Compliance

Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for eSIM capable Devices, eUICCs and Subscription Management servers.

The GSMA PRD SGP.24 details the compliance requirements, and expected means to demonstrate compliance, for product designed to the eSIM specifications, SGP.22 and SGP.21. SGP.24 also provides declaration templates to be completed and submitted to GSMA once an eSIM product has proven its compliance by test and/or certification

The compliance requirements focus on security assurance, functionality and interoperability. The result of a successful SGP.24 declaration of compliance is a recognised achievement plus eligibility to use an eSIM Digital Certificate (PKI). This is used for authentication between eUICCs and eSIM Subscription Management servers (SM-DP+ and SM-DS).

Overview

Security Assurance by design

The eUICC IC/hardware platform requirement is Common Criteria certification to the Security IC Platform Protection Profile with Augmentation Package Certification (PP-0084). Certification to PP-0035 is also acceptable.

The eSIM eUICC design are expected to consider the security objectives defined in GSMA SGP.25, with resistance against high-level attack potential. GSMA is investigating an alternative methodology for eSIM using an optimised approach for security evaluation of eSIM capable eUICCs.

Security Assurance in production and SM service location

GSMA’s established Security Accreditation Scheme (SAS) is the required security accreditation for eSIM entities handling sensitive assets. These include MNO profile information and digital certificates. SAS is an audit based scheme, and audit lead time should be considered when planning compliance.

For eUICCs: SAS-UP audits the handling of sensitive data during eUICC production.

For SM-DP+ (and SM-DS): SAS-SM audits the robustness of processes for secure data management at the Subscription Management service location (eg datacentre or other hosting location).

Functional and interoperable

The GSMA eSIM test specification, SGP.23, provides functional and interoperability test cases for eSIM system operation.  It is the basis for eSIM testing for functional compliance and interoperability.

For eUICC:  GlobalPlatform operates SGP.23 based test plans, with associated certification. This incorporates the SIMalliance Interoperable Profile Test Suite (SIMalliance Test Spec). eSIM eUICCs declaring SGP.24 compliance must first be GP qualified, using the GlobalPlatform eSIM test suite.

For SM-DP+ (and SM-DS): eSIM Subscription Management solution developers are responsible for verifying correct functioning of all SM-DP+ interfaces, server and mutual authentication and profile download operations. Commercial SGP.23 test suites are available that fulfil this requirement. Alternatively, MNO based interoperability testing and other methods may be used, if all SGP.23 test scenarios for Subscription Management are covered.

For Devices: GCF and PTCRB have developed test plans based on SGP.23, with associated certification programmes.  eSIM capable devices declaring SGP.24 compliance must first be GCF or PTCRB certified before submitting an SGP.24 declaration.

Connecting to eSIM

eUICCs, SM-DP+ and SM-DS that have performed the pre-requisite test & certifications, submitted an SGP.24 declaration of eSIM compliance and received a confirmation are eligible to use GSMA PKI certificates. Details of the GSMA Root CI Public Key are at this link.

Find out more

Download SGP.24, the eSIM Compliance Process, for full details of active compliance requirements, current specification versions and declaration templates.

For further information on the GSMA eSIM compliance process, please contact RSPCompliance@gsma.com