Fact-checked by Grok 2 weeks ago

eUICC

The embedded Universal Integrated Circuit Card (eUICC) is a standardized secure element integrated into mobile devices and Internet of Things (IoT) equipment, enabling the remote provisioning, storage, and management of multiple SIM profiles for seamless connectivity across network operators without physical card swaps.^[1] Developed by the GSM Association (GSMA), eUICC forms the core of eSIM technology, supporting over-the-air (OTA) updates to enhance flexibility, security, and global roaming capabilities in both consumer and industrial applications.^[1] The concept of an embedded SIM, which underpins eUICC, was first proposed by the GSMA in 2010 as an evolution of traditional removable SIM cards, initially targeting machine-to-machine (M2M) communications.^[2] In 2014, the GSMA released its inaugural specification (SGP.02) focused on M2M use cases, laying the groundwork for remote SIM provisioning in IoT scenarios.^[3] By 2016, the GSMA formalized the eUICC standard through documents like SGP.21 and SGP.22, expanding its scope to consumer devices such as smartphones and wearables, while subsequent updates addressed IoT-specific needs with SGP.31 (architecture) and SGP.32 (technical implementation) released in 2023 and refined through 2025.^[1] These specifications ensure interoperability across ecosystems, with eUICC chips identified via unique Embedded UICC Identifiers (EIDs) managed under the GSMA's eUICC Identity Scheme for secure global deployment.^[4] Architecturally, eUICC operates within a Remote SIM Provisioning (RSP) framework, dividing the chip into secure domains for profile isolation and leveraging cryptographic protocols for OTA operations like profile download, enablement, and deletion.^[1] Key components include the eUICC itself, Subscription Manager Data Preparation (SM-DP), and Subscription Manager Secure Routing (SM-SR), which facilitate operator-agnostic connectivity while adhering to stringent security standards such as those in SGP.08 for certificate management.^[1] This design supports multiple profiles—up to dozens depending on storage capacity—allowing devices to switch networks dynamically based on location, cost, or coverage.^[1] In consumer applications, eUICC powers eSIM adoption in devices like iPhones and Android smartphones, enabling users to activate cellular plans digitally and reducing reliance on physical SIM distribution since its commercial rollout around 2017.^[2] For IoT, it addresses challenges in large-scale deployments, such as remote sensors, vehicles, and smart meters, by permitting localized network selection to optimize performance and avoid international roaming fees, with the GSMA estimating billions of eUICC-enabled connections by 2030.^[5] Benefits include logistical efficiencies, as no physical SIM swaps are needed for device activation or relocation; and ecosystem-wide compliance via GSMA's eUICC Security Assurance (eSA) scheme, which certifies chips against Common Criteria standards.^[6] Challenges persist in interoperability testing and certification, but ongoing GSMA refinements, including SGP.23 test specifications (version 3.1.2, April 2024), continue to drive adoption.^[1]

History and Development

Origins and Evolution

The eUICC, or embedded Universal Integrated Circuit Card, is a secure chip integrated into devices that enables the remote over-the-air provisioning and management of multiple SIM profiles, eliminating the need for physical SIM card swaps.^[4]^[7] This technology builds on the traditional Universal Integrated Circuit Card (UICC) used in removable SIMs but embeds it directly into the hardware, allowing seamless switching between network operators and profiles.^[8] The origins of eUICC trace back to the early 2010s, when the limitations of physical SIM cards—such as the challenges of swapping them in compact or inaccessible devices—prompted the evolution toward embedded SIM (eSIM) solutions. Driven by the rapid growth of machine-to-machine (M2M) communications and the Internet of Things (IoT), this shift addressed the need for more flexible, scalable mobile connectivity in sectors like automotive, utilities, and consumer electronics.^[9]^[2] The GSMA recognized that traditional SIMs hindered efficient global deployment and management of connected devices, spurring innovation toward software-based alternatives.^[10] In November 2010, the GSMA launched its Embedded SIM initiative, marking a pivotal push for standardized remote provisioning to enhance global roaming capabilities and streamline device lifecycle management across borders.^[10]^[11] This effort focused initially on M2M applications, where physical access to devices is often impractical, aiming to enable operators to download and activate profiles securely without hardware intervention. In December 2013, the GSMA published its first Embedded SIM specification (SGP.02), formalizing the technical framework for remote over-the-air management.^[12]^[13] Early prototypes and pilots emerged shortly thereafter, with the GSMA coordinating demonstrations of the technology's feasibility in real-world scenarios. In 2012, initial device implementations were anticipated as part of the initiative's rollout, paving the way for practical testing.^[10] By 2013–2014, major operators including AT&T and Vodafone participated in early pilots, showcasing remote profile switching for M2M devices to support applications like asset tracking and connected vehicles.^[14]^[15] These efforts validated the eUICC's potential to reduce deployment costs and improve connectivity reliability, setting the stage for broader adoption. The GSMA's standards, such as those outlined in SGP.02, provided the foundational architecture for these advancements.^[10]

