The basics: three terms, one evolution

If you have followed the shift from removable SIM cards to embedded connectivity, you will have encountered three terms that are often used interchangeably but can mean quite different things.

eSIM has two meanings in practice. The GSMA uses eSIM to describe the complete remote SIM provisioning capability that allows operator profiles to be downloaded, switched, and managed over the air. The industry also uses eSIM to refer to the embedded SIM form factor (typically the MFF2 package), a SIM soldered onto the device’s circuit board rather than inserted as a removable card. Both usages are common, so context matters.

eUICC (embedded Universal Integrated Circuit Card) is the secure UICC platform that delivers the eSIM capability. It can securely store multiple operator profiles and manage their lifecycle: download, install, enable, disable, and delete. An eUICC can be implemented in any SIM form factor, including removable cards, but it is most commonly associated with soldered embedded SIMs. The eUICC is what makes GSMA Remote SIM Provisioning (RSP) models possible.

iSIM takes this a step further by integrating eUICC functionality into a secure hardware subsystem within the device’s System-on-Chip (SoC). Instead of a separate component, the SIM capability sits inside a dedicated secure area of the chipset called an Integrated Tamper-Resistant Element, or Integrated TRE. This can reduce board space, simplify manufacturing, and potentially lower power consumption, although commercial availability is still at an early stage.

Why IoT eSIM is different

For consumer devices like smartphones and tablets, eSIM is already well established. But for IoT, the picture is different. Many IoT devices have no screen, no user interface, and no human operator to scan a QR code. They may be deployed in the thousands, across multiple countries, and expected to run for a decade or more on battery power.

That is why the GSMA developed a dedicated IoT provisioning standard called SGP.32. Published in its current form (v1.2) in June 2024, SGP.32 introduces a server-managed model where an eIM (eSIM IoT Remote Manager) orchestrates profile management decisions, and an IPA (IoT Profile Assistant), hosted either in the device or in the eUICC depending on implementation, carries out the required interactions. This removes the dependency on a user-facing interface for many IoT provisioning workflows, and supports IP-based communication models better suited to constrained IoT deployments, including devices using technologies such as NB-IoT and LTE-M.

Factory provisioning: connectivity before deployment

A related development is In-Factory Profile Provisioning (IFPP), defined by the GSMA’s SGP.41 standard (published February 2025). IFPP allows operator profiles to be loaded onto eUICCs during device manufacturing, so devices can potentially connect to a network as soon as they are powered on in the field. This can reduce first-boot OTA provisioning overhead, which may be significant for battery-powered devices targeting long operational lifetimes.

The corresponding technical specification, SGP.42, has not yet appeared in the current GSMA released specification set, so implementation planning should be based on the published SGP.41 architecture and vendor-specific readiness evidence.

Security and compliance

Security is central to the eSIM ecosystem. For GSMA-compliant eUICC products, security evaluation is based on defined protection profiles and Common Criteria-based assurance routes. The GSMA eUICC Security Assurance (eSA) framework provides structured certification methods for both discrete and integrated eUICC implementations.

For integrated eUICC (iSIM) implementations, GSMA certification is anchored in the Integrated TRE concept, evaluated under SGP.08 or SGP.18 methodologies depending on the protection profile. TEE-based approaches exist in the broader industry, but they are not the certification path described by GSMA for integrated eUICC compliance.

On the compliance side, SGP.24 v3.2.1 defines the formal compliance process for consumer eSIM products. For IoT, conformance testing is supported by the SGP.33 test specification family (with early IoT product declarations already underway), but there is no equivalent formal compliance declaration framework to SGP.24 for IoT RSP (SGP.31/SGP.32) products in the current GSMA released set, which is an important distinction for organisations planning SGP.32-based deployments.

Does every product need eSIM?

No. It depends on the product type, its intended use and its operational framework. The right connectivity architecture depends on the deployment context. Devices provisioned through managed installer channels, operating in stable single-operator environments, or deployed into estates with established connectivity workflows do not necessarily need the full OTA remote provisioning stack today.

eSIM and eUICC remote provisioning models add the most value where zero-touch deployment, dynamic operator switching, or global SKU simplification are genuine operational requirements. For existing deployed estates, no immediate migration is required. Current connectivity solutions remain reliable, supported, and fit for purpose throughout their operational lifecycle.

Where the market stands

Consumer eSIM is now firmly established and growing. For example, GSMA Intelligence reported 441 operators offering smartphone eSIM services across 123 countries as of June 2024, including MNOs, MVNOs and global roaming providers. Counterpoint Research forecasts over 9 billion xSIM-capable consumer devices (eSIM and iSIM) shipping between 2024 and 2030, with nearly 70% of cellular devices expected to support embedded SIM by the end of the decade.

IoT eSIM based on SGP.32 is still emerging: the technical baseline is published, vendor ecosystem activity is building, but broader deployment depends on interoperability evidence, operator enablement, and product readiness. The market is expected to grow, however, with Transforma Insights projecting IoT eUICC/RSP-capable connections to reach 2.36 billion by 2032.

iSIM remains earlier in the adoption curve. Juniper Research forecast installed iSIMs rising from 800,000 in 2024 to more than 10 million by 2026, with much larger growth possible later in the decade. These figures should be treated as directional because adoption depends on chipset availability, certification readiness and ecosystem support.

What to watch next

The key milestones to track are the publication status of SGP.42 (the IFPP technical specification), the pace of SGP.32 cross-vendor interoperability testing, and the evolution of the GSMA’s IoT compliance and certification landscape. For organisations designing new connected products, the decisions to make now are which GSMA provisioning model applies, whether your chipset and module vendors are aligned with SGP.32 v1.2, and whether factory provisioning via SGP.41 can reduce your deployment overhead.

CSL will continue to publish practical guidance as these standards and the surrounding ecosystem mature. For example, more detailed technical guides covering the GSMA standards landscape, IoT architecture options, compliance considerations and implementation planning will follow this article.

If you have questions about how eSIM, eUICC or iSIM technologies apply to your deployment, please contact CSL.

About CSL Group

With over 30 years of experience in critical communications, CSL supports secure, resilient IoT connectivity for mission-critical applications across fire, security, healthcare, retail, transport and logistics, public sector, utilities, and industrial IoT. CSL selects the optimal connectivity architecture for each product based on deployment model, installer workflow, operator landscape, and device lifecycle requirements.