The eUICC technology enables SIM profiles to be changed without having to replace the physical SIM card. However, the previous eUICC standards never really met the requirements of IoT projects. SGP.02 was too complex and too dependent on SMS, SGP.22 does not work for minimalist IoT devices without a user interface. Now, with SGP.32, the GSMA has succeeded in closing the gaps in the previous standards.
The larger and more international IoT projects become, the clearer the limits of the existing eUICC standards become. Irrespective of the fact that both standards were not intended directly for IoT applications from the outset, different technical approaches for M2M and consumer applications have so far led to fragmented solutions that have made scaling and interoperability more difficult. The new SGP.32 standard is now intended to lay the foundation for a uniform, globally scalable IoT ecosystem.
The development of eUICC standards began back in 2014, but when the GSMA launched SGP.02 (M2M eSIM), the focus was on the automotive industry. The reason for the focus on automotive: in 2015, the EU introduced the mandatory eCall system, which meant that vehicles had to be able to automatically make emergency calls in the event of an accident - a driver for the early introduction of M2M eSIMs in the automotive industry.
SGP.02 made remote provisioning of SIM profiles possible for the first time, but was dependent on complex integrations and with a clear vendor lock-in (SM-SR). This meant that the standard was not only unsuitable for fast and uncomplicated provider changes - which contradicted the original wishes of many IoT projects - but was primarily geared towards the requirements of huge automotive projects with millions of SIM cards. As a result, SGP.02 projects were complex, lengthy, extremely costly and locked into rigid 10-year contracts with a vendor lock-in.
2016 saw the breakthrough in the smartphone segment with SGP.22 (Consumer eSIM). Simpler, user-friendly, QR code-based. But IoT devices are not smartphones: they often have no screens (and no one sitting in front of them to change them manually if necessary), run on minimal hardware and have to function autonomously for years. This left a gap for many IoT applications despite the second standard: M2M was too rigid, consumer too complex. The new eSIM IoT standard SGP.32 breaks away from this and is tailored to the specific requirements of IoT applications.
Technically, SGP.32 is based on a modular architecture that allows eSIM profiles to be managed remotely and independently of the end device. Mobile network providers no longer determine how profiles are uploaded and managed, but other market players and companies are given significantly more say and the right to shape the management of IoT devices. In particular, the actual customers will have almost sole control over remote SIM provisioning.
The standard also integrates enhanced security mechanisms and defines clear compatibility requirements that ensure smooth cooperation between different manufacturers, network operators and service providers. This turns a previously fragmented market into an interoperable ecosystem that enables true scaling.
The new standard brings with it a number of practical benefits that significantly simplify the rollout and operation of IoT solutions:
Let's imagine an energy supplier rolls out millions of smart meters in different countries. If a SIM provider needs to be changed, every card would have to be physically swapped with traditional SIMs. A logistical nightmare. With SGP.32, the SIM profiles can be updated remotely, for thousands of devices at the same time if necessary. This not only saves time and money, but also makes it possible to remain globally flexible in the first place.
This makes it clear that SGP.32 is not a niche standard, but a key driver for almost all IoT segments with high scaling requirements. This standard will prevail in the IoT environment - because it removes technical hurdles, creates interoperability and gives companies the flexibility they need for international rollouts.
The introduction of SGP.32 not only changes the technical basis, but also shifts the roles and balance of power in the IoT ecosystem:
- Mobile network operators (MNOs) must adapt their previous, often proprietary provisioning solutions and rely more heavily on open interfaces. This may require investments in the short term, but also opens up new business areas, such as globally scalable IoT services.
- The new standard gives virtual network operators (MVNOs) and connectivity providers the opportunity to develop more flexible and interoperable offerings. Companies can switch between providers more easily or use several providers in parallel, which should intensify competition. Technologically leading connectivity providers with their own platform development will benefit in particular. Thanks to continuous further developments, they are often superior to the rigid, cumbersome platforms of traditional MNOs. In an environment in which switching providers will be easier than ever before thanks to SGP.32, the better products and services will prevail in the long term. In short: SGP.32 offers MVNOs and connectivity providers less lock-in, more competition and new business models.
- Companies as users are probably the biggest winners from the introduction of SGP.32. Not only do they gain significant control, but they can also rely on a standard from the start of their projects that enables global scaling and long-term operating cost optimization. Projects with high data consumption in particular are likely to benefit from lower operating costs, as provisioning and management are centralized and standardized. They will also have greater flexibility in their choice of partners, networks and devices.
