The European Union’s Cyber Resilience Act (CRA) aims to safeguard consumers and businesses by introducing a stringent range of security requirements for all products with digital elements. Products must also undergo a conformity assessment before being placed on the market in order to demonstrate compliance with these requirements.
As a global industry association whose members include leading providers of secure connectivity solutions for consumer, IoT and M2M devices – spanning Tamper Resistant Element (TRE) technologies including SIM, eSIM, integrated SIM, embedded Secure Element (eSE) and integrated Secure Element (iSE), as well as hardware and software provisioning and other personalisation services – Trusted Connectivity Alliance (TCA) applauds efforts to enhance cybersecurity across the connected world.
TCA also advocates that the requirements under the CRA should not be determined solely by the physical form factor of the UICC (e.g., plastic SIM cards, soldered chips, embedded or integrated solutions). Instead, conformity assessments should be based on the core functionalities that the product delivers, particularly those that are critical to its intended use and associated risk profile.
Among these core functionalities, network authentication and user authentication are essential. Any product that performs these functions – regardless of whether it is a traditional SIM card, an eUICC, or another form – should be subject to the same level of security assessments under the CRA.
TCA welcomes the opportunity to demonstrate how the security capabilities defined in the GSMA Security Assurance (eSA) scheme – along with its supporting infrastructure – are well aligned with the cybersecurity requirements set out in international regulations such as the CRA. TCA is committed to supporting effective and efficient mechanisms for demonstrating such conformance.
Applying Security Assurance Principles under the Cyber Resilience Act
TCA believes that the GSMA’s established and proven eSA scheme represents a strong foundation and a promising reference for developing conformity assessment approaches tailored to UICC products. Building on the principles, methodologies, and assurance levels defined in eSA could enable a consistent and efficient path toward meeting CRA requirements across the UICC ecosystem.
To support this position, TCA has published a paper – Applying Security Assurance Principles under the Cyber Resilience Act – providing industry participants with:
- A high-level overview of the GSMA eSA scheme and its benefits.
- A detailed technical analysis of how the GSMA eSA scheme addresses essential security requirements defined within the CRA.
- A recommended option for how the GSMA eSA scheme could be integrated within the CRA conformity assessment framework for eUICC products.
TCA looks forward to supporting the EU in defining practical and robust solutions for the full range of eUICC and UICC products. In line with this commitment, TCA will continue to publish recommendations covering any type of SIM product.