Recognising the importance of interoperability and security for products supporting eSIM-based remote SIM provisioning, GSMA has developed a compliance framework for eSIM devices, eUICCs and subscription management servers (SM-DP+ and SM-DS).
Defining common requirements
Published by the GSMA as SGP.24, the eSIM compliance process describes a common set of compliance requirements for eSIM devices designed to the GSMA specifications. The following key aspects of product conformance must be tested and certified:
- Functional interoperability
- eUICC security
- eUICC production site security
- Subscription Management site security
Demonstrating eSIM compliance
To benefit from industry best practice for certification, GSMA has worked with selected global industry bodies recognised for their certification expertise. These certification bodies provide test and certification for functional interoperability and for security. This test and certification is needed before an eSIM product can declare compliance with the eSIM specifications.
- GlobalPlatform (GP) has validated an eUICC functional test suite based on the GSMA eSIM test specification, including the SIMalliance Interoperable Profile. GP also operates an associated GP certification programme.
- Certification by GP, referencing the GSMA eSIM test suite, is recognised as evidence of compliance for eUICCs designed to GSMA’s SGP.21 and SGP.22 core specifications.
- GCF and PTCRB have both validated device functional test cases based on the GSMA eSIM test specification. They have also included the GSMA defined eSIM feature in their respective device certification programmes.
- Certification of an eSIM-enabled device by either GCF or PTCRB is recognised as evidence of compliance for devices designed to GSMA’s SGP.21 and SGP.22 core specifications.
- GCF also operates a GCF standalone certification programme to test eSIM as a standalone functionality. This is also recognised as evidence of compliance for devices designed to GSMA’s SGP.21 and SGP.22 core specifications.
- Certification for eUICC security is Common Criteria certification referencing the GSMA’s SGP.25 Protection Profile for embedded UICC for Consumer Devices. This Protection Profile is registered as BSI-CC-PP-0100 and includes a requirement for certification to PP-0084.
- GSMA’s respected Security Accreditation Scheme (SAS) is the key security accreditation for eSIM components handling sensitive data. Audit based, SAS accredits eUICC production sites and subscription management server sites, ensuring robust data management processes are in place. eUICCs, SM-DP+ and SM-DS are all required to be SAS accredited in respect of data processing and operations.
- A valid SAS accreditation is an important compliance requirement for eUICC, SM-DP+ and SM-DS.
For full details of eSIM compliance requirements, refer to GSMA PRD SGP.24.
Connecting to eSIM
Assurance and authentication for operational eSIM products is based on a public key infrastructure (PKI), as defined in the eSIM specifications. Details of the GSMA Root CI Public Key are published by GSMA; eUICC, SM-DP+ and SM-DS all need PKI certificates to authenticate within eSIM.
PKI certificates may be used by eUICC, SM-DP+ and SM-DS products that have demonstrated compliance with the eSIM specifications.
Find out more
Download SGP.24, the eSIM Compliance Process. This GSMA PRD and its associated annexes provide full details of the compliance requirements, the specification versions currently valid for compliance, and the declaration templates.
For further information on the GSMA eSIM compliance process, please contact RSPCompliance@gsma.com.