Key Milestones and Adoption

The development of eUICC technology began to accelerate with the publication of the GSMA's SGP.02 specification in December 2013, which outlined the remote provisioning architecture for embedded UICC in machine-to-machine (M2M) devices, enabling secure over-the-air profile management without physical SIM swaps.^[12] This was followed in 2016 by the GSMA's SGP.22 specification tailored for consumer devices, further standardizing eUICC implementation across smartphones and tablets. In May 2023, the GSMA released SGP.32, a technical specification for remote SIM provisioning in IoT applications.^[5] Integration into broader cellular standards occurred with ETSI TS 103 383 version 13.1.0 in February 2016, aligning eUICC functionality with 3GPP Release 13 enhancements for improved security and interoperability in mobile networks.^[16] Widespread commercial adoption gained momentum after 2018, particularly with Apple's introduction of eSIM support in the iPhone XS, XS Max, and XR models announced on September 12, 2018, which allowed dual-SIM functionality via eUICC for the first time in mainstream consumer smartphones. Samsung followed suit with eSIM-enabled Galaxy devices, contributing to global rollout. Regulatory progress included the launch of GSMA's certification programs in 2016, such as the Remote SIM Provisioning (RSP) test specifications under SGP.16, ensuring compliance and security for eUICC ecosystems.^[17] In Europe, alignment with the eIDAS Regulation (EU) No 910/2014 advanced in 2019 through implementing acts that supported trust services for secure eUICC provisioning, facilitating cross-border electronic identification.^[18] By 2023, over 1 billion eUICC-enabled devices had been shipped cumulatively, with the installed base of eSIM IoT devices alone reaching approximately 1 billion units, driven by demand in automotive and connected consumer sectors.^[19] Adoption continued to surge within 5G ecosystems, where eUICC's remote management capabilities supported seamless network slicing and multi-operator switching; GSMA projections indicate 2.4 billion smartphone connections using eSIM by the end of 2025, bolstered by 5G's expansion to over 2.25 billion connections as of April 2025.^[20] ^[21] Key partnerships accelerated deployment, including the 2017 collaboration between GSMA and Verizon to certify eUICC platforms for IoT security, enabling Verizon to issue GSMA-compliant certificates for remote provisioning in enterprise devices.^[22] GSMA's ongoing work with device makers like Apple and Samsung integrated eUICC into flagship products, while telecom operators such as Verizon facilitated global trials, ensuring interoperability across 5G networks.^[23]

Technical Overview

Core Architecture

The eUICC represents a hardware-software system designed for secure, remote management of mobile network subscriptions, enabling the embedding of SIM functionality directly into devices without physical card swaps. At its core, the architecture comprises layered components that ensure tamper resistance, profile isolation, and seamless interoperability with cellular networks. This design facilitates over-the-air updates and multi-profile support, distinguishing it from traditional removable SIMs by prioritizing flexibility for consumer and IoT applications. Recent updates, such as in SGP.22 v2.6.1 (April 2025), incorporate enhancements like improved multi-enabled profile support and alignment with post-quantum cryptography standards (as of November 2025).^[24]^[25] The hardware layer of the eUICC is an embedded, tamper-resistant chip compliant with ISO/IEC 7816 standards for integrated circuit cards, providing a secure element for storing sensitive credentials. This chip integrates directly into the device's motherboard, offering physical protection against unauthorized access through features like secure memory partitioning. The software layer builds upon this with an operating system that manages applets—small, executable programs—for handling subscription profiles and cryptographic operations. Network interfaces, such as those supporting remote SIM provisioning (RSP), enable secure communication with external servers over cellular or IP channels for profile downloads and updates.^[24]^[26]^[25] Integration with device ecosystems occurs primarily through the Local Profile Assistant (LPA), a software component that acts as an intermediary between the eUICC and the device's operating system. In Android platforms, the LPA leverages APIs like EuiccManager to discover, download, and manage profiles, routing operations securely to the embedded chip. Similarly, iOS incorporates LPA functionality within its framework for eSIM activation and switching, ensuring compatibility across major mobile OSes. This setup allows the eUICC to operate as a native extension of the device's connectivity stack, with the LPA handling user interactions and notifications.^[27]^[28]^[25] The data storage model employs secure, isolated partitions within the eUICC's non-volatile memory to hold multiple SIM profiles simultaneously, with the capacity determined by available memory rather than a fixed limit. Each profile contains subscription data, cryptographic keys, and network parameters, enabling the device to maintain several operator configurations offline. Active profile selection is achieved through enable/disable commands issued via the LPA, which switches the operational profile without disrupting connectivity, thus supporting seamless transitions in multi-network environments.^[24]^[25]^[29] Interoperability is ensured through adherence to Java Card specifications for applet development and execution, allowing portable, secure applications across diverse eUICC implementations. Complementing this, GlobalPlatform standards govern card configuration, secure channel protocols, and lifecycle management, promoting vendor-neutral compatibility for profile installation and execution. These principles enable the eUICC to function uniformly in global ecosystems, reducing fragmentation in deployment.^[30]^[31]^[26]

Key Components and Functionality

The embedded Universal Integrated Circuit Card (eUICC) relies on several core components to enable secure and flexible management of mobile network subscriptions. The Issuer Security Domain Root (ISD-R) serves as the primary security domain within the eUICC, responsible for isolating profiles and managing access controls to prevent unauthorized interactions between them.^[32] It enforces security policies through mechanisms like the Profile Policy Rules (PPR), ensuring that each profile operates in a protected environment.^[32] Complementing the ISD-R is the Subscription Manager Data Preparation Plus (SM-DP+), an off-card entity that creates, protects, and prepares subscription profiles for delivery to the eUICC. The SM-DP+ authenticates with the eUICC using ECDSA certificates and binds profiles to specific devices via cryptographic protocols. Also key is the Subscription Manager Secure Routing (SM-SR), an off-card entity that handles post-installation management operations such as profile enabling, disabling, and notifications, communicating via secure interfaces like ES11.^[33]^[32]^[1] Core functionalities of the eUICC center on the lifecycle management of profiles, facilitated through secure interfaces defined in GSMA specifications.^[33] Profile download involves the SM-DP+ initiating a secure session with the eUICC over the ES9+ interface, transferring encrypted profile data that the ISD-R then installs into dedicated Issuer Security Domains (ISD-Ps).^[32] Once installed, profiles can be enabled or disabled by the ISD-R, allowing users to switch subscriptions without physical card changes; enabling activates the profile for network use, while disabling suspends it while preserving data integrity. Over-the-air (OTA) profile management operations, such as enabling/disabling or updating policy rules, are supported via the Subscription Manager Secure Routing (SM-SR) using interfaces like ES11. Modifications to core profile parameters, such as access point names, typically require downloading a new profile via the ES9+ interface to the SM-DP+.^[32]^[33] The eUICC supports storage and management of multiple profiles, with typically one enabled for network connectivity at a time in standard operation. Advanced configurations, such as Multiple Enabled Profiles (MEP), allow multiple profiles to be active simultaneously, with the ISD-R handling prioritization and switching based on device policies, supporting scenarios like international roaming.^[32] Profile lifecycle events are managed comprehensively: installation integrates a new profile, deletion removes it securely to prevent data leakage, and disabling temporarily deactivates it for network operations while retaining the profile for later enablement.^[32] Error handling ensures reliability during profile operations. If a download fails due to network issues or authentication errors, the eUICC's ISD-R initiates a rollback to the previously enabled profile, maintaining service continuity.^[32] Mechanisms like state preservation on failures (FPT_FLS.1) and detection of tampering or replay attacks further protect against disruptions, with secure channels (e.g., TLS/DTLS) providing confidentiality and integrity.^[32]

