eSIM Compliance

GSMA has created a compliance framework for eSIM devices, eUICCs, and Subscription Management servers to ensure they meet the GSMA Remote SIM Provisioning specifications.

The eSIM Compliance Process is essential for safeguarding Remote SIM Provisioning digital infrastructures. It not only enhances customer confidence but also drives industry innovation. In the eSIM ecosystem, the GSMA Compliance Process acts as the regulatory framework that ensures every component, from software to hardware, meets rigorous security standards. It is the backbone that supports trust, security, and interoperability across global networks.

The eSIM Compliance Process outlines the requirements and provides templates for declaring compliance. These requirements focus on security, functionality, and interoperability. Successfully meeting these compliance requirements allows the use of an eSIM Digital Certificate for authentication between eUICCs and Subscription Management servers.

The database of GSMA eSIM Compliance Products is available within the GSMA Member Gateway Platform for GSMA members.

RSP Architecture Elements Certification Journey

eUICC Compliance Process


The eUICC Certification Journey

Steps to follow for eUICC Compliance

1. IC Chip Security:
Demonstrate that the eUICC has an IC chip with a PP-0084 Common Criteria certificate. This is a mandatory requirement.

2. SW Security:
Demonstrate that the eUICC has robust certified software. This is a mandatory requirement that you need to fulfill by demonstrating that the software has either a PP-0100 Common Criteria certificate or a PP-0100 eSA Scheme certificate. You can learn more about the eSA Scheme HERE.

3. Site Compliance:
Ensure that your eUICC manufacturing plant is certified. This is a mandatory requirement that you need to fulfill by going through the GSMA SAS-UP audit process. Book an audit with one of the appointed GSMA auditors. For more information, please check the GSMA SAS web page or contact [email protected].

4. Functional Compliance:
Demonstrate that the eUICC has successfully passed the functional certification based on SGP.23-1 for Consumer eUICC and SGP.33-1 for IoT eUICC. This is a mandatory requirement that you need to fulfill by going through the GlobalPlatform functional certification process using one of the test tools certified by GlobalPlatform. You can find more information about the GlobalPlatform functional certification for eUICC HERE.

5. Declaration Forms to GSMA:
Follow the GSMA compliance process document, fill out and sign the eUICC information in the SGP.24 Annexes A.1 and A.3 forms, and send them to [email protected].

6. GSMA Database Visibility:
Indicate the visibility of your product in Annex A.1. Options include:

  • Visible on GSMA Compliance Database to all GSMA Members
  • Visible on GSMA Compliance Database to all GSMA MNOs and MVNOs Members only
  • Not visible on GSMA Compliance Database (GSMA internal database only)
  • Not visible on GSMA Member Gateway temporarily. Date for publication on GSMA Compliance Database will be provided later.

In the first two options, the product name and company plus some minor information regarding your product will be visible to all GSMA members, but the declaration forms will only be visible to the selected group (All or MNO/MVNO). In the last two options, the product will only be visible to GSMA staff. Listing on the GSMA database is optional but recommended to ensure visibility of your certified product.

7. GSMA Issues the GSMA Compliance Confirmation:
After verifying the information, GSMA will issue the GSMA Confirmation of Compliance Information document for your eUICC product.

8. Obtain Digital Certificate from GSMA Certificate Issuer:
Contact one of the GSMA Certificate Issuers listed under the GSMA Certificate Issuers Page to obtain your Consumer PKI and TLS certificate. They will request information to establish a contract, confirm compliance from GSMA (previous step), and assign a key ceremony date to issue a certificate for your company.

9. Product to Market:
Once the above steps are completed, you can use the PKI certificate on the declared SAS-UP site (with PKI management within its scope) for the production of the eUICC product declared to GSMA.

IMPORTANT NOTES:

  • Ensure you use the latest version and annexes of SGP.24, which can be found HERE under the SGP.24 tab.
  • Engage with the GSMA Certificate Issuer well in advance to complete their enrollment process, as this step may delay your overall time to market. Information on GSMA CIs can be found within the GSMA Certificate Issuers Page.

SM-XX Compliance Process


SM-XX Certification Journey

Steps to follow to declare SM-XX Compliance

1. Site Compliance:
Ensure that your SM-DP+ and/or SM-DS implementation and hosting sites are certified. This is a mandatory requirement and must be done following the GSMA SAS-SM standards, methodology, and process. Book an audit with one of the appointed GSMA auditors. For more information, please check the GSMA SAS web page or contact [email protected].

2. Functional Compliance:
Demonstrate functional compliance based on SGP.23. This is a mandatory step that can be done using self-testing methods or available test tools on the market. Fill out the declaration form SGP.24 Annex A.4 for SM-DP+ and/or Annex A.5 for SM-DS.

3. Declaration Forms to GSMA:
Follow the GSMA compliance process document, then fill out and sign the SGP.24 Annexes A.1 and A.4 forms for SM-DP+ and the SGP.24 Annexes A.1 and A.5 forms for SM-DS. Send the completed forms to [email protected].

4. GSMA Database Visibility:
Indicate the visibility of your product in Annex A.1. Options include:

  • Visible on GSMA Compliance Database to all GSMA Members
  • Visible on GSMA Compliance Database to all GSMA MNOs and MVNOs Members only
  • Not visible on GSMA Compliance Database (GSMA internal database only)
  • Not visible on GSMA Member Gateway temporarily. Date for publication on GSMA Compliance Database will be provided later.

In the first two options, the product name and company plus some minor information regarding your product will be visible to all GSMA members, but the declaration forms will only be visible to the selected group (All or MNO/MVNO). In the last two options, the product will only be visible to GSMA staff. Listing on the GSMA database is optional but recommended to ensure visibility of your certified product.

5. GSMA Issues the GSMA Compliance Confirmation:
After verifying the information, GSMA will issue a GSMA Confirmation of Compliance Information document for your SM-DP+ and/or SM-DS.

6. Obtain Digital Certificate from GSMA Certificate Issuer:
Contact one of the GSMA Certificate Issuers listed under the GSMA Certificate Issuers Page to obtain your Consumer PKI and TLS certificate. They will request information to establish a contract, confirm compliance from GSMA (previous step), and assign a key ceremony date to issue a certificate for your company.

7. Product to Market:
Once the above steps are completed, you can use the PKI and TLS certificates for your SM-DP+ or SM-DS products in the accredited SAS-SM sites to operate your SM-DP+ or SM-DS services.

IMPORTANT NOTES:

  • Ensure you use the latest version and annexes of SGP.24, which can be found HERE under the SGP.24 tab.
  • Engage with the GSMA Certificate Issuer well in advance to complete their enrollment process, as this step may delay your overall time to market. Information on GSMA CIs can be found within the GSMA Certificate Issuers Page.

eIM Compliance Process

Consumer Device (LPAd) Compliance Process

IoT Device (IPAd) Compliance Process

Find out more

Download all the eSIM Consumer Specifications referred to in this section, together with the eSIM Compliance Process, for full details of active compliance requirements, current specification versions and declaration templates.

For further information on the GSMA eSIM compliance process, please contact [email protected]