials, page 15).
I have pasted the relevant text from page 15.
Additionally, do you know if there is any official documentation from Acrobat Reader that confirms compliance with these requirements?
Thank you very much in advance for your assistance.
Best regards,
Bente
4.8. Electronic signatures
The system should include functionality to:
• authenticate the signatory, i.e. establish a high degree of certainty that a record was signed by the claimed signatory;
• ensure non-repudiation, i.e. that the signatory cannot later deny having signed the record;
• ensure an unbreakable link between the electronic record and its signature, i.e. that the contents of a signed (approved) version of a record cannot later be changed by anyone without the signature being rendered visibly invalid;
• provide a timestamp, i.e. that the date, time, and time zone when the signature was applied is recorded.
Electronic signatures can further be divided into two groups depending on whether the identity of the signatory is known in advance, i.e. signatures executed in 'closed' and in 'open' systems.
For 'closed' systems, which constitute the majority of systems used in clinical trials and which are typically provided by the responsible party or by their respective service provider, the system owner knows the identity of all users and signatories and grants and controls their access rights to the system. Regulation (EU) No 910/2014 ('eIDAS') on electronic identification and trust services for electronic transactions is not applicable for 'closed' systems ('eIDAS' article 2.2). The electronic signature functionality in these systems should be proven during system validation to meet the expectations mentioned above.
For 'open' systems, the signatories (and users) are not known in advance. For sites located in the EU, electronic signatures should meet the requirements defined in the 'eIDAS' regulation. Sites located in third countries should use electronic or digital signature solutions compliant with local regulations and proven to meet the expectations mentioned above.
Irrespective of the media used, in case a signature is applied on a different document or only on part of a document (e.g. signature page), there should still be an unbreakable link between the electronic document to be signed and the document containing the signature.
What exactly do you mean by Acrobat Reader digital signature “certificates”?
Do you mean digital signatures Adobe Acrobat can create locally? In that case this is not only a question about Adobe Acrobat but additionally about how the cryptographic key material of the signers is created and maintained.
Or do you want to express something specific by the “certificates” you added?
I mean creating a digital signature in Acrobat Reader using a certificate to apply the signature. In our process, we lock the document after signing to ensure that no alterations can be made.
Can you point me to any official Adobe documentation or legal/security resources that confirm this approach complies with the EMA requirements for electronic signatures in clinical studies (Guideline on Computerised Systems and Electronic Data in Clinical Trials, section 4.8)?
As far as official Adobe documentation is concerned, the Adobe employees also active in this community forum are more qualified to give some pointers. I merely am a user who happens to know a bit about signatures.
Concerning the criteria you quoted, some remarks:
That being said, this focuses on Adobe Acrobat as signing software. Which software do you want to use for validation of those signatures?
Also be aware of the soon-to-come transition to post-quantum cryptography. If your project is not extremely short-term only, you'll have to consider a strategy to keep the probative value of older, pre-PQC signatures in a PQ world.
"In our process, we lock the document after signing to ensure that no alterations can be made."
Please be aware that according to the PDF specification even locked documents may be updated to add validation related information and document time stamps.
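The point in the reply above, that bytes can be appended to a signed PDF after signing, can be checked by comparing each signature's /ByteRange with the file length. The sketch below is an added example, not part of the original posts and not Adobe code; the function names and the PDF-like sample are constructed for illustration. It does not verify the signature itself, and trailing bytes are not by themselves evidence of tampering, since validation information and document time stamps are added this way.

```python
import re

# A signature dictionary's /ByteRange is [offset1 length1 offset2 length2]:
# the two signed byte spans, with the /Contents hex string in the gap between.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes) -> list:
    """Return one entry per /ByteRange describing which bytes it covers."""
    report = []
    for match in BYTE_RANGE.finditer(pdf):
        off1, len1, off2, len2 = map(int, match.groups())
        signed_end = off2 + len2
        report.append({
            "starts_at_zero": off1 == 0,
            # Bytes excluded from the digest; should be only the /Contents value.
            "excluded_gap": pdf[off1 + len1:off2],
            "signed_end": signed_end,
            # Bytes appended after the signed revision (incremental updates).
            "trailing_bytes": len(pdf) - signed_end,
        })
    return report


def build_sample(update: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (not a valid PDF) with a consistent /ByteRange."""
    prefix = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange ["
    after_array = b"] /Contents "
    contents = b"<" + b"00" * 32 + b">"          # placeholder signature value
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(prefix) + 34 + len(after_array)    # 34 = width of the padded array
    off2 = len1 + len(contents)
    array = b"0 %010d %010d %010d" % (len1, off2, len(tail))
    return prefix + array + after_array + contents + tail + update


if __name__ == "__main__":
    later = b"2 0 obj\n<< /Type /DSS >>\nendobj\n%%EOF\n"   # constructed update
    for label, data in (("as signed", build_sample()),
                        ("after later update", build_sample(later))):
        for sig in signature_coverage(data):
            print(label, "signed_end:", sig["signed_end"],
                  "trailing_bytes:", sig["trailing_bytes"])
```

A non-zero `trailing_bytes` value means the file has revisions the signature does not cover, which is the case a validator has to classify as permitted (validation data, time stamps) or not.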
Thank you very much for your helpful response! Your explanation regarding authentication, non-repudiation, unbreakable links, and timestamps is greatly appreciated.
In our workflow, the certificates are stored locally by each signer, and we lock the PDF after signing to ensure no alterations are possible. We currently use Adobe Acrobat Reader for signing, though I’m not certain about any additional validation software in place at our site; I believe this is Adobe Acrobat Reader.
Your insights have been very useful for understanding the technical side of digital signatures. I hope to hear from Adobe employees regarding official documentation confirming that this approach meets EMA requirements.
Thanks again for your guidance!
Two remarks:
"In our workflow, the certificates are stored locally by each signer,"
I assume you mean not only the certificate (which contains the public key plus some public metadata) but also the private key is stored locally on disc. This might become a problem if EMA guidelines are interpreted in a strict manner: Locally stored keys can potentially be copied (if you leave your computer without locking it) which may allow others to sign using your key. This potential may be taken as a way to repudiate a signature ("I haven't signed that! Someone must have copied my key!"). Better non-repudiation would be achieved by private keys on smart cards, tokens, or HSMs.
"I’m not certain about any additional validation software in place at our site; I believe this is Adobe Acrobat Reader."
I asked about the validation software because validation by Adobe Acrobat is not as strict as validation prescribed by ETSI for qualified EU signatures. If EMA compliance assumes validation along the ETSI validation specification, this might become a problem.