IoT deployments are often designed to operate for years in the field, sometimes in remote locations where physical access to devices is difficult or costly. In these environments, replacing SIM cards or manually updating network credentials can quickly become a logistical challenge.
To address this, the GSMA introduced eSIM technology, built around the embedded Universal Integrated Circuit Card (eUICC). eSIM enables remote SIM provisioning (RSP)—a framework that allows mobile operator profiles to be securely downloaded, activated, and managed over the air without replacing the physical SIM.
Over time, the GSMA has developed multiple specifications to support different device categories and connectivity models. The most relevant standards today include:
- SGP.02, originally developed for machine-to-machine (M2M) deployments
- SGP.22, designed for consumer devices such as smartphones and wearables
- SGP.32, the newest specification created specifically for IoT deployments
Each standard reflects the connectivity and operational requirements of the devices it was designed to support. Understanding the differences between them is essential when designing a scalable IoT connectivity strategy.
In this article, we explore how these GSMA eSIM standards work, their key differences, and how the new SGP.32 architecture addresses many of the limitations of earlier models for IoT deployments.
What Are eUICC and Remote SIM Provisioning (RSP)?
eUICC (Embedded Universal Integrated Circuit Card) is a SIM architecture defined by the GSMA that allows a single SIM to securely store and manage multiple mobile network operator profiles.
These profiles contain the credentials that allow a device to authenticate and connect to a cellular network.
RSP is the framework that enables these operator profiles to be securely downloaded, activated, and managed remotely on an eUICC.
Together, eUICC and RSP allow devices to change or update operator profiles without replacing the physical SIM, enabling more flexible connectivity management for IoT and connected devices.
The GSMA has defined several RSP architectures for different device categories, including SGP.02 for M2M deployments, SGP.22 for consumer devices, and the newer SGP.32 specification designed for IoT environments.
SGP.02: The First eSIM Standard for M2M Devices
What is SGP.02?
SGP.02 is the GSMA specification that defines remote SIM provisioning for machine-to-machine (M2M) devices. It allows mobile operator profiles to be remotely installed and managed on an eUICC without physically replacing the SIM card.
The specification was originally designed for long-lifecycle connected devices such as smart meters, industrial equipment, and connected vehicles.
How SGP.02 Works
The SGP.02 architecture relies on two core subscription management components:
- SM-DP (Subscription Manager – Data Preparation) – prepares and encrypts operator profiles
- SM-SR (Subscription Manager – Secure Routing) – securely delivers profiles to the device and manages their lifecycle on the eUICC
In this architecture, operator profiles are prepared by the SM-DP and delivered to the eUICC under the control of the SM-SR. Because provisioning actions are initiated through the subscription management infrastructure, SGP.02 is often described as using an operator-controlled or “push” provisioning model.
Advantages & Limitations of SGP.02
SGP.02 established the first GSMA framework for remote SIM provisioning in M2M deployments and enabled operator profiles to be managed remotely on deployed devices.
However, the architecture reflects the operational models of early M2M ecosystems. The model worked well in the early phases of automotive and other controlled deployments, where connectivity was typically provisioned once and remained relatively static over the device lifecycle. As IoT deployments expanded in scale and flexibility requirements, some architectural constraints became more apparent.
ADVANTAGES OF SGP.02 | LIMITATIONS OF SGP.02 |
Enabled remote provisioning of operator profiles for deployed devices | Each eUICC is managed by a specific SM-SR platform responsible for profile lifecycle management |
Reduced the need for physical SIM replacement in deployed devices | Profile downloads and lifecycle operations are controlled through the subscription management infrastructure |
Allowed multiple operator profiles to be stored on an eUICC (with one active at a time) | The architecture requires coordination between several systems including SM-DP, SM-SR, device manufacturers, and mobile network operators |
Introduced the first GSMA-standardized framework for M2M remote SIM provisioning | Communication with the eUICC is typically performed using SMS or IP transport mechanisms |
While SGP.02 laid the foundation for remote SIM provisioning, evolving IoT requirements eventually led to the development of additional GSMA specifications designed for other device categories and connectivity models.
SGP.22: eSIM for Consumer Devices
What is SGP.22?
SGP.22 is the GSMA specification that defines Remote SIM Provisioning for consumer devices. It was designed for devices with user interfaces, such as smartphones, tablets, laptops, and smartwatches, where a user can initiate profile download and activation directly on the device.
How SGP.22 Works
The SGP.22 architecture is built around several key components:
- SM-DP+ (Subscription Manager Data Preparation +), which securely prepares and hosts operator profiles for download
- LPA (Local Profile Assistant), software on the device that manages profile download and local profile operations
- SM-DS (Subscription Manager Discovery Server), which can help the device discover the relevant SM-DP+
- eUICC, which securely stores the operator profiles on the device
In a typical SGP.22 flow, the user initiates activation on the device, often by scanning a QR code or using an activation code. The device’s LPA then connects to the appropriate provisioning infrastructure to download and install the operator profile onto the eUICC.
Advantages & Limitations of SGP.22
SGP.22 simplified digital activation for consumer devices and reduced much of the architectural complexity associated with the earlier M2M model. It works well for devices that are accessible, user-operated, and equipped with a local interface.
