Many CTUs are turning to SharePoint to shift from paper to electronic Trial Master Files - after all, it's accessible, familiar, and already part of their toolkit. But what are the major compliance challenges they will face along the way?
I recently spoke at a CTU forum about the reality of running an electronic Trial Master File (eTMF) using Microsoft SharePoint.
The message from the CTU managers I spoke to afterwards was clear.
eTMF compliance with SharePoint is not simple.
The MHRA want evidence - of exactly where your data is located, how you will restore it in the event of an emergency, and that your configuration actually works as intended.
But too many CTUs who embark on building their own eTMF overlook the resource they need in place to keep their eTMF compliant within a shifting technical stack.
With this in mind, we’ve put together a short, practical guide to SharePoint eTMF compliance.
SharePoint is already in your Microsoft 365 stack. It’s got a familiar UI, comes with Office integration and quick collaboration tools. The tools for building a structured TMF may already be accessible to your team.
But it’s important to remember a compliant eTMF/eISF isn’t a document library - it’s a validated system with defined controls. And that’s where a lot of the extra work will come in for those using SharePoint.
With SharePoint, you own:
And if those foundations are weak, going “paperless” can increase risk and rework rather than reduce it.
If you’ve got an in-house manager or outside consultant working on building your eTMF solution with SharePoint - they need to give extra thought to proving it’s ‘fit for purpose’ from a regulatory point of view.
Don’t forget, from April 2026, the new MHRA clinical trial guidelines will fully adopt ICH GCP E6 (R3) - bringing a major step up in data governance requirements.
Your team will need to demonstrate how you:
These new guidelines are intended to make the compliance process more straightforward, but they’ve also been updated to reflect real concerns about security and data protection in an age of dangerous cyber-threats.
Because of this, when an MHRA inspector asks about your digital TMF, you will need to be ready to show:
If you can’t produce these on request, you are not inspection‑ready.
So, talking to our team (and those who’ve tried using SharePoint to manage their eTMF) I’ve focused on a few areas where developers may need to spend more time and resources on compliance with the platform:
Be prepared to replace vague “cloud” statements with a one‑page, auditable summary. Include:
The advice: Create a controlled Data Residency Register and update it whenever providers, tenants or sites change.
Microsoft keeps the platform running, but you own your data.
So, what does a credible plan for disaster recovery look like?
The advice: deploy a third‑party backup, perform quarterly restores into a test tenant, and file the reports inside the TMF.
You must validate both the standard features you rely on (versioning, permissions, audit trails, e‑signatures if used) and your configuration (sites/libraries/metadata), plus any flows/integrations. In practice that means:
The advice: Microsoft updates frequently. Assess impact and re‑test affected controls—don’t let your validated state drift.
If you recognise any of these gaps - or you simply don’t have the bandwidth to maintain the required level of security testing and validation on a shifting SharePoint stack – you should definitely consider using a flexible platform like Cognidox to build out your TMF.
For a growing company, ploughing time and energy into maintaining a complex validation and security testing regime to satisfy MHRA inspectors could be a serious waste of resources.
On the other hand, platforms like Cognidox are developed and maintained to meet these standards - so you can concentrate your efforts on managing clinical trials rather than software.
Building an eTMF with SharePoint can save costs for small units, but the burden of compliance is a constant nagging presence.
For example, every time Microsoft updates SharePoint - or you change a flow, plugin, or permission model - your validated state is broken. You will need to re-test and re-document it all.
Most development teams don’t have the time or regulatory expertise to manage that. And most businesses don’t realise how far short their setup falls - until they’re in front of an inspector.