Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for M2M remote provisioning eUICCs and Subscription Management servers.
The GSMA PRD SGP.16 details the compliance requirements, and the expected means of demonstrating compliance, for products designed to the M2M remote provisioning specifications SGP.02 and SGP.01. SGP.16 also provides declaration templates to be completed and submitted to GSMA once an M2M remote provisioning product has proven its compliance by test and/or certification.
The compliance requirements focus on security assurance, functionality and interoperability. The result of a successful SGP.16 declaration of compliance is a recognised achievement plus eligibility to use an M2M Digital Certificate (PKI). This is used for authentication between eUICCs and Subscription Management servers (SM-DP and SM-SR).
Security Assurance by design
The eUICC IC/hardware platform requirement is Common Criteria certification to the Security IC Platform Protection Profile with Augmentation Package Certification (PP-0084). Certification to PP-0035 is also acceptable.
M2M eUICC designs are expected to include the design measures necessary to comply with the security objectives of GSMA SGP.05, with resistance against attackers of high attack potential. GSMA is currently investigating an alternative methodology for eSIM using an optimised approach to the security evaluation of M2M remote provisioning eUICCs. In the interim, eUICC manufacturers are able to use an interim methodology with its associated Statement of Security Evaluation template.
Security Assurance in production and SM service location
GSMA’s established Security Accreditation Scheme (SAS) has been adopted as the required security accreditation for M2M remote provisioning entities handling sensitive assets. These include MNO profile information and Digital Certificates. SAS is an audit based scheme, and audit lead time should be considered when planning compliance.
For eUICCs: SAS-UP audits the handling of sensitive data during eUICC production.
For SM-DP and SM-SR: SAS-SM audits the robustness of the processes for secure data management at the Subscription Management service location (e.g. a datacentre or other hosting location).
Functional and interoperable
The GSMA M2M test specification, SGP.11, provides functional and interoperability test cases for M2M system operation. It is the basis for M2M testing for functional compliance and interoperability.
For eUICC: GlobalPlatform operates SGP.11 based test plans, with associated certification. This incorporates the SIMalliance Interoperable Profile Test Suite (SIMalliance Test Spec). M2M remote provisioning eUICCs declaring SGP.16 compliance must first be GP qualified, using the GlobalPlatform M2M test suite.
For SM-DP and SM-SR: M2M remote provisioning Subscription Management developers are responsible for verifying correct functioning of all SM-DP and SM-SR interfaces, and system behaviour. Commercial SGP.11 test suites are available that fulfil this requirement. Alternatively, MNO based interoperability testing and other methods may be used, if all SGP.11 test scenarios for Subscription Management are covered.
Connecting to M2M remote provisioning
eUICCs, SM-DPs and SM-SRs that have performed the prerequisite tests and certifications, submitted an SGP.16 declaration of eSIM compliance and received a confirmation are eligible to use GSMA PKI certificates. Details of the GSMA Root CI Public Key are at this link.
Find out more
Download SGP.16, the M2M Compliance Process, for full details of active compliance requirements, current specification versions and declaration templates.
For further information or in case of any questions on the GSMA M2M compliance process, please contact M2MCompliance@gsma.com