diff --git a/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h b/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
index 89fed596ef..d530402c36 100644
--- a/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
+++ b/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
@@ -272,12 +272,20 @@ public:
 
 public:
     GenericSecurityManager(
-        PalSecurityManager &palImpl,
-        pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl,
-        SigningEventMonitor &signingMonitorImpl
+        PalSecurityManager &palImpl
+#if BLE_FEATURE_CONNECTABLE
+        , pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl
+#endif
+#if BLE_FEATURE_SIGNING
+        , SigningEventMonitor &signingMonitorImpl
+#endif
     ) : _pal(palImpl),
+#if BLE_FEATURE_CONNECTABLE
         _connection_monitor(connMonitorImpl),
+#endif
+#if BLE_FEATURE_SIGNING
         _signing_monitor(signingMonitorImpl),
+#endif
         _db(NULL),
         _default_authentication(0),
         _default_key_distribution(pal::KeyDistribution::KEY_DISTRIBUTION_ALL),
@@ -527,8 +535,12 @@ private:
     };
 
     PalSecurityManager &_pal;
+#if BLE_FEATURE_CONNECTABLE
     pal::ConnectionEventMonitor<GenericSecurityManager> &_connection_monitor;
+#endif
+#if BLE_FEATURE_SIGNING
     SigningEventMonitor &_signing_monitor;
+#endif
 
     SecurityDb *_db;
 
diff --git a/features/FEATURE_BLE/ble/pal/PalSecurityManager.h b/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
index ca768efd91..1ea497efdc 100644
--- a/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
+++ b/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
@@ -520,18 +520,18 @@ public:
         impl()->on_keys_distributed_local_ediv_rand_(connection, ediv, rand);
     }
 
+#if BLE_FEATURE_PRIVACY
     /**
      * Store the results of key distribution after IRK has been received.
      *
      * @param[in] connection connection handle
      * @param[in] irk identity resolution key
      */
-    void on_keys_distributed_irk(
+    virtual void on_keys_distributed_irk(
         connection_handle_t connection,
         const irk_t &irk
-    ) {
-        impl()->on_keys_distributed_irk_(connection, irk);
-    }
+    ) = 0;
+#endif // BLE_FEATURE_PRIVACY
 
     /**
      * Store the identity address of the peer after it has been distributed.
@@ -540,26 +540,24 @@ public:
      * @param[in] peer_identity_address_type public or private address indication
      * @param[in] peer_identity_address peer address
      */
-    void on_keys_distributed_bdaddr(
+    virtual void on_keys_distributed_bdaddr(
         connection_handle_t connection,
         advertising_peer_address_type_t peer_identity_address_type,
         const address_t &peer_identity_address
-    ) {
-        impl()->on_keys_distributed_bdaddr_(connection, peer_identity_address_type, peer_identity_address);
-    }
+    ) = 0;
 
+#if BLE_FEATURE_SIGNING
     /**
      * Store the peer's CSRK after it has been distributed.
      *
      * @param[in] connection connection handle
      * @param[in] csrk signing key
      */
-    void on_keys_distributed_csrk(
+    virtual void on_keys_distributed_csrk(
         connection_handle_t connection,
         const csrk_t &csrk
-    ) {
-        impl()->on_keys_distributed_csrk_(connection, csrk);
-    }
+    ) = 0;
+#endif // BLE_FEATURE_SIGNING
 
     /**
      * Request the LTK since the peer is asking us to encrypt the link. We need to
@@ -642,7 +640,7 @@ public:
     ////////////////////////////////////////////////////////////////////////////
     // Resolving list management
     //
-
+#if BLE_FEATURE_PRIVACY
     /**
      * Return the number of address translation entries that can be stored by the
      * subsystem.
@@ -704,6 +702,7 @@ public:
     ble_error_t clear_resolving_list() {
         return impl()->clear_resolving_list_();
     }
+#endif // BLE_FEATURE_PRIVACY
 
     ////////////////////////////////////////////////////////////////////////////
     // Pairing
@@ -1004,6 +1003,7 @@ public:
         return impl()->set_ltk_not_found_(connection);
     }
 
+#if BLE_FEATURE_PRIVACY
     /**
      * Set the local IRK.
      *
@@ -1015,7 +1015,9 @@ public:
     ) {
         return impl()->set_irk_(irk);
     }
+#endif // BLE_FEATURE_PRIVACY
 
+#if BLE_FEATURE_SIGNING
     /**
      * Set the local CSRK.
      *
@@ -1056,6 +1058,7 @@ public:
     ble_error_t remove_peer_csrk(connection_handle_t connection) {
         return impl()->remove_peer_csrk_(connection);
     }
+#endif // BLE_FEATURE_SIGNING
 
     ////////////////////////////////////////////////////////////////////////////
     // Authentication
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.tpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.tpp
index 495aea9a0e..c59f2b6ee9 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.tpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.tpp
@@ -47,6 +47,11 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
     bool signing,
     const char* db_path
 ) {
+#if !(BLE_FEATURE_SIGNING)
+    if (signing) {
+        return BLE_ERROR_INVALID_PARAM;
+    }
+#endif // !(BLE_FEATURE_SIGNING)
     ble_error_t result = _pal.initialize();
 
     if (result != BLE_ERROR_NONE) {
@@ -79,14 +84,20 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
 