Standards and Specifications

GSMA SGP Standards

The GSMA's SGP.02 specification, initially released in 2014, establishes the foundational architecture for remote provisioning of embedded UICCs (eUICCs) in machine-to-machine (M2M) applications. It outlines the overall system framework, including key interfaces such as ES8+ for profile policy management, which enables secure handling of subscription profile policies between subscription managers and profile owners. This specification was updated to version 4.3 in 2023, incorporating enhancements for improved interoperability and security in eUICC operations across diverse M2M environments.^[34]^[35] Building on this foundation, the SGP.22 specification, introduced in 2016 and continually updated thereafter, addresses remote provisioning specifically tailored for consumer devices such as smartphones and wearables. It defines the technical requirements for the Subscription Manager Data Preparation (SM-DP+) and Subscription Manager Secure Routing (SM-SR) entities, facilitating user-friendly profile downloads and switches over-the-air without physical SIM handling. Key features include support for Local Profile Assistant (LPA) implementations on devices, ensuring seamless integration with user interfaces for profile management. Ongoing revisions include version 3.1 in 2023 and version 2.6.1 in 2025, refining these mechanisms to enhance user experience and ecosystem compatibility.^[36]^[25] For M2M and IoT deployments, the SGP.32 specification, released in 2023, provides a specialized framework optimized for low-power, high-volume scenarios. It emphasizes batch provisioning capabilities, allowing efficient bulk management of eUICC profiles in resource-constrained devices without user interfaces, such as sensors and industrial equipment. This includes streamlined interfaces for autonomous profile installation and switching, reducing operational overhead in large-scale IoT networks. The specification supports minimal profile sizes and low-bandwidth operations to accommodate energy-limited environments; version 1.2 was released in June 2024, with the first GSMA-certified SGP.32 solutions available as of August 2025.^[37]^[38] To ensure interoperability and reliability, the GSMA has implemented comprehensive eUICC testing programs, including the eUICC Security Assurance (eSA) scheme and compliance validation through GlobalPlatform. These programs validate compliance with SGP specifications through functional, security, and performance assessments conducted by accredited labs, covering aspects like profile lifecycle management and secure bootstrapping. Certification under these schemes, often aligned with GlobalPlatform and GCF processes, is mandatory for ecosystem participants to guarantee seamless deployment across global networks.^[1]^[39]

Involvement of ETSI and 3GPP

The European Telecommunications Standards Institute (ETSI) has significantly contributed to eUICC standardization through the TS 103 383 series, which defines high-level requirements for embedded UICC functionality, including profile provisioning, architecture, and remote management capabilities. This series, initiated in 2013 and updated through versions such as V13.2.0 in 2016 and V14.0.0 in 2018, establishes foundational guidelines for eUICC operations while maintaining compatibility with traditional UICC specifications. ETSI's work extends to test specifications that verify conformance, ensuring reliable implementation across devices and networks.^[40] The 3rd Generation Partnership Project (3GPP) incorporated eUICC into its specifications starting with Release 13 in 2016, where it was introduced within Non-Access Stratum (NAS) protocols to support dynamic subscription handling and profile activation without physical intervention. Subsequent enhancements in Release 17, completed in 2022, extended eUICC support to 5G network slicing, enabling profiles to be tailored to specific slice types for optimized service delivery in diverse scenarios.^[41]^[42] Alignment between GSMA SGP standards and 3GPP specifications has focused on harmonizing network authentication processes, allowing eUICC profiles to integrate seamlessly with core mobile network elements for secure credential management. Updates in 2024 and 2025 have included alignments with 3GPP Release 18 for 5G-Advanced, enhancing secure remote SIM provisioning for 5G and constrained IoT devices.^[43] These ETSI and 3GPP standards collectively promote cross-operator compatibility by standardizing profile switching and authentication protocols, which facilitate seamless international roaming and enable devices to dynamically select optimal networks across borders.

Applications and Use Cases

Consumer Devices

The embedded Universal Integrated Circuit Card (eUICC) technology enables consumer devices to support embedded SIM (eSIM) profiles, allowing users to activate and manage cellular plans digitally without physical SIM cards. This capability is particularly prominent in smartphones, where eUICC facilitates remote provisioning of operator profiles, enabling seamless carrier switching and enhanced flexibility for users. The GSMA predicts 1 billion eSIM smartphone connections worldwide by the end of 2025.^[33]^[44] In smartphones, eUICC has been widely adopted starting with models like the iPhone 14 series launched in 2022, which in the United States are exclusively eSIM-only devices, eliminating the need for physical SIM slots. Similarly, Android devices such as the Google Pixel series have supported eUICC since earlier models, with comprehensive integration allowing users to download and switch carrier profiles directly through device settings. These implementations support dual-SIM functionality within a single eUICC chip, permitting simultaneous use of multiple numbers for personal and work lines or different carriers.^[45]^[27]^[46] eUICC extends to tablets and smartwatches, enhancing connectivity in portable consumer electronics. For instance, recent iPad models, including the iPad Pro (M4) and iPad Air (M2), are eSIM-only, supporting on-the-go data plans without physical cards. Apple Watch cellular models also leverage eUICC for independent connectivity, allowing calls, messages, and app usage away from a paired iPhone. This broadens access to mobile services in compact form factors, where space constraints make physical SIMs impractical.^[45]^[47] A key benefit of eUICC in consumer devices is support for seamless international travel, as users can remotely download local carrier profiles to avoid roaming fees or connectivity issues abroad. This process often involves scanning a QR code provided by the carrier for quick activation, integrated into the device's operating system settings for straightforward profile management—such as adding, switching, or deleting plans with minimal steps. Overall, these features reduce hardware complexity and improve user convenience by enabling multiple profiles to be stored and activated on demand.^[48]^[33]^[49]

