Fact-checked by Grok 2 weeks ago

Remote SIM provisioning

Remote SIM provisioning (RSP) is a standardized technology that enables the remote management of subscriber profiles on embedded Universal Integrated Circuit Cards (eUICC) in mobile devices and Internet of Things (IoT) equipment, allowing over-the-air (OTA) download, installation, enabling, disabling, or deletion of network operator subscriptions without requiring physical SIM card replacement. Developed by the GSMA, RSP facilitates seamless connectivity for eSIM-enabled devices by supporting dynamic profile switching to optimize coverage, cost, and performance across global networks. The GSMA's RSP framework originated in the mid-2010s to address the limitations of traditional removable SIM cards in emerging connected ecosystems, with initial specifications released around 2016 for consumer applications. Key standards include SGP.22, which defines technical requirements for RSP in consumer devices such as smartwatches, tablets, and laptops, enabling users to activate and switch profiles securely via apps or web portals. For IoT and machine-to-machine (M2M) use cases, SGP.32 provides a tailored architecture for resource-constrained devices like utility meters, vehicles, and industrial sensors, accommodating limited bandwidth, power, and user interfaces through autonomous or network-initiated provisioning; the specification, finalized in version 1.2 in June 2024, saw its first fully certified implementations in August 2025. Earlier foundational documents, such as SGP.02, outline the overall remote provisioning architecture for eUICC, applicable to both consumer and M2M scenarios, with the latest version 4.3 approved in January 2025. At its core, RSP involves a ecosystem of trusted entities: the eUICC embedded in the device stores multiple profiles; the Subscription Manager Data Preparation (SM-DP) service prepares and delivers profiles; and the Subscription Manager Secure Routing (SM-SR) handles secure communication and profile lifecycle management. Security is paramount, with end-to-end encryption, mutual authentication, and compliance to GSMA security evaluations ensuring protection against tampering or unauthorized access. This architecture supports interoperability among operators, device manufacturers, and eSIM vendors, backed by major stakeholders including AT&T, Vodafone, Apple, and Qualcomm. RSP's primary benefits include enhanced flexibility for global roaming and subscription changes, reduced logistics costs by eliminating physical SIM distribution, and accelerated deployment for IoT fleets in hard-to-reach locations. In consumer markets, it simplifies activation for wearables and connected cars, while in IoT, it enables scalable management of the projected 38.7 billion connections by 2030, fostering innovation in smart cities, healthcare, and logistics. Compliance processes, governed by SGP.24, ensure ecosystem reliability through testing and certification.

Introduction

Definition and overview

Remote SIM provisioning (RSP) is a standardized process defined by the GSMA that allows mobile network operators to remotely download, install, enable, disable, and delete SIM profiles on compatible devices over-the-air (OTA), thereby eliminating the need for physical SIM card replacement or handling. This capability supports flexible subscription management across consumer devices and Internet of Things (IoT) applications by leveraging secure digital channels for profile updates. Central to RSP is the embedded Universal Integrated Circuit Card (eUICC), commonly known as eSIM, which is a tamper-resistant, reprogrammable chip soldered directly onto the device's motherboard. The eUICC can store multiple operator profiles simultaneously, with only one active at a time, enabling seamless switching between networks without hardware intervention. This contrasts with traditional removable SIM cards, which are limited to a single profile and require physical insertion or replacement to change service providers. A SIM profile in this context consists of essential data for network authentication and operation, including the International Mobile Subscriber Identity (IMSI) as the unique subscriber identifier, the individual subscriber authentication key (Ki) for secure network access, the operator variant algorithm configuration field (OPc) to customize authentication algorithms, and various network parameters such as Access Point Names (APNs) for data connectivity. These elements ensure the device can authenticate with the operator's core network while maintaining compatibility with global standards. Unlike conventional SIM provisioning, which involves manufacturing personalized physical cards, logistical distribution, and manual insertion or mailing to users—often leading to delays and supply chain complexities—RSP streamlines the process through digital delivery directly to the eUICC. This shift reduces operational overhead for operators and enhances user convenience by allowing on-demand profile changes.

Importance in mobile and IoT ecosystems

Remote SIM provisioning (RSP) significantly streamlines operations in mobile networks by eliminating the logistical challenges associated with physical SIM cards, such as manufacturing, shipping, and inventory management, which can account for substantial costs for mobile network operators (MNOs). By centralizing provisioning and personalization processes, RSP reduces these expenses and enhances efficiency, allowing operators to focus resources on service expansion rather than hardware distribution. A key advantage of RSP lies in its support for multi-profile eSIM functionality, enabling devices to store and switch between multiple operator profiles over-the-air without requiring physical hardware changes. This capability facilitates seamless global roaming and carrier switching, improving user flexibility and connectivity in diverse international environments. As the hardware foundation for RSP, eSIM technology underpins this profile management, ensuring secure and efficient transitions between networks. In the IoT ecosystem, RSP is instrumental in driving scalable connectivity for billions of devices deployed in remote or inaccessible locations, such as embedded sensors and vehicle telematics, by enabling over-the-air updates and profile changes without physical intervention. This remote management capability addresses key deployment barriers, supporting the rapid expansion of massive IoT networks. According to GSMA Intelligence, cellular IoT connections are projected to reach 3.1 billion by 2025, with RSP facilitating further growth toward over 38 billion total IoT connections by 2030. Market data indicates that eSIM adoption in smartphones has reached 1 billion connections globally by 2025, exceeding 50% penetration in key markets like North America, while IoT eSIM connections are forecasted to hit approximately 2.2 billion by 2030, underscoring RSP's role in ecosystem maturation.

