Category: Policy & Funding News

Reporting and briefings on external policy, regulatory, and funder developments affecting the research community worldwide.

  • EU CTR and CTIS Now Mandatory: Harmonised Trials

    The EU Clinical Trials Regulation (Regulation (EU) No 536/2014, the CTR) is now in full effect, and the Clinical Trials Information System (CTIS) is the single, mandatory entry point for clinical-trial applications across the European Union and the European Economic Area. The CTR replaced the earlier Clinical Trials Directive, moving from a country-by-country model to a harmonised one. This article is a neutral explainer of how the system works following the end of the transition period; it is not legal or regulatory advice.

    From directive to regulation

    The previous framework, the Clinical Trials Directive, was a directive — meaning each EU member state transposed it into national law, producing variation in how trials were authorised and overseen. Sponsors running multinational trials had to submit separately to each country, with differing requirements and timelines. The CTR is a regulation, applying directly and uniformly across member states, and was designed specifically to harmonise the assessment and supervision of clinical trials. For the focused overview, see our explainer on the EU Clinical Trials Regulation.

    What CTIS does

    CTIS is the IT backbone of the regulation. It provides a single online portal and database through which sponsors submit one application to run a trial in one or several EU/EEA countries, and through which regulators and ethics bodies coordinate their assessment. It also includes a public-facing component that improves transparency about authorised trials.

    • Single submission: one dossier for a trial spanning multiple member states.
    • Coordinated assessment: a reporting member state leads the scientific assessment shared across the countries concerned.
    • Two-part evaluation: a jointly assessed scientific part and a national part covering country-specific and ethical aspects.
    • Transparency: a public portal with information on authorised trials.

    The coordinated model means sponsors no longer duplicate a full application in every country; instead, a shared assessment is combined with country-specific evaluation.

    The transition period has ended

    The regulation became applicable in January 2022, but it included a phased transition to give the system and its users time to adapt. During that window, sponsors could in some cases still start trials under the old directive, and existing trials had a defined period to transition to the regulation and into CTIS. That transition has now concluded: CTIS is the mandatory route, and trials that were approved under the old directive were required to be brought under the CTR framework within the transition timeline.

    The end of the transition is significant because it means there is now a single regime in operation. New trials are authorised exclusively through CTIS under the CTR, and the legacy directive pathway is closed.

    How an application flows

    At a high level, a sponsor compiles a single application dossier and submits it through CTIS, indicating the member states in which the trial is to run. A reporting member state coordinates the scientific assessment (Part I), which is shared across the participating countries, while each member state evaluates the national and ethical aspects relevant to its territory (Part II). Defined timelines structure the process, and the outcome is a single decision per member state delivered through the system. Substantial changes and safety reporting during the trial are also managed within the same platform.

    This single-platform approach is intended to make multinational trials more predictable and to reduce duplicative administration, while maintaining rigorous scientific and ethical assessment in each country.

    Transparency and public access to trial information

    A notable feature of the CTR and CTIS is the emphasis on transparency. The system includes a public component through which information about authorised trials is made available, and the regulation sets expectations around the publication of trial information and, in time, results. This responds to long-standing calls to reduce so-called publication bias — the under-reporting of trials whose findings are inconvenient or negative — by making the existence and outcomes of trials more visible. Certain commercially confidential information and personal data are protected, so transparency operates within defined limits rather than as unrestricted disclosure.

    For the research community, this public visibility supports independent scrutiny and helps ensure the evidence base reflects the trials that were actually conducted, not only those that reported favourable results. It connects clinical-trials regulation to the broader open-science direction seen elsewhere in research policy.

    How it fits with GCP and global standards

    The CTR governs authorisation and oversight within the EU, while the conduct of trials continues to follow Good Clinical Practice. The modernised international GCP guideline is described in our explainer on ICH E6(R3) Good Clinical Practice, and the two operate together: the regulation defines how trials are approved and supervised in Europe, and GCP defines the quality and ethical standards for running them.

    The transparency dimension also connects to broader open-science expectations, since CTIS publishes information about authorised trials, supporting public visibility of clinical research. For neutral definitions of related terms, see our standards dictionary.