IoT and M2M Communications

eUICC technology is particularly well-suited for Internet of Things (IoT) and machine-to-machine (M2M) communications, where devices demand robust, long-term connectivity in challenging environments. In connected vehicles, eUICC enables seamless global roaming and over-the-air profile switching to support features like real-time diagnostics, navigation, and vehicle-to-everything (V2X) interactions, ensuring uninterrupted service across borders without manual SIM swaps. Smart meters utilize eUICC to provide reliable, remote data transmission for utility monitoring, often in fixed or semi-fixed installations where physical access is limited. Industrial sensors, deployed in factories or remote sites, leverage eUICC for persistent connectivity to transmit operational data, enabling predictive maintenance and automation in harsh conditions.^[50]^[51]^[52] A key advantage of eUICC in these setups is its support for bulk provisioning, which allows operators to remotely download and activate profiles across millions of devices at scale, streamlining deployment for large IoT ecosystems. In 2025, eUICC is increasingly integrated with non-terrestrial networks (NTN) and satellite communications for enhanced global coverage in remote IoT deployments. Additionally, eUICC integrates effectively with low-power wide-area networks (LPWAN) such as NB-IoT, providing efficient, low-bandwidth connectivity that conserves battery life for power-sensitive M2M applications like remote monitoring. These features reduce operational overhead by eliminating the need for physical SIM distribution and enabling dynamic network optimization.^[53]^[54]^[55]^[56] Notable implementations include automotive eUICC adoption in BMW models starting from 2021 and Tesla vehicles around 2023, where it powers embedded connectivity for over-the-air updates and telematics services. The GSMA's IoT roadmap further embeds eUICC integration through evolving standards like SGP.32, with initial commercial rollouts in 2025 and mass market adoption by late 2025 or early 2026 to enhance interoperability in M2M ecosystems.^[57]^[58]^[59] For scalability, eUICC's remote SIM provisioning allows fleet managers to switch operator profiles on-the-fly without device downtime, facilitating efficient management of expansive IoT networks such as logistics fleets or sensor arrays. This capability supports zero-touch activation and lifecycle management, ensuring high availability in dynamic M2M scenarios.^[60]^[61] In large-scale IoT and M2M deployments, eUICC profiles are often managed not only by mobile network operators but also by specialised IoT mobile virtual network operators (MVNOs). These providers aggregate cellular access from multiple carriers and expose it through a single global platform, using eUICC to download and switch profiles remotely so that devices can move between national networks while keeping one SIM and one management interface. For example, iONLINE Connected Networks’ FlexiSIM is an intelligent network-switching eUICC SIM for IoT that can be updated over the air to change mobile network operators, providing multi-network connectivity in roughly 220 countries and territories across more than 700 carrier networks.^[62]^[63]

Implementation and Deployment

Profile Management Process

The profile management process for eUICC-enabled devices follows a standardized end-to-end workflow defined in the GSMA Remote SIM Provisioning (RSP) architecture, enabling remote handling of subscriber profiles without physical SIM card replacement. This process begins with profile discovery, where the Local Profile Assistant (LPA)—a software component on the device—initiates the retrieval of available profiles by obtaining the address of the Subscription Manager Data Preparation Plus (SM-DP+) server. The LPA can use methods such as Activation Codes, queries to the Subscription Manager Discovery Service (SM-DS), or default SM-DP+ addresses to locate the server, often employing the ES10a interface to fetch the eUICC's Embedded Identity Document (EID) and configuration data from the eUICC itself.^[64] Once discovered, the profile download occurs over a secure channel established via mutual authentication between the LPA, eUICC, and SM-DP+. The user or device triggers the process through the LPA's user interface, prompting the operator to authenticate the request—typically via the ES2+ interface where the operator issues a DownloadOrder to the SM-DP+. The SM-DP+ then generates a Bound Profile Package (BPP), which includes the profile data encrypted with keys derived from a key agreement protocol, and transfers it to the LPA using the ES9+ interface for preparation and the ES10b interface for segmented delivery to the eUICC. This secure channel relies on Transport Layer Security (TLS) and certificate-based verification, ensuring the integrity and confidentiality of the profile data during transit.^[64] Following download, installation integrates the profile into the eUICC's secure memory. The LPA processes the BPP using the ES10b.LoadBoundProfilePackage command, which includes sub-procedures like InitialiseSecureChannel for session establishment, StoreMetadata for policy storage, and verification of the SM-DP+'s digital signature to confirm authenticity. Post-installation verification occurs through checks on the profile's integrity, compatibility with the eUICC, and adherence to any embedded rules, with the LPA notifying the operator of success or failure via the ES2+ interface. Activation then enables the profile for use, where the LPA selects it via the ES10c.EnableProfile command, potentially disabling the current profile in an atomic operation to maintain connectivity; this step requires user consent and operator confirmation to finalize network attachment.^[64] eUICCs support multiple profiles, allowing prioritization and switching based on operational needs, with the LPA managing them through ES10c commands like GetProfilesInfo to list and sort profiles by attributes such as notification priority from the SM-DP+. For updates and maintenance, Over-The-Air (OTA) policy rules—known as Profile Policy Rules (PPRs)—govern actions like profile enabling, disabling, deletion, or switching; these rules, stored in a Rules Authorisation Table (RAT), are enforced by the eUICC's Profile Rules Enforcer and may require explicit user or operator approval. Emergency fallback mechanisms ensure resilience, such as reverting to a previously enabled operational profile or using a test profile if the primary activation fails, with session cancellation options available during any sub-procedure to abort and restore prior states without disrupting service.^[64]