For IoT, however, the fit is more limited. Many IoT devices are headless, remotely deployed, or managed in very large fleets, which makes a user-driven activation model less practical. In addition, the SGP.22 framework relies on LPA-based device interaction and HTTP/TLS-based provisioning flows, which may be less suitable for constrained, low-power devices depending on the device design and deployment model.
SGP.32: The New eSIM Standard for IoT
What is SGP.32?
SGP.32 is the GSMA specification that defines remote SIM provisioning for IoT devices. It introduces an architecture designed specifically for IoT devices that may have limited connectivity, operate in low-power environments, or lack a user interface
While SGP.02 was designed for early M2M deployments and SGP.22 focused on consumer devices, SGP.32 addresses the operational requirements of modern IoT deployments, including large-scale device fleets and automated connectivity management.
The specification builds on earlier GSMA eSIM standards while introducing mechanisms optimized for IoT environments.
How SGP.32 Works
The SGP.32 architecture introduces several components that enable remote provisioning and lifecycle management of IoT device connectivity:
- eUICC – securely stores and manages operator profiles
- IPA (IoT Profile Assistant) – facilitates communication between the device, the eUICC, and remote provisioning servers
- eIM (eSIM IoT Remote Manager) – manages provisioning operations and profile lifecycle management for IoT deployments
- SM-DP+ – prepares and securely delivers operator profiles
In this architecture, IoT devices can securely download, activate, disable, or update operator profiles remotely without requiring direct user interaction. The eIM enables centralized management of large device fleets while maintaining the security model defined by GSMA eSIM specifications.
The IoT Profile Assistant can be implemented either within the device (IPAd) or within the eUICC itself (IPAe), allowing manufacturers to optimize the design depending on device capabilities.
Advantages of SGP.32
SGP.32 introduces several improvements over earlier eSIM specifications that improve flexibility, efficiency, and scalability for large IoT deployments.
Server-initiated profile management
Unlike consumer eSIM models that rely on user-initiated profile downloads, SGP.32 allows provisioning operations to be initiated by remote management infrastructure. This enables connectivity profiles to be installed or updated across large device fleets without requiring direct user interaction.
Reuse of existing SM-DP+ infrastructure
SGP.32 is designed to work with the SM-DP+ infrastructure already used in consumer eSIM deployments. This reduces the need to deploy entirely new provisioning systems and helps simplify adoption within existing eSIM ecosystems.
Reduced reliance on SMS for provisioning
Earlier M2M eSIM architectures often relied on SMS messaging for certain provisioning operations. SGP.32 enables profile management using modern IP-based communication mechanisms, reducing operational complexity and improving reliability in environments where SMS support may be limited.
Optimized profile download efficiency
SGP.32 introduces mechanisms that reduce the amount of data required during profile download and management operations. This is particularly beneficial for IoT devices operating on constrained networks, such as LPWAN or low-bandwidth cellular connections.
Improved scalability for large device fleets
The architecture supports centralized lifecycle management of device connectivity, making it easier for organizations to deploy, provision, and manage large numbers of connected devices without requiring physical SIM replacement or manual intervention.
Limitations and Key Considerations for SGP.32
While SGP.32 introduces important improvements for IoT remote SIM provisioning, organizations should consider several factors when designing their connectivity strategy and evaluating vendor implementations.
Implementation and interoperability considerations
SGP.32 introduces new components such as the IoT Profile Assistant (IPA) and the eSIM IoT Remote Manager (eIM). The IPA can be implemented either within the device (IPAd) or within the eUICC (IPAe), depending on device capabilities and system design.
It is also important to note that support for a configurable eIM is optional within the specification. In practice, this means the flexibility of an SGP.32 deployment can depend on how the eIM and eUICC are implemented by vendors. Evaluating interoperability and configurability during vendor selection can help ensure long-term flexibility and avoid operational constraints later in the device lifecycle.
Industry adoption
SGP.32 adoption is growing across the IoT ecosystem, but implementation maturity can vary between device manufacturers, connectivity platforms, and mobile network operators.
Integration with existing deployments
Many IoT deployments today still rely on SGP.02 or SGP.22 architectures. Organizations deploying new devices may therefore need to support multiple provisioning frameworks while transitioning to SGP.32.
Flexible eSIM Connectivity Strategies with Velocity IoT
Velocity IoT supports connectivity architectures aligned with GSMA eSIM standards such as SGP.22 and SGP.32, enabling remote SIM provisioning and lifecycle management through eUICC technology.
Velocity IoT combines multi-IMSI connectivity with eUICC technology, enabling devices to connect immediately through access to an extensive global IMSI library. The platform also supports autonomous network switching, allowing devices to move to another available network if coverage or performance changes.
Velocity IoT’s platform leverages cloud-native core network infrastructure and localized packet gateway infrastructure, helping reduce latency while supporting regulatory compliance, security, and improved network performance across global deployments.
Through autonomous network switching, devices can automatically connect to alternative networks if coverage degrades, or a network becomes unavailable.
Conclusion
GSMA eSIM standards have evolved to support different connectivity models, from SGP.02 for early M2M deployments, to SGP.22 for consumer devices, and now SGP.32 designed specifically for IoT environments. Each architecture reflects the operational requirements of the devices it was built to support, from user-driven activation to automated provisioning and fleet-scale connectivity management.
For organizations deploying connected devices, understanding these differences helps inform key decisions around device design, connectivity strategy, and long-term lifecycle management.
Reach out to discuss how we can help you build the ideal connectivity strategy for your devices and IoT applications.
