{"id":13484,"date":"2019-08-08T12:12:14","date_gmt":"2019-08-08T11:12:14","guid":{"rendered":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/?page_id=13484"},"modified":"2026-02-23T12:27:36","modified_gmt":"2026-02-23T12:27:36","slug":"what-is-m2m-compliance","status":"publish","type":"page","link":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/","title":{"rendered":"M2M Compliance"},"content":{"rendered":"\n<p>Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for M2M remote provisioning eUICCs and Subscription Management servers.<\/p>\n\n\n\n<p>The GSMA PRD&nbsp;SGP.16&nbsp;details the compliance requirements, and the expected means to demonstrate compliance, for products designed to the M2M remote provisioning specifications, SGP.02 and SGP.01. SGP.16 also provides declaration templates to be completed and submitted to GSMA once an M2M remote provisioning product has proven its compliance by test and\/or certification.<\/p>\n\n\n\n<p>The compliance requirements focus on security assurance, functionality and interoperability. The result of a successful SGP.16 declaration of compliance is a recognised achievement plus eligibility to use an M2M Digital Certificate (PKI). 
This is used for authentication between eUICCs and Subscription Management servers (SM-DP and SM-SR).<\/p>\n\n\n\n<p><strong>Compliance Overview<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1412\" height=\"546\" src=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png\" alt=\"image\" class=\"wp-image-13490\" srcset=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png 1412w, https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M-300x116.png 300w, https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M-768x297.png 768w, https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M-1024x396.png 1024w\" sizes=\"auto, (max-width: 1412px) 100vw, 1412px\" \/><\/figure>\n\n\n\n<p><strong>Security Assurance by design<\/strong><\/p>\n\n\n\n<p>The eUICC IC\/hardware platform requirement is\u00a0Common Criteria\u00a0certification to the Security IC Platform Protection Profile with Augmentation Package Certification (PP-0084 or PP-0117). Certification to PP-0035 is also acceptable.<\/p>\n\n\n\n<p>All GSMA M2M compatible eUICCs that follow the industry GSMA eSIM Specifications (as defined in SGP.01 and SGP.02) need to prove their robustness. This means demonstrating compliance with the product security requirements and objectives specified in SGP.05, with resistance against high-level attack potential.<\/p>\n\n\n\n<p>Currently, there are two permitted methodologies for eUICC manufacturers \u2013 shown below. Both require a certificate reference to demonstrate their security evaluation of resistance to high-level attack potential. 
The permitted methodologies are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Common Criteria PP-0089 Certification report reference<\/li>\n\n\n\n<li>GSMA eSA Certification reference, learn more about it\u00a0HERE.<\/li>\n<\/ul>\n\n\n\n<p><strong>Security Assurance in production and SM service location<\/strong><\/p>\n\n\n\n<p>GSMA\u2019s established\u00a0<a href=\"https:\/\/www.gsma.com\/solutions-and-impact\/industry-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security Accreditation Scheme<\/a>\u00a0(SAS) has been adopted as the required security accreditation for M2M remote provisioning entities handling sensitive assets.\u00a0 These include MNO profile information and Digital Certificates.\u00a0SAS is an audit-based scheme, and audit lead time should be considered when planning compliance.<\/p>\n\n\n\n<p><u>For eUICCs:<\/u>&nbsp;SAS-UP audits the handling of sensitive data during eUICC production.<\/p>\n\n\n\n<p><u>For SM-DP and SM-SR<\/u>: SAS-SM audits the robustness of processes for secure data management at the Subscription Management service location (e.g. datacentre or other hosting location).<\/p>\n\n\n\n<p><strong>Functional and interoperable<\/strong><\/p>\n\n\n\n<p>The GSMA M2M test specification,&nbsp;SGP.11,&nbsp;provides functional and interoperability test cases for M2M system operation.&nbsp; It is the basis for M2M testing for functional compliance and interoperability.<\/p>\n\n\n\n<p><u>For eUICC:<\/u>\u00a0\u00a0GlobalPlatform operates SGP.11 based test plans, with associated certification. This incorporates the TCA Interoperable Profile Test Suite (TCA Test Spec). M2M remote provisioning eUICCs declaring SGP.16 compliance must first have a GlobalPlatform Product Functional Certification.<\/p>\n\n\n\n<p><u>For SM-DP and SM-SR<\/u>: M2M remote provisioning Subscription Management developers are responsible for verifying correct functioning of all SM-DP and SM-SR interfaces, and system behaviour. 
Commercial SGP.11 test suites are available that fulfil this requirement. Alternatively, MNO based interoperability testing and other methods may be used, if all SGP.11 test scenarios for Subscription Management are covered.<\/p>\n\n\n\n<p><strong>Connecting to M2M remote provisioning<\/strong><\/p>\n\n\n\n<p>eUICC, SM-DP and SM-SR that have performed the pre-requisite test &amp; certifications, submitted an SGP.16 declaration of eSIM compliance and received a confirmation are eligible to use GSMA PKI certificates. Details of the GSMA Root CI Public Key are&nbsp;at this&nbsp;<a href=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/gsma-root-ci\/\">link<\/a>.<\/p>\n\n\n\n<div style=\"max-width:75%; margin: 0 auto;\">\n<div data-tid=\"messageBodyContainer\">\n<div data-tid=\"messageBodyContent\">\n<div>\n<div>\n<p><strong>Self-assessment of eUICC Certified products updates<\/strong><\/p>\n<p>To notify software changes on eUICC certified products, there is a GSMA internal operational procedure called EUM Self-assessment of eUICC Certified products updates. 
