The GSMA’s SGP.32 eSIM standard promises zero-touch, global IoT connectivity, addressing roaming and regulatory challenges. KORE highlights its flexibility and remote management capabilities, echoing the wider industry view of the new standard as a “revolution” for IoT deployments.
In truth, the eSIM revolution never happened in IoT – until now, maybe. The technology, to embed subscriber identity modules (SIMs) as soldered chips (eSIMs) into a device’s main circuit board, has been around for 15 years already. But developers of cellular-based IoT gadgetry have been forced to provision these in their devices using either hard-coded M2M integrations, defined in the SGP.02 specification, or UI-led consumer activation flows, as set out in SGP.22. In the end, neither have worked very well for IoT, until now – until the new SGP.32 specification.
This is the subject of a new editorial report from RCR Wireless, in association with IoT specialist KORE. The SGP.32 mechanism for remote SIM provisioning (RSP), now being certified in IoT platforms and devices, introduces a zero-touch, “build-once, ship-anywhere” model with key components, including the eSIM IoT Remote Manager (eIM) and the IoT Profile Assistant (IPA) for secure downloads, updates, and management. It mandates cryptographic authentication, introduces reset procedures, and supports delayed or scheduled asynchronous updates.
Industry leaders see it as a turning point. Talking about its first commercial deployment with tracking outfit Trackunit, Carolien Nijhuis, executive vice president for IoT at KPN, says the new standard “will revolutionise eSIM connectivity for IoT use cases.” Mats Lundquist, chief executive at Telenor Connexion, calls it “more than a technology upgrade”. It marks a “significant shift in the evolution of global connectivity that will simplify operations for our customers and reduce long-term integration challenges”, he says.
Even Vodafone, a grandaddy MNO on the cellular IoT scene, has reorganized itself to some extent because of the new eSIM push. The UK-based carrier group was emboldened 24 months ago to reorganise its entire business because of eSIM, plus other things, says Erik Kling, president of Vodafone IoT Americas. “We spun out Vodafone IoT for several reasons: for scale, for scope, for speed… And we did it also because of all the eSIM and iSIM development, which changes the dynamics – for both existing and new customers around the world,” he says.
IoT requirements
Historically, eSIM adoption in IoT has been largely confined to the automotive and utilities sectors. The old SGP.02 standard enabled M2M integration but required costly, bespoke carrier work; SGP.22, designed for consumer devices, relied on device-side software (LPA) and manual activation flows unsuitable for headless IoT deployments. There are regulatory shifts to contend with, also. A key driver for the SGP.32 architecture, and for eSIM in the first place, is changing rules around data roaming and localisation.
Permanent roaming restrictions are playing havoc with IoT fleets. Roaming cut-offs of 90-180 days mean traditional roaming SIMs do not work – which is part of the original RSP rationale. Steffen Sorrell, chief of research at Kaleido Intelligence, says: “More countries are restricting how devices roam onto their networks. If you want to support global IoT, you need to localize. You can’t do that with a roaming SIM.” The list of countries with limitations is long, whether as de jure bans (Brazil, Turkey, Nigeria) or de facto ones (China, Egypt, India, Saudi Arabia, Singapore, UAE).
Elsewhere, mobile operators are imposing restrictions on permanent roaming with much the same result (as in Australia, Canada, US). At the same time, developing data sovereignty laws – around where data is captured, processed, stored – have also driven the case for flexible SIM mechanics. Regulation is real or pending: the EU’s GDPR privacy rules and Gaia-X sovereign cloud initiative; China’s cybersecurity and data security laws; India’s personal data protection bill. The net result for the IoT sector is the clunky old roaming model is broken.
Again, SGP.32 seeks to solve all of that. Scott Lemon, senior director for market engagement and innovation at KORE, explains: “SGP.32 is the best of both worlds. We get the same flexibility as SGP.22, but with a standardized interface for the eIM to remotely manage the SIM and the profiles.” It brings new operational clarity, he says: “You have to understand the diversity of these solutions. Because it’s all over the map, and it requires money and effort. But the eIM in SGP.32 really changes things into a standardized RSP process.”
eSIM revolution
SGP.32 solutions are being tested now, with a view to a commercial ramp-up through 2026, and a tipping point some time in 2027/28, says Kaleido Intelligence. His firm forecasts compound annual growth (CAGR) of nine percent for consumer SGP.22 eSIMs in the period to 2028 (80.2 million to 102 million), 33 percent for M2M SGP.02 eSIMs (295.3 million to 693.5 million), and 240 percent for IoT SGP.32 eSIMs (4.9 million, today, to 192.8 million). Of course, whatever-percentage growth of not-very-much is still not-very-much, perhaps.
But the installed base of SGP.32 eSIMs will go from next-to-nothing to twice the consumer eSIM base in just a few years – and to about a third of the decade-old M2M base. By 2030, practically every non-consumer machine/thing will use SGP.32. For IoT developers, the advice is to test thoroughly, understand the ecosystem, and partner with experienced providers. SGP.32 offers a leap forward – but only if implemented carefully, with attention to long-term fleet management, roaming compliance, and device lifecycle.
Because pitfalls remain. Indeed, the whole eSIM concept of total freedom-and-flexibility is something of an illusion. “I feel pretty strongly about this,” says Lemon, responding to a question about whether to host the eIM with an MNO or a third-party provider such as an MVNO. His point is that new SGP.32 support for multiple eIMs on a single eSIM promises genuine flexibility, but also limits it potentially – because it provides the ability to remove eIMs, as well as to add them – and to also “throttle” their provisioning in a management console.
In other words, the freedom only holds if eIM providers, whether operators or others, implement the standard as intended. Lemon explains: “This is important for people to understand. If you are going to partner with an MNO, you have to make sure they provide the facility to move to another eIM, or add another eIM… The standard was designed to avoid lock-in. But if your provider refuses to allow another eIM to be connected, then you’re stuck – and with that vendor forever.” So the pitfall is not embedded in the standard, itself, but manufactured in its execution.
Business concerns
It puts focus on a new kind of ‘orchestrator’ role, as analyst house Transforma Insights puts it, for IoT service providers to deliver properly-flexible eIM-based RSP, alongside full-stack roaming and billing. Lemon says: “That automation on top of the eIM is key… to analyse, adapt, switch profiles to be on the best networks. But you need an appropriate portfolio of profiles in the first place, and a transparent way to manage them as well.” KORE makes its own case in this regard, with Lemon reeling off the highlights: 20 million connections; 3,600 customers; 45 carrier integrations; roaming in 190 countries; support for all the eSIM standards
But in the end, the advice to developers and enterprises is to be hopeful, but also to be careful: do your due diligence and bring new order and control to your IoT fleets, or else deal with lock-ins and other headaches, and get left behind. “The thing is to talk to lots of vendors,” says Lemon. “Ask questions, compare answers. Go into it in a smart way – because IoT investments pay off in the future as well.”