Integration Challenges and Solutions

One of the primary integration challenges for eUICC deployment involves interoperability issues among diverse vendors, including SIM providers, device manufacturers, and network infrastructure suppliers, which can lead to inconsistencies in profile management and remote provisioning processes.^[65] Ensuring seamless communication across these components requires rigorous testing, as highlighted by GSMA initiatives like the eSIM LITE Event, where multiple vendors collaborate to validate profile compatibility.^[66] Backward compatibility with legacy SIM (UICC) systems poses another hurdle, as eUICC must support existing network protocols without disrupting established device ecosystems, particularly in transitional IoT deployments.^[67] Additionally, high initial certification costs, stemming from the multi-step GSMA compliance process involving functional, security, and interoperability evaluations, can deter smaller vendors and delay market entry.^[68]^[69] To address these, the GSMA has established a comprehensive compliance program, including accredited testing labs and the eUICC Security Assurance (eSA) scheme, which verifies adherence to SGP standards and promotes ecosystem-wide reliability.^[70]^[71] Modular Local Profile Assistant (LPA) designs further facilitate integration by allowing flexible implementation within operating systems, such as Android's EuiccManager APIs, enabling carriers to manage profiles without deep hardware modifications.^[28]^[72] Over time, adherence to standards like SGP.32 fosters economies of scale, reducing overall implementation costs through broader adoption and optimized manufacturing.^[73] Regionally, varying regulations create additional barriers; in the European Union, security certifications under voluntary schemes like the EUCC (as outlined by ENISA) provide a framework for compliance for eUICC in critical infrastructure, contrasting with the United States' primarily market-driven adoption without equivalent mandates.^[74] Solutions include hybrid device designs supporting both physical SIM slots and eUICC, as seen in smartphones like recent iPhone models, which allow gradual transitions and compatibility across markets.^[75]

Security and Identification

eID System

The eUICC Identifier (eID) is a unique 32-digit hexadecimal number assigned to each embedded Universal Integrated Circuit Card (eUICC) chip during its manufacturing process, serving as a persistent device marker within the eSIM ecosystem.^[76]^[4] This identifier distinguishes one eUICC from all others globally, without relation to any service subscriptions or user data.^[76] The eID is generated by the eUICC manufacturer (EUM) under the oversight of the GSMA eUICC Identity Scheme, which defines its structure as a combination of the EUM Identification Number (EIN)—allocated by the GSMA as the first-level assignment authority—and an EUM-specific identification number (ESIN), followed by two check digits to ensure validity.^[76] The GSMA manages the assignment process, maintaining a list of allocated identifiers to guarantee uniqueness and coordinating with manufacturers, device makers, and national authorities through a verification system that includes 5-day reviews for assignments and cancellations.^[76]^[4] In practice, the eID facilitates secure tracking of eUICC devices for remote provisioning, such as profile installation, while enabling anti-cloning measures through its inherent uniqueness and supporting lifecycle management—from activation to deactivation—without revealing sensitive operational details.^[76]^[4] Once assigned at manufacture, the eID remains immutable throughout the chip's lifecycle, which poses coordination challenges in multi-vendor supply chains but is addressed via GSMA's centralized allocation protocols to prevent duplication across diverse production environments.^[76]

Authentication and Protection Mechanisms

The eUICC employs mutual authentication protocols based on Public Key Infrastructure (PKI) to secure profile downloads and installations. During the remote provisioning process, the Subscription Manager Data Preparation (SM-DP) and the eUICC perform mutual authentication using digital certificates issued by the GSMA Certification Authority (CI) and the eUICC Manufacturer (EUM). This involves the eUICC presenting its certificate, signed by the EUM, which the SM-DP verifies against the EUM's certificate chained to the GSMA root. The process establishes a secure session keyset via Elliptic Curve Key Agreement (ECKA-DH), ensuring both parties authenticate each other before transferring encrypted profile data.^[77] For ES9+ interfaces, which facilitate communication between the SM-DP, Subscription Manager Secure Routing (SM-SR), and the eUICC, digital certificates provide entity authentication and enable TLS-secured channels. These certificates, compliant with X.509 standards, verify the authenticity of involved components, preventing unauthorized access during profile management operations such as enabling or disabling. The use of PKI in these interfaces aligns with GSMA's security requirements, where the SM-DP authenticates the eUICC's public key to derive session keys for subsequent secure messaging.^[77] Profile protection in eUICC relies on AES-256 encryption for confidentiality, applied to profile packages during download and storage. Profiles are encrypted using derived session keys (Ke for encryption), ensuring data remains inaccessible without proper authentication. Additionally, secure boot mechanisms, enforced by the Embedding Controller Access Security Domain (ECASD), verify the integrity of the eUICC's boot process against tampering. Runtime integrity checks occur via Message Authentication Codes (MAC) computed with integrity keys (Km), validating profile installations and updates in real-time to detect alterations.^[78]^[77] To mitigate threats, eUICC implementations incorporate resistance to side-channel attacks, such as differential power analysis, through hardware-level protections in certified secure elements meeting Common Criteria EAL4+ or higher. GSMA-defined keys, including Platform Management Credentials and Profile Management Credentials stored in Hardware Security Modules (HSMs), establish trust between operators and devices by securing OTA operations and preventing key extraction. These mitigations address risks like replay attacks and unauthorized profile cloning by enforcing secure channel protocols (e.g., SCP03). Compliance with ISO 27001 is integrated via GSMA's baseline security controls for information security management in eUICC ecosystems.^[79]^[77] As of 2025, enhancements include options for post-quantum cryptography in GSMA-accredited eUICC implementations to protect against quantum computing threats.^[80]^[81] The GSMA eUICC Security Assurance (eSA) scheme, expanded in October 2025 to support alternative hardware certification paths, ensures ongoing ecosystem compliance.^[82]

