Kigen details CRA compliance path for IoT eSIM deployments

Kigen said in a blog post that its eSA-certified eSIM OS and Kigen Pulse platform can help IoT manufacturers prepare for the European Union Cyber Resilience Act. Kigen said the regulation will require vulnerability reporting and documentation from 11 September 2026, and security updates for identified vulnerabilities throughout each product's expected lifecycle starting in 2027, with a minimum of 5 years of support.

Kigen said GSMA SGP.32, a standard for remote SIM provisioning and management for IoT devices, provides a connectivity and management foundation but does not by itself make a product CRA-compliant. The company said its latest eSA-certified eSIM OS can seek dynamic security patches from a guardian remote management agent or service, while Kigen Pulse provides traceable and auditable logs for update operations and supports Open API 3.0 integration with SBOM, compliance, and security management toolchains. Kigen also cited KPMG figures that put the average cost of a significant cyber attack for a UK business at £194,729 and the wider cost to the UK economy at £14.7 billion, or 0.5% of GDP.

The post places Kigen's position within wider IoT security and eSIM regulation trends in Europe and the US. Kigen said the EU Cyber Resilience Act aligns with broader requirements around secure-by-design products, while also referencing US NIST and Executive Order 14028. The company also said GSMA eUICC, the embedded universal integrated circuit card used to store eSIM profiles, and the eSA scheme based on Common Criteria provide a security framework for IoT eSIM implementations. Separately, Kigen said Salica Investments has backed the company with £10 million to support growth across the UK, EU, and US.