History and Development

Origins and early specifications

Remote SIM provisioning (RSP) originated in the early 2010s, driven by the rapid growth of machine-to-machine (M2M) communications and the increasing adoption of smartphones, which highlighted the limitations of traditional physical SIM cards for flexible subscription management in connected devices. The need for secure, over-the-air updates to SIM profiles became evident as the Internet of Things (IoT) ecosystem expanded, particularly in sectors like automotive and metering, where device deployment in remote or sealed environments made physical SIM swaps impractical. In response, the GSMA established the Embedded SIM Task Force in 2010 to explore solutions for remote SIM activation, with significant progress by 2013 when the group published SGP.01 version 1.0 in July 2013, outlining requirements and use cases for embedded UICC (eUICC) technology tailored to M2M applications. This effort addressed key challenges in SIM provisioning, such as secure profile downloading and management without compromising authentication integrity. The task force's work laid the groundwork for standardized RSP, emphasizing interoperability across global operators and device manufacturers. SGP.01 version 1.1 was released on January 30, 2014, titled "Embedded SIM Remote Provisioning Architecture." This document served as a proof-of-concept for M2M devices, outlining the architecture for secure remote enablement of SIM profiles via over-the-air channels, including roles for subscription managers and ecosystem certificate authorities. SGP.01 focused on enabling dynamic network switching while maintaining high security standards to prevent unauthorized access. Key early milestones included collaborations between the GSMA, ETSI, and 3GPP to integrate RSP with established mobile standards, such as ETSI's UICC specifications and 3GPP's security protocols for enhanced compatibility. Initial pilots emerged shortly after, with AT&T launching one of the first commercial M2M solutions based on the GSMA embedded SIM specification in September 2014, allowing remote profile downloads for deployed devices. Several operators, including Vodafone, supported early commercial deployments based on the specifications.

Evolution of GSMA standards

The evolution of GSMA standards for remote SIM provisioning (RSP) included the release of SGP.21 (architecture) and SGP.22 (technical specification) around 2015–2016, tailored for consumer devices and introducing comprehensive lifecycle management for eSIM profiles. This enabled remote downloading, enabling, disabling, and deletion of profiles, facilitating seamless carrier switching and device activation without physical intervention. By standardizing the architecture for embedded UICCs in smartphones and tablets, SGP.21 and SGP.22 addressed the growing demand for flexible connectivity in consumer ecosystems, reducing logistical challenges for manufacturers and operators. Building on the M2M foundation from SGP.01 (2013–2014) and SGP.02 (2014–2015 technical specification for M2M), the standards were updated for IoT applications, with SGP.32 released in May 2023 specifically designed for constrained IoT environments. Key enhancements in SGP.32 included reduced data overhead in profile transfers—cutting payload sizes by up to 50% compared to prior specs—and streamlined bootstrapping processes that eliminate unnecessary user interfaces or complex local profile assistants. This made RSP viable for headless, battery-powered endpoints in remote or high-volume applications, such as smart meters and asset trackers, fostering greater adoption in global IoT networks. As of November 2025, ongoing GSMA developments continue to integrate RSP standards with 5G and emerging 6G networks, enhancing low-latency provisioning and hybrid connectivity models, while expansions support satellite integration for ubiquitous coverage in non-terrestrial scenarios. These efforts, including updates to SGP.32 (e.g., v1.2 in June 2024) for improved data efficiency and security, aim to align eSIM management with next-generation wireless ecosystems, enabling resilient connectivity for billions of IoT devices worldwide.

Technical Specifications

Consumer eSIM (SGP.22)

The SGP.22 specification, which builds on the foundational SGP.02 architecture, outlines the technical requirements for remote provisioning of embedded Universal Integrated Circuit Cards (eUICCs) in consumer devices, facilitating secure and remote management of cellular subscriptions without physical SIM cards. This architecture supports high-interaction user scenarios, where individuals can initiate profile downloads and switches using device interfaces such as mobile apps or QR code scanning, making it suitable for smartphones, tablets, and wearables. Key features of SGP.22 include the ability to store and manage multiple profiles on a single eUICC, enabling users to maintain subscriptions from different mobile network operators (MNOs) simultaneously. The specification mandates mutual authentication protocols between the eUICC and the Subscription Manager to verify identities and protect against unauthorized access during provisioning. Additionally, it incorporates robust security measures, such as end-to-end encryption, to ensure profile integrity throughout the remote provisioning process (as of v3.1, December 2023). The profile structure in SGP.22 relies on defined interfaces, notably the ES8+ secure channels, which establish protected pathways for over-the-air (OTA) transfers between the Subscription Manager Data Preparation (SM-DP+) and the eUICC. These channels support the binding and delivery of protected profile packages, including subscriber credentials like the International Mobile Subscriber Identity (IMSI) and authentication keys. The architecture is compatible with operating system-specific eSIM APIs, allowing seamless integration with platforms like Android's eUICC Manager and iOS's CoreTelephony framework for profile installation and management. Adoption of SGP.22 became mandatory for GSMA-certified consumer eSIM implementations starting in 2016, aligning with the release of related technical specifications to promote interoperability across the ecosystem (as of v3.1, December 2023). It has been widely implemented in flagship devices, including Apple's iPhone series from the iPhone XS onward, Samsung's Galaxy lineup since the Galaxy S20, and Google's Pixel series beginning with the Pixel 3. This standardization has driven broader eSIM deployment, enhancing flexibility for global travelers and multi-SIM users.

IoT and M2M specifications (SGP.02 and SGP.32)

The GSMA SGP.02 specification provides the remote provisioning architecture for embedded Universal Integrated Circuit Cards (eUICCs) in M2M and IoT applications, emphasizing secure profile management for devices without physical SIM swaps (as of v4.3, January 2025). It supports remote diagnostics by enabling over-the-air updates to connectivity profiles, allowing operators to monitor and troubleshoot device performance in real-time without on-site intervention. For fleet management, SGP.02 facilitates multi-operator profile switching, ensuring seamless connectivity across regions for assets like connected vehicles and industrial equipment. In contrast to consumer-oriented specifications like SGP.22, which rely on user interfaces for profile selection, SGP.02 in IoT/M2M contexts prioritizes operator-initiated provisioning to automate management in headless devices, eliminating the need for manual user input. It also integrates support for specialized networks such as NB-IoT and LTE-M, optimizing for lower data rates and extended coverage typical in industrial deployments. This operator-driven model enhances scalability for large-scale M2M environments, where devices operate autonomously without end-user interaction. The SGP.32 specification, released on May 26, 2023 (v1.2, June 2024), represents a dedicated evolution for constrained IoT and M2M ecosystems, particularly low-power wide-area network (LPWAN) devices such as environmental sensors and smart meters. Tailored for resource-limited hardware, it streamlines remote provisioning through simplified bootstrapping processes via the IoT Profile Assistant (IPA), offloading complex operations to cloud-based components like the eSIM IoT Manager (eIM), enabling single-SKU manufacturing where devices ship with a neutral eUICC that can be configured post-production for any operator. SGP.32 further emphasizes operator-led automation and compatibility with NB-IoT and LTE-M technologies, diverging from consumer specs by forgoing user interfaces in favor of server-orchestrated profile lifecycle management. Overall, SGP.32 addresses the scalability demands of massive IoT deployments, projecting support for billions of connections by facilitating zero-touch provisioning and reduced operational complexity.

