eSIM – The necessity of compliance

“A compliance process for eSIM”. This has been a clear request during the development of eSIM.  But what does that mean, and why is it important?

 

Building and maintaining confidence in a new technology is essential. Agreeing a set of criteria that validate a product’s implementation of a technology is the first step in building that confidence.  The second step is to formalise and communicate the means of demonstrating compliance to the agreed criteria with a common compliance process.  This process needs to be accessible, achievable and recognisable as the mark of assurance for products and services that support the technology.

With the increasing and changing ways that consumers and organisations are purchasing and using mobile network devices, the eSIM establishes a twenty-first century means of provisioning devices with the operator data needed for use in a mobile network.  Providing an alternative to the pre-provisioned, varyingly sized, plastic SIM cards used today, eSIM capable devices are designed to be remotely provisioned with operator credentials.

Aware of the ever-increasing need for vigilance, the key compliance requirements for eSIM are not only the important functional interoperability, but also the assurance of security relating to the handling of operator credentials.  Security needs to be handled to at least the same level of confidence as a traditional SIM.  These considerations have led to three distinct criteria groups for eSIM compliance:

  • Functional interoperability, referencing test cases specifically designed to test eSIM functionality and interfaces
  • Platform security, referencing industry standard protection profiles for the UICC platform, as well as an additional protection profile specifically developed to address eSIM technology
  • Site security, ensuring robust physical and data security processes at sites that generate and encode the highly sensitive data loaded into an eSIM device.

Mindful of the importance of global accessibility, GSMA has reached out to respected global organisations in the fields of test and certification.  All have established processes that ensure fair and accessible means to demonstrate compliance:

  • For eUICCs: GlobalPlatform, SIMAlliance , Common Criteria and GSMA SAS
  • For Devices: Global Certification Forum (GCF) and PTCRB

The eSIM compliance process specifically references these programmes, as applicable to eSIMs, eSIM capable devices and eSIM infrastructure product.  The assurance provided by the compliance process is so critical to eSIM operation that eSIMs and eSIM infrastructure must demonstrate compliance before being issued with the X509 PKI certificates necessary to authenticate within the GSMA eSIM ecosystem.

Available to any eSIM product that has successfully completed the eSIM compliance programme, the GSMA eSIM logo is a mark of eSIM assurance for products supporting the technology.  This voluntary logo aims to help organisations promote their compliant eSIM enabled products.

An industry agreed assurance baseline of compliance criteria that references the eSIM specifications, is appropriate to the technology, and has globally accessible processes to demonstrate compliance.  These factors ensure a compliant product is globally recognised as one that will operate correctly; both functionally and securely.

Compliance is an assurance necessity for the expanding eSIM industry. The eSIM compliance process is an efficient and effective way to demonstrate eSIM product compliance, that is open and accessible to the industry.

For more information on:

  • The GSMA compliance process, including specific requirements and declaration templates, download SGP.24.

eSIM, including eSIM compliance, visit the eSIM pages of the GSMA website.