References

[1]
eSIM Consumer and IoT Specifications - GSMA
The below content provides the status of the eSIM specifications that have been published by GSMA and a comprehensive way to link the core specifications.
[2]
eSIM Standards: GSMA and eUICC - Instabridge
Apr 2, 2023 · eSIM, or embedded SIM, is a relatively new technology rooted in the traditional SIM card. The concept of an embedded SIM was first proposed by the GSMA in 2010.
[3]
eUICC – Dawn of a New Era - COMPRION
Feb 16, 2017 · ... introduction of the eUICC, this old model is history ... In 2014, the GSMA released the first specification targeting on the M2M use cases.
[4]
eUICC Identity Scheme - Device Services - GSMA
A global eSIM identification system that works for all, as it enables eUICC manufacturers to allocate their own number to identify the eUICC (the eSIM's chip).Why Is The Scheme Important... · Eids Activate Euiccs · Managed For Optimal...
[5]
M2M Specifications - eSIM - GSMA
Architecture Specifications · Technical Specifications · Test Specifications · Compliance Specifications · Security Evaluation of Integrated eUICC · Security ...
[6]
eUICC Security Assurance (eSA) - Industry Services - GSMA
Oct 29, 2025 · What is eSA? The embedded UICC (eUICC) is an evolution of SIM technology and key to consumer and IoT-driven digital transformation.Why Is It Important For Your... · Universally Recognised · Resources
[7]
What is eUICC, how it works, and 8 amazing use cases - floLIVE
eUICC stands for Enhanced Universal Integrated Circuit Card. Its primary function is to allow mobile devices to be provisioned over-the-air (OTA), ...
[8]
[PDF] eUICC for Smart Metering - Trusted Connectivity Alliance
eUICC, also known as an embedded UICC or eSIM, refers to a UICC which: ◗ Is capable of hosting multiple network connectivity profiles (as defined by GSMA).
[9]
A Brief History of the eSIM: From IoT to Smartphones - BetterRoaming
May 27, 2024 · The concept of the eSIM was first introduced by the Global System for Mobile Communications Association (GSMA) back in 2010. The GSMA are ...
[10]
GSMA Launches Embedded SIM Initiative to Support the Connected ...
Nov 18, 2010 · Devices featuring the new SIM activation capability are expected to appear in 2012. Traditional SIM-supported devices will continue to work ...Missing: first demonstration
[11]
[PDF] Remote eSIM Provisioning - achelos CONNECT
The first GSMA RSP standard released in 2010, enabling the centralised management of M2M eSIM ... Popular name equivalent to term eUICC used in GSMA ...
[12]
GSMA Publishes 'Embedded SIM' Specification For Machine-to ...
Dec 19, 2013 · LONDON, Dec. 19, 2013 /PRNewswire/ -- The GSMA today announced the publication of its specification to enable the remote 'over the air' ...
[13]
GSMA Publishes Embedded SIM Specs - Light Reading
Dec 20, 2013 · Embedded SIM initiative aims to accelerate the M2M market addressing key sectors including transportation and utilities. December 20, 2013. 2 ...
[14]
Driving M2M: AT&T becomes one of the first global operators to offer ...
Oct 2, 2014 · Driving M2M: AT&T becomes one of the first global operators to offer an M2M solution based on the GSMA Embedded SIM specification.Missing: demonstrations 2012
[15]
Vodafone implements eSIM specification | G+D - Giesecke+Devrient
Mar 2, 2016 · G&D has delivered the eSIM management solution for Vodafone Group's first implementation of the Remote SIM Provisioning specification.
[16]
[PDF] SGP.02-v4.0.pdf - GSMA
Feb 25, 2019 · The aim of this document is to define a technical solution for the remote provisioning ... eUICC OS Update. Mechanism to correct existing features ...Missing: 2010 | Show results with:2010
[17]
Over 2.3 billion cellular connections will be eUICC/Remote SIM ...
Jul 7, 2023 · This followed the availability of two other standards developed by the GSMA: SGP.02 (“M2M”) and SGP.22 (“Consumer”) introduced in 2014 and 2016, ...Missing: milestones | Show results with:milestones
[18]
[PDF] ETSI TS 103 383 V13.1.0 (2016-02)
The MNO may want to reuse the existing Profile on eUICC,. e.g. reusing network access credentials (e.g. IMSI, Ki) and other common files (e.g. files under MF), ...
[19]
[DOC] Download - GSMA
This document provides the framework within which: An eUICC, SM-DP or SM-SR can demonstrate functional and security compliance to SGP. 01 [1] and SGP. 02 [2].Missing: milestones | Show results with:milestones
[20]
The Electronic Identification and Trust Services ... - Legislation.gov.uk
These regulations amend the eIDAS Regulation and other EU legislation for electronic transactions, related to the UK's exit from the EU, and come into force on ...Part 1the Eidas Regulation · Co-Operation With Eu... · Recognition Of Eu Standards...Missing: alignment | Show results with:alignment<|separator|>
[21]
eSIM Cellular IoT Devices to Reach 3.6 Billion by 2030
The installed base of IoT devices with embedded SIM (eSIM) technology is poised to skyrocket, hitting a staggering 3.6 billion by 2030 from 1 billion in ...
[22]
Expanding the eSIM Ecosystem - GSMA
Sep 11, 2025 · In 2025, the market for embedded SIMs (eSIMs) is set to see strong growth. One of the engines of this expansion is the GSMA's new Io.
[23]
The State of 5G: Growth, Challenges, and Opportunities in 2025
Apr 16, 2025 · As of April 2025, 5G has reached a global inflection point. With more than 2.25 billion connections worldwide, adoption is accelerating at a rate four times ...
[24]
Verizon, GSMA Partner on IoT Security Featuring eUICC Platform
Apr 4, 2017 · Verizon and mobile association GSMA said today that they will partner on eUICC SIM cards for IoT security.Missing: Apple Samsung
[25]
Securing the Connected Future: Common Criteria's Rising Role in ...
Jun 3, 2025 · The GSMA has recently accomplished a significant milestone by obtaining eSIM Protection Profile certification for both Consumer and IoT eUICC ...Missing: AT&T Vodafone early
[26]
https://www.etsi.org/deliver/etsi_ts/102200_102299/102241/16.01.00_60/ts_102241v160100p.pdf
[27]
[PDF] ETSI TS 102 241 V16.1.0 (2020-02)