    What it means for sponsors and sites

    For sponsors, the end of the transition removes the option of the legacy pathway and concentrates all trial activity in one system, which favours organisations that have built familiarity with CTIS and its document and timeline requirements. For sites and investigators, the harmonised model means the ethical and national assessment of a trial in their country proceeds within a coordinated EU process rather than in isolation. Sponsors running trials in several member states benefit most from the single submission, but even single-country trials in the EU now flow through CTIS. As with any large system, users continued to adapt their internal processes — document preparation, role management within the portal, and response to assessment questions — to work efficiently within the platform.

    The takeaway

    The EU has moved decisively to a single, harmonised system for clinical trials: one regulation applying directly across member states, one mandatory portal in CTIS, and a coordinated assessment that replaces country-by-country duplication. With the transition period over, CTIS is the only route for trial applications in the EU and EEA. Authoritative detail is published by the European Medicines Agency and the European Commission at ema.europa.eu, which sponsors and investigators consult for binding requirements.

  • GDPR Enforcement 2025: How DPAs Applied the Rules

    The EU General Data Protection Regulation (GDPR) has been in force since 2018, and its enforcement is carried out by independent national data-protection authorities (DPAs) across the EU and EEA, coordinated through the European Data Protection Board (EDPB). This article offers a neutral, aggregate recap of the themes that characterised GDPR enforcement through 2025. It deliberately discusses patterns and principles rather than naming particular organisations or framing specific outcomes as accusations, and it is not legal advice.

    How GDPR enforcement is structured

    GDPR is enforced primarily by national DPAs, each supervising organisations within its jurisdiction. For cross-border processing, the regulation uses a one-stop-shop mechanism: a lead supervisory authority, usually where the organisation has its main establishment, coordinates with other concerned authorities. Where authorities disagree, the EDPB can issue binding decisions to ensure consistent application. For the underlying framework, see our overview of the GDPR.

    This structure matters because it shapes how enforcement unfolds: many significant cross-border matters involve coordination between a lead authority and others, and EDPB consistency mechanisms help align interpretation across countries.

    Recurring themes in enforcement

    Across the body of enforcement activity, several themes recur as areas where authorities have focused. Described in aggregate, these include:

    • Lawful basis and transparency: whether organisations correctly identify and communicate the legal basis for processing, and whether privacy information is clear and accessible.
    • Consent: whether consent, where relied upon, is freely given, specific, informed and unambiguous, and as easy to withdraw as to give.
    • Data-subject rights: how organisations handle requests for access, erasure, rectification and objection within required timeframes.
    • Security and breach handling: whether appropriate technical and organisational measures are in place, and whether breaches are notified appropriately. See our explainer on data breaches.
    • International transfers: the safeguards applied when personal data move outside the EEA.

    These themes reflect the GDPR’s core principles — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability — and enforcement activity tends to cluster around them.

    The role of the EDPB and consistency

    A defining feature of recent years has been the EDPB’s role in promoting consistent interpretation. Through guidelines, opinions and, where necessary, binding decisions in dispute-resolution procedures, the Board has helped align how authorities approach questions such as the calculation of administrative fines and the assessment of cross-border cases. The EDPB has, for example, issued guidance intended to harmonise the methodology authorities use when determining the level of fines, supporting a more consistent approach across the bloc.

    This coordination is significant for organisations operating in multiple member states, because it reduces — though does not eliminate — divergence in how the same rules are applied in different countries.

    Tools beyond fines

    Administrative fines attract the most attention, but DPAs have a wider toolkit. Authorities can issue warnings and reprimands, order an organisation to bring processing into compliance, impose temporary or definitive limitations on processing (including bans), and order the rectification or erasure of data. In many matters, corrective orders — requiring changes to how data are handled — are as consequential as monetary penalties, because they directly alter business practices. Describing enforcement only in terms of fine totals therefore understates the range of regulatory action.

    What organisations took from it

    In aggregate, the enforcement picture through 2025 reinforced the importance of demonstrable accountability: maintaining records of processing, conducting data-protection impact assessments where required, ensuring a valid lawful basis, honouring data-subject rights promptly, and being able to evidence appropriate security measures. The accountability principle — being able to show compliance, not merely assert it — runs through the regulation and through how authorities assess organisations.

