
At the start of 2021, I read the work by Hollie Hennessy at Which? on broadband routers that could no longer receive security updates. The figure was striking: 2.4 million UK households were affected by routers that could not be properly supported with updates. That was a stark reminder that, as an industry, too many devices were being sold without a simple, reliable way to keep them secure over time.
At Kigen, security-by-design has been central to our mission of delivering secure eSIM technology. In 2022, reflecting on this growing concern, Kigen joined forces with the World Economic Forum’s Council on the Connected World to work towards a consensus on baseline cybersecurity provisions for consumer IoT devices.
Nearly five years on, it is no surprise that we support the wider regulation now bringing this into focus for every device maker selling into Europe: the European Union Cyber Resilience Act (CRA).
KPMG estimates the average cost of a significant cyber attack for an individual UK business at £194,729, and the wider cost to the UK economy at £14.7 billion, or 0.5% of GDP.
According to the CRA, manufacturers deploying connected devices on the European market must provide security updates for identified vulnerabilities throughout each device’s lifetime, starting in 2027. Before that, reporting vulnerabilities and producing verifiable logs and documentation is already required from the beginning of September 2026. So, unsurprisingly, there is a timely need to consider how your business, as a manufacturer, distributor or supplier of any IoT product, can adopt CRA-compliant approaches.

If a hardware or software product connects directly or indirectly to another device or network, and it is sold in the EU, security can no longer be treated as a one-time design feature. Manufacturers need to support products with security updates throughout their lifecycles, manage vulnerabilities, and demonstrate that security is built into the product from design through post-sale support.
This is a major shift for CISOs, product managers, and engineering leaders. The question is not only, “Can we ship this product securely?” The question is now, “How can we keep this product secure, update it when needed, and prove what we have done?”
As mandated by the EU CRA, vulnerability reporting will be required, with documentation in place, from 11 September 2026. Products must receive security updates throughout their expected lifecycle, with a minimum of 5 years of support.
That is important because the cost of non-compliance is real.
It is essential to note that the EU CRA is not arriving in isolation. Its principles are echoed in the US NIST and Executive Order (EO) 14028 regulations too.

Source: Kigen FutureofSIM conversation on CRA for manufacturers
For manufacturers, cyber resilience is now both a compliance issue and a business performance issue. A product that cannot be updated securely can create regulatory exposure, customer risk, support costs, and lasting damage to brand trust.
Many connected products already use OTA or FOTA update methods. The problem is that traditional approaches often create a second challenge: the update system itself becomes expensive and complex to run.
In many cases, manufacturers need to build or manage:

