The European Medicines Agency (EMA) made its Guideline for the Notification of Serious Breaches of Regulation (EU) No 536/2014 or the Clinical Trial Protocol effective on 31 January 2022. This guideline was drafted five years ago, with the final version adopted in early December 2021. There's a lot to discuss here, but let's turn our attention to requirements for service providers and sites to notify the sponsor of suspected serious breaches: Per Section 6.1, "suspected serious breaches should be promptly reported to the sponsor by investigators and by service providers in order for the sponsor to perform further investigation and assess if the breach qualifies as serious breach."  This point is reiterated in subsequent sections:

• 6.2:  "The delegated party performs the tasks set out in paragraph 6.1, as transferred by the sponsor as per written contract.  In addition, the delegated party keeps the sponsor informed about the management of all the breaches related to the clinical trials of that sponsor."
• 6.3: "Service providers...should have a written process in place to identify the occurrence of a (suspected) serious breach; should promptly communicate to the sponsor or delegated party a (suspected) serious breach..."
• 6.4:  "The principal investigator should have a process in place to ensure that...site staff or service providers delegated by the principal investigator/institution are able to identify the occurrence of a (suspected) serious breach; a (suspected) serious breach is promptly reported to the sponsor or delegated party..."

When we perform qualification audits of CROs or other vendors, we sometimes observe that serious breach SOPs state that the vendor will notify the sponsor of a serious breach after the vendor has investigated and confirmed that the breach is serious. In these cases we always recommend that the vendor contract or quality agreement include stricter notification requirements.  The vendor should always be required to notify the sponsor immediately of any suspected serious breach.  This requirement ensures compliance with the newly-effective EMA guideline, but it also helps ensure that any serious breach investigation can be guided by the sponsor. Vendors typically do not have the access required to fully investigate a suspected serious breach in a clinical trial. Consider a site management organization (SMO), for example, that investigates a fraud allegation against one of its sites. They have access to that site's source data and eCRF data, but not to data from other sites in the study that might enable investigation of trends and outliers. Similarly, a CRO that investigates a data integrity issue may not directly contract with the laboratory that is providing the data. The sponsor is almost always the common point among all the parties in a serious breach investigation.  Even when that is not the case, the sponsor is responsible per GCP for performing a root cause analysis of "noncompliance that significantly affects or has the potential to significantly affect human subject protection or reliability of trial results" (5.20.1 Addendum). Of course, the sponsor can always transfer that responsibility to a CRO or vendor, but if that responsibility is not explicitly transferred in writing, it remains with the sponsor. Bottom line:  All clinical trial service providers must report serious breaches promptly to the sponsor or the delegated party.  During vendor qualification, ensure that vendor SOPs require prompt notification; if not, ensure this requirement is specified in the Master Services Agreement or Quality Agreement unless the sponsor has transferred its obligations for investigating and reporting serious breaches to the vendor.