How GSMA Specifications Shape eSIM: From SGP.22 to SGP.32

Behind every eSIM activation and profile download lies a complex ecosystem of technical standards maintained by the GSMA. The eSIM specification family, officially designated as SGP (SIM Governance Program), defines every aspect of how embedded SIMs are manufactured, provisioned, and managed throughout their lifecycle. The foundational specification, SGP.01, established the core eSIM architecture and terminology, but it is the later documents — SGP.21, SGP.22, SGP.31, and SGP.32 — that have shaped the eSIM experience we know today. These specifications are not static documents; they evolve through collaborative input from mobile network operators, device manufacturers, chipset vendors, and security experts worldwide. The GSMA's working groups meet regularly to address emerging challenges, from IoT scalability to quantum-resistant cryptography. Understanding this specification landscape is essential for anyone working in telecommunications, as it reveals how the industry balances interoperability, security, and commercial flexibility across a global ecosystem of competing stakeholders. Each specification targets a distinct use case, and knowing which one applies to your scenario can mean the difference between a seamless deployment and a stalled rollout.

SGP.22, officially titled 'RSP Technical Specification,' is the document that governs how consumer devices — smartphones, tablets, and wearables — download and manage eSIM profiles. At its heart is the Remote SIM Provisioning (RSP) architecture, which defines four core entities: the eUICC (the embedded chip itself), the LPA (Local Profile Assistant, the on-device software that manages profiles), the SM-DP+ (Subscription Manager Data Preparation+, the server that prepares and delivers encrypted profiles), and the SM-DS (Subscription Manager Discovery Server, which helps devices locate available profiles). SGP.22 introduced the concept of profile containers — isolated, secure execution environments within the eUICC that can each host a fully functional SIM profile. A single eUICC can store multiple profiles simultaneously, though only one can be active at a time in most consumer implementations. The specification also defines the profile download process in exhaustive detail: from mutual authentication using PKI certificates issued by the GSMA Certificate Issuer, through the encrypted transmission of profile data over HTTPS, to the final installation and state transition. SGP.22 version 3.0, released in 2023, brought significant enhancements including improved support for multiple enabled profiles and streamlined profile deletion workflows.

While SGP.22 works well for consumer devices with rich user interfaces, it proved inadequate for the Internet of Things. Many IoT devices lack screens, keyboards, or even regular human interaction — yet they require the same profile management capabilities. Enter SGP.32, released in mid-2023, which introduces an entirely new provisioning paradigm built around the IoT Remote SIM Provisioning (IoT RSP) architecture. The key innovation in SGP.32 is the IPA (IoT Profile Assistant), which replaces the consumer-centric LPA with a lightweight, automatable agent that can operate without user interaction. Alongside the IPA, SGP.32 defines the eIM (eSIM IoT Manager), a new server-side component that orchestrates profile operations across fleets of IoT devices. This allows enterprises to manage thousands or millions of eSIMs from a single dashboard — pushing profiles, triggering switches, and monitoring device connectivity status in near real-time. SGP.32 also introduces a more flexible profile state machine that accommodates the unpredictable connectivity patterns of IoT deployments, where devices may operate offline for extended periods or connect through constrained, low-power networks like NB-IoT and LTE-M. For industries from logistics to agriculture, SGP.32 represents the missing piece that finally makes eSIM viable at massive scale.

Understanding the RSP architecture requires moving beyond diagrams to see how the components interact during a real profile download. When a user scans a QR code from their carrier, the LPA extracts the SM-DP+ address and activation code. It then initiates a TLS session with the SM-DP+, performing mutual authentication: the SM-DP+ verifies the eUICC's GSMA-issued certificate, and the eUICC verifies the SM-DP+ certificate. This cryptographic handshake ensures neither party is communicating with an impostor. Once authenticated, the SM-DP+ generates a profile package encrypted specifically for that eUICC's unique key, making intercepted data useless to any other device. The LPA passes this encrypted package to the eUICC, which decrypts and installs it within an isolated security domain. The entire process — from QR scan to active profile — typically completes in under 60 seconds, though complex profiles with multiple network access applications may take longer. For SGP.32 IoT deployments, the flow differs: the eIM communicates directly with the IPA via a standardized API, triggering profile operations according to business logic defined by the enterprise. This decoupling of profile management from physical device access is what makes over-the-air provisioning truly transformative — a sensor in a remote oil field can switch carriers without anyone ever touching it.

The GSMA specification roadmap extends well beyond SGP.32. SGP.41 and SGP.42, currently in development, target the next frontier: iSIM (integrated SIM) architectures where SIM functionality is embedded directly into the device's system-on-chip alongside the processor and modem. This eliminates the discrete eUICC chip entirely, enabling even smaller, more power-efficient designs for wearables and sensors. Meanwhile, the specifications are evolving to address emerging security threats. Post-quantum cryptography (PQC) is a growing concern, as quantum computers could theoretically break the elliptic curve cryptography that underpins current eSIM authentication. The GSMA has initiated working groups to evaluate PQC algorithms and define migration paths for the eSIM certificate infrastructure — a transition that will take years and require coordination across the entire industry. Another active area is multi-profile simultaneous operation, where devices could keep multiple profiles active concurrently — enabling a smartwatch to maintain separate data connections for health monitoring and messaging simultaneously. As satellite connectivity enters the mainstream through direct-to-device services, specifications are also adapting to accommodate non-terrestrial network profiles. The GSMA's specification work, while largely invisible to end users, continues to define what is technically possible in mobile connectivity, one document revision at a time.