
Why IoT security compliance can’t wait and how eSIMs can help

Written Feature for Kigen in MWL by Sean Jackson

Billions of connected devices have made the world a smarter place. But alongside the connectivity boom, a security debt has been quietly accumulating. Many of those devices were shipped without a reliable, long-term mechanism to keep them secure. Now, regulation is calling in that debt.

The EU Cyber Resilience Act (CRA) mandates that products with digital elements sold into the EU must be secure by design, must receive security updates for their expected lifetime (which for most products means at least five years), and must come with documented vulnerability management processes. Full compliance is required by December 2027, while reporting obligations begin on 11 September 2026. That is not a distant horizon. It is months away. And the latest industry data suggests most organisations are nowhere near ready.

How ready is your organisation for CRA compliance?

Just 22% of organisations describe themselves as highly prepared for this piece of legislation, according to the GSMA’s eSIM Survey Report 2026, meaning they can support over-the-air (OTA) security updates and have established processes to maintain them. A further 26% are partially prepared: they have the technical capability to push OTA updates, but their manufacturing processes do not yet meet full compliance standards.

The remaining 52% fall into more concerning territory. Twenty-seven per cent are actively challenged, with field devices that lack the memory and processing power needed to support five years of security patches. And 25% confess they have no capability at all to deliver field-based security updates.

To put this plainly: over half of IoT stakeholders surveyed cannot currently demonstrate the update capability that regulators will soon require them to prove.

The CRA imposes fines of up to €15 million or 2.5% of total annual worldwide turnover (whichever is higher) for serious non-compliance. Market access to the EU, and by extension markets applying equivalent standards such as the UK and potentially others, may be restricted for non-compliant products.

Vincent Korstanje, CEO of eSIM security firm, Kigen, observed that “Cybersecurity is becoming less about whether an organization can detect weaknesses and more about whether it can maintain trusted control of its connected estate over time. If the next generation of enterprise value sits in distributed devices, local intelligence, and real-time operational data, executives cannot afford to neglect the infrastructure required to authenticate, manage, and securely update those assets throughout their lifecycle.”

For engineering and product teams, the question is not whether to act; it is whether they can act in time before the mandate applies to their products.

The compliance conversation is changing

It would be easy to frame the CRA as a burden. But the survey suggests the industry is increasingly approaching cybersecurity compliance as something more constructive.

When asked how cybersecurity compliance drives business growth, only 10% of respondents characterised it as an obstacle that slows product development and increases time-to-market. The majority saw it differently: 29% described compliance as a primary driver, using certifications such as the US Cyber Trust Mark as active differentiators to attract customers and build brand trust. A further 33% view it as a secondary benefit that improves product quality, even if it does not sit at the front of their marketing message.

Cybersecurity is moving from an afterthought to a design requirement and a competitive advantage. In a market where connected devices increasingly interact with critical infrastructure, from energy grids and transport networks to medical systems, trust has real commercial value.

The IoT security challenge is structural

Understanding why so many organisations are unprepared requires understanding the nature of IoT devices themselves. Unlike smartphones or laptops, IoT devices are extraordinarily diverse. A smart meter buried in a field, a sensor on a shipping container, an automotive telemetry module, a medical monitoring device: these are not consumer electronics that users replace every two years. They are deployed for years, sometimes decades, often in remote or inaccessible locations, frequently on constrained, battery-dependent hardware with limited memory and intermittent connectivity.

Traditional security approaches (firewalls, password policies, perimeter defences) were designed for a world of static IT infrastructure. IoT demands lightweight, scalable, remotely manageable security that can reach the device wherever it is deployed, and prove that it did so.

The survey reflects this structural tension. When asked about their biggest security concerns, respondents split almost evenly across three categories. A third cited the expanded attack surface created by remote provisioning and profile lifecycle activities such as downloads, activations and switching. The same number highlighted governance and access control challenges, specifically around roles, auditing and the separation of duties across partner ecosystems. And 30% pointed to supply chain compromise risks during eUICC handling, key injection and factory processes.

None of these problems can be solved without the ability to maintain the security of the device remotely. They are architectural concerns that need to be designed in from the beginning.

eSIM as a cybersecurity asset

This is where the eSIM conversation changes character. Most discussions about eSIM focus on connectivity management: the ability to switch network profiles over the air, support multiple markets with a single device SKU, eliminate physical SIM logistics. These benefits are real. But there is a dimension of eSIM that is significantly underappreciated in product security discussions.

An eSIM is not simply a connectivity component. It is a hardware-backed identity and trust anchor. The secure element at its core provides cryptographic functions that let a device authenticate itself to networks and services using private keys that are generated or provisioned inside the element and are designed never to leave it, so they cannot be copied off the device or impersonated by software running on the host.