System Architecture

Key components

The key components of the Remote SIM Provisioning (RSP) system form the foundational elements enabling secure, remote management of eSIM profiles in mobile and IoT devices. These include the embedded Universal Integrated Circuit Card (eUICC), the Subscription Manager Data Preparation Plus (SM-DP+), the Subscription Manager Secure Routing (SM-SR), the Local Profile Assistant (LPA) for consumer implementations, and the certificate infrastructure anchored by the GSMA's root Certificate Authority (CA). The eUICC is a tamper-resistant secure element integrated directly into the device's hardware, designed to store multiple operator profiles and execute cryptographic functions for profile protection and management. As specified in GSMA standards like SGP.02, the eUICC supports the secure retention of credentials without physical SIM card swaps. The SM-DP+ functions as a backend server operated by profile providers, where it generates personalized SIM profiles, applies encryption to safeguard subscription data, and prepares them for secure transmission. This component ensures that profiles remain protected during preparation stages before delivery. The SM-SR operates as a backend server, typically managed by mobile network operators, responsible for controlling profile lifecycle operations such as enabling, disabling, or deletion on the eUICC, while maintaining profile states and secure routing. It maintains the integrity of profile states remotely. For consumer-oriented RSP, the LPA is a software module embedded in the device operating system that handles user-facing aspects of profile management, including the presentation of options for profile selection and oversight. This component bridges the hardware eUICC with the device's user interface. The GSMA Root CA provides the foundational trust model through a public key infrastructure (PKI), issuing root and intermediate certificates that authenticate critical entities like eUICCs and SM-DP+ servers, thereby verifying their legitimacy and ensuring data integrity across the ecosystem. These certificates are integral to the security accreditation schemes outlined in GSMA specifications.

Roles and interactions

The Subscription Manager Data Preparation Plus (SM-DP+) plays a central role in remote SIM provisioning by preparing eSIM profiles, including generating and signing profile packages, binding them to target devices via transaction identifiers, and authenticating eUICCs before initiating secure transfers of bound profile packages. It also manages profile metadata, performs eligibility checks, and coordinates notifications for lifecycle events on behalf of mobile network operators (MNOs). The Subscription Manager Secure Routing (SM-SR) is responsible for eUICC registration, maintaining the embedded identity structure, and overseeing profile lifecycle management, such as enabling, disabling, deletion, and rollback operations, while enforcing authorization policies and routing commands through secure channels protected by TLS/DTLS protocols. It verifies operator permissions, handles platform management commands, and facilitates secure data transport between provisioning entities and the eUICC. Key interactions occur across defined interfaces to ensure secure and coordinated provisioning. The device's Local Profile Assistant (LPA) or IoT Profile Assistant (IPA) establishes a session with the SM-DP+ via the ES8+ interface to authenticate, retrieve, and download bound profiles, often tunneling eUICC-specific communications (via ES9+) through the ES8+ interface. The SM-SR then interacts with the eUICC over the ES10a interface to execute management commands like state changes (e.g., enabling or disabling profiles), using protocols such as SCP03 for secure messaging. MNOs and ecosystem operators connect to both the SM-DP+ and SM-SR through the ES2+ interface for initiating requests, such as profile downloads or status updates, typically via SOAP over HTTPS. In consumer scenarios, the LPA integrates user consent flows during interactions with the SM-DP+, allowing manual approval for profile switches or downloads. For IoT and M2M use cases, the SM-DP+ supports bulk operations, enabling efficient preparation and delivery of profiles to numerous devices without individual consents, often leveraging the IPA for automated routing through the SM-SR. For IoT use cases under SGP.32, the architecture supports an optional SM-SR and introduces the embedded Identity Manager (eIM) for network-initiated provisioning without a full LPA/IPA, enabling bulk and autonomous operations.

Operation

Profile download and installation

The profile download and installation process in remote SIM provisioning begins with bootstrapping, where the device establishes a secure connection to the Subscription Manager Secure Routing (SM-SR). This initial step relies on pre-provisioned credentials, such as the ISD-R keyset on the embedded Universal Integrated Circuit Card (eUICC), or discovery mechanisms like DNS resolution using the device's Embedding Identifier (EID). Mutual authentication occurs via the ES1 interface between the device and SM-SR, often employing Elliptic Curve Key Agreement with Ephemeral keys (ECKA-EG) and GlobalPlatform Scenario 3 protocols to establish a secure channel, ensuring the eUICC can retrieve necessary identifiers like the SM-SR's Endpoint Identifier Service (EIS). Once bootstrapped, the download phase is triggered by the user or operator, typically through scanning a QR code containing the profile details or via an API call such as ES2.DownloadProfile from the operator to the Subscription Manager Data Preparation Plus (SM-DP+). The SM-DP+ then prepares the encrypted profile package, which includes the profile data protected by session keys and cryptographic mechanisms like Secure Channel Protocol 03 (SCP03), and transmits it to the eUICC either directly over the ES8 interface or tunneled through the SM-SR via ES9+ and ES5 interfaces. The profile is segmented for transfer (e.g., maximum 1024 bytes per segment) and requires inputs like the EID, Integrated Circuit Card Identifier (ICCID), and SM-SR ID to initiate the secure delivery. During installation, the eUICC's Issuer Security Domain for Profile (ISD-P) verifies the profile's integrity using digital signatures and decrypts it with the established keyset, followed by storage in the ISD-P and an initial state set to "Disabled." A confirmation message is then sent back to the SM-DP+ via the SM-SR over ES3 and ES5 interfaces, with optional immediate enablement if specified in the request; a REFRESH command may follow to update the device's applications. The process operates asynchronously with polling or callbacks to handle the validity period defined by the requester. Error handling ensures robustness, with mechanisms to address failures such as connectivity issues or authorization errors through status codes (e.g., "Failed," "Expired," or "EID Unknown") and fallbacks like retrying the download with regenerated Protection Profile Key with Root Key MAC (PPK-RMAC), deleting the partial ISD-P, or rolling back to a prior profile state. If over-the-air (OTA) transfer fails, manual modes via local profile injection serve as alternatives, preventing incomplete installations and maintaining system integrity within the defined validity window.