     // FIXME: depends on BR/EDR support
     _default_key_distribution.set_link(false);
-
+#if BLE_FEATURE_SIGNING
     _default_key_distribution.set_signing(signing);
     if (signing) {
         init_signing();
     }
-
+#else
+    _default_key_distribution.set_signing(false);
+#endif // BLE_FEATURE_SIGNING
+#if BLE_FEATURE_CONNECTABLE
     _connection_monitor.set_connection_event_handler(this);
+#endif
+#if BLE_FEATURE_SIGNING
     _signing_monitor.set_signing_event_handler(this);
+#endif
     _pal.set_event_handler(this);
 
     result = init_resolving_list();
@@ -388,6 +399,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setKeyp
     return BLE_ERROR_NONE;
 }
 
+#if BLE_FEATURE_SIGNING
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableSigning_(
     connection_handle_t connection,
@@ -429,6 +441,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableS
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_FEATURE_SIGNING
 
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setHintFutureRoleReversal_(bool enable) {
@@ -579,7 +592,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setEncr
 ////////////////////////////////////////////////////////////////////////////
 // Keys
 //
-
+#if BLE_FEATURE_SIGNING
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSigningKey_(connection_handle_t connection, bool authenticated) {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -614,16 +627,19 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSign
         }
     }
 }
+#endif // BLE_FEATURE_SIGNING
 
 ////////////////////////////////////////////////////////////////////////////
 // Privacy
 //
 
+#if BLE_FEATURE_PRIVACY
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setPrivateAddressTimeout_(uint16_t timeout_in_seconds) {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
     return _pal.set_private_address_timeout(timeout_in_seconds);
 }
+#endif // BLE_FEATURE_PRIVACY
 
 ////////////////////////////////////////////////////////////////////////////
 // Authentication
@@ -839,6 +855,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_da
     return BLE_ERROR_NONE;
 }
 
+#if BLE_FEATURE_PRIVACY
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_resolving_list() {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -864,7 +881,9 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_re
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_FEATURE_PRIVACY
 
+#if BLE_FEATURE_SIGNING
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_signing() {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -886,6 +905,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_si
 
     return _pal.set_csrk(*pcsrk, local_sign_counter);
 }
+#endif // BLE_FEATURE_SIGNING
 
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::get_random_data(uint8_t *buffer, size_t size) {
@@ -1000,6 +1020,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_ltk_cb(
     }
 }
 
+#if BLE_FEATURE_SIGNING
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_peer_csrk_cb(
     SecurityDb::entry_handle_t db_entry,
@@ -1045,6 +1066,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::return_csrk_cb
         flags->csrk_mitm_protected
     );
 }
+#endif BLE_FEATURE_SIGNING
 
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::update_oob_presence(connection_handle_t connection) {
@@ -1139,8 +1161,9 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_disconnecte
     if (!cb) {
         return;
     }
-
+#if BLE_FEATURE_SIGNING
     _pal.remove_peer_csrk(connection);
+#endif
 
     _db->close_entry(cb->db_entry);
     release_control_block(cb);
@@ -1618,6 +1641,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
     _db->set_entry_local_ediv_rand(cb->db_entry, ediv, rand);
 }
 
+#if BLE_FEATURE_PRIVACY
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_irk_(
     connection_handle_t connection,
@@ -1636,6 +1660,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
 
     _db->set_entry_peer_irk(cb->db_entry, irk);
 }
+#endif BLE_FEATURE_PRIVACY
 
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_bdaddr_(
@@ -1656,6 +1681,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
     );
 }
 
+#if BLE_FEATURE_SIGNING
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_csrk_(
     connection_handle_t connection,
@@ -1681,6 +1707,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
         flags->csrk_mitm_protected
     );
 }
+#endif // BLE_FEATURE_SIGNING
 
 template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_ltk_request_(
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioBLE.cpp b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioBLE.cpp
index 18036cfac5..4ae6617416 100644
--- a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioBLE.cpp
+++ b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioBLE.cpp
@@ -233,11 +233,17 @@ impl::PalGattClientImpl& BLE::getPalGattClient()
 #if BLE_FEATURE_SECURITY
 SecurityManager& BLE::getSecurityManager()
 {
+#if BLE_FEATURE_SIGNING
     static vendor::cordio::SigningEventMonitor<impl::GenericSecurityManagerImpl> signing_event_monitor;
+#endif
     static impl::GenericSecurityManagerImpl m_instance(
-        impl::PalSecurityManagerImpl::get_security_manager(),
-        getGap(),
-        signing_event_monitor
+        impl::PalSecurityManagerImpl::get_security_manager()
+#if BLE_FEATURE_CONNECTABLE
+        , getGap()
+#endif
+#if BLE_FEATURE_SIGNING
+        , signing_event_monitor
+#endif
     );
 
     return m_instance;
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.tpp b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.tpp
index d88682e130..d07f5e2a9f 100644
--- a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.tpp
+++ b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.tpp
@@ -704,7 +704,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
                         evt->keyData.ltk.rand
                     );
                     break;
-
+#if BLE_FEATURE_PRIVACY
                 case DM_KEY_IRK:
                     handler->on_keys_distributed_bdaddr(
                         connection,
@@ -717,6 +717,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
                         irk_t(reinterpret_cast<uint8_t*>(evt->keyData.irk.key))
                     );
                     break;
+#endif // BLE_FEATURE_PRIVACY
 #if BLE_FEATURE_SIGNING
                 case DM_KEY_CSRK:
                     handler->on_keys_distributed_csrk(