What Is eSIM for IoT? A Practical Guide to Embedded SIM Technology
How embedded SIM technology differs from consumer eSIM - and the honest answer on when IoT deployments actually need eUICC.
eSIM is one of the most discussed – and most misunderstood – technologies in IoT connectivity. If you’ve looked into it, you’ve probably encountered a wall of acronyms (eUICC, RSP, SGP.02, SGP.32, SM-DP+, MFF2, iSIM) and marketing claims that make it sound like every IoT deployment should already be using eSIM.
The reality is more nuanced. eSIM technology is genuinely transformative for certain IoT use cases, but it is not a universal replacement for traditional SIM cards, and understanding what it actually does – versus what vendors claim it does – is essential before making procurement and deployment decisions.
This guide explains what eSIM means in the context of IoT, how it differs from consumer eSIM, the technical standards behind it, when it makes sense, and when it doesn’t.
Consumer eSIM and IoT eSIM Are Not the Same Thing
This is the single most important distinction, and it’s where most confusion starts.
When most people hear “eSIM”, they think of the technology in their iPhone or Samsung phone – scan a QR code, download a carrier profile, and you’re connected. That’s consumer eSIM, governed by the GSMA SGP.22 specification. It’s designed for devices with screens, user interaction, and app stores. The user drives the process.
IoT eSIM is a fundamentally different proposition. IoT devices – routers, sensors, meters, trackers, industrial gateways – typically have no screen, no user interface, and no human operator standing by to scan QR codes. They may be deployed in sealed enclosures, mounted on masts, buried underground, or installed in vehicles. They need to connect automatically, stay connected for years, and be managed remotely at scale.
The IoT eSIM standards (SGP.02 for M2M and the newer SGP.32 for IoT) are designed for exactly this scenario: remote, automated, fleet-scale management of connectivity profiles on devices that have no user interface and may have limited or intermittent network access.
Same underlying technology. Completely different operational model.
What eSIM Actually Means – Clearing Up the Terminology
The term “eSIM” is used loosely in the industry to mean several different things, and this causes real confusion. Here’s what the terms actually mean:
SIM
The Subscriber Identity Module – the function, not the plastic card. It’s the set of credentials (IMSI, authentication keys, network parameters) that identify a subscriber to a mobile network.
UICC
The Universal Integrated Circuit Card – the smart card platform that hosts the SIM application. This is what a traditional SIM card actually is: a UICC running a SIM application, locked to a single operator profile.
eUICC
The embedded Universal Integrated Circuit Card. This is a UICC enhanced with the ability to securely store, download, and switch between multiple operator profiles. The eUICC is the technology that enables remote provisioning – it’s the software capability, not the hardware form factor.
This is the critical point: eUICC is the capability. eSIM is the concept. They are not the same as MFF2.
MFF2
Machine Form Factor 2 – a tiny chip-scale package (approximately 5mm x 6mm) designed to be soldered directly onto a circuit board. This is a physical form factor, not a software capability. An MFF2 chip can have eUICC capability, but it doesn’t have to. And a standard removable nano SIM can have eUICC capability too.
iSIM
Integrated SIM – where the SIM functionality is built directly into the device’s system-on-chip (SoC) or modem, running in a secure partition alongside the main processor. This eliminates the need for a separate SIM chip entirely. iSIM is still emerging but represents the likely long-term direction for high-volume IoT devices.
The Practical Takeaway
When someone says “eSIM”, ask what they actually mean. Are they talking about the eUICC software capability (remote provisioning)? The MFF2 soldered form factor? Or both? The answer matters, because you can have one without the other:
- A removable nano SIM with eUICC = remote provisioning capability in a standard SIM tray
- A soldered MFF2 without eUICC = embedded hardware, but locked to one operator (just a small, permanently installed traditional SIM)
- A soldered MFF2 with eUICC = the full package – embedded, remotely provisionable, and physically resilient
For most IoT deployments, it’s the eUICC capability that delivers the value, regardless of the physical form factor.
How eUICC Works – Remote SIM Provisioning
The core value of eUICC is Remote SIM Provisioning (RSP) – the ability to manage operator profiles on a SIM without physically touching the device.
What a Profile Contains
Each operator profile stored on an eUICC contains the IMSI (International Mobile Subscriber Identity) that identifies the subscriber, authentication keys (Ki, OPc) for network authentication, network access credentials and APN configurations, operator-specific applets and file structures, and policy rules governing how the profile behaves.
Profiles are isolated from one another within the eUICC. One profile being active does not expose data from another. This isolation is enforced at the hardware level through secure domains defined by GlobalPlatform specifications.
The Profile Lifecycle
On a traditional SIM, the profile is burned in at manufacture and never changes. On an eUICC, profiles go through a defined lifecycle:
Download – A new profile is securely transferred to the eUICC over the air, encrypted end-to-end between the provisioning server and the secure element on the chip.
Install – The profile is unpacked and stored in its own isolated secure domain on the eUICC.
Enable – The profile becomes the active subscription. The device authenticates on the mobile network using this profile’s credentials.