Switching and management processes

In remote SIM provisioning, profile switching involves the eUICC disabling the currently enabled profile and enabling a new one through commands issued by the Subscription Manager Secure Routing (SM-SR). This process utilizes the ES5 interface between the SM-SR and the eUICC's ISD-R applet, employing STORE DATA commands to update profile states securely over HTTPS or SMS transport channels. The operation ensures seamless handover by minimizing downtime, as the eUICC performs the state change atomically after policy checks (POL1 and POL2) are verified, allowing the device to maintain connectivity with the new operator's network profile. Management operations extend beyond initial setup to include remote profile deletion, typically for lost or compromised devices, where the SM-SR issues a DELETE command via the ES5 interface after confirming the target profile is in a disabled state. Profile updates, such as refreshing authentication keys like the Ki for enhanced security, are handled through similar SM-SR-initiated commands that modify profile data without full replacement. For IoT fleets, bulk management enables operators to apply changes across multiple eUICCs simultaneously via the SM-SR's ES3 interface with the ecosystem management system, supporting scalable updates like policy rule modifications or profile state adjustments; as of 2025, IoT-specific enhancements in SGP.32 include support for Automatic Emergency Call, delegated authority interfaces, preloaded test profiles, and eUICC OS updates to improve management efficiency. Triggers for these processes vary by use case: in consumer devices, switching is often user-initiated through a settings application interfacing with the Local Profile Assistant (LPA), which relays commands to the eUICC. In IoT scenarios, automation prevails, with profile switches occurring based on geolocation changes (e.g., crossing borders to select local networks) or signal strength thresholds to prioritize optimal connectivity. Operators monitor these activities using SM-SR logs, which record profile state changes, command executions, and audit events for compliance verification and troubleshooting, ensuring adherence to GSMA specifications through timestamped entries and status responses.

Benefits and Applications

Advantages for consumers and operators

Remote SIM provisioning (RSP) offers significant advantages to consumers by enabling seamless and instant switching between mobile network operators without the need for physical SIM card replacements. This flexibility allows users to download and activate new profiles over-the-air (OTA), facilitating quick carrier changes based on coverage, pricing, or service needs. For international travelers, RSP supports the adoption of local or regional eSIM profiles, which can eliminate or substantially reduce traditional roaming fees by connecting directly to affordable domestic networks rather than incurring high international charges from the home operator. Additionally, the compact embedded nature of eSIMs frees up internal device space, enabling slimmer designs and more efficient layouts in compact gadgets such as smartwatches and wearables, where traditional SIM trays would otherwise constrain form factors. For mobile network operators (MNOs), RSP reduces customer churn by simplifying profile porting and activation processes, which enhances user satisfaction and loyalty through frictionless service transitions. It also lowers operational support costs by eliminating the logistics, distribution, and replacement expenses associated with physical SIM cards, allowing for remote management of subscriptions and profiles. Operators can generate new revenue streams from digital subscription models, as RSP accelerates the rollout of promotional plans, add-ons, and personalized offerings without hardware dependencies. GSMA studies indicate that RSP can lead to significant cost reductions in provisioning processes through streamlined OTA updates and reduced supply chain complexities, while also enabling faster time-to-market for new service plans. On an ecosystem level, RSP empowers mobile virtual network operators (MVNOs) to compete more effectively on a global scale by bypassing physical distribution networks, allowing them to offer instant activations and international services without the overhead of SIM card logistics. This democratization of access fosters greater competition and innovation in the telecom market, benefiting both providers and end-users through diverse, cost-competitive options.

