GSMA Device Attestation Pilot Program

Join the cross-industry initiative to standardize secure device attestation and homologation data sharing.

Navigating the fragmented landscape of global device attestation is becoming increasingly complex, costly, and cumbersome. To solve this, the GSMA is launching a Device Attestation Pilot to validate a trusted, standardized, and secure data-sharing framework. This pilot will demonstrate how OEMs can securely prove to regulators that a device identifier (such as an IMEI) is authentic and correctly associated with a specific manufactured unit.

By joining this pilot, you will help lead the industry in mitigating fragmented regulatory requirements and establishing a consistent global baseline that protects consumers while eliminating the need to expose commercially sensitive datasets.

Please fill out the form to register your interest in participating in the pilot.

Apkudo Device Passport™ Platform Overview

Report of device history and diagnostics summary

GSMA has partnered with Apkudo to provide the underlying data-sharing environment for this pilot. The pilot will be executed via the Apkudo Device Passport Platform, a production-ready infrastructure that supports complex device programs using secure, controlled data spaces. The platform enables Policy-Based Access Control (PBAC), allowing OEMs to retain full ownership of their data while granting purpose-bound, permissioned access to regulators. It will be used to confirm the configurations needed to support attestation across the world, answering regulator queries with controlled responses without replicating or broadly exposing underlying OEM datasets.

The Device Passport defines how device events are submitted, validated, and stored across a multi-party ecosystem, connecting carriers, OEMs, logistics operators, repair vendors, and diagnostics providers through a consistent, schema-validated, and auditable integration framework. Every data point entering the Device Passport is traceable to an actor, a time, a facility, and a program context. This is not simply an API specification; it is a governed data contract framework aligned with International Data Spaces Association (IDSA) principles for trusted, sovereign data exchange between independent parties.

2026 Pilot Timeline

Step 01

May – June

Participant registration and onboarding

Step 02

June – July

Testing and feedback (July)

Step 03

August

Final feedback and recommendations

Get to know all the details about your participation

Click on the questions below to expand the answers. We have provided additional details in the attached FAQ, which covers technical specifications for participation.

What is the purpose of this pilot?

The pilot seeks to validate a production-ready approach for enabling regulators to access OEM-provided device data securely. The focus is on device-level attestation using the IMEI and related identifiers to support regulatory homologation and compliance activities.

What are the expectations of pilot participants?

A successful pilot demands a constant feedback loop. Your feedback will directly influence the broader program rollout across OEMs and regulators worldwide. We ask participants to join a 30-minute weekly feedback session to share positive and negative experiences with sharing and accessing data.

What data is required from OEMs?

The core requirement from OEMs for this pilot is simply to confirm whether a specific IMEI was manufactured. The pilot will not ask OEMs to provide TAC, make, or model information, as GSMA already possesses this data within their existing TAC database. We are also not requesting intended market or country applicability, as devices frequently move across borders.

Will regulators see full OEM datasets?

No. The system is designed for controlled disclosure. Regulators will query using an identifier and receive only the necessary outputs (e.g., approval status, market applicability). Underlying OEM datasets are never exposed.

How is data access controlled?

Access is governed through Policy-Based Access Control (PBAC). OEMs define exactly who can access data, what data is accessible, and under what conditions. OEMs retain the ability to revoke access at any time, and all access queries are immutably logged.

Need more information?

The Power of a Data Spaces Framework

Enabling secure, cross-participant device data exchange without compromising your data ownership.

Contact Us

Paresh Modi
Senior Director, Partnerships
GSMA
‍
+44 (0)7771 730630
‍paresh.modi@gsma.com

By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Preferences