This is not a software abstraction; it is a physical security capability embedded in the device from manufacture. In an IoT world that is moving away from passwords and perimeter models toward certificate-based, zero-trust architectures, that hardware root of trust is foundational infrastructure.

For CRA compliance specifically, the eSIM's hardware identity and secure channel mean that security updates can be delivered to the device end-to-end with encryption and verification, and that the device can return a proof of receipt bound to its hardware-held key. One caveat a practitioner should keep in mind: the secure channel authenticates and protects the delivery, but the authenticity of the update itself still rests on the device verifying the vendor's signature over the image before installing it. Taken together, these capabilities address the two compliance obligations that matter most: the ability to push a security patch to a device, and the ability to prove that you did.

The GSMA’s IoT SAFE standard, which uses the eSIM’s hardware root of trust to give IoT devices standardised, key-based authentication to cloud services, is gaining attention in this context. Currently, only 16% of those surveyed have committed to implementing it, with 49% still evaluating. That evaluation pipeline is significant: it suggests the industry recognises the direction of travel, even if implementation is still maturing.

SGP.32 eSIM standard is built for the hardest problem

Legacy eSIM standards were a poor fit for modern IoT. They were often locked to specific operators and vendors, struggled to operate on constrained devices with limited memory, and employed complex interconnect processes that added cost and friction.

SGP.32 was designed specifically to address these shortcomings. It supports more scalable interfaces, enables both direct and indirect profile downloads, and allows enterprises to manage connectivity profiles remotely without requiring user acceptance or a request from the device, which is ideal for widely dispersed, unattended or hard-to-reach devices. Critically, it supports devices that are resource-constrained, intermittently connected, and deployed at scale across multiple geographies, which are precisely the categories where security update delivery has historically been hardest.

In practical terms, SGP.32 supports a “build once, ship anywhere” model, while providing the remote management infrastructure that security patching requires. For manufacturers grappling with the CRA’s five-year update mandate, this is directly relevant. SGP.32 itself standardises remote profile management rather than firmware updates, but an SGP.32-based eSIM implemented on a certified platform supplies the hardware identity, secure channel and remote-management plumbing on which the secure, auditable update delivery mechanism that compliance demands can be built.

Providers building on this foundation have taken the standard further. Kigen’s eSA-certified eSIMs, addressing both SGP.32 IoT and SGP.22 Consumer needs, add the capability to seek dynamic security patches from a remote management agent and to log those operations in a way that supports audit and compliance reporting through tools such as Kigen Pulse, which provides traceable records of what update was delivered, when, and how it was authorised. This kind of documentation is exactly what the CRA’s reporting obligations will require from September 2026.

The survey confirms the market is moving in this direction. SGP.32 is already the leading standard choice among those with a clear roadmap position, cited by 27%, ahead of both the legacy SGP.02 (14%) and the consumer SGP.22 standard (22%).

The next 24 to 36 months

The survey also asked respondents to identify which next-generation security capabilities they expect to require for eSIMs over the next two to three years. The answers paint a picture of an industry beginning to think seriously about long-term resilience.

The most-cited priority, selected by 29%, is strong hardware-backed identity for provisioning and operations, including phishing-resistant, passkey-style authentication for the administrators who manage sensitive provisioning systems. This aligns directly with the move away from password-based security models that has characterised enterprise IT for years and is now arriving in IoT.

Tied at 22% each are two capabilities with very different drivers. AI-driven automated security patching, with the ability to prioritise, stage, roll out and verify updates at scale without manual orchestration, reflects the operational reality of managing millions of heterogeneous devices across global deployments. Post-quantum cryptography (PQC) readiness, by contrast, is increasingly being mandated for specific high-stakes applications, particularly in automotive, where connected vehicles interacting with critical transport infrastructure represent an acute long-term risk vector.

The window is narrow, but still open

The CRA is not punitive by design. It reflects a genuine policy intent to raise the baseline of connected product security for consumers and critical infrastructure alike. The September 2026 reporting deadline gives organisations a defined starting point. The December 2027 full compliance date gives a runway.

“The EU Cyber Resilience Act is aimed at bringing lifecycle security, vulnerability handling, and ongoing updates much closer to the center of commercial responsibility for products with digital elements,” commented Korstanje. “The encouraging reality is that CRA-ready, auditable, and verifiable approaches to secure remote connectivity and updates are already within reach, including those enabled by companies such as Kigen.”

But engineering cycles are long. Redesigning a device’s security architecture, integrating new eSIM infrastructure, establishing audit logging pipelines, and testing CRA-compliant update processes across a product fleet takes months.

Organisations that begin in earnest today have a realistic path to readiness. Those who wait for a high-profile enforcement action to make the stakes concrete will find themselves in a much harder position.