Gloria Trujillo, eSIM Group Director, GSMA
As connected devices become increasingly embedded in day-to-day life, from the phones in our pockets to the sensors powering smart cities, the pressure on the mobile industry to deliver secure, reliable connectivity has never been greater. At the very centre of this effort is the embedded Universal Integrated Circuit Card (eUICC), a next-generation SIM technology that enables remote, secure management of mobile network profiles. With billions of devices now relying on eUICC, keeping this technology secure against ever-evolving cyber threats is critical to protecting the networks that keep our world connected.
Unlike traditional SIM cards, which must be physically swapped out to change network providers, an eUICC has its operator profiles downloaded, enabled and switched remotely through remote SIM provisioning. A device can therefore move between providers without manual intervention, an essential feature for global IoT deployments, connected cars, and everyday consumer devices that operate across borders.
By 2030, GSMA Intelligence forecasts 38.7 billion IoT connections worldwide, with eSIM technology projected to account for 37% of those connections. Safeguarding these connections is therefore crucial.
As adoption of connected devices continues and cyber threats grow more sophisticated, telecom providers must prove their technologies can withstand today’s security demands. That’s why GSMA’s latest milestone – certifying eUICC Protection Profiles for both consumer and IoT sectors under the internationally recognised Common Criteria framework – represents a significant step forward. This achievement sets a new benchmark for telecom security and will serve as the foundation for greater trust, interoperability, and innovation across the global connected ecosystem.
The Universal Language of Trust: Why Common Criteria Matters
In today’s diverse global landscape, where security standards vary across borders, Common Criteria (CC) has emerged as the international standard for IT security evaluation (ISO/IEC 15408). It gives vendors, evaluation laboratories and certification bodies one shared method for stating what a product must protect against and for checking whether it does, so an evaluation performed in one country means the same thing in another and telecommunications products can be sold across borders with consistent, comparable protection.
Common Criteria’s reach comes from the Common Criteria Recognition Arrangement (CCRA), under which a certificate issued by one member nation’s scheme is recognised by the other members, so a manufacturer can certify a product once and sell it internationally. One caveat matters in practice: CCRA mutual recognition covers evaluations up to EAL2 and those based on collaborative Protection Profiles, while higher assurance levels such as EAL4 and above are recognised among European schemes under the separate SOG-IS Mutual Recognition Agreement. Within those bounds, recognition builds trust among customers, regulatory bodies, and industry partners worldwide.
The EU Cybersecurity Certification Scheme on Common Criteria (EUCC), the first scheme adopted under the EU Cybersecurity Act, builds on this foundation and on the SOG-IS agreement to harmonise security certification across the EU. For telecom providers operating in multiple regions, this unified approach simplifies compliance while ensuring consistent security standards.
Outside the EU, CCRA members include Canada, Australia, Japan, Korea and the United States, among others.
Breaking New Ground: Raising the Security Bar
The GSMA has recently accomplished a significant milestone by obtaining Common Criteria certification of its eSIM Protection Profiles for both Consumer and IoT eUICC products. These certified Protection Profiles establish clear, verifiable security requirements that set a new benchmark for manufacturers and service providers.
This milestone resulted from our partnership with Germany’s Federal Office for Information Security (BSI) – an organisation respected for its stringent certification requirements and vital role in Germany’s secure digital landscape – alongside Deutsche Telekom Security GmbH, whose specialised assessment expertise proved invaluable throughout our certification journey.
“The certification of GSMA’s eSIM Protection Profiles represents a significant advancement in securing critical telecommunications infrastructure,” said Nevena Rupp, General Director Digitisation and Identities of the BSI. “In an era where connected devices are becoming ubiquitous, establishing rigorous, internationally recognised security standards is essential. This certification demonstrates how collaborative approaches between government agencies and industry can effectively address evolving cybersecurity challenges.”
The certified Protection Profile defines, in Common Criteria terms, the security problem an eUICC must solve (the threats, assumptions and policies that apply to it), the security objectives that address that problem, and the security functional and assurance requirements a conforming product has to meet. The Profile specifies evaluation at EAL4 augmented (EAL4+). Certification of the Profile does not by itself certify any product: an eUICC carries this assurance only once it has been evaluated against the Profile by a licensed laboratory and certified at that level by a certification body, with the product’s own certificate naming the Profile it conforms to. That certificate, not the Profile alone, is what a buyer should ask a vendor for when this milestone is cited.
Industry specialists from the GSMA eSIM Working Group, particularly those in the eSIM Security Group, have been instrumental in securing this certification. This team of experts continues to push for recognition within EU regulations, highlighting the teamwork driving GSMA’s security advances.
This achievement not only strengthens the GSMA’s leadership in telecom security but also highlights the growing importance of flexible, globally recognised certification pathways to encourage best practice. As the industry continues to evolve, manufacturers and service providers must navigate a complex landscape of security requirements – balancing the need for strict standards with the realities of product development and market access.
It’s for this reason the telecommunications sector relies on two complementary approaches to eUICC certification: the GSMA’s eUICC Security Assurance (eSA) Scheme and Common Criteria. Together, these methodologies give manufacturers the flexibility to choose the path that best fits their needs while maintaining high security standards.
“We support the mobile ecosystem to be proactive in eUICC security to ensure robust protection and stay ahead of emerging threats,” said Alex Sinclair, Chief Technology Officer of the GSMA. “Common Criteria certification represents the next phase in protection for eUICC and it is far more than a technical milestone – it’s about ensuring trust in the infrastructure that connects us.”
Building Foundations for a Connected Future
Now that we’ve secured Common Criteria certification, our focus is shifting to the next objective: bringing the certified Protection Profile into the EUCC scheme. This move will ensure it is officially recognised under the EU Cybersecurity Certification Framework, helping it reach a wider audience and making it easier for EUCC-aligned organisations to adopt.
We’re also developing clear pathways between eUICC products certified under our eSA scheme and those certified under EUCC. The goal is to make sure these certifications can be recognised across both frameworks, saving time, reducing duplication, and simplifying market access for manufacturers. We’ve already seen how this kind of standardised approach can speed up adoption in areas such as smart cities and connected vehicles.
This milestone is more than a certification; it’s a cornerstone of our broader commitment to the EU Cybersecurity Act and our mission to shape security standards that foster both protection and progress. As digital technologies evolve, the GSMA remains focused on building a resilient, interoperable security ecosystem where trust is embedded in design.
By aligning global standards, championing collaboration and encouraging best practice, we’re not just securing today’s networks, we’re laying the groundwork for a connected future where innovation thrives on a foundation of trust.