UICC Java Card™ Services are implemented as GlobalPlatform Global Services Applications according to the. GlobalPlatform Card Specification [15]. A unique ...
[28]
None
Below is a merged summary of the eUICC Profile Management Process based on the provided segments from SGP.22-v3.1. To retain all information in a dense and structured format, I will use a combination of narrative text and a table in CSV format to capture key details efficiently. The narrative will provide an overview and context, while the table will detail specific steps, interfaces, and features across all segments.
[29]
Implement eSIM - Android Open Source Project
Oct 9, 2025 · The Android framework automatically discovers and connects to the best available LPA, and routes all the eUICC operations through an LPA ...Missing: iOS | Show results with:iOS
[30]
eUICC APIs | Android Open Source Project
Oct 9, 2025 · The LPA APIs are public through EuiccManager (under package android.telephony.euicc ). A carrier app can get the instance of EuiccManager , and ...
[31]
What Is eUICC, and How Is It Used? - Telit Cinterion
Jan 13, 2023 · eUICC enables localization and remote provisioning for eSIMs. The eUICC standard empowers eSIMs with significant advantages over traditional ...
[32]
GlobalPlatform Specifications Archive
This ensures interoperability and portability of applications across different cards from different suppliers, and offers full backward compatibility with ...Card Specification v2.3.1 · UICC Configuration v2.0 · SAM Configuration v1.0
[33]
[PDF] eUICC Profile Package: Interoperable Format Technical Specification
May 12, 2021 · This is the eUICC Profile Package technical specification, version 3.0, from May 2021, with an objective of enabling trust in a connected ...
[34]
[PDF] eUICC for Consumer and IoT Devices Protection Profile
Feb 3, 2025 · This Permanent Reference Document is classified by GSMA as an Industry Specification, as such it has been developed and is maintained by. GSMA ...
[35]
eSIM
### Summary of eUICC and eSIM History, Origins, and Evolution (2010 Onwards)
[36]
SGP.02 v4.2 - eSIM - GSMA
Jul 7, 2020 · This document provides a technical description of the GSMA's 'Remote Provisioning Architecture for Embedded UICC'. SGP.02 v4.2.
[37]
SGP.22 V3.1 - eSIM - GSMA
Dec 1, 2023 · This document provides a technical description of the GSMA's 'Remote SIM Provisioning (RSP) Architecture for consumer Devices', SGP.21 v3.1 that applies for ...Missing: eUICC 2016
[38]
SGP.22 Technical Specification v2.2.2 - eSIM - GSMA
Jun 5, 2020 · This document provides a technical description of the GSMA's 'Remote Sim Provisioning(RSP) Architecture for consumer Devices'. SGP.22 v2.2.2.Missing: eUICC 2016
[39]
SGP.32 v1.2 - eSIM - GSMA
Jun 27, 2024 · SGP.32 v1.2 describes the eSIM IoT architecture, including remote provisioning, eUICC architecture, interfaces, and security functions.Missing: M2M 2018 batch
[40]
[PDF] New eSIM for IoT – SGP.32 specification explained - Kigen
This version allowed stakeholders to start implementation and provide feedback. On the 27th of June 2024, GSMA published SGP.32v1.2, the stable version of the ...Missing: 2018 | Show results with:2018
[41]
[PDF] An essential guide to GSMA eSIM certification | Kigen
Both solutions are based on a secure element in the device, the embedded UICC (eUICC), for the storage and management of profiles. Both use common features such ...
[42]
[PDF] ETSI TS 103 383 V14.0.0 (2018-07)
REQ-12-EU-03-20b There shall be a mechanism to allow the eUICC to provide on demand the following information to an authorized PPC holder and/or eUICC ...Missing: 2023 | Show results with:2023
[43]
Release 13 - 3GPP
Release 13 comprises around 170 high-level features and studies. In addition to enhancements to existing services and features, this release saw the completion ...Missing: eUICC | Show results with:eUICC
[44]
Release 17 - 3GPP
Support for edge computing in 5GC,; Proximity-based services in 5GS,; Access traffic steering, switch and splitting (ATSSS),; Network automation for 5G (Phase 2) ...Missing: eUICC | Show results with:eUICC
[45]
Trusted Connectivity Alliance Updates eSIM Specification to ...
Apr 1, 2025 · The latest version includes major updates to support full alignment with 3GPP Release 18 to enable advanced 5G functionality and secure authentication.Missing: harmonization | Show results with:harmonization<|control11|><|separator|>
[46]
Prepare to use eSIMs with Apple devices
Sep 24, 2025 · All iPhone 14 or later models sold in the United States, and all iPad Pro (M4) and iPad Air (M2) models are eSIM only. This provides an extra ...
[47]
Setup Your Google Pixel Phone with eSim
Google Pixel phones are compatible with nano SIM cards and eSIMs, and this guide shows you how to set it up. Your Google Pixel can support two SIMs at the same ...Missing: Android | Show results with:Android
[48]
Set up cellular on Apple Watch
even while you're away from your iPhone.Missing: eUICC | Show results with:eUICC
[49]
Use eSIM while traveling internationally with your iPhone
Oct 22, 2025 · Benefits of traveling with eSIM. eSIM is more secure than a physical SIM because it can't be removed if your iPhone is lost or stolen.What You Need · Roam Internationally With... · Purchase An Esim From A...
[50]
Set up eSIM on iPhone - Apple Support
Setting up an eSIM allows you to activate a cellular plan from your carrier without a physical SIM. In most cases, you can activate your eSIM while you're ...If you can't set up an eSIM · Find wireless carriers and...
[51]
[PDF] eUICC for Connected Cars
The eUICC delivers physical security benefits. As it can be soldered and is tamper-resistant, it cannot be stolen and subsequently used fraudulently.
[52]
IoT eUICC – an overview of IoT eSIMs - Cellhire
Dec 5, 2023 · eUICC enables global connectivity for IoT and M2M devices · eUICC increases flexibility and scalability · eUICC reduces operational costs.
[53]
Exploring the eUICC Technology: Revolutionizing Connectivity