    For those seeking to understand the rules themselves rather than commentary on outcomes, the authoritative sources are the regulation’s own text, national DPA guidance, and EDPB materials published at edpb.europa.eu. Neutral definitions of related privacy terms are collected in our standards dictionary.

    Reading enforcement data carefully

    A final neutral note concerns how enforcement statistics should be read. Aggregate figures — numbers of decisions, total penalty amounts, or counts of complaints — circulate widely, but they require context. A high total in one period may reflect a small number of large matters rather than a broad pattern; a low total may reflect a focus on corrective orders rather than fines. Differences between member states can stem from caseload, the nature of the organisations established in a jurisdiction, or procedural timing rather than from differing strictness. For this reason, responsible analysis treats enforcement data as one input among several and avoids inferring conclusions about any individual organisation from aggregate trends. The constructive takeaway for organisations is forward-looking: align practices with the regulation’s principles and maintain the documentation needed to demonstrate that alignment.

    The accountability principle in focus

    If a single idea characterises how authorities approach assessment, it is accountability. The GDPR does not merely require organisations to comply; it requires them to be able to demonstrate compliance. In practice this means maintaining a record of processing activities, documenting the lawful basis for each processing purpose, conducting and recording data-protection impact assessments for higher-risk processing, and keeping evidence of the technical and organisational measures in place. When authorities examine an organisation, the ability to produce this documentation is often as important as the underlying practices themselves.

    Accountability also shapes governance. Many organisations are required to designate a data-protection officer, and the regulation encourages structured governance such as data-protection-by-design and by-default, where privacy considerations are built into systems from the outset. These structural expectations recur across enforcement themes because they underpin every other obligation — a lawful basis, honoured rights and adequate security all depend on having the governance to manage them.

    A neutral bottom line

    GDPR enforcement in 2025 is best understood not through individual headline cases but through the patterns: sustained attention to lawful basis, transparency, consent, data-subject rights, security and international transfers; growing consistency driven by the EDPB; and a corrective toolkit that extends well beyond fines. The regulation’s principles remained the constant reference point against which authorities assessed organisations.

  • NSPM-33 implementation: 18 months in

    National Security Presidential Memorandum 33, issued in 2021 and operationalised through implementation guidance during 2022-2024, requires US federal research-funding recipients to disclose certain affiliations, support, and resources from foreign sources, with the aim of identifying conflicts of commitment and undue foreign influence. The major federal agency rollouts (NIH, NSF, DOE, DOD, NASA, USDA) became binding through 2024 and 2025. We are now 18 months into substantive implementation. This post is a status report.

    What NSPM-33 requires

    The disclosure requirements run across three axes. Current and pending support: applicants must disclose all sources of support for ongoing and planned research activities, including foreign sources, with structured detail. Biographical sketch: applicants must list all affiliations, including foreign ones, in a structured format. Conflicts of interest and commitment: applicants must disclose financial conflicts of interest, foreign relationships, and any obligations to entities that could constitute conflicts of commitment.

    The structure is mostly common-form across agencies — the Common Forms work coordinated by NSTC’s Joint Committee on the Research Environment produced templated disclosure formats — though agency-specific variations persist. The CASRAI NSPM-33 entry tracks the common-form versions.

    What worked

    Three things have worked better than was expected at rollout.

    First, institutional infrastructure. Most major research universities built the disclosure-collection and -review infrastructure during 2022-2024 in anticipation of binding requirements. By the binding date, most had functional systems: faculty-facing tools for disclosure entry, research-administration review workflows, integration with proposal-submission pipelines. The smaller and less-resourced institutions struggled more, but the AAU- and APLU-coordinated capacity-building efforts substantially closed the gap.

    Second, the common-form approach. The Common Forms work was widely criticised during development for being slow and produced-by-committee. The result has held up well: a researcher applying to multiple agencies can use the same biographical sketch and current-and-pending-support disclosures with only minor agency-specific extensions. The pre-Common-Forms world had every agency requiring its own format; the post-Common-Forms world has substantial harmonisation.

    Third, the compliance posture. The major agencies have, on the whole, used the disclosure requirements as compliance tools rather than enforcement weapons. The early concerns about a wave of investigations leveraging disclosure inconsistencies as the predicate for action have largely not materialised. Where investigations have proceeded, they have done so in cases with substantive concerns beyond disclosure failures alone.