You can request this document by sending an email to <a title=\"mailto:m2mcomplaince@gsma.com\" href=\"mailto:M2Mcomplaince@gsma.com\">M2Mcomplaince@gsma.com<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<div style=\"max-width:75%; margin: 0 auto;\">\n<div data-tid=\"messageBodyContainer\">\n<div data-tid=\"messageBodyContent\">\n<p>The following steps need to be followed:<\/p>\n<ol>\n<li>GSMA sends the EUM the <strong>Self-assessment of eUICC Certified products updates<\/strong><\/li>\n<li>eSIM vendors complete the <strong>Self-assessment of eUICC Certified products updates <\/strong>and send it to the GSMA Compliance Team<\/li>\n<li>GSMA RSP Compliance Team analyses the proposed changes and:<\/li>\n<\/ol>\n<ul>\n<li>GSMA internal database is updated to reflect the change, the date and the new SW version resulting from the change.<\/li>\n<li>A Note within the IC2 database to indicate the update (in case the product was listed on IC2 previously)<\/li>\n<li>A revision of the previously issued \u2018GSMA Confirmation of PKI Certificate Issuance\u2019 is provided by GSMA (with a revision number). 
This will contain:\n<ul>\n<li>A new \u2018Declared build\u2019 version<\/li>\n<li>A new date<\/li>\n<li>A note at the end indicating that the additional changes have been declared by the EUM as neither RSP, SAS nor TOE related features (the sentence will be further elaborated by the GSMA operations and legal teams)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n\n\n\n<p><strong>Find out more<\/strong><\/p>\n\n\n\n<p>Download <a href=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/esim-m2m-specifications\/\">here <\/a>all the eSIM M2M Specifications referred to in this section, all the SGP.16, the M2M Compliance Process, for full details of active compliance requirements, current specification versions and declaration templates.<\/p>\n\n\n\n<p>For further information or in case of any questions on the GSMA M2M compliance process, please contact&nbsp;<a href=\"mailto:M2MCompliance@gsma.com\" target=\"_blank\" rel=\"noopener noreferrer\">M2MCompliance@gsma.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for M2M remote provisioning eUICCs and Subscription Management servers. The GSMA PRD&nbsp;SGP.16&nbsp;details the compliance requirements, and expected means to demonstrate compliance, for product designed to the M2M remote provisioning specifications, SGP.02 and SGP.01. 
SGP.16 [&hellip;]<\/p>\n","protected":false},"author":36,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","footnotes":""},"tags":[],"class_list":["post-13484","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.8 (Yoast SEO v24.4) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>M2M Compliance - eSIM<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"M2M Compliance\" \/>\n<meta property=\"og:description\" content=\"Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for M2M remote provisioning eUICCs and Subscription Management servers. The GSMA PRD&nbsp;SGP.16&nbsp;details the compliance requirements, and expected means to demonstrate compliance, for product designed to the M2M remote provisioning specifications, SGP.02 and SGP.01. 
SGP.16 [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/\" \/>\n<meta property=\"og:site_name\" content=\"eSIM\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/gsma\/\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-23T12:27:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1412\" \/>\n\t<meta property=\"og:image:height\" content=\"546\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@GSMA\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"M2M Compliance - eSIM","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/","og_locale":"en_US","og_type":"article","og_title":"M2M Compliance","og_description":"Recognising the need to demonstrate product compliance to technical specifications in a common accessible way, GSMA has developed a compliance framework for M2M remote provisioning eUICCs and Subscription Management servers. The GSMA PRD&nbsp;SGP.16&nbsp;details the compliance requirements, and expected means to demonstrate compliance, for product designed to the M2M remote provisioning specifications, SGP.02 and SGP.01. 
SGP.16 [&hellip;]","og_url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/","og_site_name":"eSIM","article_publisher":"https:\/\/www.facebook.com\/gsma\/","article_modified_time":"2026-02-23T12:27:36+00:00","og_image":[{"width":1412,"height":546,"url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@GSMA","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/","url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/","name":"M2M Compliance - eSIM","isPartOf":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/#primaryimage"},"image":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/#primaryimage"},"thumbnailUrl":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png","datePublished":"2019-08-08T11:12:14+00:00","dateModified":"2026-02-23T12:27:36+00:00","breadcrumb":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/#primaryimage","url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png","contentUrl":"https:\/\/www.gsma.com\/
solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/08\/M2M.png","width":1412,"height":546,"caption":"Flowchart illustrating the process for eUICC certification. Includes stages: eUICC + IC Security (SGP.05) and eUICC Production Security (SAS-UP), leading to SGP.16 Declaration. Two paths show interoperability tests, ending in live operation eligibility with eSIM PKI certification."},{"@type":"BreadcrumbList","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/what-is-m2m-compliance\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/"},{"@type":"ListItem","position":2,"name":"M2M Compliance"}]},{"@type":"WebSite","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#website","url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/","name":"eSIM","description":"Rich Communications | HD Voice | VoLTE","publisher":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#organization","name":"eSIM","url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#\/schema\/logo\/image\/","url":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/04\/GSMA_logo_colour_web.jpg","contentUrl":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-content\/uploads\/2019\/04\/GSMA_l
ogo_colour_web.jpg","width":1000,"height":1000,"caption":"eSIM"},"image":{"@id":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/gsma\/","https:\/\/x.com\/GSMA"]}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/pages\/13484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/comments?post=13484"}],"version-history":[{"count":24,"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/pages\/13484\/revisions"}],"predecessor-version":[{"id":19000,"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/pages\/13484\/revisions\/19000"}],"wp:attachment":[{"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/media?parent=13484"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gsma.com\/solutions-and-impact\/technologies\/esim\/wp-json\/wp\/v2\/tags?post=13484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}