
Inside eSIM: Remote Provisioning and the GSMA SGP Standards

TravelGo 2026-05-26

The GSMA SGP Architecture

eSIM technology is governed by the GSMA's SGP (SIM Global Platform) standards. The two most critical specifications are SGP.22 for consumer devices and SGP.02 for machine-to-machine applications. SGP.22 defines the Remote SIM Provisioning (RSP) architecture, which includes key components like the SM-DP+ (Subscription Manager Data Preparation), SM-DS (Discovery Server), and the eUICC (embedded Universal Integrated Circuit Card). The eUICC is the hardware chip soldered onto the device motherboard, capable of securely storing multiple operator profiles. Unlike removable SIM cards, the eUICC can be managed entirely over the air, allowing users to download, enable, disable, and delete operator profiles without physical access to the device.

How Remote SIM Provisioning Works

Remote provisioning begins when a user scans a QR code or taps an activation link provided by their carrier. This action triggers the device's Local Profile Assistant (LPA) to contact the SM-DP+ server. The SM-DP+ prepares a personalized profile containing the IMSI, authentication keys, and network parameters, then encrypts it using the eUICC's public key. The encrypted profile is delivered over a secure HTTPS session and installed into an isolated security domain on the eUICC called an Issuer Security Domain (ISD-P). Each profile occupies its own ISD-P, ensuring complete separation between profiles. The entire download process can complete in under a minute, and once installed, the profile behaves exactly like a physical SIM.

Certificates and the Chain of Trust

eSIM security relies on a Public Key Infrastructure (PKI) with a rigorous chain of trust. At the root is the GSMA Certificate Issuer (CI), which signs certificates for entities like SM-DP+ servers and eUICC manufacturers. Each eUICC is factory-loaded with a unique private key and a corresponding certificate signed by the CI, binding the chip's public key to its EID (eUICC ID). During provisioning, the SM-DP+ verifies the eUICC's certificate against the CI root, while the eUICC authenticates the SM-DP+ using its own certificate chain. This mutual authentication ensures that profiles are only delivered to genuine, certified hardware and only from authorized provisioning servers, effectively eliminating SIM cloning and unauthorized profile interception.
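
The check each side performs can be sketched in Go. This is an added example, not code from the GSMA specifications or any vendor: it follows the simplified model above (one CI root signing each party directly), and the names `issue` and `authenticate`, the certificate subjects, and the use of Ed25519 as a stand-in signature algorithm are all assumptions. It shows that a valid chain alone is not enough, because certificates are public; the peer must also sign a fresh challenge with the certified private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn (constructed names and keys). With parent == nil
// it is a self-signed CA standing in for the CI root; otherwise a leaf signed by parentKey.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// authenticate accepts a peer only if its certificate chains to the trusted root
// AND sig is a signature over our fresh challenge made with the certified key.
func authenticate(root, cert *x509.Certificate, challenge, sig []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	ci, ciKey := issue("Constructed CI root", nil, nil)
	euicc, euiccKey := issue("Constructed eUICC", ci, ciKey)
	nonce := []byte("server-challenge")
	fmt.Println(authenticate(ci, euicc, nonce, ed25519.Sign(euiccKey, nonce)))
}
```

In a mutual exchange the same function runs in both directions: the SM-DP+ calls it on the eUICC's certificate and signature, and the eUICC calls it on the SM-DP+'s.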

Consumer Impact and Future Evolution

For consumers, the SGP standards mean seamless carrier switching without waiting for physical SIM delivery, and the ability to store multiple profiles on a single device—ideal for travelers using local data plans alongside their home number. The GSMA is actively evolving these standards: SGP.32 introduces enhancements for IoT devices with constrained power and bandwidth, while future iterations aim to simplify the user experience further by eliminating QR codes in favor of fully server-driven activation. As eSIM adoption grows across smartphones, tablets, wearables, and laptops, the SGP framework provides the robust, interoperable foundation needed for a truly SIM-less world, where connectivity becomes an entirely digital, on-demand service.