Electronic vs. digital signatures: on the road to eConsent
Electronic signature and digital signature are often used interchangeably, but they are not the same thing. The distinction matters in clinical research, where the level of assurance a signature needs to provide varies significantly depending on the nature of the study and the regulatory framework that applies.
Electronic signatures
An electronic signature (eSignature) is a broad term covering any electronic method used to indicate agreement or sign-off on a document. This includes scanned handwritten signatures, typed names, or finger or stylus input on a screen. eSignatures demonstrate that a document was reviewed and approved, but they provide limited assurance about the identity of the signatory or the exact time of signing. In some contexts they can be legally repudiated. For lower-risk studies, this level of assurance is often sufficient.
Digital signatures
Digital signatures go further by using encryption and cryptographic algorithms to bind the signature to both the document and the individual. This makes them much harder to repudiate and significantly more resistant to fraud. The FDA's own regulatory text defines a digital signature precisely along these lines: an electronic signature based on cryptographic methods of originator authentication, computed using a set of rules and parameters such that the identity of the signer and the integrity of the data can be verified. In US terminology, "digital signature" tends to refer specifically to this cryptographic approach. In the UK and EU, the equivalent terms are advanced and qualified eSignatures, which carry increasingly higher levels of legal assurance.
US requirements
In the United States, electronic signatures in general commerce are governed by the ESIGN Act and the Uniform Electronic Transactions Act (UETA). Compliance requires:
- Clear intent to sign from all parties
- Consent to conduct business electronically
- Association of the signature with a record that reflects the process of its creation
- Retention of records for accurate reproduction
For life sciences and clinical research, 21 CFR Part 11 adds further requirements. These include:
- Validation that the system produces accurate and reliable records
- The ability to generate human-readable copies for FDA inspection
- Two unique identifiers to protect each signature (such as username and password)
- Access controls including automatic logout after inactivity
- Timestamps on all signing events and data changes
- Passwords entered uniquely at each signing point (no auto-population)
- Multi-signatory capability within the same platform
- A non-repudiation agreement with the FDA on file
UK and EU requirements
The UK retained EU eIDAS regulation through the European Union Withdrawal Act 2018. Under eIDAS, electronic signatures exist on a three-tier spectrum, and the tier determines both the technical bar a system has to clear and the legal weight the resulting signature carries.
| Tier | What it requires | Legal weight |
|---|---|---|
| Basic (simple) | Minimal technical requirements, e.g. a typed name or ticked box | Lowest, easiest to challenge |
| Advanced | Uniquely linked to the signatory, capable of identifying them, created using data the signatory can control | Higher, harder to repudiate |
| Qualified | An advanced signature created via a qualified device and certificate from an accredited trust service provider | Highest, legally equivalent to a handwritten signature across the EU |
UK GDPR and the Data Protection Act 2018 operate alongside these requirements for anything involving personal data.
What this means in practice
The appropriate signature type for your study depends on the risk level, regulatory jurisdiction, and what has been agreed with your ethics review body. Matching the tier to the study is not just a legal formality: using a qualified signature for a low-risk observational survey adds friction and cost that buys no real benefit, while using a basic signature for a high-risk interventional trial leaves a gap an auditor or regulator will eventually find.
The key questions to ask are:
- Can you reliably trace the identity of each signatory?
- Is there a timestamp tied to each event?
- Is the method documented in your protocol?
- Is the level of assurance proportionate to the risk of the study?
Getting this right at the design stage is considerably easier than demonstrating compliance retrospectively during an audit. A platform that defaults to the highest tier everywhere avoids under-provisioning, but it's worth checking that decision was made deliberately rather than inherited from whatever the vendor set up first, since the cost and friction of an unnecessarily high tier is a real, ongoing overhead on every participant interaction, not a one-off configuration choice.