Use cases in IoT and consumer devices

Remote SIM provisioning (RSP) enables seamless connectivity management in consumer devices, particularly for international travel. Smartphones equipped with eSIM technology allow users to download local data plans directly from network operators upon arrival at airports or other locations, eliminating the need for physical SIM card swaps and reducing roaming costs. This capability supports multiple eSIM profiles on a single device, facilitating quick activation of region-specific plans through over-the-air updates. According to GSMA research, travel eSIM adoption is driven by consumer demand for flexible, cost-effective global connectivity, with over two-thirds of mobile network operators offering eSIM services for smartphones. GSMA Intelligence forecasts that global eSIM smartphone connections will double between 2025 and 2026, reaching 4.9 billion by 2030, representing 55% of total smartphone connections. In wearables, RSP provides standalone cellular access without reliance on a paired smartphone. For instance, the Apple Watch uses eSIM to enable independent operation on supported carrier networks, allowing users to make calls, send messages, and stream data via 4G LTE or 5G even when away from their iPhone. This setup is activated through the Apple Watch app on an iPhone or during initial device pairing, with automatic switching between cellular, Wi-Fi, and Bluetooth for optimal connectivity. Apple Support documentation confirms that eSIM integration supports international roaming and family plans on different carriers, enhancing usability for fitness tracking and emergency services. In IoT applications, RSP facilitates efficient fleet management in the automotive sector. Connected cars leverage eSIM for remote SIM profile updates, enabling vehicles to switch to optimal local networks based on geographic location or operator agreements. The GSMA Embedded SIM Specification supports late-stage programming of these devices, simplifying global production and ensuring secure, multi-operator connectivity for telematics, infotainment, and over-the-air software updates. This approach accelerates the connected car market, projected to surpass $190 billion in global revenue by 2028. Healthcare IoT devices, such as wearable monitors for remote patient tracking, benefit from RSP's automatic network switching in areas with variable coverage. Continuous glucose monitors and telehealth wearables can seamlessly connect to local networks during patient travel or in rural regions, minimizing data outages for real-time vital sign transmission. Providers like 1GLOBAL enable access to at least three networks per country via eSIM, supporting applications like substance abuse monitoring where uninterrupted connectivity is critical. This dynamic switching ensures compliance with healthcare standards while reducing downtime risks. Specialized IoT mobile virtual network operators (MVNOs) operate RSP platforms that aggregate connectivity from multiple carriers into a single global service, using eUICC-based SIMs to download and switch profiles so embedded devices can remain connected as they move between countries or network partners. Similar approaches are used by IoT-focused MVNOs that build managed connectivity platforms on top of RSP. For example, iONLINE Connected Networks’ FlexiSIM service is an eUICC-based intelligent network switching SIM that uses remote SIM provisioning to update profiles over the air, providing multi-network NB-IoT, LTE-M, and 4G/5G connectivity across more than 700 carrier networks in roughly 190–220 countries and territories. For utilities, RSP streamlines bulk provisioning of smart meters, allowing operators to remotely install and switch carrier profiles across large deployments without physical intervention. eSIM technology supports a single global hardware design, reducing manufacturing variants and enabling post-deployment activation tailored to regional networks. IDEMIA's solutions, for example, facilitate secure, utility-controlled provisioning for millions of meters, as seen in the UK's over 27 million smart meter installations as of late 2025, optimizing energy savings of up to 10% monthly through reliable data transmission. SGP.32 further enhances this for low-power NB-IoT devices, supporting server-initiated profile pushes for scalable operations. Emerging applications in 2025 include drones utilizing RSP for dynamic profile changes mid-flight to maintain connectivity across varying terrains. eSIM enables over-the-air network switches, supporting real-time data relay for delivery, surveillance, and agriculture, with projections indicating full eSIM compatibility for 100% of drones by 2030. Satellite-IoT hybrids also leverage eSIM for global coverage, combining cellular and non-terrestrial networks in a unified architecture to eliminate roaming complexities. This hybrid model supports two-way communications and AI-driven edge processing, with satellite IoT connections expected to grow from 8.8 million to 46.1 million by 2034 at an 18% CAGR. Notable case studies highlight RSP's impact. Apple's 2022 launch of the iPhone 14 and iPhone 14 Plus as eSIM-only devices in the US marked a shift to fully digital SIM management, supporting multiple profiles and secure transfers without physical cards. This enabled easier international plan downloads, aligning with broader consumer flexibility benefits. Vodafone's IoT platform integrates SGP.32 for remote provisioning, managing over 200 million global connections across sectors like automotive and utilities, with certified devices available since mid-2025 enabling large-scale, seamless network switches.

Security and Challenges

Security mechanisms

Remote SIM provisioning employs robust authentication mechanisms rooted in public key infrastructure (PKI) to verify the identities of all participating entities, including the embedded Universal Integrated Circuit Card (eUICC), Subscription Manager Data Preparation (SM-DP+), and Subscription Manager Discovery Service (SM-DS). Certificates issued by the GSMA's eSIM Certificate Authority (CA) enable mutual authentication across key interfaces, such as ES8+ for profile preparation and ES9+ for subscription management. Specifically, elliptic curve digital signature algorithm (ECDSA) certificates, like CERT.DPauth.ECDSA for SM-DP+ and CERT.EUICC.ECDSA for the eUICC, facilitate secure entity verification during transactions. Mutual Transport Layer Security (TLS) is mandated for interfaces including ES12 (between SM-DP+ and eUICC) and ES15 (between SM-DS and eUICC), ensuring bidirectional authentication with TLS version 1.2 or higher, while server authentication suffices for ES9+ and ES11. These PKI-based protocols prevent unauthorized access by requiring valid certificate chains traceable to the GSMA root CA. In October 2025, an independent security analysis of the consumer RSP protocol (SGP.22 v2.3) confirmed its overall adequacy in securing profile management but recommended enhancements, such as reducing dependency on the TLS channel for critical security requirements to improve resilience. Additionally, as quantum computing advances threaten ECC and ECDSA-based mechanisms, GSMA and industry stakeholders are exploring post-quantum cryptography (PQC) integrations for future eSIM secure channels, with initial proposals in 2024-2025 specifications. Encryption safeguards sensitive data throughout the provisioning process, utilizing Advanced Encryption Standard (AES) with a minimum key length of 128 bits, commonly AES-256 in practice, for confidentiality. Secure channels, such as Secure Channel Protocol SGP.22 (SCP-SGP22), protect profile downloads and installations by deriving session keys (e.g., S-ENC for encryption and S-MAC for message authentication) from shared secrets. Elliptic Curve Cryptography (ECC) supports efficient key exchange and agreement, generating ephemeral keys for each session to enhance forward secrecy. For instance, AES in Cipher Block Chaining (CBC) mode encrypts profile packages during transmission over TLS/DTLS channels, while AES in Cipher-based Message Authentication Code (CMAC) mode provides both encryption and integrity for stored data like profile parameters and user codes. These mechanisms ensure that operational data, including network access application (NAA) parameters, remains protected against interception. Integrity checks are integral to preventing tampering and unauthorized replication in remote SIM provisioning. Digital signatures, generated using ECDSA over elliptic curves like P-256, are applied to profile packages and firmware updates to verify authenticity and unaltered state upon receipt by the eUICC. The unique eUICC Identifier (EID), a 32-digit hexadecimal value stored in the eUICC's Embedded Secure Element Access and Secure Domain (ECASD), binds profiles to specific hardware, enabling anti-cloning protections by ensuring profiles are only installable on the designated eUICC. Binding secrets, such as transaction-specific keys derived during mutual authentication, further link profiles to the eUICC's secure domain, preventing reuse or extraction. These checks are enforced during profile interpretation and installation by the Profile Package Interpreter (PPI), with any discrepancies triggering rejection. Compliance with GSMA standards is enforced through a rigorous certification process for all RSP components, including eUICCs, SM-DP+, and SM-DS, to guarantee interoperability and security adherence. The GSMA's certification program, aligned with SGP.22 v3.1 (as of 2023, with updates through 2025), requires platforms to undergo testing for PKI implementation, secure channel protocols, and lifecycle management, often in conjunction with Common Criteria evaluations at EAL4+ assurance level augmented by vulnerability assessments. Audit trails are maintained via event records in the Ecosystem Information Service (EIS), logging all operations with timestamps, entity identifiers, and outcomes to support traceability and forensic analysis. Access to these logs is restricted, ensuring only authorized entities can review security events.

