Guide

The eSIM Profile Lifecycle: Every Stage from Creation to Deletion

TravelGo 2026-06-21

The GSMA Framework: Who Governs the eSIM Lifecycle

Every eSIM profile follows a tightly regulated lifecycle defined by the GSMA's SGP.22 specification for consumer devices and SGP.02 for machine-to-machine (M2M) applications. These specifications are not mere suggestions — they are the architectural blueprint that every carrier, device manufacturer, and secure element vendor must follow to ensure global interoperability. At the heart of this ecosystem sits the SM-DP+ (Subscription Manager Data Preparation+), the server responsible for generating, storing, and delivering profiles. Alongside it, the SM-DS (Subscription Manager Discovery Service) acts as a notification hub, alerting devices when new profiles are available. On the device side, the LPA (Local Profile Assistant) serves as the intermediary between the eUICC — the physical secure element — and the remote servers. The eUICC itself is manufactured by an EUM (eUICC Manufacturer) and pre-loaded with a root certificate that establishes a chain of trust. This multi-layered architecture ensures that every stage of a profile's life, from its cryptographic birth inside an SM-DP+ to its eventual deletion, is auditable, secure, and reversible under defined conditions. Understanding this framework is essential, because every troubleshooting scenario, every failed activation, and every profile conflict traces back to a specific stage in this lifecycle.

Profile Creation: Born Inside a Secure Server

An eSIM profile begins its life not on a device, but inside the hardened infrastructure of an SM-DP+ server operated by the carrier or a trusted third-party vendor. Profile creation is a cryptographic process that bundles together a unique ICCID (Integrated Circuit Card Identifier), one or more IMSIs (International Mobile Subscriber Identities), authentication keys derived from the operator's Ki (root authentication key), OTA (Over-The-Air) update keys, and the file system structure that defines how the profile behaves. The profile is encrypted using keys that only the target eUICC can decrypt — a security property enforced by the eUICC's embedded root certificate from the EUM. This means that even if a profile is intercepted in transit, it is cryptographically useless to an attacker. The carrier also defines Profile Policy Rules (PPR) at this stage, which govern whether the profile can be disabled, deleted, or overridden by the end user. For example, a carrier may set a policy that prevents deletion of an active profile without first contacting customer support — a rule that has sparked regulatory debate in multiple jurisdictions. Once created, the profile sits dormant on the SM-DP+, waiting for a matching request from a device. Critically, profiles are not pre-allocated indefinitely; carriers typically generate them on-demand or in small batches tied to specific activation requests, which is why some eSIM activations experience delays if the SM-DP+ provisioning pipeline is overloaded.

Delivery and Installation: The Digital Handoff

The journey from server to secure element is the most complex stage of the eSIM lifecycle, involving multiple protocols and fallback mechanisms. There are two primary delivery models: push and pull. In the pull model — the most common for consumer eSIMs — the user initiates activation by scanning a QR code that contains a matching ID and the SM-DP+ address. The LPA on the device contacts the SM-DP+ directly, performs mutual authentication using the eUICC's certificate chain, and downloads the encrypted profile package over HTTPS. In the push model, often used for M2M and enterprise deployments, the SM-DP+ initiates the transfer via the SM-DS, which sends a wake-up notification to the device. The device then pulls the profile from the SM-DP+ at its convenience. During installation, the LPA passes the encrypted profile to the eUICC through the ISO 7816 interface. The eUICC decrypts and validates the profile using its hardware-rooted keys, then allocates a dedicated security domain — an isolated container within the chip — for the new profile. This installation process typically takes between 20 and 90 seconds depending on profile size and network conditions. A common failure point is the SM-DS lookup: if the SM-DS address is misconfigured or unreachable, push notifications silently fail, leaving the user wondering why their eSIM never arrived. This is why many carriers now favor the QR code pull model — it gives users immediate visual feedback and eliminates the SM-DS as a single point of failure.
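
The QR code in the pull model carries a short text string that the LPA must parse before it contacts any server. The following is an added example, not code from this guide or from any carrier: a strict parser for the `LPA:1$<SM-DP+ address>$<matching ID>` activation code layout used with SGP.22, where the field rules are this example's assumptions and the sample values in the comments are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(_LABEL + r"(?:\." + _LABEL + r")+")  # at least two labels
_MATCHING_ID = re.compile(r"[A-Z0-9-]*")  # assumed charset; may be empty
_OID = re.compile(r"\d+(?:\.\d+)+")       # dotted-decimal object identifier


@dataclass(frozen=True)
class ActivationCode:
    smdp_address: str
    matching_id: str
    smdp_oid: Optional[str]
    confirmation_required: bool


def parse_activation_code(qr_text: str) -> ActivationCode:
    """Parse and validate the text decoded from an eSIM QR code.

    Constructed sample input: 'LPA:1$smdp.example.com$ABC-123'
    """
    text = qr_text.strip()
    if not text.startswith("LPA:"):
        raise ValueError("missing LPA: prefix")
    fields = text[4:].split("$")
    if not 3 <= len(fields) <= 5:
        raise ValueError("expected 3 to 5 '$'-separated fields")
    fmt, address, matching_id = fields[:3]
    oid = fields[3] if len(fields) > 3 and fields[3] else None
    flag = fields[4] if len(fields) > 4 else ""
    if fmt != "1":
        raise ValueError("unsupported activation code format")
    # Accept only a bare host name: no scheme, port, path or userinfo, so a
    # crafted QR code cannot steer the LPA to an arbitrary URL.
    if len(address) > 253 or not _FQDN.fullmatch(address):
        raise ValueError("SM-DP+ address is not a bare FQDN")
    if not _MATCHING_ID.fullmatch(matching_id):
        raise ValueError("matching ID has characters outside A-Z, 0-9, '-'")
    if oid is not None and not _OID.fullmatch(oid):
        raise ValueError("SM-DP+ OID is not dotted-decimal")
    if flag not in ("", "1"):
        raise ValueError("confirmation flag must be absent or '1'")
    return ActivationCode(address.lower(), matching_id, oid, flag == "1")
```

Parsing only establishes that the string is well formed; trust in the server still comes from the mutual authentication the LPA and SM-DP+ perform afterwards.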

Active Life: State Transitions and Profile Management

Once installed, an eSIM profile can exist in one of several states defined by the GSMA: Disabled, Enabled, or (in some implementations) Suspended. The Enabled state means the profile is actively registered on a mobile network and consuming radio resources. The Disabled state keeps the profile stored on the eUICC but disconnects it from the network — useful for travelers who want to pause a local plan without deleting it. The eUICC on most consumer devices can store multiple profiles simultaneously (typically 8 to 12, depending on available memory), but only one — or two on dual-SIM devices — can be Enabled at any given moment. Profile switching, the act of toggling which profile is Enabled, is handled entirely by the LPA and does not require network communication — it is a local operation that completes in under a second. This is fundamentally different from physical SIM swapping, which requires mechanical access to the SIM tray. Profile management also includes OTA updates, where the carrier pushes updated network parameters, refreshed authentication vectors, or new roaming agreements to the profile without re-downloading it. These updates are cryptographically signed and processed by the profile's own security domain. However, not all profiles support OTA updates; some budget travel eSIMs are shipped as static profiles with fixed parameters, meaning they cannot adapt to network changes and may stop working if the underlying carrier reconfigures its infrastructure.
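
The state rules above, together with the Profile Policy Rules set at creation, can be expressed as a small state machine. This is an added example, not code from this guide or from any eUICC vendor: a toy model of a single-active-profile eUICC in which the class, the result strings and the `no_disable` / `no_delete` flags are hypothetical names, and which assumes new profiles start Disabled and must be Disabled before deletion.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    iccid: str
    enabled: bool = False
    no_disable: bool = False  # hypothetical policy flag: may not be disabled
    no_delete: bool = False   # hypothetical policy flag: may not be deleted


class EuiccModel:
    """Toy single-active-profile eUICC; not a real LPA or eUICC API."""

    def __init__(self, capacity=8):
        self.capacity = capacity
        self.profiles = {}  # iccid -> Profile

    def install(self, profile):
        if len(self.profiles) >= self.capacity:
            return "no_space"
        profile.enabled = False  # assumption: new profiles start Disabled
        self.profiles[profile.iccid] = profile
        return "ok"

    def enable(self, iccid):
        target = self.profiles.get(iccid)
        if target is None or target.enabled:
            return "not_found" if target is None else "not_disabled"
        current = next((p for p in self.profiles.values() if p.enabled), None)
        if current is not None:
            # Switching implicitly disables the active profile, so its policy applies.
            if current.no_disable:
                return "blocked_by_policy"
            current.enabled = False
        target.enabled = True
        return "ok"

    def delete(self, iccid):
        p = self.profiles.get(iccid)
        if p is None or p.enabled:
            return "not_found" if p is None else "not_disabled"
        if p.no_delete:
            return "blocked_by_policy"
        del self.profiles[iccid]  # local only; carrier-side records are separate
        return "ok"
```

Every transition here is decided locally from stored state and policy flags, which is why switching needs no network round trip and why a policy-locked profile can block both a switch and a deletion.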

Deletion and Beyond: What Happens When a Profile Dies

Profile deletion is the final, irreversible stage of the eSIM lifecycle — and it is more nuanced than most users realize. When a user deletes a profile through their device settings, the LPA sends a deletion command to the eUICC, which cryptographically erases the profile's security domain and frees its allocated memory. However, the carrier-side state does not always synchronize. The profile's ICCID and associated IMSI may linger in the carrier's HLR/HSS (Home Location Register / Home Subscriber Server) for days or weeks before being fully de-provisioned — a gap that can cause activation failures if the user attempts to re-download the same profile before the carrier has released it. Some carriers implement automatic cleanup timers; others require manual intervention. From a security standpoint, profile deletion is designed to be cryptographically complete: the eUICC's hardware security module ensures that deleted keys cannot be reconstructed, even through physical chip analysis. This is a significant improvement over physical SIM cards, where forensic recovery of deleted authentication data has been demonstrated in laboratory settings. For users, the practical takeaway is clear: before deleting a travel eSIM you might want to reuse, download a backup QR code or confirmation email if the carrier offers it. Once deleted from the eUICC, the profile is gone forever — and unlike a physical SIM card you can tuck into a drawer, there is no digital equivalent of a drawer for eSIM profiles.