The global evolution of IoT connectivity: A technical deep dive into SGP.32, eUICC security assurance, and AI-driven network orchestration

The contemporary landscape of the Internet of Things (IoT) is defined by an unprecedented shift in how cellular connectivity is provisioned, managed and secured. As deployments grow from small-scale pilots into massive, geographically dispersed fleets, the traditional paradigms of connectivity management are being fundamentally rewritten: the scale and dispersion of these fleets have elevated connectivity lifecycle management from a peripheral provisioning task to a core systems concern. Central to this transformation is the standardisation of ‘eSIM for IoT’ under the GSMA SGP.32 specification, a technical framework designed to overcome the device constraints and architectural rigidities that hampered earlier remote SIM provisioning (RSP) models.

The evolution from physical SIM cards to the embedded universal integrated circuit card (eUICC) has fundamentally altered cellular logistics, representing the most significant factor in device personalisation and customer access identification in decades. With over six billion xSIM (eSIM and iSIM) devices projected to ship over the next five years, and approximately 70% of all cellular devices expected to feature an eSIM by 2030, the technical specifications governing these elements are becoming the bedrock of global digital infrastructure. However, the mere standardisation of lifecycle workflows does not inherently guarantee that the secure element enforcing those workflows is resilient against sophisticated attack classes. This necessity for verifiable trust has led to the development of the eUICC Security Assurance (eSA) scheme, a rigorous evaluation framework grounded in the Common Criteria (CC) approach, intended to make security claims comparable and auditable across a diverse ecosystem of implementations and suppliers.

Technical foundations: The architecture of SGP.32 v1.2

The release of SGP.32 v1.2 on 27 June 2024 marked the arrival of a stable, normative technical specification for eSIM IoT RSP. This specification is part of a broader technical suite that includes SGP.31 (Requirements and Architecture) and SGP.33 (Test Specifications), providing a comprehensive blueprint for building GSMA-compliant IoT RSP components. SGP.32 is specifically engineered for resource-constrained, headless and battery-powered devices, categories that were often poorly served by previous standards.

The role and mechanism of the eSIM IoT manager (eIM)

The most transformative introduction in SGP.32 is the eSIM IoT manager (eIM), a standardised cloud-based tool designed for the mass deployment and management of eSIM-enabled IoT devices. In previous M2M architectures (SGP.02), the management of profiles was often gated by a subscription manager – secure routing (SM-SR) role, which frequently resulted in technical and commercial vendor lock-in because switching providers required complex platform-to-platform integrations.

SGP.32 moves the control logic off the device and into the eIM, shifting the management paradigm from a one-to-one manual process to a one-to-many automated model. The eIM acts as the central orchestrator, communicating with backend subscription manager data preparation plus (SM-DP+) servers to download, install, enable, disable or delete profiles across entire fleets. Because the eIM can be owned or operated by the IoT device manufacturer or the enterprise itself, it facilitates a more carrier-agnostic environment, allowing businesses to oversee device connectivity without being tethered to a specific operator’s proprietary infrastructure.

The IoT profile assistant (IPA): Bridging cloud and device

While the eIM handles the orchestration from the cloud, the IoT profile assistant (IPA) serves as the local agent within the device environment. The IPA is responsible for facilitating profile switching and bridging communications between the eIM, the SM-DP+ and the eUICC. In SGP.32, the IPA is available in two distinct variants to accommodate different hardware architectures:

  1. IPAd (device-based IPA): This implementation runs directly on the IoT device or within the cellular module. It is best suited for devices with sufficient processing power and memory, providing the OEM with more granular control over eSIM operations.
  2. IPAe (eUICC-based IPA): This variant is embedded as an application within the eUICC itself. It is the ideal choice for ultra-low-power devices, as it offloads the complexity of eSIM management to the eUICC provider, thereby reducing the integration effort and hardware requirements for the device manufacturer.

By decoupling the profile assistant from the user interface, SGP.32 enables zero-touch provisioning. A device can be shipped with a generic bootstrap profile, and upon its first activation in the field, the eIM can automatically push the correct local connectivity profile, eliminating the need for manual intervention or site visits.

Protocol evolution and efficiency

A critical architectural achievement of SGP.32 is its shift toward lightweight, transport-agnostic protocols. Earlier standards like SGP.22 (Consumer) were designed for smartphones with robust power and bandwidth, mandating the use of HTTPS over TCP/TLS. For battery-constrained IoT devices, particularly those using low power wide area networks (LPWANs) like NB-IoT, the overhead of TCP handshakes and heavyweight encryption is often prohibitive.

SGP.32 addresses this by introducing support for the Constrained Application Protocol (CoAP) over UDP and Datagram Transport Layer Security (DTLS). These protocols require significantly less data and energy, allowing connections to be established faster and with fewer interactions. This protocol efficiency is not merely a technical preference but a commercial necessity for devices intended to remain in the field for 10 to 15 years on a single battery charge.

| Protocol Component | SGP.22 (Consumer) | SGP.32 (IoT) | Implications for IoT |
|---|---|---|---|
| Transport | TCP | UDP (via CoAP) | Lower overhead, better for high-latency NB-IoT |
| Security | TLS | DTLS | Faster handshakes, reduced battery drain |
| Triggering | SMS/Manual | Cloud-based eIM | Enables headless, automated fleet management |
| Data Footprint | Heavy (HTTPS) | Lightweight (CoAP) | Reduced bandwidth costs and power consumption |

Comparative evolution: SGP.02 vs. SGP.22 vs. SGP.32

The history of eSIM standards is a progression toward greater flexibility and alignment with the unique realities of the IoT market. Understanding where SGP.32 fits requires an analysis of its predecessors, SGP.02 and SGP.22, and the specific pain points it aims to resolve.

The M2M legacy (SGP.02)

Introduced in 2014, SGP.02 was the industry’s first attempt at machine-to-machine (M2M) remote SIM provisioning. It used a push model, in which the server proactively pushed profile changes to the device. However, SGP.02 was plagued by complexity and a heavy reliance on SMS for triggering, a bearer that not all modern LPWANs support. Furthermore, SGP.02 was characterised by a high degree of vendor lock-in: a device was often permanently bound to the subscription manager – secure routing (SM-SR) platform of the original provider, making carrier switching technically difficult and commercially restricted.

The consumer model (SGP.22)

In 2016, the GSMA released SGP.22 to support the consumer smartphone market. SGP.22 introduced a pull model, where the end-user initiates a profile download, often by scanning a QR code. While SGP.22 simplified the server-side architecture by introducing the SM-DP+ (which combined the preparation and routing functions), it was fundamentally designed for interactive devices with screens and human operators. This rendered it unsuitable for headless IoT sensors located in remote or inaccessible areas.

SGP.32: The hybrid “IoT-First” approach

SGP.32 is often described as a hybrid approach that takes the simplified server-side architecture of the consumer model (SM-DP+) and adapts it to the remote, mass-management needs of IoT. By introducing the eIM, it automates, from the cloud, the pull mechanism of the consumer standard. This architectural shift gives the enterprise the freedom to leave: the ability to switch carriers without the current provider’s explicit permission or the need for complex platform integrations.

| Feature | SGP.02 (M2M) | SGP.22 (Consumer) | SGP.32 (IoT) |
|---|---|---|---|
| Provisioning Type | Push | Pull | Managed Pull |
| User Interaction | Not Required | Required (QR/App) | Not Required (Remote) |
| Connectivity | SMS/TCP | TCP/HTTPS | UDP/CoAP |
| Vendor Locking | High (SM-SR based) | Low (SM-DP+ based) | Very Low (eIM based) |
| Scale Capability | One-to-one | One-to-one (User) | One-to-many (Fleet) |

The security model: Resilience and the eSA scheme

Standardising lifecycle workflows through SGP.32 is only one half of the trust equation; the other half is ensuring that the secure element – the eUICC – is resilient against physical and logical attacks. The GSMA eUICC Security Assurance (eSA) scheme is the framework designed to provide this confidence. Grounded in the Common Criteria (CC) approach, the eSA scheme uses a more condensed and efficient set of procedures than traditional CC evaluations, making it faster for manufacturers to gain certification while maintaining high levels of security assurance.

The core of eSA: SGP.06 and SGP.07

The eSA scheme is defined by two primary GSMA documents:

  • SGP.06 (eUICC security assurance principles): Specifies the high-level requirements and conformity assessment determined by testing.
  • SGP.07 (eUICC security assurance methodology): Describes the specific optimisations used for eUICC evaluation within the CC and common evaluation methodology (CEM) framework.

The evaluation results are typically benchmarked against a level of EAL4, augmented with AVA_VAN.5 (resistance to high attack potential) and ALC_DVS.2 (sufficiency of security measures). This level of assurance is essential for eUICCs that serve as the root of trust for both network access and sensitive enterprise data.

Expansion to hardware: The 2025 milestone

A pivotal advancement in the eSA scheme occurred in May 2025 with the release of SGP.06 v2.3 and SGP.07 v2.3. Prior to this, the scheme primarily focused on software evaluation. The updated versions formally integrated hardware certification via Protection Profiles PP-0084 (Integrated Circuit) and PP-0117 (Runtime Environment of Tamper Resistant Element).

This holistic approach means that GSMA now supports eSA as a formally recognised alternative to traditional CC hardware evaluations. For eUICC manufacturers, this provides a unified pathway to certification for the entire stack: hardware, software and the runtime environment. For the broader IoT ecosystem, this expansion ensures that the eUICCs used in SGP.32 deployments are evaluated as a complete, secure entity, bridging the gap between manufacturing-stage personalisation and operational-stage trust.

Benefits of eSA for the ecosystem

The eSA scheme provides tangible benefits for all stakeholders in the IoT value chain:

  • For manufacturers: Presence on the global GSMA accredited supplier list boosts business opportunities and streamlines procurement.
  • For operators: Provides absolute confidence that data is secure and services will work as intended, ensuring global interoperability.
  • For enterprise IoT device makers: Reduces the need for repetitive individual inspections from multiple customers and provides peace of mind that the device’s core identity is protected.

Industry evidence: Deployment initiatives and economic drivers

The transition to SGP.32 is not merely a theoretical exercise but is being aggressively driven by major telecoms operators and technology vendors who recognise the operational limitations of legacy systems.

The AT&T and Thales collaboration

In October 2025, AT&T and Thales announced a next-generation eSIM solution specifically powered by the SGP.32 specification. This platform, based on Thales Adaptive Connect (TAC), allows enterprises to remotely and securely manage IoT subscriptions across a unified interface. A key feature of this collaboration is the ability for enterprises to ship a single stock-keeping unit (SKU) device globally. A device can be pre-integrated with a single Thales eSIM and then activated with the correct local connectivity profile over-the-air, eliminating the logistical nightmare of managing different physical SIM variants for different regions.

Vodafone’s massive multi-country vision

Vodafone has been an integral part of the core group defining the SGP.32 standard, viewing it as a critical enabler for “massive multi-country” IoT deployments. Vodafone’s Global SIM+ solution utilises these standards to help businesses connect assets in highly regulated countries where permanent roaming is restricted by migrating them to a local SIM over-the-air. Vodafone anticipates that SGP.32 will significantly reduce the time and resource investment required to manage global fleets, particularly in the automotive, smart city and utility sectors.

Economic impact and ROI

The shift to SGP.32 is underpinned by clear economic incentives. By eliminating physical SIM logistics, which can cost between US$2 and US$5 per device for procurement and shipping, a fleet of 10,000 devices can see annual savings of up to US$50,000. Furthermore, the reduction in deployment time – from weeks to near-instant provisioning – allows companies to bring products to market up to 90% faster. For large-scale projects, such as a smart city deployment of 50,000 light poles, SGP.32 can lead to a 70% reduction in deployment costs by enabling dynamic carrier selection and phased remote activation.

| Savings Category | Traditional Model (SGP.02/SGP.22) | SGP.32 Model | Impact |
|---|---|---|---|
| SIM Procurement | Physical shipping/Inventory costs | $0 (Integrated/Digital) | |
| Manufacturing | Multiple SKUs per region | Single Global SKU | 60-80% inventory cost reduction |
| Field Maintenance | Physical SIM swap (Truck roll) | Remote profile swap | Drastic reduction in O&M costs |
| Activation Time | 2-4 weeks | Near-instant | 90% timeline reduction |

AI industry relevance: The convergence of trust and intelligence

As telecoms networks evolve into software-defined, autonomous systems, secure device identity becomes a prerequisite for AI-driven security and operational tools. Secure eSIM for IoT (SGP.32) and AI in telecoms security are now converging to create a more resilient digital fabric.

Bharti Airtel’s AI-powered network defence

Bharti Airtel has operationalised AI as a core component of its security posture. In early 2026, the company unveiled an AI-powered Fraud Alert system that operates at the network layer to protect customers from bank frauds and OTP leakages. This autonomous solution identifies suspicious call patterns in real time and intervenes when it detects potential social engineering tactics.

Airtel’s previous AI-driven initiatives, including spam detection and malicious link blocking, have already shown remarkable results, with certified numbers indicating a 68.7% drop in financial losses and a 14.3% decrease in cybercrime incidents on its network. For an enterprise IoT deployment, this means that device identity (secured by SGP.32 and eSA) sits adjacent to an intelligent network layer capable of detecting and blocking threats across messaging, voice and data channels in real time.

Liberty Global and Google Cloud: The autonomous network

In early 2026, Liberty Global and Google Cloud announced a five-year strategic partnership to embed AI at scale across Liberty’s European operations, affecting approximately 80 million connections. A primary goal of this collaboration is the development of autonomous network operations. By using Google’s Gemini models, the partnership aims to proactively detect performance issues and execute corrective actions without manual intervention.

This trajectory toward autonomy heightens the value of auditable roots of trust. If a network is making autonomous decisions about routing or provisioning, it must be able to verify the cryptographic identity and secure lifecycle primitives of the devices at the edge. The partnership also explores the use of Liberty’s edge data centres to run Google Cloud services, highlighting a closer integration between hyperscale AI and telecoms infrastructure.

Future directions: iSIM, quantum resilience and LPWAN

The roadmap for IoT connectivity extends beyond the current iteration of SGP.32. The industry is already preparing for the next generation of threats and opportunities.

The rise of iSIM (integrated SIM)

For ultra-low-power and space-constrained devices, the transition from eSIM (embedded) to iSIM (integrated) is accelerating. iSIM integrates the eUICC functionality directly into the device’s chipset (SoC). SGP.31 and SGP.32 are designed to support iSIM-certified components, providing the same remote management benefits while further minimising power consumption and hardware footprint.

Post-quantum cryptography (PQC)

As IoT devices can remain operational for decades, they must be resilient against future threats, including quantum computing. Strategic recommendations for implementers include selecting eSIM suppliers that are already roadmap-ready for post-quantum cryptography (PQC) to mitigate the long-term risk of traditional encryption being compromised.

Connectivity and LPWAN

SGP.32’s independence from TCP and SMS makes it the definitive standard for NB-IoT and other LPWAN technologies. By utilising Lightweight M2M (LwM2M) over CoAP/UDP, SGP.32 overcomes the bandwidth and latency constraints that rendered previous standards ineffective for simple sensors and smart meters.

Strategic implications and recommendations

The emergence of SGP.32 and the expanded eSA scheme necessitates a re-evaluation of IoT strategy for both engineering teams and executive leadership.

Executive and procurement strategy

  • Treat eSA as a baseline: Procurement for large IoT fleets should treat GSMA eSA certification status as a mandatory requirement. This provides verifiable evidence that security claims have been evaluated by independent laboratories under a Common Criteria-based scheme.
  • Evaluate switching costs: SGP.32 significantly lowers the technical barriers to switching operators. Enterprises should leverage this freedom to leave to negotiate better commercial terms and ensure long-term flexibility.
  • Monitor the ecosystem: The announcement of SGP.32-powered offerings from leaders like AT&T and Thales indicates that the platform ecosystem is reaching commercial maturity. Organisations should prioritise near-term roadmap decisions that align with these implementable platforms to avoid bespoke integration costs.

Engineering and architectural implementation

  • Align with normative models: Aligning device constraints and provisioning workflows with the normative SGP.32 model – specifically the use of CoAP/UDP – reduces integration complexity and ensures interoperability across different vendor environments.
  • Implement robust governance: Treat SGP.32 profile lifecycle actions (download, enable, disable, delete) as high-impact change-controlled operations. Explicit policy, logging and auditability are essential to maintain the integrity of the fleet.
  • Choose the right IPA placement: Technical teams must decide between IPAd and IPAe based on the device’s processing capabilities. IPAe is generally preferred for ultra-low-power devices to minimise the integration burden on the primary application processor.
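The governance recommendation above, as an added illustration (not code from the page, GSMA or any vendor): a small fleet lifecycle controller in Python that gates the four SGP.32 profile actions behind a role policy and eUICC state rules, and records every request, granted or denied, in a hash-chained audit log. The roles, the fall-back-to-bootstrap rule, the EID/ICCID values and the log format are assumptions.

```python
import hashlib
import json

# Added example, not from the page or any vendor; roles and the fallback rule below are assumptions.
ROLE_PERMISSIONS = {"fleet-admin": {"download", "enable", "disable", "delete"}, "read-only": set()}


class PolicyViolation(Exception):
    pass


class FleetLifecycle:
    def __init__(self, bootstrap_iccid, eids):
        self.bootstrap = bootstrap_iccid  # generic bootstrap profile present on every eUICC
        self.devices = {eid: {bootstrap_iccid: "enabled"} for eid in eids}  # eid -> {iccid: state}
        self.audit = []  # append-only, hash-chained log of every request, granted or denied

    def _log(self, actor, action, eid, iccid, outcome):
        entry = {"seq": len(self.audit), "actor": actor, "action": action, "eid": eid,
                 "iccid": iccid, "outcome": outcome,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def _check(self, role, action, eid, iccid):  # returns the policy violation, or None
        profiles = self.devices.get(eid)
        if action not in ROLE_PERMISSIONS.get(role, set()):
            return "role not permitted"
        if profiles is None or (action != "download" and iccid not in profiles):
            return "unknown eUICC or profile not installed"
        if action == "delete" and (profiles[iccid] == "enabled" or iccid == self.bootstrap):
            return "disable before delete; bootstrap profile is protected"
        if action == "disable" and iccid == self.bootstrap and profiles[iccid] == "enabled":
            return "would leave the device without connectivity"

    def apply(self, actor, role, action, eid, iccid):
        problem = self._check(role, action, eid, iccid)
        self._log(actor, action, eid, iccid, f"denied: {problem}" if problem else "ok")
        if problem:
            raise PolicyViolation(problem)
        profiles = self.devices[eid]
        if action == "download":
            profiles.setdefault(iccid, "disabled")  # installed but not yet active
        elif action == "enable":  # an eUICC has at most one enabled profile
            for other in profiles:
                profiles[other] = "enabled" if other == iccid else "disabled"
        elif action == "disable":
            profiles[iccid] = "disabled"
            if "enabled" not in profiles.values():  # assumed rule: fall back to bootstrap
                profiles[self.bootstrap] = "enabled"
        else:
            del profiles[iccid]

    def verify_audit(self):  # recompute the chain; an edited or removed entry breaks it
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True
```

Denied requests are logged before the exception is raised, so the audit trail also captures attempts that the policy refused.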

The standardisation of SGP.32 and the expansion of the eUICC security assurance scheme represent a foundational shift in the global IoT ecosystem. By addressing the technical debt of SMS-heavy legacy systems and providing a clear pathway for verifiable security, these standards enable the next phase of massive, autonomous IoT deployments. The convergence of these secure provisioning controls with AI-assisted network monitoring creates a robust infrastructure where cryptographic identity at the edge and intelligent defence at the core work in tandem. For the modern enterprise, the adoption of SGP.32 is not just a connectivity choice; it is a strategic investment in the security, scalability and long-term viability of its digital fleet.

Marion Webber

Contributor