Source: CRA website guidance for manufacturers: secure-by-design supports cyber resilience.
That creates costs not only at launch, but across the full product lifetime. Every new cloud dependency, integration, or custom process adds to operational overhead. It also makes it harder for product and security teams to keep a clear audit trail.
For teams planning for CRA, this means the update path must do more than move software. It must support traceability, accountability, and long-term control.
This is where SGP.32 eSIM for IoT becomes relevant.
SGP.32 is a GSMA standard for remote SIM provisioning and management for IoT devices. It gives manufacturers a standardized way to manage eSIM operations in devices that are often constrained, unattended, or deployed in the field for many years.
That is useful because secure updates depend on secure reachability. If you cannot securely reach a device, you cannot reliably patch it, recover it, or manage it at scale. SGP.32 helps provide a standards-based connectivity and management foundation for IoT products.
However, it is worth noting that SGP.32 alone does not automatically create a CRA-compliant software update capability.
The GSMA specification does not by itself guarantee compliance with the CRA. It does not mean every SGP.32 eSIM supports the secure and auditable update process. The value depends on how the standard is implemented and what additional capabilities are built around it.
That distinction matters because many manufacturers are now evaluating how standards can reduce cost and risk. Even among standards-compliant products, that capability depends on a strong implementation that helps manufacturers get ready for it.
At Kigen, we have taken that foundation further.
Using the standard as a base, Kigen has developed an innovation that helps manufacturers prepare for CRA compliance by making secure update operations more practical, more traceable, and more cost-predictable.
Kigen’s latest eSA-certified eSIM OS provides a turnkey foundation for manufacturers that want to strengthen product security without building a full custom update control plane from scratch. With the ability to seek dynamic security patches from a guardian remote management agent or service, it helps make secure updates and long-term support easier to manage across the product lifecycle.
This is where the difference resides: SGP.32 provides the framework. The GSMA eUICC specifications have been designed to fulfill the highest security standards, and the eSA scheme, with a Common Criteria methodology, defines an efficient and reliable mechanism towards CRA conformance. Kigen builds on that framework to help manufacturers create a CRA-ready update for their eSA-certified eSIMs and SIMs.
Further, a secure update mechanism is only part of the challenge. Manufacturers also need to provide evidence of each update, and insight into the active update status can become a driver of durable advantage.
Under CRA-driven product security expectations, teams need to show:
That is why Kigen Pulse is such an important part of the story.
Kigen Pulse provides the ability to make security update operations traceable and auditable through logs. This helps security, engineering, and compliance teams maintain a clearer record of update activity across the fleet.
Kigen Pulse also supports OpenAPI 3.0, which allows manufacturers to integrate eSIM-enabled security patch operations into wider SBOM, compliance, and security management toolchains. That reduces manual work and avoids creating another isolated operational system.
This lowers operational overhead because auditability and traceability are built into the workflow, instead of being added later through extra tooling, custom reporting, or separate cloud services.
For device makers, the goal is not only to meet a regulation. The goal is to build connected products that stay secure in a way that is commercially sustainable and successful, retaining the maximum market access.
That means choosing an architecture that:
This is why Kigen’s approach stands out. It does not claim that every SGP.32 eSIM for IoT automatically delivers CRA compliance. Instead, it shows how innovation built on the standard can help manufacturers move toward a more secure, auditable, and cost-efficient update model.
For CISOs, product managers, and engineering leaders, next-generation smart cards with eSIMs certified to these latest standards are critical in CRA compliance assessment. Analysts already estimate that 70% of all wireless devices will soon be eSIM-only or eSIM-first as businesses invest further in Edge AI and physical AI. Understanding implementation with this now well-established security anchor helps reduce lifetime complexity while supporting better security outcomes.
Cybersecurity is becoming a board-level priority as connected products move deeper into critical operations, infrastructure, and enterprise transformation. In Europe, the Cyber Resilience Act is increasing the focus on secure-by-design products, vulnerability handling, coordinated reporting, and the ability to maintain security over the lifecycle of products with digital elements. In parallel, in the US, NIST-2 is raising expectations around cyber risk management, operational resilience, governance, and incident reporting across critical sectors and their supply chains. Recognizing this, Salica Investments has backed Kigen with £10 million in funding to support Kigen’s next phase of growth across the UK, EU, and US.
“Kigen is the kind of category-defining business we look to back,” said Usman Ali, Partner, Venture Debt Fund at Salica Investments. “The team has built a highly differentiated platform at the intersection of connectivity and cybersecurity, with strong relevance for manufacturers and enterprises navigating a more demanding regulatory and operational environment. We are delighted to support Kigen as it scales across critical sectors and international markets.”

Read this announcement in full on Salica’s website here.
As consumers, it is easy to see the benefits of the CRA’s mandates in avoiding the kind of hidden surprises on unsupported devices that surround our lives, much like the Which? investigation revealed. And so, this is Kigen’s first step towards offering a cost-effective and efficient solution for manufacturers in the class of devices that has remained by far the toughest to reach, and the hardest to patch and verify. We continue our journey to strengthen this and apply it across the broadest set of sectors through our growing partnerships.
To learn more, contact Kigen today. We will also be discussing how CRA compliance can work for you at Hardware Pioneers Max 2026 in London.
Content Authenticity Statement
The research, structural outlining, and content for this article were generated by the author. AI tools were used for proofreading and adjustments to ensure the text can be translated into multiple languages. The final content was reviewed and edited by our team to ensure accuracy.