The public consultation period for several draft standards related to the Cyber Resilience Act (CRA) concluded in April 2026 – including prEN 18330, prEN 40000 and prEN 50764. This marks a significant milestone in the European Commission’s roadmap towards full CRA applicability by the end of 2027.
As the focus now shifts to the review of consultation feedback, the European Standardisation Organisations (ESOs) face a critical responsibility: delivering standards that ensure a high level of cybersecurity and assurance while remaining technically coherent, risk-based, and proportionate, and that avoid unintended disruption to established European markets.
As the representative body for the global SIM, eSIM, and secure element (SE) industry, the Trusted Connectivity Alliance (TCA) fully supports the objectives of the CRA and the development of a clear, actionable, and future‑proof cybersecurity framework for Europe. TCA members provide foundational secure element–based technologies that underpin trust, authentication, and security across a wide range of European digital infrastructures. These components are highly standardized, technologically mature, and already subject to well‑established security certification and conformity assessment frameworks.
In this context, TCA’s CRA Working Group reviewed the CRA draft standards and submitted feedback through the appropriate standardisation channels. While TCA welcomes the progress reflected in the draft standards, the organization requests further clarification on several key points to ensure that the CRA is implemented effectively and without a disproportionate impact on trusted hardware components.
Secure element (SE) technologies and CRA assumptions
A central observation from TCA is that certain general assumptions embedded in the CRA and its supporting standards do not fully reflect the technical and operational reality of SEs, including UICCs and eUICCs. Without appropriate clarification, some requirements risk being misapplied to products for which they were not designed, potentially creating compliance obligations that are unworkable or redundant, despite the long‑standing role of these products as trusted security anchors.
To address this, TCA highlights three key areas where refinement is essential.
1. Avoiding duplication of certification and conformity assessment
CRA compliance mechanisms should recognise and enable reuse of established global certification frameworks under which products are already certified and placed on the market worldwide. Introducing additional, EU-specific conformity assessment requirements would create unnecessary duplication, increasing cost, delay, and complexity. This would place European manufacturers – particularly those bringing products to market globally – at a competitive disadvantage in both price and time-to-market in non-EU markets, without delivering additional differentiating cybersecurity benefits. Wherever suitable global schemes exist, they should be supported and leveraged rather than replicated.
Protection Profiles serve as an industry’s advanced risk analysis and assurance methodology tailored to specific product classes. The CRA should explicitly recognise such schemes as valid and sufficient where they demonstrably cover relevant cybersecurity requirements.
For example, the GSMA’s established eUICC Security Assurance (eSA) scheme can serve as a robust, reliable and efficient conformity assessment process to ensure that an eUICC product meets key cybersecurity requirements under the CRA.
The TCA white paper “Exploring GSMA’s eUICC Security Assurance (eSA) Scheme for Cyber Resilience Act Conformity Assessment” further elaborates on this approach.
2. Recognising the UICC and eUICC as components
TCA would like to highlight that UICCs and eUICCs are components to be integrated into final products, not standalone consumer products. They are integrated into a wide variety of end‑products and platforms and are customised according to the requirements of device manufacturers and service providers. They are not marketed directly to end users.
As such, the CRA essential requirements are not always applicable or appropriate to them. They cannot always be satisfied at component level, and in some scenarios it is more efficient to rely on the device to provide final CRA compliance. When considering CRA compliance, the full integration of components within the intended final product should therefore be taken into account. Where essential requirements are not met by individual components in this scenario, there should be no barrier to either the component or the final product achieving CRA compliance, even if this requires a waiver for the component that recognises its compliance within the context of the final product. This is necessary to ensure that vendors can use the CE mark to indicate that their components are suitable for use within CRA-compliant products.
3. Clarifying security update obligations for non-updatable components
In the draft standard, CRA Annex I requires manufacturers to provide security updates to address vulnerabilities over a product’s lifespan. Yet UICCs have only very limited remote software update capability, and so this requirement is unworkable for them.
Clarification is needed on whether, in situations such as this, where an essential requirement cannot be met and there is strong and reasonable justification for this, the product is considered non-compliant or the requirement is deemed not applicable. If it is the former, this will lead to significant market disruption affecting hundreds of millions of classic UICCs in use throughout Europe.
A call for constructive alignment
To avoid ambiguity over the framing of CRA standards and disproportionate compliance impacts, TCA strongly encourages the relevant standardisation organisations to listen to the industry and work collaboratively on finding a solution. The CRA represents a real opportunity for Europe to lead the way in global cybersecurity regulation, and our collective ability to iron out the finer details will be critical to its success.