What is an eUICC?
The eUICC, or embedded Universal Integrated Circuit Card, is the secure element at the heart of eSIM technology. It combines tamper-resistant hardware with an operating system that can store one or more operator profiles, and it exposes the standardised interfaces that allow those profiles to be downloaded, enabled, disabled and deleted remotely.
In practical terms, the eUICC is what turns a SIM from a fixed, single-operator credential into a managed platform. It supports multiple profiles held simultaneously, GSMA-compliant Remote SIM Provisioning (RSP) and secure credential storage, and it carries a globally unique identifier known as the EID.
What is an eSIM?
eSIM, short for embedded SIM, most precisely describes a form factor: a reflow-solderable SIM chip, typically supplied in the MFF2 package measuring 6 x 5 x 0.9 mm, fitted to a device’s circuit board during manufacture. It replaces the removable SIM tray, which reduces physical vulnerabilities and frees board space for smaller designs.
In common industry usage, eSIM has also become shorthand for the wider capability: an embedded SIM containing an eUICC that supports remote provisioning. That shorthand is often harmless in conversation, but it can create ambiguity in procurement, where the form factor, the secure element and the provisioning architecture each need to be specified in their own right.
The distinction in one sentence
eSIM describes the embedded form factor; the eUICC is the secure element inside it, and it is the eUICC, not the packaging, that enables Remote SIM Provisioning.
Where iSIM fits
iSIM, the integrated SIM, takes eUICC functionality and moves it from a separate SIM package into the device’s System-on-Chip, where it is implemented within secure hardware such as an Integrated Tamper-Resistant Element. Removing the separate package can reduce board area, power consumption and component cost, which is why iSIM attracts strong interest for high-volume and battery-constrained IoT designs.
From a standards perspective, an integrated eUICC is still an eUICC. The GSMA’s compliance framework includes dedicated security evaluation methodologies for integrated implementations (SGP.08 and SGP.18). In practice, this means integrated eUICC and iSIM
implementations can be assessed through certification pathways designed for their SoC based architecture, rather than treated simply as conventional removable or soldered SIM packages.
The GSMA standards behind eSIM and eUICC
The GSMA defines Remote SIM Provisioning through families of specifications, each pairing an architecture document with a technical specification.
Consumer devices. SGP.21 (architecture) and SGP.22 (technical specification) cover smartphones, tablets, wearables and other devices where the user drives profile download, typically by scanning a QR code handled by the device’s Local Profile Assistant (LPA). The
SGP.22 v3 release line added support for Multiple Enabled Profiles.
IoT devices. SGP.31 (architecture) and SGP.32 (technical specification) define eSIM IoT RSP for devices that are network constrained, user interface constrained, or both. SGP.32 reached version 1.2 in June 2024 and is the current GSMA IoT RSP technical baseline.
Earlier M2M deployments. The original M2M specifications, SGP.01 and SGP.02, remain in service across large deployed estates. For new IoT designs, the industry direction is SGP.32.
In-factory provisioning. SGP.41 v1.0, published in February 2025, defines the architecture for In-Factory Profile Provisioning (IFPP), which loads operator profiles during manufacture rather than over the air. As at publication, the companion technical specification, SGP.42, has not yet appeared in the GSMA released specification set and remains under development.
Compliance and certification. SGP.24 defines the GSMA RSP compliance process. Two version lines are active: the v3.x line for Consumer eSIM products, and the v2.6.x line, which covers declarations against both the Consumer v2.x specifications and the SGP.31/32 IoT branch. SGP.25 defines the eUICC Protection Profile that underpins security evaluation, and the SGP.33 series provides the IoT eUICC test specifications.
Why SGP.32 matters for IoT
SGP.32 exists because neither of the earlier models fully addressed the needs of constrained, unattended IoT devices. Consumer RSP assumes a person with a screen is present to approve each step, while the legacy M2M model depends on heavyweight platform integrations and SMS-based transport that sit poorly with modern low-power networks.
SGP.32 introduces two new components. The IoT Profile Assistant (IPA) sits on the device side and handles profile operations locally, while the eSIM IoT Remote Manager (eIM) sits on the server side and performs profile state management across a single device or an entire fleet. Communication runs over IP, with both HTTP/TLS and CoAP/DTLS transport bindings, so the architecture works on NB-IoT and LTE-M as well as broadband cellular.
The practical outcome is server-initiated provisioning suited to unattended devices, with fallback and emergency profile mechanisms built in, and operator switching that no longer requires integration between subscription management platforms.
What this means for your deployments
For greenfield IoT designs, specifying SGP.32-capable eUICCs is the forward-looking choice. It preserves operator flexibility for the life of the device and aligns with where the GSMA ecosystem, including the published SGP.33 test specifications, is investing.
For existing estates, the message is continuity. Deployed SIM estates remain reliable, supported, and fit for purpose throughout their operational lifecycle. Any move towards SGP.32 is a planning decision to take on your own timetable, typically aligned with natural hardware refresh cycles, rather than a forced response to the standards landscape.
Quick answers
Is an eUICC the same as an eSIM? No. eSIM describes the embedded form factor, while the eUICC is the secure element and operating system inside it that stores operator profiles and enables remote provisioning. Part of the confusion stems from the GSMA’s own use of eSIM throughout its specification names.
Can a removable SIM card contain an eUICC? Yes. The GSMA defines an eUICC product as a secure component in a discrete or integrated form factor that may be removable or non-removable. The defining feature is the remote provisioning capability, not the package.
What is SGP.32? SGP.32 is the GSMA technical specification for eSIM IoT Remote SIM Provisioning. Version 1.2, published in June 2024, is the current technical baseline and introduces the eIM and IPA components for managing profiles on constrained devices.
What is iSIM? iSIM integrates eUICC functionality into the device’s System-on-Chip within an Integrated Tamper-Resistant Element, removing the separate SIM package and reducing footprint, power consumption and component cost.
Where to go next
This article is a short introduction to a deep subject. For the full treatment, including architecture diagrams, certification pathways and deployment recommendations, read our eSIM, eUICC and iSIM Standards FAQ and guides.
If you are specifying connectivity for a new IoT product or planning the next step for an established SIM estate, CSL can help you assess the right eSIM, eUICC, iSIM and SGP.32 approach for your deployment.