eSIM and Remote SIM Provisioning

How eSIM works: GSMA SGP.22, profiles, and migration.


The eSIM (embedded SIM) standard has fundamentally reshaped how mobile devices connect to networks. Instead of a removable physical SIM card, an eSIM is a soldered chip whose operator profile can be loaded, swapped, or deleted entirely over the air — a capability known as Remote SIM Provisioning (RSP). Governed by GSMA specifications (SGP.02 for M2M, SGP.22 for consumer devices), RSP allows a single hardware component to serve dozens of different operators across its lifetime.

Understanding RSP architecture is essential for device manufacturers, mobile operators, and enterprise IoT teams deploying connected hardware at scale.

RSP Architecture Overview

The GSMA RSP ecosystem separates duties across three logical entities:

| Entity | Role | Abbreviation |
|---|---|---|
| Subscription Manager — Data Preparation+ | Encrypts and packages operator profiles | SM-DP+ |
| Subscription Manager — Discovery Server | Routes devices to the correct SM-DP+ | SM-DS |
| Local Profile Assistant | On-device agent managing profile lifecycle | LPA |
| eUICC (eSIM chip) | Secure vault storing profiles | eUICC |

The SM-DP+ is the authoritative source for profile packages. It encrypts each profile with keys bound to a specific eUICC, so only that chip can decrypt and install the profile. The SM-DS acts as a lightweight notification service — it tells a device that a pending profile download is waiting at a particular SM-DP+, without itself holding any sensitive data.

The OTA channel (typically HTTPS or BIP) carries encrypted profile packages from SM-DP+ to device. The SIM Toolkit and iSIM architectures influence how the LPA surfaces profile management UI to the end user.

SM-DP+ and Profile Packaging

An operator profile is not simply a file — it is a hierarchical package containing:

  • Network authentication credentials (Ki, OPc)
  • IMSI and MSISDN assignments
  • Service enabler configuration
  • Operator branding assets

The SM-DP+ applies SCP03 session keys derived from the eUICC's ISD-P key hierarchy to wrap each profile. This ensures end-to-end confidentiality even if the transport layer is compromised.

Profile states managed by the LPA follow a defined lifecycle: Available → Installed → Enabled → Disabled → Deleted. Only one profile can be in the Enabled state at a time, though multiple profiles can be installed simultaneously — a major advantage for travellers and enterprise multi-SIM deployments.

Profile Management and Lifecycle

| Operation | Initiated By | Over-the-Air? |
|---|---|---|
| Profile Download | End user / MDM | Yes |
| Profile Enable | End user / LPA | Local + OTA notification |
| Profile Disable | End user / LPA | Local |
| Profile Delete | End user / operator | Local + OTA notification |
| Profile Audit | Operator / SM-DP+ | Yes |

Mobile Device Management (MDM) platforms can trigger profile operations silently in the background for enterprise deployments. The RSP protocol includes signed confirmation messages (Proof of Receipt) so the SM-DP+ knows a profile was successfully installed — critical for billing and audit trails.
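The lifecycle and the operations table above can be modelled as a small state machine that rejects out-of-order operations and keeps at most one profile Enabled. This is an added example, not code from the GSMA specifications or from this page; `ProfileStore`, `RULES`, the profile names, and the transitions marked as assumptions are illustrative.

```python
from enum import Enum
class State(Enum):
    AVAILABLE = "Available"
    INSTALLED = "Installed"
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    DELETED = "Deleted"

# operation -> (states it may start from, resulting state, queue OTA notification?)
# Assumptions: a Disabled profile can be re-enabled; an Installed one can be deleted.
RULES = {
    "download": ({State.AVAILABLE}, State.INSTALLED, False),
    "enable": ({State.INSTALLED, State.DISABLED}, State.ENABLED, True),
    "disable": ({State.ENABLED}, State.DISABLED, False),
    "delete": ({State.INSTALLED, State.DISABLED}, State.DELETED, True),
}

class ProfileStore:
    """Toy model of the profile table an LPA manages on one eUICC."""
    def __init__(self, available):
        self.state = {name: State.AVAILABLE for name in available}
        self.notifications = []  # pending OTA notifications, oldest first

    def apply(self, op, name):
        allowed_from, target, notify = RULES[op]
        current = self.state[name]
        if current not in allowed_from:
            raise ValueError(f"{op} rejected: {name} is {current.value}")
        if op == "enable":
            # Invariant: at most one Enabled profile. Assumption: enabling
            # implicitly disables whichever profile is currently Enabled.
            for other, st in self.state.items():
                if st is State.ENABLED:
                    self.state[other] = State.DISABLED
        self.state[name] = target
        if notify:
            self.notifications.append((op, name))
        return target

    def enabled(self):
        return [n for n, s in self.state.items() if s is State.ENABLED]

def demo():
    store = ProfileStore(["home-operator", "travel-operator"])  # constructed names
    for name in store.state:
        store.apply("download", name)
    store.apply("enable", "home-operator")
    store.apply("enable", "travel-operator")  # switches the active profile
    return store
```

Calling `demo()` leaves two installed profiles with only the second one Enabled; a `delete` on that profile raises until it has been disabled.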

Use the esim-checker to verify whether a device supports SGP.22 consumer RSP or the older SGP.02 M2M standard, and the cost-estimator to model subscription management costs at scale.

Consumer eSIM vs. M2M eSIM

| Dimension | Consumer (SGP.22) | M2M (SGP.02) |
|---|---|---|
| Profile switching | End-user self-service | Operator-initiated only |
| LPA location | On-device | Remote SM-SR |
| Primary use case | Smartphones, wearables | IoT sensors, vehicles |
| Profile UI | Native OS UI | No UI required |
| Typical activation | QR code or activation code | Pre-provisioned at factory |

Consumer eSIM relies on the device OS to present profile management UI (Apple iOS Settings, Android connectivity panel). M2M eSIM uses a Subscription Manager — Secure Routing (SM-SR) node to push profiles to unattended devices — such as industrial meters or automotive telematics units.

For deeper background on the secure element underpinning both variants, see the Secure Element Guide and the SIM Evolution Guide.

Frequently Asked Questions

An eSIM (embedded SIM) is a programmable SIM chip soldered directly onto a device's circuit board, replacing the removable SIM tray. Unlike physical SIM cards that store a single operator profile in hardware, an eSIM can hold multiple operator profiles simultaneously and switch between them over-the-air without a physical card swap. The GSMA SGP.02 and SGP.22 specifications govern M2M and consumer eSIM architectures respectively.

Remote SIM Provisioning (RSP) is the GSMA-defined process for delivering and activating operator profiles onto an eSIM over a secure IP connection. For consumer devices (SGP.22), the flow involves the Subscription Manager – Discovery Server (SM-DS), Subscription Manager – Data Preparation (SM-DP+), and the device's Local Profile Assistant (LPA). The LPA discovers the SM-DP+, authenticates using certificate chains, and downloads the encrypted profile package into the eUICC secure element.

An eUICC (embedded Universal Integrated Circuit Card) is the secure element hardware that hosts eSIM profiles. It must be certified under the GSMA Security Accreditation Scheme (SAS-UP for Up Personalization, SAS-SM for Subscription Management), which builds on Common Criteria EAL4+ or higher. The eUICC contains the ISD-R (Issuer Security Domain Root) which controls profile lifecycle, and ISD-P domains that isolate each operator profile cryptographically.

An eSIM is a dedicated chip package soldered to the device board but physically separate from the application processor. An iSIM (integrated SIM) integrates the SIM functionality directly into the main SoC (System-on-Chip) die, reducing board space and power consumption further. Both implement the same GSMA eUICC specifications and RSP protocols; the distinction is purely at the silicon packaging level. iSIM adoption is growing in IoT and wearable devices.

Our guides cover a range of experience levels. Getting Started guides introduce smart card fundamentals. Security guides address Common Criteria certification and key management. Programming guides target developers working with APDU commands, JavaCard applets, and GlobalPlatform card management.