Potential issues and solutions

One significant challenge in Remote SIM provisioning (RSP) deployment is interoperability between different ecosystem components, particularly due to variations in specifications such as SGP.02 for consumer devices and SGP.32 for IoT applications, which differ in architecture, profile management, and communication protocols. These differences can lead to compatibility issues when integrating eUICCs, SM-DP+ servers, and network operators across global deployments. To address this, the GSMA has established a comprehensive compliance framework that includes certification and testing programs to ensure seamless interaction among devices, subscription managers, and provisioning systems. This framework mandates functional and security certifications, promoting standardized testing by accredited labs to verify adherence to RSP specifications and mitigate deployment fragmentation. Privacy concerns in RSP arise primarily from the potential exposure of profile data during remote downloads and management processes, where sensitive subscriber information could be intercepted or misused if not properly protected. To mitigate these risks, GSMA guidelines emphasize data minimization principles, limiting the collection and transmission of personal data to only what is essential for provisioning operations. Additionally, the use of anonymized transaction identifiers in protocol exchanges helps obscure user identities, preventing linkage to specific individuals during profile installations and switches. These measures, combined with end-to-end encryption in RSP architectures, ensure that profile data remains protected against unauthorized access while complying with broader mobile privacy standards. Connectivity dependencies pose another hurdle, as the initial bootstrap process for RSP typically requires internet access to download profiles from the SM-DP+ server, which can fail in areas with poor cellular coverage or during device activation. This reliance on IP-based communication for the ES9+ interface can delay provisioning in remote or low-bandwidth scenarios. Mitigations include fallback mechanisms such as SMS-based notifications for profile availability in consumer RSP implementations under SGP.02, allowing devices to receive alerts and initiate downloads via alternative channels. For IoT devices, Wi-Fi provisioning during initial setup serves as a common alternative, enabling bootstrap profile activation before full cellular handover. As of 2025, scalability challenges in RSP have intensified with the surge in 5G-enabled IoT deployments, where GSMA Intelligence projects 38.7 billion total IoT connections globally by 2030 (including over 6 billion cellular), demanding simultaneous profile downloads and management without overwhelming provisioning infrastructure. Traditional on-premises SM-DP+ servers struggle with this volume, leading to latency and bottlenecks in global operations. Solutions involve cloud-based clustering of SM-DP+ platforms, which distribute workloads across scalable, geographically redundant data centers to handle peak loads efficiently. Furthermore, integrating AI-driven anomaly detection helps monitor provisioning traffic in real-time, identifying and resolving irregularities like failed downloads or unusual patterns before they impact large-scale IoT networks. These advancements enable RSP systems to support the projected growth in 5G IoT connections while maintaining reliability.