The expected increase in competition means that providers will have to offer greater service quality and flexibility, while companies will have significantly more control over their IoT connectivity.
As promising as SGP.32 is, the standard still has its limits. The complete test specifications have only been available since the beginning of 2025, which means there is a lack of field experience. Providers and companies are therefore still in the early stages of integrating eIM and IPA properly into their platforms. Precisely because the standard is still young, it is worthwhile for companies to work closely with partners who have already gained initial practical experience. eUICCs and the necessary infrastructure are also more expensive than classic IoT SIM solutions - an aspect that is likely to be particularly important for projects with lower data volumes.
Another important point: SGP.32 is not backwards compatible. Existing fleets based on SGP.02 or SGP.22 cannot simply be migrated, but must be replaced in the long term. In addition, the risk of commercial lock-ins remains even with SGP.32. Although the standard is generally more open in technical terms, providers can still create dependencies on the user side via business models or proprietary platform functions.
Despite all the limitations, SGP.32 is the first standard to seriously address the reality of IoT deployments and overcome the biggest obstacles of its predecessors. After the first standards (SGP.02 and SGP.22), which were often difficult to use in practice, SGP.32 is now a truly successful standard. It creates the basis for making IoT connectivity easier and more flexible to use - and this is precisely what plays into the hands of strong IoT providers. Because those who offer powerful, modern solutions can assert themselves even more clearly in a market without technical lock-in. As a result, IoT connectivity is consistently developing in the direction of CaaS - Connectivity as a Service: standardized, interchangeable and yet with clear advantages for providers who are leaders in technology and service quality.
SGP.32 represents a decisive step towards a standardized, global IoT standard. However, development is not standing still. Future enhancements could focus on even greater automation of provisioning processes, improved security frameworks and the integration of non-cellular IoT technologies (e.g. satellite connectivity or LPWAN).
In the long term, the standard should create the basis for a fully interoperable IoT ecosystem, roughly comparable to today's standards on the internet. For companies, this means more sustainable investments in IoT infrastructures, as devices, platforms and networks will remain compatible for years to come. Anyone planning IoT projects with an eUICC approach today should therefore focus exclusively on SGP.32 - older standards are effectively obsolete.
The challenge for providers will be to develop value-added services such as monitoring, security-as-a-service or intelligent platform solutions in order to differentiate themselves in the more standardized market.
SGP.22 is the eSIM standard for consumer devices such as smartphones. It is based on user interaction (e.g. QR code scanning), relies on a simplified architecture model (SM-DP+) and was developed for devices with a display. SGP.32, on the other hand, addresses the special requirements of IoT: there is no longer any dependency on SMS, profiles can be downloaded via both push and pull, and new roles have been introduced with eIM and IPA, which enable flexible, scalable operation of IoT fleets.
No, SGP.32 is not backwards compatible. Devices with SGP.02 (M2M) or SGP.22 (consumer) cannot be upgraded to SGP.32 via a software update, as the architecture and roles are different. For existing fleets, this means that they continue to run with the standard for which they were built. It is better to plan new IoT projects with the new eSIM IoT standard SGP.32 from the outset in order to be future-proof.
In principle, most modern IoT modules are "SGP.32-ready". The GSMA has published test specifications since 2025 and the first certified eUICCs are available. However, initial practical tests show that while installing an initial profile usually works without any problems, there are still some difficulties when changing profiles. Companies should therefore not only check whether a profile is running, but also explicitly test the switch to other profiles.
SGP.32 offers a higher level of security than its predecessors. All profile operations (e.g. activation, deactivation, deletion) run as so-called Profile State Management Operations (PSMO) and are cryptographically secured. This means that only authorized eIMs can make changes. In addition, standardization ensures interoperability between manufacturers and providers, which prevents security gaps caused by proprietary special solutions.
SGP.32 is the clear recommendation for all new IoT deployments from 2025 onwards. The standard eliminates lock-ins, enables simple integration of local profiles (important in countries with regulatory requirements) and allows flexible switching between providers. Existing projects with SGP.02 or SGP.22 do not need to be replaced immediately, but should migrate to SGP.32 when hardware is replaced in order to avoid long-term costs and dependencies.