Ensuring compliance with the specification

The technical basis for GSMA M2M Remote Provisioning for embedded UICC (eUICC) is described by GSMA SGP.01 and SGP.02.  These technical specifications provide the necessary details to enable remote provisioning solution providers to develop GSMA compliant Remote Provisioning product, and Subscription Management services.

Aside from the specifications describing technical implementation, it is beneficial for a technology to have a commonly agreed means to recognise the compliance of developed products.

GSMA has developed such a compliance programme for M2M Remote Provisioning for eUICC.  Its purpose is to describe the key test and accreditation expectations for eUICC and Subscription Management solutions that have been designed to SGP.01 and SGP.02.

Products that successfully fulfil the compliance requirements are eligible to purchase GSMA Digital Certificates, used to authenticate with other M2M remote provisioning system elements.

Compliance Process Overview

The GSMA M2M compliance process is SGP.16, and lists the following areas for compliance with the GSMA M2M specifications:

  • Functional interoperability of all entities
  • Security of provisioning entities
    • By design (for eUICC)
    • In production (for eUICC)
    • At the operational location (for SM-DP and SM-SR)

The outcome of a successful compliance submission is eligibility for the Digital Certificate (PKI), needed for system authentication between the eUICC and M2M remote provisioning subscription management entities, SM-DP and SM-SR.


Demonstrating compliance

In order to benefit from industry best practice for certification, GSMA has worked with specific global certification bodies that are:

  • Recognised in the eUICC industry for test and certification expertise in either functional interoperability or security,
  • Accessible to all organisations planning to operate in the GSMA defined M2M remote provisioning environment.

The test and certification from these organisations, together with defined areas of vendor owned testing, form the basis for an M2M remote provisioning product to declare compliance with the M2M specifications.

Functional interoperability:

GSMA has developed an M2M test specification, SGP.11.  This provides test cases for each of the entities defined in the eUICC remote provisioning ecosystem, and for all test scenarios judged as key for a compliant product. Each test case references one or more requirements from the SGP.02 technical specification, with testing scopes covering:

  • Interface interoperability
  • System behaviour testing

For eUICC:  The SGP.11 requirements applicable to eUICC have been integrated into the test & certification programme of GlobalPlatform.

  • GlobalPlatform has developed an SGP.11 based M2M test plan and certification programme for functional interoperability testing.
  • Embedded UICC wishing to declare SGP.16 compliance must first be GP qualified to the GlobalPlatform M2M test suite.

For SM-DP and SM-SR: In order to declare SGP.16 compliance, vendors are required to develop and execute their own SGP.11 based test plans.

  • These vendor owned test plans will typically use either simulated testing via commercially available test equipment, or MNO based interoperability testing.
  • Whichever methodology is selected the vendor owned test plan must reference the SM-DP and SM-SR test requirements from SGP.11.

Security of provisioning entities:


Product Security by design

The security of the embedded UICC design is required to be assured on two levels:

At the hardware level: certification to BS-CC-PP-0084, or its predecessor, BS-CC-PP-0035.  This is the industry recognised security IC Protection Profile.

At the embedded UICC functional level: BSI-CC-PP-0089.  This is a protection profile developed specifically for the embedded UICC.

Methodologies and certification are available through Common Criteria laboratories and Certification Bodies with competence in the SOG-IS Smartcard technical domain.

Security in operation

GSMA’s long established, industry respected, Security Accreditation Scheme (SAS) has been adopted as the required security accreditation for M2M entities handling sensitive assets, and provisioning assets; including MNO profile information and Digital Certificates.  SAS is an audit based scheme and the preparation time for audit should be taken into account when planning a compliance campaign for eUICC, SM-SR and SM-DP.

For eUICC production: a SAS-UP audit comprehensively reviews the handling of sensitive data during eUICC production.  A valid GSMA SAS-UP accreditation is required in order to declare SGP.16 compliance.

For SM-DP and SM-SR operational location: a SAS-SM audit assesses the robustness of processes affecting secure data management at the Subscription Management datacentre.  A valid GSMA SAS-SM accreditation is required in order to declare SGP.16 compliance.

Connecting to M2M remote provisioning

Assurance and authentication for operational M2M remote provisioning is based on a GSMA root public key interface (PKI), as defined in the M2M specifications. eUICC, SM-DP and SM-SR all need a PKI Digital Certificate to operate within GSMA M2M remote provisioning.

The end result of a successful SGP.16 compliance declaration is a GSMA confirmation for PKI issuance.  This is accepted by the GSMA M2M CI as proof of eligibility for a Root PKI certificate.  Details of the M2M Root CI can be found at this link.


  • The PKI certificate will not be issued by the Root CI without proof of eligibility.
  • Organisations intending to apply for a PKI certificate are advised to initiate contract discussions with the M2M Root CI in advance, in order to avoid delays once their compliance process is successfully completed.
  • The CI is generally able to issue test certificates for test purposes, contact the CI for details.