References

  1. [1]
    eSIM Consumer and IoT Specifications
    24. SGP.32 eSIM IoT Technical Specification. No. Spec, Title, Version ... SGP.18 GSMA Security Evaluation of Integrated eUICC based on PP-0117. No. Spec ...
  2. [2]
    Remote SIM Provisioning for Machine to Machine | Internet of Things
    The GSMA's Embedded SIM Specification provides a single, de-facto standard mechanism for the remote provisioning and management of machine to machine (M2M) ...Missing: definition | Show results with:definition
  3. [3]
    GSMA Releases Remote Provisioning specification to help ...
    Oct 9, 2025 · The GSMA today released a specification that allows consumers to remotely activate the SIM embedded in a device such as a smart watch, fitness band or tablet.Missing: definition | Show results with:definition
  4. [4]
    SGP.32 v1.2 - eSIM - GSMA
    Jun 27, 2024 · This document provides a technical description of the GSMA's eSIM IoT Architecture and Requirements SGP.31 specification.
  5. [5]
    SGP.02 – Remote Provisioning Architecture for Embedded UICC ...
    Jun 5, 2020 · This document provides a technical description of the GSMA's 'Remote Provisioning Architecture for Embedded UICC'. SGP.02 v4.1.
  6. [6]
    SGP.24 v3.1 - eSIM - GSMA
    Mar 22, 2024 · This document provides a description of the process and procedures that MUST be followed to declare a product, platform or service to be compliant with the ...
  7. [7]
    How GSMA IoT and consumer eSIM powers innovation
    Remote provisioning means much smaller devices can be supported. The first products have already come to market, and we can expect to see many further launches.The Esim For The Next... · Consumer Esim Benefits · The Esim Is Boosting Iot...
  8. [8]
    eSIM - GSMA
    Learn what eSIM is, how it works, and how GSMA's eSIM is changing mobile connectivity for consumers, M2M, and IoT devices.IoT eSIM specification · Embedded SIM Remote... · eSIM consumer benefits · Events
  9. [9]
    Ensuring Global Interoperability – Today and in the Future - eSIM
    Oct 30, 2025 · Provisioning the SIM card nowadays involves many logistic and physical steps and companies. After the SIM card is manufactured, it needs to be ...<|control11|><|separator|>
  10. [10]
    Blog from ARM: eSIM is on the rise, but what does this mean ... - GSMA
    Aug 13, 2025 · Mobile operators migrating from traditional SIM cards to eSIM reap other operational benefits: Reduced costs: For devices that use eSIMs, ...
  11. [11]
    IoT RSP – Enabling the growth of Massive IoT | Internet of Things
    Apr 16, 2025 · To fulfil this opportunity, the newly introduced GSMA SGP.32 eSIM IoT Technical Specification published in July 2023, specifically developed ...
  12. [12]
    Consumer eSIM: device and MNO service trackers, and adoption ...
    Aug 8, 2025 · With eSIM adoption set to accelerate from 2026, this tracker provides data that can be used to formulate or adjust eSIM commercial ...
  13. [13]
    2.2 Billion IoT Connections Expected to be on eSIM by 2030
    Feb 20, 2024 · IoT connections on eSIM are expected to grow at a rapid pace of 43% annually to reach 2.2 billion by 2030, according to a recent report released ...
  14. [14]
    GSMA Launches Embedded SIM Initiative to Support the Connected ...
    Nov 18, 2010 · The proposed embedded SIM solution will include programmable SIM card capabilities to enable remote activation. The group is expected to ...Missing: origins early
  15. [15]
    eSIM Journey: Advancing Telecom Connectivity - MVNO Index
    Feb 17, 2025 · The journey of the eSIM (Embedded SIM) began in the early 2010s due to the necessity of connecting vehicles. Traditional SIM cards were not ...
  16. [16]
    [DOC] ECCRep274.docx - ECO Documentation Database
    [3] GSMA SGP.01: "Embedded SIM Remote Provisioning Architecture", version 1.1 of 30 January 2014. [4] GSMA SGP.02: "Remote Provisioning Architecture for ...
  17. [17]
    [PDF] ETSI TS 131 127 V18.1.0 (2025-04)
    This Technical Specification (TS) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical ...Missing: collaboration early
  18. [18]
    Driving M2M: AT&T becomes one of the first global operators to offer ...
    Oct 2, 2014 · The GSMA's Embedded SIM specification allows an appropriate in-country profile to be downloaded onto the SIM according to where the SIM is ...Missing: Task Force formation
  19. [19]
    GSMA ANNOUNCES MOBILE INDUSTRY INITIATIVE TO CREATE ...
    Mar 2, 2015 · “As TeliaSonera sees clear benefits for our customers with an embedded SIM we are fully engaged with the GSMA in developing a joint standard.Missing: Task formation 2013
  20. [20]
    What next for eSIM? Challenges and opportunities in the SGP.32 era
    Apr 14, 2025 · eSIM plays an increasingly critical role in connecting more people and devices – and the SGP.32 specification is a defining factor in this acceleration.Missing: growth | Show results with:growth<|control11|><|separator|>
  21. [21]
    SGP.32 explained: Next-gen eSIM for enterprise IoT - BICS
    Sep 16, 2025 · Affordability at scale: Remote provisioning eliminates recurring SIM lifecycle costs, making large-scale IoT deployments far more economically ...
  22. [22]
    The differences between consumer eSIM & M2M eSIM - 1oT
    Apr 23, 2020 · The differences in M2M push and Consumer pull models define how the eSIM profiles management operations of Download, Enable, Disable, Delete can be executed.
  23. [23]
    [PDF] SGP.02-v4.0.pdf - GSMA
    Feb 25, 2019 · Remote Provisioning Architecture for Embedded UICC Technical Specification Version 4.0 25 February 2019. Page 1. GSM Association. Non- ...
  24. [24]
    New GSMA Standard for IoT Further Unlocks eSIM Potential
    Jul 4, 2023 · The new IoT eSIM Specification (SGP.32) has been created to ease the rapid adoption of constrained IoT devices.
  25. [25]
    As eSIM Takes Off, MNOs Must Modernize Their Provisioning ...
    Sep 15, 2023 · In 2016, Samsung delivered a smartwatch with a GSM Association (GSMA)-compliant eSIM, while Apple announced eSIM in the Series 3 watch in 2017.
  26. [26]
    GSMA SGP.22 Explained | Consumer eSIM for IoT - Pelion
    Discover GSMA SGP.22, the eSIM standard for consumer and IoT devices. Learn how it works, its benefits, challenges, and how it compares with SGP.02 and ...
  27. [27]
    [PDF] New eSIM for IoT – SGP.32 specification explained - Kigen
    • eIM is a standardized eSIM provisioning tool allowing large-scale deployment and management of eSIM-enabled IoT devices. eIM is defined in GSMA SGP. 31 and ...
  28. [28]
    SGP.32 v1.1 - eSIM - GSMA
    Apr 29, 2024 · SGP.32 v1.1 describes the eSIM IoT architecture, including remote provisioning, eUICC architecture, interfaces, and security functions.Missing: low- | Show results with:low-
  29. [29]
    What is GSMA SGP.32 for eSIMs? - Zipit Wireless
    Jun 12, 2025 · GSMA SGP.32 is a transformative standard designed to streamline eSIM remote provisioning for IoT. It introduces simplified device architecture, autonomous ...
  30. [30]
    How it works - eSIM - GSMA
    eSIMs use remote over-the-air provisioning of credentials, enable/disablement, and deletion. SM-DP encrypts credentials, and SM-SR delivers and manages them.Missing: components | Show results with:components
  31. [31]
    Unlock the Future of Mobile Connectivity - eSIM - GSMA
    Jul 31, 2024 · eSIM technology is embedded SIM technology that is revolutionizing device connectivity. The guide covers key components, architectures, ...
  32. [32]
    eSIM Certificates - GSMA
