Understanding Electronic Signatures: A Comprehensive Guide
What is an Electronic Signature?
An electronic signature is signature information attached to electronic documents to ensure their authenticity. While paper documents can be sealed with physical stamps or seals, electronic documents cannot accommodate such traditional methods. Therefore, electronic signatures have been legally recognized as equivalent to physical seals and stamps.
Electronic signatures broadly refer to any act of signing electronically using characters, symbols, marks, or other representations. In particular, a signature method that applies public-key cryptography to prove the creator of a document and ensure that the document has not been tampered with is called a “digital signature.”
Essential Requirements for Electronic Signatures
For a signature to be considered an electronic signature under Japanese law, it must satisfy the following two requirements:
- Proof of Identity (Authentication): The information must demonstrate that it was created by the person who applied the signature.
- Proof of Non-Tampering (Integrity): It must be possible to verify whether the information has been altered.
These fundamental requirements are aligned with international data integrity principles that have become increasingly important in pharmaceutical and other regulated industries.
Data Integrity and ALCOA/ALCOA+ Principles
In recent years, particularly in pharmaceutical and medical device industries, the concept of data integrity has gained significant attention. Data integrity ensures that data remains complete, consistent, and accurate throughout its entire lifecycle.
The FDA (U.S. Food and Drug Administration) and EMA (European Medicines Agency) have established the ALCOA Principles as the foundation for data integrity:
| Principle | Requirement | Description |
|---|---|---|
| Attributable | Attribution | Clear identification of who performed the action and when |
| Legible | Readability | Data must be readable and understandable throughout retention period |
| Contemporaneous | Simultaneity | Data must be recorded at the time of the event |
| Original | Originality | Original records or certified true copies must be retained |
| Accurate | Accuracy | Data must be accurate and free from errors |
Furthermore, the EMA has expanded these principles to ALCOA+ (also known as ALCOA CCEA) by adding four additional requirements:
| Additional Principle | Requirement | Description |
|---|---|---|
| Complete | Completeness | All data necessary to reconstruct events must be present |
| Consistent | Consistency | Data must be internally consistent without contradictions |
| Enduring | Durability | Data must remain accessible throughout required retention period |
| Available | Availability | Data must be retrievable when needed |
These principles apply to both electronic and paper records and have become essential requirements for regulatory compliance in pharmaceutical manufacturing, clinical trials, and quality control.
Common Misconception: 21 CFR Part 11 vs. Japan’s ER/ES Guidelines
Many people mistakenly believe that “21 CFR Part 11 and Japan’s ER/ES Guidelines define electronic signatures in the same way.” However, the definitions of electronic signatures in Japan’s ER/ES Guidelines and Part 11 are actually different.
Japan’s ER/ES Guidelines
Japan’s ER/ES Guidelines, issued on April 1, 2005 (Notification No. 0401022 from the Pharmaceutical and Food Safety Bureau of the Ministry of Health, Labour and Welfare), state in Section 4.(1): “Procedures for the management and operation of electronic signatures must be documented and properly implemented in accordance with the Act on Electronic Signatures and Certification Services (Act No. 102 of May 31, 2000).”
This clearly indicates that the definition aligns with that of the Electronic Signatures Act. The Electronic Signatures Act defines electronic signatures as those using public-key cryptography, which satisfies both requirements mentioned above:
- Identity proof (authentication)
- Non-tampering proof (integrity)
21 CFR Part 11
In contrast, 21 CFR Part 11, promulgated on March 20, 1997, and effective August 20, 1997, defines electronic signatures as actions that can only be performed by the true owner through a combination of user ID and password, or through biometrics.
This method satisfies only the first requirement mentioned above: identity proof. However, it does not provide non-tampering proof, which is the second requirement.
| Comparison Item | 21 CFR Part 11 | Japan’s ER/ES Guidelines |
|---|---|---|
| Issuing Authority | U.S. FDA | Japan MHLW |
| Effective Date | August 20, 1997 | April 1, 2005 |
| Electronic Signature Method | User ID + Password or Biometrics | Public-key cryptography (aligned with Electronic Signatures Act) |
| Identity Proof | ✓ Satisfied | ✓ Satisfied |
| Non-Tampering Proof | ✗ Not satisfied | ✓ Satisfied |
| Core Principles | System validation, audit trails, access control | Authenticity, Readability, Preservation (3 principles) |
In other words, electronic signatures as defined by Part 11 do not provide the “non-tampering proof” capability that is required by Japanese regulations.
PDF Format and Electronic Signatures
When saving electronic documents with electronic signatures, the PDF format is commonly used. This is because PDFs allow electronic signatures to be embedded within the same file, ensuring that links are not broken during transmission or storage.
Currently, applications like MS-Word do not support embedding electronic signatures within the document file itself, making it difficult to guarantee that links will not be broken. This is one of the key advantages of using PDF format for signed documents.
PAdES Standard
For long-term preservation of electronically signed documents, the PAdES (PDF Advanced Electronic Signatures) standard has been established. PAdES is an international standard (ETSI TS 102 778) that extends PDF signature capabilities to support:
- Long-term validation of signatures
- Embedded certificate information
- Time-stamp integration for extended validity periods
- Verification information for maintaining signature validity beyond certificate expiration
The PAdES standard is particularly important for documents requiring long-term retention, such as medical records, construction documents, and intellectual property records.
Electronic Certificates and Certification Authorities
Without an electronic certificate issued by a Certification Authority (CA), an electronic signature cannot prove that the information was created by the person who applied the signature. While it is possible to claim authorship without a CA certificate, it cannot be proven definitively.
Limitations Without CA Certification
When electronic signatures are not accompanied by electronic certificates from a Certification Authority:
- Changes by third parties can be detected
- Changes by the signatory themselves cannot be identified
- Third-party time-stamps are required to detect unauthorized modifications by the document owner
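The limitation listed above, worked through as an added example that is not part of the original article: textbook RSA over fixed Mersenne primes stands in for a real signature scheme (a toy, not secure), and the record text, key values and the `timestamp`/`check_timestamp` helpers are constructed for illustration. It shows a third party's edit failing verification, the signer's own re-signed edit passing it, and a third-party time-stamp over the original hash exposing that edit.

```python
import hashlib

E = 65537  # public exponent

def keypair(p, q):
    # Textbook RSA from two known primes: a toy stand-in, not a secure scheme.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

# Constructed keys built from Mersenne primes, far too small for real use.
SIGNER_PUB, SIGNER_PRIV = keypair(2**127 - 1, 2**89 - 1)  # self-generated, no CA
TSA_PUB, TSA_PRIV = keypair(2**107 - 1, 2**61 - 1)        # independent third party

def timestamp(data, when):
    # The third party signs "hash|time"; the signer cannot forge this token.
    token = hashlib.sha256(data).hexdigest() + "|" + when
    return token, sign(TSA_PRIV, token.encode())

def check_timestamp(data, token, tsa_sig):
    return (verify(TSA_PUB, token.encode(), tsa_sig)
            and token.split("|")[0] == hashlib.sha256(data).hexdigest())

def scenario():
    original = b"Batch 42 assay result: 98.7%"  # constructed record
    edited = b"Batch 42 assay result: 99.9%"
    sig = sign(SIGNER_PRIV, original)
    token, tsa_sig = timestamp(original, "2026-01-15T09:00:00Z")
    resigned = sign(SIGNER_PRIV, edited)  # signer re-signs their own change
    return {
        "original_verifies": verify(SIGNER_PUB, original, sig),
        "third_party_edit_detected": not verify(SIGNER_PUB, edited, sig),
        "signer_edit_passes_signature": verify(SIGNER_PUB, edited, resigned),
        "signer_edit_caught_by_timestamp": not check_timestamp(edited, token, tsa_sig),
        "original_matches_timestamp": check_timestamp(original, token, tsa_sig),
    }

if __name__ == "__main__":
    print(scenario())
```

The signature alone cannot distinguish the original from the signer's re-signed edit; only the token issued by the independent party, which the signer holds no key for, ties the content to a point in time.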
Understanding Electronic Signatures as Digital Equivalents of Physical Seals
As mentioned earlier, electronic signatures are equivalent to physical seals in paper-based society. In paper-based systems, the importance of a document determines whether a simple seal (認印, mitome-in) is acceptable or whether a registered seal (実印, jitsuin) is required. The same principle applies in the electronic world.
Depending on the importance of the electronic document, you must decide whether to use:
- Electronic signatures with CA certification (equivalent to registered seals/jitsuin)
- Electronic signatures without CA certification (equivalent to simple seals/mitome-in)
Regulatory Requirements
Naturally, when regulatory authorities require electronic signatures with CA certification—such as in adverse event reporting for pharmaceuticals—those requirements must be followed without exception.
According to Japan’s ER/ES Guidelines, the following hierarchy applies:
- For regulatory submissions to authorities: Electronic signatures with CA certification are required
- For internal GxP documentation: Electronic signatures aligned with Electronic Signatures Act principles
- For routine business documents: Appropriate level of authentication based on risk assessment
Current Regulatory Landscape and Future Considerations
The regulatory environment for electronic signatures continues to evolve. Key developments include:
Recent Guidance Updates
- FDA’s 2018 guidance “Data Integrity and Compliance With CGMP: Questions and Answers” emphasizes data integrity requirements
- EMA’s data integrity guidance incorporates ALCOA+ principles
- Japan’s Pharmaceuticals and Medical Devices Agency (PMDA) has strengthened inspections focusing on data integrity since 2008
Cloud-Based Systems and Remote Authentication
With the increasing adoption of cloud-based systems and remote work, regulations are adapting to accommodate:
- Cloud storage of electronically signed documents
- Remote authentication methods including digital signatures on tablets
- Decentralized Clinical Trials (DCT) utilizing electronic informed consent
Integration with Modern Technologies
Electronic signature systems are increasingly integrated with:
- Blockchain for enhanced non-tampering proof
- AI-powered document management systems
- Advanced biometric authentication methods
- Automated compliance validation tools
Practical Considerations for Implementation
When implementing electronic signature systems, organizations should:
- Conduct Risk Assessment: Determine the appropriate level of authentication based on document criticality
- Establish SOPs: Document procedures for electronic signature management and operation
- Provide Training: Ensure all users understand regulatory requirements and proper usage
- Maintain Audit Trails: Implement comprehensive logging of all electronic signature activities
- Plan for Long-Term Preservation: Consider requirements for documents with extended retention periods
- Ensure Data Integrity: Implement ALCOA/ALCOA+ principles throughout the data lifecycle
Conclusion
Electronic signatures have become an essential component of modern business operations, particularly in regulated industries. Understanding the fundamental differences between various electronic signature standards, the requirements for data integrity, and the appropriate application of certification levels is crucial for maintaining compliance and ensuring document authenticity.
As digital transformation continues to accelerate, the importance of properly implemented electronic signature systems will only increase. Organizations must stay informed about evolving regulations and best practices to maintain the highest standards of data integrity and document authentication.
The key to successful implementation lies not only in selecting appropriate technology but also in establishing robust procedures, providing comprehensive training, and maintaining a culture of compliance that recognizes the critical role of electronic signatures in protecting data integrity and ensuring patient safety in regulated industries.
This article is based on current regulations as of January 2026. Regulatory requirements may change over time. Always consult with qualified legal and regulatory professionals for specific compliance guidance.