Apr 3, 2024 · eUICC is poised to drive the proliferation of IoT devices and machine-to-machine (M2M) communication by simplifying connectivity management and ...
[54]
Understanding SGP.32: The Latest eSIM IoT Standard - floLIVE
Mar 23, 2025 · SGP.32 is a GSMA specification that defines the technical framework for managing eSIMs in IoT devices. It builds on the SGP.31 specification.Missing: 2018 batch<|separator|>
[55]
SGP.32 is Here—But Is It Right for Your IoT Deployment - velocityiot.io
SGP.32 is a purpose-built standard for IoT that brings more flexibility, scalability, and control to SIM profile management.Missing: 2018 batch
[56]
Everything you need to know about IoT SIMs, Part I - 1GLOBAL
May 14, 2025 · The combination of eSIM, eUICC and Remote SIM Provisioning delivers game-changing advantages for IoT: (Even more) Durability, security and ...
[57]
eSIM/iSIM market to surpass 500 million units in 2023 - IoT Analytics
Jul 25, 2023 · The eSIM in Tesla vehicles enables features such as remote vehicle monitoring, software updates, and over-the-air (OTA) updates for the ...
[58]
Industry Checkpoint: IoT, Q3 2025 - GSMA Intelligence
Sep 3, 2025 · The report considers four major developments: 5G RedCap networks launching, but LTE-based IoT remaining strong; support for NTN-IoT ramping up; ...Missing: roadmap eUICC
[59]
What is Remote SIM Provisioning? - IoT eSIM Connectivity - Eseye
Jan 26, 2024 · Remote SIM Provisioning (RSP) in IoT is the process of remotely managing SIM profiles compatible with eUICC-capable SIMs.What is Remote SIM... · brief history of Remote SIM... · How IoT Remote SIM...
[60]
Remote SIM Card Provisioning for Expansive IoT Networks
SIM card provisioning with eSIM enables scalable, secure, and cost-effective IoT deployments using zero-touch remote management worldwide.
[61]
What is eUICC and why is it important? | IoT Now News & Reports
Jul 7, 2016 · They lacked interoperability between SIM vendors, the operating systems of UICC, the infrastructure vendors, and vendors of eUICC ...Missing: backward | Show results with:backward
[62]
eSIM LITE Event - GSMA's First Live Interoperability TestFest held in ...
Jul 18, 2025 · Three days full of testing eSIM profiles against eUICCs have completed. A total of 24 companies ranging from Three days full of testing eSIM ...
[63]
[PDF] ETSI TS 102 412 V18.2.0 (2024-12)
Backward compatibility requirements. Identifier. Requirement. REQ-7-13-02-01 The power consumption indication shall not generate backward compatibility issues ...
[64]
The OEM's Guide to eSIMs: How to Leverage eUICC Technology for ...
Stores multiple carrier profiles. eSIMs can store and manage multiple carrier profiles simultaneously. This means a single device can host profiles from ...
[65]
eSIM Compliance - GSMA
GSMA has created a compliance framework for eSIM devices, eUICCs, and Subscription Management servers to ensure they meet the GSMA Remote SIM Provisioning ...
[66]
Ensuring compliance with the specification | Internet of Things - GSMA
Its purpose is to describe the key test and accreditation expectations for eUICC and Subscription Management solutions that have been designed to SGP.01 and SGP ...Missing: ATA | Show results with:ATA
[67]
GSMA eUICC Security Assurance: Test. Trust. Assure.
The embedded UICC (eUICC) is key to safeguarding the end customer's and the operator's security. After all, it ensures secure access to networks and a ...
[68]
SGP.32: IPA & LPA for Next-Gen IoT eSIMs - Valid
Nov 14, 2024 · With SGP.32, the IoT Profile Assistant (IPA) and Local Profile Assistant (LPA) enable more flexible and decentralized eSIM provisioning.Missing: iOS | Show results with:iOS
[69]
[PDF] The eSIM Technology Best Practice Guide - Kigen
The embedded Universal Integrated Circuit Card (eUICC) is a. SIM component that allows a carrier to add a new SIM profile. 2014. 2016. 2023. Now. M2M RSP.
[70]
https://www.gsma.com/solutions-and-impact/technologies/internet-of-things/embedded-sim/compliance/
[71]
iPhone eSIM vs Dual SIM: Is the physical SIM tray really going away?
Oct 29, 2025 · The eSIM is a game-changer in terms of sleekness and flexibility. It lets you add, remove, or switch carriers without losing your physical SIM ...
[72]
[PDF] AI-Driven Provisioning in the 5G Core - Purdue Computer Science
In this article, we discuss the challenges encountered by network orchestrators in allocating resources to disparate 5G network slices, and propose the use of ...Missing: eUICC | Show results with:eUICC
[73]
[DOC] https://www.gsma.com/esim/resources/sgp-29-v1-1/
The EID is the eUICC Identifier used in the context of Remote SIM Provisioning and Management of the eUICC as defined in [1], [2], [3] and [4]. 7 EID Principles.History of EID issuance · Definitions · EID Principles · eUICC Numbering System
[74]
[DOC] Download - GSMA
... Authentication of the eUICC to the SM-DP is mandatory. The mutual authentication of the SM-DP and the eUICC is mandatory. The following figure details the ...
[75]
[DOC] Download - GSMA
The RMPF SHALL provide confidentiality based on encryption using a cipher with security strength equivalent to, or greater than AES-256 and using a suitable ...Missing: boot | Show results with:boot
[76]
[DOC] FS.31-Baseline-Security-Controls-v3.0.docx - GSMA
Ensure boot integrity to protect server hardware and BIOS/UEFI firmware against tampering and penetration attacks, which could further be used to penetrate ...
[77]
[DOC] Download - GSMA
This function SHALL be called by the eIM to notify the SM-DP+ that a Profile Management Operation has successfully been performed on the eUICC. This ...
[78]
IoT Connectivity Provider iONLINE Launches Intelligent Network Switching SIM with Multi-Network Resilience
Article detailing the launch of FlexiSIM by iONLINE Connected Networks, highlighting its eUICC-based features for global IoT connectivity.
[79]
iONLINE launches locally developed intelligent network switching SIM with local network delivery, multi-network resilience
Coverage of iONLINE's FlexiSIM, describing its eUICC technology for intelligent network switching and global coverage in IoT applications.