The GSMA IoT Security Guidelines, published and maintained by the GSMA Connected Living programme, set out security requirements for connected IoT devices. They cover device hardening, data protection, access control, secure update mechanisms, and incident response. For eRedCap device designers, these guidelines are directly relevant and increasingly mandatory.
EU Cyber Resilience Act Alignment
The EU Cyber Resilience Act (CRA) introduces binding security requirements for IoT products placed on the European market, with obligations applying from 2027. The CRA’s requirements – including a minimum five-year security update obligation, incident reporting, and vulnerability management – align substantially with the GSMA IoT Security Guidelines. Device designs meeting GSMA guidelines are well-positioned for CRA compliance.
SGP.32 and the Security Layer
SGP.32 (the GSMA IoT eSIM specification) addresses the SIM management security layer: cryptographic authentication for all profile operations, verifiable audit trails, and tamper-evident profile management. For eRedCap devices incorporating SGP.32-compliant eUICC hardware, the SIM security layer is addressed at the specification level. See the SGP.32 page for detail.
Secure Over-the-Air Updates
One of the CRA’s core requirements is the ability to deliver security updates remotely throughout a device’s supported life. For eRedCap devices, this requires both an application-layer OTA update mechanism (device firmware) and an SGP.32-capable eUICC for SIM profile updates. Designing both layers from the start is substantially more cost-effective than retrofitting them.
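The device-side checks behind an application-layer OTA update, shown as an added example rather than code from any GSMA specification or eRedCap product: the device authenticates an update manifest before trusting any field in it, refuses rollback to an older or identical version, confirms the image matches the digest bound into the signed manifest, and checks the image targets its own model. It uses HMAC-SHA256 from the Python standard library as a stand-in for the asymmetric signature (ECDSA or Ed25519 over a vendor key) a production device would verify; the key, model name, versions and image bytes are all constructed sample values.

```python
"""Device-side acceptance checks for an OTA firmware update (added example).

HMAC-SHA256 stands in for an asymmetric signature so the example runs with
only the standard library. A real device holds a public key, so a compromised
device cannot forge updates; with HMAC the shared secret would allow that,
which is why this is a stand-in and not the recommended scheme.
"""
import hashlib
import hmac
import json

# Constructed: verification key provisioned at manufacture (public key in a
# real deployment; shared secret here only so HMAC can be used).
DEVICE_VERIFY_KEY = b"constructed-sample-key-do-not-use"

# Constructed: identity and running version of this device.
DEVICE_MODEL = "constructed-model-A"
INSTALLED_VERSION = (1, 4, 2)


def sign_manifest(manifest: dict, key: bytes) -> bytes:
    """Vendor side: authenticate the canonical JSON form of the manifest.

    Canonical serialisation (sorted keys, no whitespace) makes the signed
    bytes independent of how the manifest was formatted in transit."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def build_update(version, image: bytes, key=DEVICE_VERIFY_KEY, model=DEVICE_MODEL):
    """Vendor side: produce the manifest and signature for a firmware image.

    The manifest binds the image by its SHA-256 digest, so signing the
    manifest is what protects the image itself."""
    manifest = {
        "model": model,
        "version": list(version),
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest: dict, signature: bytes, image: bytes,
                  installed=INSTALLED_VERSION, key=DEVICE_VERIFY_KEY):
    """Device side: return (accepted, reason).

    Order matters: the manifest is authenticated first, so every later field
    (version, digest, model) is trusted before it influences a decision."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"

    # Anti-rollback: an older (or identical) version is never re-applied, so a
    # replayed, previously valid update cannot reintroduce a fixed vulnerability.
    version = tuple(manifest.get("version", ()))
    if len(version) != 3 or version <= tuple(installed):
        return False, "rollback or replay of current version rejected"

    # Image integrity: the digest in the authenticated manifest must match the
    # bytes actually received, whatever transport delivered them.
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image digest does not match manifest"

    # Targeting: a valid image for a different model must still be refused.
    if manifest.get("model") != DEVICE_MODEL:
        return False, "image is for a different device model"

    return True, "update accepted"


if __name__ == "__main__":
    image = b"constructed firmware image bytes"
    manifest, sig = build_update((1, 5, 0), image)
    print(verify_update(manifest, sig, image))            # (True, 'update accepted')
    print(verify_update(manifest, sig, image + b"\x00"))  # digest mismatch
```

The same structure applies when the signature check is replaced with a real asymmetric verification: only `sign_manifest` and the key material change, while the rollback, digest and targeting checks stay as written. The eUICC profile layer described under SGP.32 is a separate mechanism and is not modelled here.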
