Notification of serious or repeated non-compliance with good clinical practice in clinical trials

Updated 16 August 2025

During a clinical trial, a sponsor may become aware of serious breaches of the rules for the conduct of that clinical trial, including breaches of the version of the protocol applicable at the time of the breach.

According to Regulation (EU) No 536/2014, such serious breaches must be reported by the sponsor of the trial to the Member States in question to enable them to take any measures required. Notification must be made through the common European portal CTIS (Clinical Trial Information System) without undue delay and no later than seven days after the sponsor becoming aware of the breach.

A serious breach means a breach likely to affect to a significant degree the safety and rights of a subject or the reliability and robustness of the data generated during the clinical trial.

Reference is also made to 'Guideline for the notification of serious breaches of Regulation (EU) No 536/2014 or the clinical trial protocol' (EMA/698382/2021) and module 5 under Sponsor Workspace of EMA's online training.

The Danish Medicines Agency’s handling of serious breaches

Upon receipt of information of a serious breach, the Danish Medicines Agency will consider whether the deviation meets the definition of a serious breach. Where the Danish Medicines Agency

agrees with the sponsor and categorises the deviation as 'serious', the Agency will review the CAPA plan forwarded by the sponsor to assess whether it is adequate or whether additional measures are required. The Danish Medicines Agency may decide that more information must be added to the sponsor's report before a final assessment can be made, or that additional measures must be included in the CAPA plan to ensure effective solution of the issue and prevention of new, similar breaches. Moreover, the Danish Medicines Agency may require a change to the protocol and, in particularly serious cases, the Agency may put a temporary stop to the trial or decide that a GCP inspection is required.

Where the Danish Medicines Agency (or another Member State concerned) has justified grounds for considering that the requirements set out in the Regulation are no longer met, it may take the following measures: a) revoke the authorisation of a clinical trial, b) suspend a clinical trial or c) require the sponsor to modify any aspect of the clinical trial. The Member State concerned must inform all Member States concerned and the Danish Research Ethics Committees on Medical Products through the EU portal CTIS.

If the serious breach involves research ethical issues, the Danish Medicines Agency will make its assessment in consultation with the Research Ethics Committees on Medical Products.

Procedures for handling of serious breaches are available at the Commission and EMA websites: https://www.ema.europa.eu/en/documents/scientific-guideline/guideline-notification-serious-breaches-regulation-eu-no-5362014-or-clinical-trial-protocol_en.pdf

The following list includes breaches, which the Danish Medicines Agency expects to be reported:

    • If an investigator or other parties involved (e.g. a service provider) fail to report SAEs or SUSARs, and such failure may impact the safety profile of the product.
    • Substantiated suspicion (for instance after audit completion) of manipulation of data (fraud).
    • Systematic deviations, for example in connection with processes concerning consent, randomisation, blinding, incident assessment, reporting of data, etc.
    • Systematic deviations across sites.
    • Dosing errors, for instance due to misinterpretation of laboratory data, calculation errors or other matters.

Appendix 1 of the above guideline includes examples of serious breaches. The examples are divided into categories such as breaches relating to investigational medicinal products, reporting of unexpected serious adverse reactions, suspicion of potential fraud, issues relating to unblinding, randomisation, source data, etc.

To avoid delay in relation to serious breaches, the sponsor must have in place systems and contracts ensuring that service providers and investigators report such breaches to the sponsor within a short timeline.

Notification to sponsors and investigators affected by cyber attacks on clinical trial data

In connection with several recent cases of cyber attacks on systems holding data from clinical trials, the Danish Medicines Agency calls attention to the following:

The Agency expects affected sponsors to assess, on the basis of the information received (for example from the contract organisation) and own follow-up investigations, whether the security flaw falls under the sponsor’s statutory responsibility to report serious breaches as stated above. The report must be updated regularly if new significant information is received.

If the attack concerns the systems that the investigator is responsible for (e.g. patient records, electronic Trial Master File, etc.), we expect the investigator to promptly inform relevant sponsors to ensure the concerned sponsors can fulfil the above-mentioned obligation of reporting serious breaches.

The fulfilment of the obligation may be the subject of future inspection.

Clinical Trial Information System (CTIS)

When reporting a breach via CTIS, attention should be paid to the following:

  • A brief and precise description of the breach must be provided in the structured fields of the CTIS notification, including a 'Description of the serious breach and impacts on trial” and ”Actions taken and planned (including timelines) to investigate and correct the breach and to prevent the reoccurrence of that or a similar breach'. A pdf file comprising a supplementary statement may be attached. According to the EMA's transparency rules, all information in the two fields mentioned above will be published, whereas the attached description will not be made public.

    The breach must be described in the structured fields, which means that reference may not simply be made to a pdf file. If this is not the case, a Request for Information (RFI) will be issued.

  • Specification of Most Affected Member State (MAMS). According to the applicable guideline, the sponsor is required to specify which EU Member State is 'most affected' by the serious breach.  

    If a MAMS has not been specified, an RFI will be issued.

  • Attention should be paid to RFIs issued as well as to Notices and Alerts. During the authorities' assessment of the serious breaches reported, the primary communication between the Agency and the sponsor will be via RFIs (similar to the authorisation process). Note that a notice will appear under 'Notices and Alerts' when the Agency has issued an RFI.

    RFIs are generally subject to a ten-day deadline.

  • Serious breaches are assessed in cooperation with all Member States which have been notified as Member State Concerned (MSC) in connection with the clinical trial.
  • If the breach reported is not considered to meet the definition of a serious breach by MAMS, in cooperation with the other MSCs, the sponsor will be asked to withdraw the breach reported.
  • Also serious breaches which occurred only outside the EU/EEA must be reported, but only if such breach affects, to a significant degree, the safety and rights of a trial participant in the EU, or if the breach to a significant degree affects the reliability and robustness of the data.

 

Change log:

August 16, 2025 - no substantive changes, alligned with Regulation (EU) 536/2014 and with references to CTIS