ETSI SAS
Compliance
The European Telecommunications Standards Institute Security Assurance Specification defines security requirements for UICC (SIM card) production and management. ETSI SAS evaluations cover physical security, logical security, and personnel security of manufacturing facilities.
ETSI SAS -- European SIM Production Security Standard
The ETSI Security Assurance Specification (ETSI SAS), published by the European Telecommunications Standards Institute, defines security requirements for the production and management of UICC (SIM card) products. While closely related to GSMA SAS, ETSI SAS provides a formal technical specification (ETSI TS 102 527) that many European operators reference in their procurement contracts alongside or instead of the GSMA scheme.
Security Domains
ETSI SAS evaluations examine three interconnected security domains. Physical security covers the manufacturing facility's perimeter defenses, access control systems, secure storage areas for chip modules and finished cards, and environmental protections (fire suppression, power backup) that prevent data loss. Logical security addresses the IT infrastructure supporting electrical personalization: HSM configuration and management, encryption of personalization data files, secure communication channels between data preparation systems and personalization machines, and database access controls. Personnel security covers employee vetting, role-based access assignment, security awareness training, and incident response procedures.
Relationship to GSMA SAS
ETSI SAS and GSMA SAS share significant overlap in their security requirements, and many personalization bureaus maintain both accreditations simultaneously. The primary difference is governance: ETSI SAS is maintained by a standards body (ETSI) while GSMA SAS is maintained by the mobile operators association (GSMA). In practice, operators may specify either or both as procurement requirements. Facilities already holding GSMA SAS-UP accreditation can typically achieve ETSI SAS compliance with minimal additional effort, as the audit criteria cover substantially the same security controls.
Evaluation and Certification
ETSI SAS evaluations are conducted by independent audit firms with expertise in manufacturing security and smart card production. The evaluation assesses compliance against each requirement clause in ETSI TS 102 527, producing a conformity assessment report. Unlike Common Criteria evaluations, which can take 12-18 months, ETSI SAS audits typically complete in 4-8 weeks for an established facility. The certification must be renewed through periodic surveillance audits, ensuring continuous compliance as production processes, personnel, and IT infrastructure evolve.
Frequently Asked Questions
The smart card glossary is a comprehensive reference of technical terms, acronyms, and concepts used in smart card technology. It covers protocols (APDU, T=0, T=1), security (Common Criteria, EAL, HSM), hardware (SE, EEPROM, contact pad), and applications (EMV, ePassport, eSIM). It serves developers, product managers, and engineers.
Yes. SmartCardFYI provides glossary definitions in 15 languages including English, Korean, Japanese, Chinese, Spanish, Portuguese, Hindi, Arabic, French, Russian, German, Turkish, Vietnamese, Indonesian, and Thai.