Disable – The profile is deactivated but remains stored on the eUICC. It can be re-enabled later.
Delete – The profile is permanently removed from the eUICC, freeing space for a new one.
This lifecycle can be managed entirely remotely – no physical access to the device, no SIM swap, no engineer visit. For a device deployed on top of a wind turbine, inside a sealed utility cabinet, or embedded in a vehicle dashboard, this is transformative.
Bootstrap Connectivity
A common question: how does the device download a profile if it doesn’t have connectivity yet?
The answer is the bootstrap profile. An eUICC is typically manufactured with a bootstrap profile pre-installed – a basic connectivity profile that provides enough network access to reach the provisioning server and download the operational profile. Think of it as a temporary key that gets you in the door so you can collect the real key.
Some deployments use the bootstrap profile only for initial provisioning, then disable it. Others maintain it as a fallback in case the operational profile needs to be replaced.
The IoT eSIM Standards: SGP.02 vs SGP.32
The GSMA defines two distinct standards for IoT/M2M eSIM, and understanding the difference matters if you’re specifying hardware or choosing a connectivity provider.
SGP.02 – The Original M2M Standard
SGP.02 was the first remote SIM provisioning standard, designed primarily for automotive and industrial M2M applications. It works, and it’s been deployed successfully in millions of connected cars and industrial devices. But it has limitations that make it challenging for broader IoT adoption.
The architecture relies on an SM-SR (Subscription Manager Secure Routing) server that must be configured at eUICC manufacturing time. This creates a binding between the eUICC and a specific SM-SR, which complicates multi-vendor deployments and limits flexibility. Changing the SM-SR after deployment is technically possible but operationally complex.
SGP.02 also assumes relatively capable devices with reliable, always-on broadband connectivity – fine for cars and industrial gateways, less suited to battery-powered sensors on NB-IoT with intermittent connectivity.
SGP.32 – The New IoT Standard
Released by the GSMA in 2023, SGP.32 is specifically designed for the realities of IoT deployment. It addresses the limitations of SGP.02 by introducing a more flexible, scalable architecture.
The key innovation is the eIM (eSIM IoT Remote Manager) – a centralised management platform that can control profiles across entire fleets of devices without the rigid SM-SR binding of SGP.02. The eIM can trigger profile downloads, enable, disable, and delete profiles remotely, and manage devices that may have limited connectivity or no user interface.
SGP.32 also introduces the IPA (IoT Profile Assistant) – a lightweight client that can run either on the device itself or directly on the eUICC. This is significant because it means SGP.32 can work on devices that have no host processor capable of running complex provisioning software. The eUICC handles it internally.
Other improvements include support for lightweight protocols (CoAP/UDP for LPWAN devices alongside HTTP/TCP for broadband), better handling of intermittent connectivity (if a profile download fails mid-way, it can resume rather than restart), and interoperability between different provisioning servers (any GSMA-certified SM-DP+ can provision any SGP.32 eUICC).
Which Standard Matters for Your Deployment?
If you’re deploying cellular routers (Teltonika, Cradlepoint, etc.) or industrial gateways with reliable 4G/5G connectivity, either standard works in practice. The router has sufficient processing power and connectivity to handle provisioning under either architecture.
If you’re deploying LPWAN devices (NB-IoT, LTE-M) with constrained power and connectivity, SGP.32 is the better fit – it’s designed specifically for these scenarios.
If you’re specifying hardware today for deployments that need to last 10+ years, SGP.32 provides better future-proofing due to its more flexible architecture and growing ecosystem support.
In practice, many UK IoT connectivity providers abstract the standard away – you interact with their management platform, and they handle the underlying provisioning architecture. But understanding the distinction helps you ask better questions when evaluating providers.
eSIM vs Multi-IMSI: When Do You Actually Need eUICC?
This is the practical question that most vendor-driven content avoids, because the answer is sometimes “you don’t”.
Multi-IMSI SIM cards – which store multiple operator profiles using a SIM applet rather than eUICC – achieve many of the same outcomes as eSIM for common IoT deployments. A multi-IMSI SIM can switch between networks (EE, Vodafone, Three, O2 in the UK), appear as a native subscriber on each, and provide network resilience without any remote provisioning infrastructure.
So when does eUICC actually add value over multi-IMSI?
Where eUICC Wins
Changing operator after deployment. If you deploy 5,000 devices and your connectivity provider’s pricing becomes uncompetitive three years later, eUICC lets you switch to a different provider without touching any hardware. With multi-IMSI, you’re locked to whichever profiles were loaded at manufacture.
Network technology transitions. If a mobile network sunsets a technology (as happened with 3G), eUICC allows the profile to be updated to support the new network parameters. A traditional SIM – even a multi-IMSI one – may not survive a fundamental network change.
Global deployment with unknown destinations. If you manufacture devices in one country and ship them worldwide without knowing the final destination at manufacturing time, eUICC lets you provision the appropriate local profile after deployment. Multi-IMSI requires you to pre-load profiles for every possible destination.
