-
The GSMA Specifications
-
While the GSMA (the Global System for Mobile Communications Association) certification is not obligatory for eUICC hardware and SIMs, most providers do follow the GSMA industry and security standards. Moreover, they may pass independent security evaluations and certifications from other recognized organizations to demonstrate reliability of their products.
The GSMA certification programs, such as the GSMA SAS (Security Accreditation Scheme) and SGP.02 compliance, cover the certification and security evaluation of eUICC modules and devices. Adhering to the GSMA specifications, manufacturers, mobile network operators, and service providers can ensure that their eUICC-enabled devices and services are compatible with each other and meet certain quality and security standards.eUICC-enabled SIM protocols ensure security and integrity for data transfer, while the distribution channels may contain a ‘business logic’ that is sometimes quite demanding in terms of device connections control. The GSMA provides 3 basic solutions to deal with the challenge.
-
a. eSIM for M2M
The GSMA’s Embedded SIM Specification for M2M (eSIM for M2M) deals with “business-to-business to consumer” channels. This specification provides a framework for the architecture, technical implementation, testing, security, and compliance of eUICCs and eSIMs for M2M and IoT use cases, ensuring interoperability, reliability, and security in IoT deployments.
Architecture Specifications in M2M are controlled with SGP.01 which outlines the components and interfaces involved in the provisioning and management of eUICC profiles in M2M devices.
Technical Specifications are represented by SGP.02. It provides the necessary technical details and requirements for eUICC technology implementation, including aspects such as profile management, security, and interoperability.
Test Specifications are carried out by SGP.11 eSIM Test Specifications that involve testing procedures and requirements for further evaluation of compliance and performance of eUICC-capable M2M devices. This may include criteria for profile management, network connectivity, security, and OTA provisioning.
Compliance Certification is related to SGP.16 M2M eSIM Compliance. This standard lays out the requirements and procedures for obtaining compliance certification, ensuring adherence to industry standards and specifications.
Security Specifications include:SGP.08 which focuses on the security evaluation flow for eUICC.
SGP.18 which enables security evaluation requirements based on the PP-0117 (Protection Profile 0117) for integrated eUICCs.
GSMA eUICC security assurance specifications give the security assurance requirements and processes for eUICCs.
SGP.05 M2M defines the protection profile specifications for M2M eSIMs, including security requirements and guidelines for the design and implementation of secure eUICC solutions.
SGP.14 eUICC PKI Certificate Policy V2.0 shares certificate policy for Public Key Infrastructure (PKI) certificates used in eUICCs.
-
b. eSIM Consumer Specifications
Consumer solution is a ‘direct-to-consumer’ channel. This solution is required when the end user can choose the operator providing connectivity. Overall, it implies a relatively high level of end user interaction, taking into account that one is familiar with operating the interface, with easily choosing between network providers. The solution works for companies utilizing devices aimed at the consumer market. Learn more.
Architecture Specifications:SGP.21 eSIM Architecture Specification defines eUICC architecture and gives implementation guidelines. The specification covers eUICC structural and functional aspects, such as the data models, data structures, and protocols used for managing subscriptions and profiles.
SGP.31 eSIM IoT Architecture and Requirements Specification is also focused on architecture as well as requirements in terms of using eUICC in IoT deployments.
Technical Specifications include:
SGP.22 eSIM Technical Specifications covers details of eUICC functionality like protocols, commands, and data structures.
SGP.32 eSIM IoT Technical Specification involves unique requirements and features such as profile management, security and authentication protocols, storage and management of device identifiers, certificates and more.
Test Specifications are represented by:
SGP.23 eSIM Test Specifications provide basic requirements and procedures in order to ensure eUICC interoperability and compliance. It’s a standardized testing framework evaluating eUICC functionality and entailing Profile management, connectivity, security, and OTA testing.
SGP.26 eSIM Test Certificates give a formal recognition of compliance and interoperability for eUICC-capable devices, proving that they passed necessary tests related to functionality, security, and performance criteria.
Compliance Specifications are associated with SGP.24 which outlines the compliance process for eUICC-capable devices and the basic requirements to reach this compliance.
Security Standards include the following groups:SGP.08 (discussed in M2M above)
SGP.18 (discussed in M2M above)
GSMA eUICC Security Assurance Specifications give the security assurance requirements and processes for eUICCs.
SGP.25 eUICC for Consumer Device Protection Profile V1.0 implies protection profile for eUICCs used in consumer devices, focusing on security and privacy aspects.
SGP.14 eUICC PKI Certificate Policy V2.0 shares certificate policy for Public Key Infrastructure (PKI) certificates used in eUICCs.
-
c. eSIM IoT Specifications
Consumer IoT is referred to as the new GSMA eUICC IoT Specification published in Q2 2023. These include Remote SIM provisioning standards SGP 31 and SGP 32. The aim of Consumer IoT is simply to overcome the challenges faced by 2 existing standards and to make profile provisioning for IoT devices as seamless as possible. These standards support eUICC use cases focused for constrained devices such as devices without UIs, operating on LPWAN technologies etc. It removes the complex integrations and gives control back to the customer. Find more information on GSMA website.
-
-
Other eUICC Standards
-
Beyond the GSMA, other organizations and standards bodies play a role in shaping the eUICC landscape. For example, the European Telecommunications Standards Institute (ETSI) engages in consumer IoT standardization activities, encompassing radio layer specifications in 3GPP (Third Generation Partnership Project) and service-level specifications in oneM2M. ETSI's work contributes to advancements in smart M2M communications, IoT semantic interoperability, and context information management. Learn more.
Additionally, the Trusted Connectivity Alliance (formerly SIM Alliance) defines technical specifications for eUICC Profile Package interoperability formats. These specifications ensure that compliant eUICCs can effectively install profile packages across different devices and platforms, fostering interoperability and simplifying deployment processes. Learn more.As the IoT landscape continues to evolve, adherence to these standards and specifications is essential to foster secure, scalable, and interoperable eUICC-enabled IoT deployments. Compliance with industry-recognized security standards, such as Common Criteria (CC) certification, ensures that eUICCs meet stringent security requirements and undergo rigorous evaluation processes. Learn more.
-
New technologies such as eUICC often go a long way to become highly adaptable and compatible with mass market requirements. As the IoT technology landscape remains versatile and even erratic, the vast combinations of the many technological options lead to challenges in compatibility and interoperability that customers need to overcome. The ongoing standardization and specifications of new technology sets can help ecosystems grow seamlessly together. eUICC marks a key technology in this regard, wherein standardization bodies such as the GSMA provide a strong initiative and foundation for the secure deployment and management of eUICCs in IoT devices.