In relation to possible cyberattacks, the Agency draws special attention to the following:
If such situations develop, we expect affected sponsors, based on the information received (e.g. from CROs, investigators) and their own subsequent investigations, to assess whether the security breach falls within the sponsor’s legal responsibility to report a serious non-compliance, as prescribed in the Regulation on Clinical Trials of Medicinal Products in Human Medicine (Article 26, item 23, Serious breach) and, if confirmed, to report it immediately. The breach report must be updated regularly if new significant information is received.
If the attack concerns systems for which the investigator is responsible (e.g., an electronic health care system, a part of an eTMF to which the investigator has access, etc.), the investigator is expected to immediately notify the relevant sponsors to ensure that the affected sponsors can comply with the above-mentioned obligation to report a serious non-compliance.
Compliance with the obligation may be subject to future inspection.