    This page details the esential certificates existing in the eSIM ecosystems for Consumer, M2M and IoT including GSMA Certificate Issuer (CI), Test Certificates ...
  33. [33]
    None
    Below is a merged summary of the SM-DP+ and SM-SR roles in Remote SIM Provisioning (RSP) based on GSMA SGP.32, consolidating all information from the provided segments into a dense, comprehensive response. To maximize detail and clarity, I’ll use a table format for key roles, responsibilities, interactions, and interfaces, followed by a narrative summary of architecture, flows, and additional details.
  34. [34]
    How long does it take to activate an eSIM? - Cybernews
    May 12, 2025 · In most cases, it's only a few seconds or up to a few minutes. For instance, Nomad's eSIM, which can be used in over 200 destinations, only takes less than 5 ...
  35. [35]
    [PDF] How Remote SIM Provisioning Works - Mobile World Live
    The SM-SR ensures the secure transport of both eUICC platform and profile management commands in order to load, enable, disable and delete profiles on the eUICC ...
  36. [36]
    Multi IMSI (SIM) explained: A technical deep dive for IoT - Onomondo
    Jun 20, 2025 · Location-based: automatically switching to another network profile when crossing borders · Signal-strength prioritized: selecting the strongest ...
  37. [37]
    E-SIM for consumers—a game changer in mobile ... - McKinsey
    Jan 1, 2016 · e-SIMs give device owners the ability to compare networks and select service at will—directly from the device ...
  38. [38]
    Remote SIM Provisioning Platform to Manage eSIMs - Valid
    The Remote SIM Provisioning (RSP) platform streamlines eSIM management services for Mobile Operators, offering greater efficiency, security, and flexibility.
  39. [39]
    MVNOs World 2025: eSIMs and cloud solutions expand opportunities
    Jun 13, 2025 · The technology can significantly reduce subscriber acquisition costs for operators, virtual or not, eliminating the need to ship physical SIM ...
  40. [40]
    https://www.gsmaintelligence.com/research/esim-connectivity-service-for-smartphones-over-two-thirds-of-mnos-have-launched-but-regional-differences-persist
  41. [41]
    https://support.apple.com/en-us/119601
  42. [42]
    Set up cellular on Apple Watch
    even while you're away from your iPhone.
  43. [43]
    Apple Watch - Carriers
    all without your iPhone. With International ...
  44. [44]
    Transforming the connected car market - eSIM - GSMA
    The GSMA's Embedded SIM Specification uses Remote SIM Provisioning technology and therefore enables late stage programming of M2M devices. In the auto ...
  45. [45]
    How IoT, eSIMs, and AI are Revolutionizing Healthcare - 1GLOBAL
    Jul 21, 2025 · The automatic network switching capability of eSIMs also helps to avoid downtime or signal outages by instantly reconnecting to a new local ...
  46. [46]
    Smart meter management simplified with eSIM services - IDEMIA
    Utility providers can remotely switch connectivity with eSIM without needing physical access to meters, ensuring continuity amid network sunsets and phase-outs.Missing: bulk | Show results with:bulk
  47. [47]
    100+ eSIM statistics telecom service providers need to know in 2025
    Apr 25, 2023 · Smartphone Connections Using eSIM in 2025: 1 billion eSIM smartphone connections (GSMA Intelligence), almost 18% up (Mobilise) from 850 million ...Consumer eSIM Market Size... · Global eSIM Market Growth...
  48. [48]
    Satellite + IoT: The Key to Expanding Global Connectivity and New Revenue Streams | IoT Now News & Reports
    ### Emerging Use Cases for Satellite-IoT Hybrids with eSIM for Global Coverage in 2025
  49. [49]
    Apple introduces iPhone 14 and iPhone 14 Plus
    ### Summary of iPhone 14 Launch (2022)
  50. [50]
    What you need to know about the new eSIM SGP.32 standard
    The first eSIM (or remote SIM provisioning) standard was the SGP.02 or 'machine-to-machine' standard, which was introduced in 2014. It relied on server ...Missing: 2015 | Show results with:2015
  51. [51]
    eSIM Compliance - GSMA
    GSMA has created a compliance framework for eSIM devices, eUICCs, and Subscription Management servers to ensure they meet the GSMA Remote SIM Provisioning ...
  52. [52]
    [PDF] An essential guide to GSMA eSIM certification | Kigen
    GSMA eSIM certification ensures interoperability and security, with a compliance process managed by GSMA, covering functional and security certifications.
  53. [53]
    [PDF] eSIMplicity or eSIMplification? Privacy and Security Risks in the ...
    Jul 30, 2025 · However, the centralized generation and reliance on global uniqueness introduce privacy concerns if the EID is exposed or misused by malicious ...Missing: anonymized | Show results with:anonymized
  54. [54]
    [PDF] Privacy Design Guidelines for Mobile Application Development
    In 2012, the GSMA published a set of universal mobile privacy principles that describe the way in which mobile users' privacy can be respected and protected.Missing: RSP transaction
  55. [55]
    Security Analysis of the Consumer Remote SIM Provisioning Protocol
    Aug 16, 2024 · There are three main entities involved in these phases: the eUICC, the LPA and user, and the SM-DP+ server. The certificates used in the ...
  56. [56]
    Security Analysis of the Consumer Remote SIM Provisioning Protocol
    Oct 21, 2025 · The remote SIM provisioning (RSP) protocol is adequately secured, between honest entities, against network adversaries and the security goals defined in the ...
  57. [57]
    [PDF] How Remote SIM Provisioning Works - Kigen
    Nov 1, 2020 · GSMA specifies two RSP solutions, one for consumer applications and one for M2M applications. 7 eBook. Key RSP terms defined. Page 8. EUM - ...
  58. [58]
    [DOC] Download - GSMA
    This document defines requirements and architectures to enable the remote provisioning and management of the eUICC in IoT Devices which are Network Constrained ...
  59. [59]
    1GLOBAL M2M Remote SIM Provisioning Platform
    GSMA SGP. 02. M2M Remote SIM Provisioning. Remote SIM Provisioning (RSP) in IoT is the process of remotely managing SIM profiles compatible with eUICC-capable ...<|control11|><|separator|>
  60. [60]
    Remote SIM provisioning: the time to turn tech availability into ...
    Feb 21, 2025 · This report examines the outlook for RSP and provides a view on future developments that could help overcome some of the challenges that are currently ...
  61. [61]
    SGP.32: The Future of Remote SIM Provisioning for IoT Devices
    The SM-DP+ is a cloud-based service which stores, encrypts, and delivers SIM profiles. Once requested by the eIM, the IPA downloads a new SIM profile from the ...Missing: clustering 5G
  62. [62]
    AI-Driven Anomaly Detection for Securing IoT Devices in 5G ... - MDPI
    This paper proposes a novel AI-driven anomaly detection framework designed to enhance cybersecurity in IoT-enabled smart cities operating over 5G networks.Missing: SIM provisioning SM- DP+
  63. [63]
    FlexiSIM Solution
    Official page describing iONLINE Connected Networks’ FlexiSIM service, including details on eUICC-based remote SIM provisioning for global IoT connectivity across 700+ networks in 190+ countries.
  64. [64]
    IoT connectivity provider iONLINE launches intelligent network switching SIM with multi-network resilience
    Industry news article detailing the launch of FlexiSIM, its use of RSP for OTA profile updates, and support for NB-IoT, LTE-M, 4G/5G across 700+ carriers in 190–220 countries.