Alliance urges EU to rethink cyber rules for SIM tech

Thu, 14th May 2026 (Today)
Sean Mitchell

Trusted Connectivity Alliance has urged European standards bodies to revise draft Cyber Resilience Act standards affecting secure element technologies, warning that the current texts could impose unsuitable compliance requirements on SIM-related components.

The industry body, which represents companies involved in SIM, eSIM and secure element technologies, has submitted feedback on several draft standards under the European Union's Cyber Resilience Act, including prEN 18330, prEN 40000 and prEN 50764. Its intervention focuses on how the rules could apply to secure elements such as UICCs and eUICCs, which have distinct technical and operational characteristics.

The Cyber Resilience Act is intended to create a common cybersecurity framework for digital products sold in Europe. For secure element manufacturers, the detail of the supporting standards matters because these components sit inside a wide range of devices and are already covered by existing security assurance processes.

Three concerns

Trusted Connectivity Alliance identified three areas where it wants further clarification from the European Standardisation Organisations reviewing consultation responses.

The first is the risk of duplicating certification and conformity assessment. Products in this market are already certified under global schemes, and the alliance argued that new EU-specific requirements could add cost, delay and complexity without improving cybersecurity outcomes.

This is particularly sensitive for European manufacturers selling globally. If companies must complete overlapping approval processes for the same technologies, they could be put at a disadvantage on price and time to market outside the EU, with little practical gain from the extra compliance burden.

The alliance pointed to existing protection profiles and industry assurance frameworks as models that should be recognised within the CRA structure, saying they already provide product-specific risk analysis and assurance methods for technologies such as eUICCs.

Among the examples cited was the GSMA's eUICC Security Assurance scheme, which it said could serve as a conformity assessment route for eUICC products under the CRA if explicitly recognised in the standards.

Component status

The second issue is the legal and technical treatment of UICCs and eUICCs as components rather than finished consumer products. The alliance said these items are integrated into final products and tailored for device makers and service providers, rather than sold directly to end users.

That distinction affects how the CRA's essential requirements should apply. Some obligations, it argued, may be inappropriate or impossible to assess at the component level because compliance can depend on the final device into which the component is integrated.

The standards should therefore provide a route for both component makers and final product manufacturers to demonstrate compliance in context. Without that, components could be blocked from use in CRA-compliant end products even when the overall device meets the regulation's aims.

The group also raised the question of CE marking for components used within compliant products. Where a requirement does not apply directly to a component, it argued, that should not prevent the component from being accepted for inclusion in a compliant end product.

Update rules

The third concern relates to security update obligations. Draft CRA standards require manufacturers to provide security updates to address vulnerabilities during a product's lifespan, but the alliance said that approach does not fit all secure elements.

Classic UICCs in particular have very limited remote software update functionality, making the requirement difficult or impossible to meet in practice. The alliance said the standards need to clarify whether such cases should be treated as non-compliance or as situations in which the requirement is simply not applicable.

That point has broad market implications because of the number of classic UICCs already in use across Europe. A strict reading of update obligations, the group argued, could disrupt a large installed base of products that continue to serve as trusted security anchors in communications systems.

Trusted Connectivity Alliance said it supports the overall aims of the Cyber Resilience Act and backs the creation of a clear cybersecurity framework for Europe. Its concern is that broad assumptions in the legislation and draft standards may not reflect the design and deployment of mature secure element technologies.

These technologies already underpin trust, authentication and security in many digital systems and are subject to established certification and conformity assessment structures. In the alliance's view, the challenge for standards writers is to align the CRA with that existing landscape rather than layer on requirements that do not fit the products concerned.

“The CRA represents a real opportunity for Europe to lead the way in terms of global cybersecurity regulation and our collective ability to iron out the finer details will be critical to its success,” said the Trusted Connectivity Alliance.