Find out more

Download SGP.16, the eSIM Compliance Process.  This GSMA PRD, and its associated annexes provides full details of compliance requirements and current valid specification versions for compliance.  It also includes the declaration templates necessary to make a compliance declaration.

For further information or in case of any questions on the GSMA M2M compliance process, please contact M2MCompliance@gsma.com



The importance of Embedded SIM certification to scale the Internet of Thing As a provider of connected devices why should you care about test and certification of Embedded SIM? Because it enables your devices to reach market faster since they do not need...

Read more | See all Resources

Webinar Highlights: Changing of the SIM Card – Are You Ready for Remo Remote SIM Provisioning is one of the most exciting technologies in the M2M market and has the potential to accelerate the delivery of millions of connected devices across the g...

Read more | See all Resources

Remote Provisioning Architecture for Embedded UICC Technical Specification This document provides a technical description of the GSMA’s ‘Remote Provisioning Architecture for Embedded UICC’. Download...

Read more | See all Resources

Architecture for Embedded UICC Test Specification v3.1 These test specifications are to be used by test labs to develop test for the principal components and interfaces of the GSMA’s Remote Provisioning Architecture for Embedded UI...

Read more | See all Resources

The GSMA IoT Webinar Series 2016-17 This webinar series explores key initiatives to accelerate the delivery of new connected services and devices in the Internet of Things (IoT). Topics will be explored and discuss...

Read more | See all Resources

Simplifying the adoption of compliant M2M solutions The recent backing of the GSMA Embedded SIM Specification from a large number of global auto manufacturers suggests that it is on the way to becoming the de-facto standard mechan...

Read more | See all Resources

Mobile IoT Case Study: How Asia Pacific Intelligently Connects to IoT This report shows how LTE-M and NB-IoT are being deployed in the Asia Pacific region. Drawing on interviews with mobile operators and their partners, the report describes six ver...

Read more | See all Industry News

Mobile IoT Toolkit The Mobile IoT Toolkit is designed for mobile network operators and IoT developers to quickly get started with IoT solutions development and deployment. For further information o...

Read more | See all Industry News

IoT Takes Centre Stage as Mobile World Congress Rolls into View Mobile World Congress is approaching again – running from 25 February to 28 February in Barcelona – and IoT is naturally remaining centre stage. The 8th Mobile IoT Summit is ...

Read more | See all Industry News

Top 5 IoT Innovations at CES 2019 that Caught our Eye As operators expand their commercial horizons ever more broadly with the rise of IoT – becoming not only the providers of connectivity, but connected services themselves – th...

Read more | See all Industry News

5G and Mobile IoT Prove Natural Partners for the Year Ahead Svetlana Grant, IoT Programme Director, GSMA There are times when some in the industry quietly wish 5G had been given another name.  The capability leap is simply not comparable...

Read more | See all Industry News

LTE-M Commercialisation Case Study: How AT&T and Telstra Connect Milli This paper outlines how two of the world’s leading mobile operators – AT&T and Telstra – are using LTE-M technology to roll out innovative new services. In...

Read more | See all Industry News

8th Mobile IoT Summit February 24, 2019 *Please note that as maximum capacity has been reached, online registration has now closed Join the 8th Mobile IoT Summit to hear the latest industry updates from senior IoT expe...

Read more | See all Internet of Things Events

MWC Barcelona 2019 February 24, 2019 Join the GSMA’s Internet of Things programme at MWC Barcelona 2019 to discover and shape the future of the IoT. Through a series of seminars, exhibitions and technology sho...

Read more | See all Internet of Things Events

MWC19 Barcelona Seminar: The Internet of the Skies – Conne February 26, 2019 Tuesday, 26 February 2019, 11:00 – 12:30 Seminar Theatre 1, Hall 1, South Entrance (Level 1), Fira Gran Via – Download Directions – This GSMA seminar explores real life cas...

Read more | See all Internet of Things Events

MWC19 Barcelona Seminar: Future Proofing the Internet of Thi February 26, 2019 Seminar Theatre 1, CC1.5, Hall 1, South Entrance (Level 1), Fira Gran Via – Download Directions – Without security, today’s vision for the Internet of Things cannot...

Read more | See all Internet of Things Events

MWC19 Barcelona Seminar: Operator Capability – Unlocki February 26, 2019 Seminar Theatre 1, CC1.5, Hall 1, South Entrance (Level 1), Fira Gran Via – Download Directions – Learn about pioneering IoT industry achievements in China. The IoT i...

Read more | See all Internet of Things Events

MWC19 Barcelona Seminar: Beyond Connectivity – Operato February 27, 2019 Wednesday, 27 February 2019,  13:30 – 15:30  Seminar Theatre 1, Hall 1, South Entrance (Level 1), Fira Gran Via – Download Directions – This GSMA seminar explores new mob...

Read more | See all Internet of Things Events