Electronic source, or eSource, is no longer an emerging capability in clinical research. By 2026, regulators increasingly assume that some portion of trial data will originate electronically, whether through EHR-to-EDC integration, ePRO, wearable devices, eConsent, centralized imaging platforms, or direct data entry into an eCRF. The regulatory focus has shifted from whether electronic systems are used to how they are governed.
The expectation is clear. Electronic data must be attributable, legible, contemporaneous, original, accurate, and complete. What has evolved is the depth of scrutiny around metadata, audit trails, access control, validation, and life cycle management.
Recent guidance from the FDA on electronic systems and records, the finalized ICH E6(R3) Good Clinical Practice guideline, and the EMA’s framework for computerized systems collectively define what inspection readiness looks like in 2026. Together, they reinforce that electronic source data must be transparent, reconstructable, and controlled across its full life cycle.
Clear Definition of What Constitutes Source Data
Regulators will first ask where the source lives. For each critical data element, sponsors and investigators must be able to identify the first permanent record and the system in which it resides.
If data are entered directly into an eCRF by an authorized originator, the eCRF may serve as the source. If paper transcription occurs, that paper record remains source and must be retained. If data originate in a wearable device, central laboratory database, or EHR interface, the originating system must be defined and documented as the source.
By 2026, it is not sufficient to state that data are “electronic.” Protocols, data management plans, and trial master file documentation must clearly map endpoints and safety variables to their respective source systems. Regulators expect this mapping to be pre-specified and maintained throughout the study.
Authorized Data Originators and Attributable Records
Electronic systems must clearly associate each data element with an authorized originator. That originator may be an investigator, delegated site staff member, subject entering ePRO data, a laboratory instrument, or another validated system.
The key requirement is attributable data. Each entry must be traceable to a uniquely identifiable user or system account. Shared logins, generic credentials, or poorly aligned delegation logs remain frequent inspection findings.
In practice, this means system permissions must align with delegation of authority logs. User access should be role-based, documented, and periodically reviewed. Device-generated data must be traceable to the specific device and configuration used at the time of capture.
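One way to check that alignment, as an added example rather than anything prescribed by the guidance discussed here: reconcile exported data-entry records against the delegation of authority log. The account names, task labels, generic-account patterns and record layout are all constructed assumptions.

```python
from datetime import date

# Constructed delegation-of-authority log: account -> delegated tasks and dates.
DELEGATION = {
    "jdoe":   {"tasks": {"vitals", "adverse_events"}, "start": date(2026, 1, 1), "end": None},
    "asmith": {"tasks": {"vitals"}, "start": date(2026, 1, 1), "end": date(2026, 2, 1)},
}
# Assumed naming patterns for non-personal accounts; adjust to local conventions.
GENERIC_ACCOUNTS = {"admin", "coordinator", "site", "shared", "test"}

# Constructed data-entry records as exported from a system: (account, task, date).
ENTRIES = [
    ("jdoe", "adverse_events", date(2026, 1, 10)),
    ("asmith", "adverse_events", date(2026, 1, 12)),
    ("asmith", "vitals", date(2026, 2, 15)),
    ("coordinator", "vitals", date(2026, 1, 20)),
    ("bnew", "vitals", date(2026, 1, 20)),
]


def attribution_findings(entries, delegation):
    """Return (entry index, finding) for every entry that is not attributable
    to a delegated individual acting within their delegation."""
    findings = []
    for i, (account, task, day) in enumerate(entries):
        grant = delegation.get(account)
        if account.lower() in GENERIC_ACCOUNTS:
            findings.append((i, "generic or shared account"))
        elif grant is None:
            findings.append((i, "account not on delegation log"))
        elif task not in grant["tasks"]:
            findings.append((i, "task not delegated to this user"))
        elif day < grant["start"] or (grant["end"] and day > grant["end"]):
            findings.append((i, "entry outside delegation dates"))
    return findings
```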
Audit Trails and the Ability to Reconstruct Events
Audit trails are central to regulatory expectations in 2026. However, simply having an audit trail is not enough. Regulators expect that audit trails are secure, computer-generated, time-stamped, and capable of reconstructing the sequence of events for any critical data element.
Every modification must preserve the original entry and capture who made the change, when it occurred, and why it was made. Metadata are no longer secondary artifacts; they are part of the evidentiary record.
ICH E6(R3) places particular emphasis on planning the review of metadata and audit trails as part of ongoing oversight. The extent of review should be risk-based and aligned with the criticality of the data. Higher-impact endpoints and safety data require proportionally greater scrutiny.
Inspection readiness now includes the ability to produce human-readable audit trail outputs promptly. Organizations should be able to demonstrate how audit trails are reviewed during monitoring, quality control, and quality assurance activities.
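The properties described in this section, shown as an added sketch that is not taken from any guidance or vendor system: an append-only trail that keeps the original value, records who, when and why, and produces a readable history per data element. Hash chaining is an assumed mechanism for making edits to past entries detectable; the field and account names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only trail; values are never overwritten, only superseded."""

    def __init__(self):
        self._entries = []

    def record(self, field, old, new, user, reason, when=None):
        # A change (old value present) without a stated reason is rejected.
        if not user or (old is not None and not reason):
            raise ValueError("user is required; a change also needs a reason")
        body = {
            "seq": len(self._entries) + 1, "field": field,
            "old": old, "new": new, "user": user, "reason": reason,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """True only if every entry matches its hash and links to its predecessor."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def history(self, field):
        """Human-readable sequence of events for one data element."""
        return [f'{e["when"]} {e["user"]}: {e["old"]!r} -> {e["new"]!r} ({e["reason"]})'
                for e in self._entries if e["field"] == field]

def build_sample_trail():
    # Constructed sample: a blood-pressure value entered, then corrected.
    t0 = datetime(2026, 1, 5, 9, 30, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("SBP", None, 182, "site01.jdoe", "initial entry", t0)
    trail.record("SBP", 182, 128, "site01.jdoe", "transcription error", t0.replace(hour=10))
    return trail
```

A chain on its own does not reveal truncation of the newest entries; storing the latest hash outside the system covers that case.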
Risk-Based Data Governance
One of the most important regulatory evolutions reflected in ICH E6(R3) is the emphasis on data governance as an active process rather than a static policy.
Sponsors and investigators are expected to manage data integrity, traceability, and security across the full life cycle of trial data. This includes defining data criticality, aligning oversight activities with risk, and documenting rationale for decisions about review frequency and depth.
In 2026, regulators are less focused on uniform checklists and more focused on whether controls are proportionate and justified. Organizations should be able to explain why certain metadata are reviewed routinely while others are reviewed selectively, based on risk assessment.
Data governance frameworks must also address system changes, version control, user management, and cross-system integrations.
Fit-for-Purpose Validation and System Security
Computerized systems used in clinical trials must be validated for their intended use. This validation should be risk-based and proportionate to the importance of the system and the data it handles.
Validation documentation should clearly demonstrate that both standard functionality and protocol-specific configurations, such as edit checks and custom workflows, function as intended. Integrations and data transfers between systems must be treated as validated processes.
Security controls are equally important. Access management, password policies, backup procedures, disaster recovery testing, and change control must be documented and periodically reviewed. The expectation is not excessive documentation but demonstrable control.
Systems must also ensure that data remain protected against unauthorized access, loss, or alteration throughout their retention period.
Record Retention and Inspection Access
Even as data flows become decentralized, investigators retain responsibility for the records under their control. Contracts with vendors cannot create barriers to inspection access.
Regulators expect that electronic source data, including vendor-hosted systems, are accessible during inspections without compromising subject privacy or study blinding. Archiving strategies must preserve both the data and relevant metadata in a retrievable and readable format for the required retention period.
Decommissioning plans for systems must ensure that data integrity and accessibility are preserved after system retirement or migration.
Preparing for 2026 and Beyond
Electronic source data expectations in 2026 reflect a broader shift toward transparency, traceability, and risk-based governance. Regulators are not seeking perfection. They are seeking clarity, proportionality, and control.
For sponsors, this means designing studies with source data mapping, validation, and metadata review in mind from the outset. For CROs and sites, it means aligning operational workflows, user management, and system validation practices with the reality of inspection scrutiny.
When electronic source data are defined clearly, governed actively, and supported by validated systems, they do more than satisfy regulators. They reduce rework, improve data quality, accelerate decision-making, and strengthen confidence in early-phase and late-phase development alike.
In 2026, electronic source is no longer a differentiator. It is an expectation. The organizations that treat it as a core component of trial integrity, rather than an IT detail, will be best positioned for regulatory success.