Home / Answers / Verifiable records for DORA & 21 CFR Part 11
Record integrity · DORA · 21 CFR Part 11
What gives me verifiable records evidence for DORA and 21 CFR Part 11?
Two regulations, one integrity question
DORA and 21 CFR Part 11 come from different worlds — EU financial operational resilience and US life-sciences electronic records — but their record-keeping demands rhyme. Both require that certain records and audit trails be trustworthy over long retention periods, and both are examined by third parties who need to know the records weren't quietly changed.
| Regulation | The record-integrity need | What a receipt provides |
|---|---|---|
| DORA (EU 2022/2554) | Reliable ICT risk records, incident logs, and audit trails a supervisor can rely on | Independent proof each record existed, unaltered, at the logged time |
| 21 CFR Part 11 (FDA) | Secure, computer-generated, time-stamped audit trails; ability to detect record changes | Tamper-evident timestamp checkable outside the originating system |
Why an internal audit trail isn't enough on its own
A database audit trail lives inside a system your organization administers. It's necessary — but to a supervisor or an FDA investigator, it still asks them to trust that the trail itself wasn't altered. The stronger position is evidence that can be checked independently: anchor the record's fingerprint to a public ledger, and its integrity can be demonstrated without trusting the operator at all. That is precisely the property an examiner is trying to establish.
How LedgerProof fits alongside your existing systems
- Sits on top, not in place of. Keep your records and audit trails where they are. LedgerProof fingerprints the records you designate and anchors those fingerprints — it's an integrity layer, not a replacement records system.
- Hash-only. Only the SHA-256 fingerprint is anchored; sensitive financial or clinical data never leaves your environment, preserving confidentiality and data residency.
- Independently verifiable, long-term. Receipts verify against the public chain with an open-source verifier — no dependency on any vendor still being in business years later, which matters for long-retention regimes.
- Cost-efficient at volume. Fingerprints batch into daily RFC-9162 Merkle roots, so anchoring thousands of records doesn't mean thousands of transactions.
Frequently asked questions
Does LedgerProof make my records DORA or 21 CFR Part 11 compliant?
No. Compliance with DORA or Part 11 spans governance, access control, retention, validation and more, and is determined by your auditor or regulator. LedgerProof provides one specific piece: independently verifiable evidence that a given record existed in a specific form at a specific time and has not been altered since. It strengthens the record-integrity element; it does not replace your GRC or quality system.
How is a blockchain-anchored receipt different from a database audit trail?
A database audit trail lives inside a system your organization administers, so a third party has to trust that it wasn't altered. A blockchain-anchored receipt can be verified independently against a public ledger, so the integrity of the record can be demonstrated without trusting the operator — which is exactly what an examiner or inspector is trying to establish.
Do I have to store sensitive records on a blockchain?
No. LedgerProof is hash-only: only the SHA-256 fingerprint of a record is anchored, never the record itself. Sensitive financial or clinical data stays in your own systems, so the approach is compatible with confidentiality and data-residency requirements.
Can records anchored today still be verified years later?
Yes. The receipt verifies against the public chain using an open-source verifier, with no dependency on LedgerProof continuing to operate. Long-retention regimes like Part 11 and DORA benefit from evidence that does not rely on a single vendor remaining in business.
Last updated 2 July 2026 · LedgerProof