    What is broken

    Three implementation problems persist.

    First, retroactive disclosure. The requirements ask for disclosure of historical affiliations and support, often going back several years. Researchers have variable recollection and variable access to records of those years. Honest mistakes — forgotten honorary positions, misremembered dates, inaccurate amounts on past awards — produce disclosure inconsistencies that institutions then have to investigate and resolve. The investigation overhead is substantial; the underlying integrity concerns are usually minor.

    Second, international-collaboration chilling. The disclosure requirements have, in our community’s observation, produced a chilling effect on international collaboration, particularly with collaborators in countries that the US identifies as competitor jurisdictions. Researchers report declining collaboration invitations they would previously have accepted, in part to avoid the disclosure overhead, in part out of caution about how the disclosed activity might later be interpreted. The chilling effect is hard to measure but is widely reported.

    Third, the institutional-versus-individual line. The disclosure requirements ask the individual researcher to disclose their affiliations, but many “foreign affiliations” are institutional arrangements (university-to-university partnerships, MOUs, joint programmes) that the individual researcher discovers only when asked to disclose them. The institutional research administration knows the partnerships; the individual researcher often does not. Surfacing institutional partnerships in individual-disclosure workflows is an unsolved UX problem.

    The ORCID interlock

    One concrete improvement that NSPM-33 implementation has driven is tighter integration with ORCID as the canonical record of researcher affiliations. ORCID 4.0’s affiliation history with ROR IDs and date ranges is the natural source for the biographical-sketch component of NSPM-33 disclosures; agencies are increasingly accepting ORCID-derived biographical sketches and several are piloting direct ingestion from ORCID at submission. The CASRAI ORCID implementation guide has been updated with the NSPM-33 patterns.

    The longer-term value of this integration is that it incentivises researchers to maintain a current and complete ORCID record, which has benefits well beyond compliance. The institutions that have invested in ORCID adoption are well-positioned for NSPM-33 compliance; the institutions that have not are pushing researchers to maintain disclosure information in institutional systems that diverge from ORCID, creating a synchronisation problem.

    The CRediT angle

    NSPM-33 does not require CRediT roles in disclosures, but the disclosure framework’s interest in “all sources of support” includes contributions to research activities. A researcher who contributed to a foreign-funded project — even without being a PI — has a disclosure obligation. The CRediT role framework provides a vocabulary for characterising those contributions, and several institutional implementations now use CRediT-aligned controlled vocabularies in their disclosure forms.

    What’s still pending

    Three institutional adjustments are still in motion 18 months in.

    First, training and culture. The disclosure requirements need to become routine, the way IRB compliance has become routine. Most institutions still treat disclosure as a special workflow with episodic attention; the maturity target is that disclosure is built into hiring, promotion, sabbatical, and proposal workflows as a routine compliance item.

    Second, institutional-individual reconciliation. The institutional partnerships and the individual disclosures need to be reconciled systematically. Several institutions have built dashboards that show, for each researcher, the institutional partnerships their disclosed affiliations imply, with prompts for confirmation. This is the right direction; it is not yet widely deployed.

    Third, cross-institutional data sharing. When a researcher moves between US institutions, their disclosure history needs to travel with them. The current state is that it does not, reliably; the new institution rebuilds the disclosure profile from scratch. This is wasteful and produces unnecessary inconsistencies. ORCID-anchored disclosure portability is the right architectural answer; institutional adoption is the missing piece.

    What CASRAI recommends

    For research-administration offices, the priority for 2026 is to consolidate the operational maturity of disclosure workflows: routine integration with proposal submission, ORCID-anchored biographical sketches, institutional-partnership reconciliation, training programmes that treat disclosure as a standard compliance item. The CASRAI institutional research-security guide walks through the maturity model.

    For researchers, the operating posture is to keep ORCID current, to maintain a personal log of affiliations and support that supports disclosure, and to treat disclosure as part of professional practice rather than as exceptional compliance.

    For agencies, the priority is to continue the common-form harmonisation work and to consider further ORCID integration. The 2026 update to the Common Forms is in development and the indications are positive.

    Related dictionary entries