Compliance Apr 22, 2026 · 9 min read
A practical guide to 21 CFR Part 11 e-signatures in 2026
What changed in the FDA’s 2025 guidance update, what auditors actually look for, and how to implement compliant e-signatures without slowing your team down.
The FDA’s 2025 draft guidance update on Part 11 introduced subtle but important shifts in how e-signatures should be implemented and audited.
What actually changed
- Cloud-based signature solutions are now explicitly acceptable (previously implicit).
- Two-factor authentication is now strongly recommended for "high-risk" transactions.
- Signature manifestation requirements are clarified — the meaning must be unambiguous.
- Audit trail expectations have been formalized for SaaS QMS deployments.
The 7 controls auditors will check
Based on 50+ recent inspection observations, these are the controls auditors examine in priority order:
- Unique user identification — no shared accounts.
- Two distinct identification components (typically password + token).
- Periodic password changes with complexity requirements.
- Loss management — lockout and reissue procedures.
- Unauthorized use safeguards — automatic logout.
- Initial and periodic testing of devices/tokens.
- Audit trail showing who, what, when, and why.
Quays does this out of the box
All seven controls are built into the platform. SAML SSO, MFA, automatic timeout, full audit trail with reason codes — no custom configuration required.
Written by
María González
Head of Compliance