Experts from the GSMA, STMicroelectronics and Vodafone outline how rigorous compliance and certification processes are supporting the rollout of eSIM products.
In 2025, the market for embedded SIMs (eSIMs) is set to see strong growth. One of the engines of this expansion is the GSMA’s new IoT eSIM specification, which is now being commercialised. By reducing fragmentation, the new specification will reduce the cost of deploying eSIMs for IoT applications, compared with proprietary solutions
With new players participating in the eSIM market, the GSMA hosted a webinar in which experts from the GSMA, STMicroelectronics and Vodafone outlined the value of eSIM compliance and certification, and the processes involved. The benefits of standardisation, which include new business opportunities and interoperability, are also set to be big themes at the forthcoming eSIM Summit at MWC25 Barcelona.
Shoring up eSIM security
One of the biggest drivers for eSIM compliance and certification is, of course, security – end users want assurance that the eSIMs they are relying on haven’t been compromised. The security requirements set by GSMA compliance and certification apply to software, hardware, production site and server implementation. During the webinar, Gloria Trujillo Gonzalez, eSIM Working Group Director, GSMA, outlined the schemes run by the GSMA covering eUICC software security and production site and server implementation security.
The GSMA runs two types of security accreditation schemes (SAS) – SAS for UICC[1]/eUICC Production (SAS-UP) and SAS for Subscription Management (SAS-SM), which both help to reduce the risk of disclosure of authentication parameters. Gloria Trujillo Gonzalez explained that SAS-UP also minimises the risk of the loss or theft of branded cards and logos, and SIM clones, while SAS-SM reduces the risk of fake entities being accepted as authorised and then sending authorised profile management requests to the eSIM.
Last year, the GSMA certified 69 sites for SAS-UP (with just over half of these sites in Asia) and 42 sites for SAS-SM (with 37% of these in Europe and 27% in Asia). Each certification involves a four-to-five-day on-site audit by GSMA-appointed auditors.
To support eUICC software security, the GSMA runs the eSIM Security Assurance (eSA) scheme , which Gloria Trujillo Gonzalez explained applies to the combined hardware and software components implementing eUICC holding profiles for remote provisioning, excluding the specific profiles themselves. In conjunction with chip certification, eSA guards against a variety of risks, including physical attacks, logical attacks, unauthorised profile/platform management, eUICC cloning, identity tampering and unauthorised access to the mobile network. To date, 12 products have completed eSA certification, while the process is ongoing for a further 20 products.
Ensuring eSIMs and the ecosystem works as intended
Security isn’t the only driver for compliance and certification. Stephen Packer, eSIM Working Group Director, GSMA, outlined how GlobalPlatform certifies the functionality of eUICCs, and the Global Certification Forum (GCF) and the PTCRB (PCS Type Certification Review Board) certifies the functionality of the corresponding devices. The functionality of eSIM servers is checked via self-testing or a third-party test tool.
Guido Abate, Secure Mobile Standardisation Manager, STMicroelectronics, introduced GlobalPlatform as an organisation, explaining how the functional certification scheme for the eUICC works – it uses test cases developed by the GSMA eSIMWG3 eSIM Test Group, which are validated within the GlobalPlatform’s functional certification program, and are then applied for every eUICC design. Since the inception of the GlobalPlatform eSIM certification programme in 2018, GlobalPlatform has certified 27 eUICC M2M and 110 eUICC consumer products, Guido Abate told the webinar
To ensure that new devices will work with networks, the GCF certifies more than 600 device models annually, explained Hajo Schulze, Head of Section Device Certification at Vodafone GmbH, and director of the GCF board, which has more than 350 member companies, including most major mobile and IoT global brands.
The GCF runs an eSIM RSP (remote SIM provisioning) certification process designed around the GSMA’s eSIM documentation, thereby ensuring correct functionality and interoperability. In 2024, the GCF certified a total of 197 devices for RSP, up from 170 in 2023 and 134 in 2022. The ongoing growth in the number of GCF RSP certified devices highlights “that eSIM is more and more getting also into the low tier segment of the devices.” Hajo Schulze noted.
He went on to explain that Vodafone supports GCF Certification because it enables the operator to eliminate a lot of defects, while device testing would be costly and time consuming for individual operators to perform. He noted that the GCF covers the vast majority of Vodafone’s test cases, while driving standardised test methods and test equipment. In essence, the GCF process delivers a “test once – use anywhere” benefit for the entire industry, Hajo Schulze added.
Bringing it all together
The final piece of the puzzle is the eSIM Compliance Process, which is designed to ensure the quality of eSIM products by verifying their compliance with GSMA industry specifications for eSIM products. This process involves the issuance of digital certificates or confirmation of compliance, giving compliant eSIM products secure access to the GSMA eSIM ecosystem.
Working in tandem, the compliance and certification processes run by the GSMA, GlobalPlatform and the GCF ensure that the eSIM products and solutions are secure, and can be easily deployed by mobile operators and their customers across the world.
For more information about eSIM compliance and certification, see the recording of the webinar and attend the eSIM Summit at MWC25 Barcelona.
[1] Universal Integrated Circuit Card – the software component of the eSIM.