Compliance

Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for eSIM capable Devices, eUICCs and Subscription Management servers.

The GSMA PRD SGP.24 details the compliance requirements, and the expected means of demonstrating compliance, for products designed to the eSIM specifications, SGP.22 and SGP.21. SGP.24 also provides declaration templates to be completed and submitted to GSMA once an eSIM product has proven its compliance by test and/or certification.

The compliance requirements focus on security assurance, functionality and interoperability. The result of a successful SGP.24 declaration of compliance is a recognised achievement plus eligibility to use an eSIM Digital Certificate (PKI). This is used for authentication between eUICCs and eSIM Subscription Management servers (SM-DP+ and SM-DS).

Overview

Security Assurance by design

The eUICC IC/hardware platform requirement is Common Criteria certification to the Security IC Platform Protection Profile with Augmentation Package Certification (PP-0084 or PP-0117). Certification to PP-0035 is also acceptable.

All GSMA eSIM compatible eUICCs that follow the industry GSMA eSIM Specifications (as defined in SGP.21 and SGP.22) need to prove their robustness. This means demonstrating compliance with the product security requirements and objectives specified in SGP.25, with resistance against high-level attack potential.

Currently, there are two permitted methodologies for eUICC manufacturers – shown below. Both require a certificate reference to demonstrate that the security evaluation showed resistance to high-level attack potential. The permitted methodologies are:

Security Assurance in production and SM service location

GSMA’s established Security Accreditation Scheme (SAS) is the required security accreditation for eSIM entities handling sensitive assets, such as MNO profile information and digital certificates. SAS is an audit-based scheme, and audit lead time should be considered when planning compliance.

For eUICCs: SAS-UP audits the handling of sensitive data during eUICC production.

For SM-DP+ (and SM-DS): SAS-SM audits the robustness of processes for secure data management at the Subscription Management service location (e.g. a data centre or other hosting location).

Functional and interoperable

The GSMA eSIM test specification, SGP.23, provides functional and interoperability test cases for eSIM system operation. It is the basis for eSIM testing for functional compliance and interoperability.

For eUICC: GlobalPlatform operates SGP.23 based test plans, with associated certification. This incorporates the TCA Interoperable Profile Test Suite (TCA Test Spec). eSIM eUICCs declaring SGP.24 compliance must first have a GlobalPlatform Product Functional Certification.

For SM-DP+ (and SM-DS): eSIM Subscription Management solution developers are responsible for verifying correct functioning of all SM-DP+ interfaces, server and mutual authentication and profile download operations. Commercial SGP.23 test suites are available that fulfil this requirement. Alternatively, MNO based interoperability testing and other methods may be used, if all SGP.23 test scenarios for Subscription Management are covered.

For Devices: GCF and PTCRB have developed test plans based on SGP.23, with associated certification programmes. eSIM capable devices declaring SGP.24 compliance must first be GCF or PTCRB certified before submitting an SGP.24 declaration.

Self-assessment of eUICC Certified products updates

To notify GSMA of software changes on eUICC certified products, there is a GSMA internal operational procedure called EUM Self-assessment of eUICC Certified products updates. You can request this document by sending an email to [email protected]

The following steps must be followed:

  1. GSMA sends the EUM the Self-assessment of eUICC Certified products updates form.
  2. The eSIM vendor completes the Self-assessment of eUICC Certified products updates form and sends it to the GSMA Compliance Team.
  3. The GSMA RSP Compliance Team analyses the proposed changes and:
  • The GSMA internal database is updated to reflect the change, the date and the new SW version resulting from the change.
  • A note is added within the IC2 database to indicate the update (in case the product was listed on IC2 previously).
  • A revision of the previously issued ‘GSMA Confirmation of PKI Certificate Issuance’ is provided by GSMA (with a revision number). This will contain:
    • A new ‘Declared build’ version
    • A new date
    • A note at the end indicating that the additional changes have been declared by the EUM as neither RSP, SAS nor TOE related features (the sentence will be further elaborated by the GSMA operations and legal teams)

Connecting to eSIM

eUICCs, SM-DP+ and SM-DS that have completed the prerequisite tests and certifications, submitted an SGP.24 declaration of eSIM compliance and received a confirmation are eligible to use GSMA PKI certificates. Details of the GSMA Root CI Public Key are at this link.

Find out more

Download here all the eSIM Consumer Specifications referred to in this section, together with the eSIM Compliance Process document, for full details of active compliance requirements, current specification versions and declaration templates.

For further information on the GSMA eSIM compliance process, please contact [email protected]