Regulatory compliance. Some countries restrict permanent roaming. eUICC solves this by downloading a genuinely local profile when the device arrives in-country, rather than relying on roaming or multi-IMSI workarounds.
Single SKU manufacturing. Device manufacturers benefit from building one hardware SKU with eUICC and provisioning connectivity later, rather than managing multiple SKUs with different SIM cards for different markets.
Where Multi-IMSI Is Sufficient
Fixed UK deployments. If your devices are deployed in the UK and staying in the UK, a multi-IMSI SIM with profiles for the four major UK networks provides excellent resilience without the complexity and cost of eUICC infrastructure.
Short-to-medium deployment lifecycles. If devices will be in the field for 3-5 years and your connectivity provider is stable, the operator-switching benefit of eUICC may not justify the additional cost.
Cost-sensitive deployments. eUICC SIMs are more expensive than standard multi-IMSI SIMs, and the provisioning infrastructure adds complexity. For large deployments where cost per device matters, multi-IMSI may deliver better value.
Existing infrastructure. If you already have thousands of devices deployed with multi-IMSI SIMs working well, there’s no compelling reason to switch to eUICC unless you’re hitting specific limitations.
The Honest Answer
For many UK IoT deployments today – particularly those using cellular routers for fixed-site connectivity (CCTV, BMS, utilities, industrial monitoring) – multi-IMSI provides the network resilience benefits that matter most, at lower cost and complexity than full eUICC.
eUICC becomes essential when you need operator flexibility over long device lifecycles, global deployment across multiple countries, or manufacturing simplicity through single-SKU production. The technology is genuinely transformative for those use cases – but it’s not universally necessary.
Form Factors: Choosing the Right Physical Package
The physical form factor of the SIM affects device design, environmental resilience, and long-term reliability.
Removable SIM Cards (2FF, 3FF, 4FF)
Standard removable SIMs – mini (2FF), micro (3FF), and nano (4FF) – are the most familiar and the simplest to work with. They slot into a SIM tray in the device and can be physically swapped.
For IoT, removable SIMs are perfectly suitable when the device is accessible for maintenance, the environment is relatively benign (indoor, temperature-controlled), and you want the flexibility to physically swap SIMs if needed. Most cellular routers (Teltonika RUT/RUTX series, Cradlepoint, Digi, etc.) use removable nano SIMs.
The downsides are vulnerability to vibration (the SIM can work loose in the tray), corrosion in harsh environments, potential for tampering or theft, and the mechanical SIM tray as a point of ingress for moisture and dust.
MFF2 Embedded SIM
The MFF2 form factor is soldered directly to the device’s circuit board during manufacture. It eliminates the SIM tray entirely, making the device more resistant to vibration, moisture, temperature extremes, and physical tampering.
MFF2 is the standard choice for devices that will be deployed in harsh environments (outdoor, industrial, automotive), sealed enclosures where physical SIM access is impractical, high-vibration applications (vehicles, machinery), and security-sensitive deployments where SIM theft is a concern.
The trade-off is that you cannot physically swap the SIM. If the MFF2 chip doesn’t have eUICC capability, you’re permanently locked to whatever operator profile was loaded at manufacture. This is why MFF2 and eUICC are so often paired together – the combination gives you physical resilience without sacrificing operator flexibility.
WLCSP (Wafer-Level Chip Scale Package)
Even smaller than MFF2, WLCSP packages are used in extremely space-constrained designs. They’re relevant for wearables, miniature sensors, and high-density IoT modules. For most router and gateway deployments, MFF2 is sufficient.
iSIM (Integrated SIM)
iSIM eliminates the separate SIM chip entirely by integrating the SIM functionality into the device’s main SoC or modem. This reduces component count, saves board space, lowers power consumption, and reduces manufacturing cost at scale.
iSIM is still in the early stages of commercial IoT deployment, but it represents the direction of travel for high-volume, cost-sensitive IoT devices. For current router and gateway deployments, it’s not yet a practical option, but it’s worth understanding as the technology matures.
Security Benefits of eSIM for IoT
Security is one of the strongest arguments for eSIM adoption in IoT, and it goes beyond the obvious “can’t steal the SIM” benefit of soldered form factors.
Hardware Root of Trust
An eUICC is a secure element – a tamper-resistant hardware component with its own processor, memory, and cryptographic capabilities. Authentication keys and subscriber credentials never leave the secure element. They cannot be extracted, copied, or read externally, even with physical access to the device.
This provides a hardware root of trust that traditional SIM cards also offer (SIM cards are secure elements too), but eUICC extends this with the ability to securely manage multiple profiles and receive new credentials over the air without exposing them during transfer.
Encrypted Provisioning
When a new profile is downloaded to an eUICC, the entire transfer is encrypted end-to-end between the SM-DP+ provisioning server and the secure element on the eUICC. The profile data is never visible to the device’s host processor, the network it’s travelling over, or any intermediary. Even if the download occurs over an untrusted network, the profile data remains protected.
Anti-Cloning and Anti-Tampering
eUICC technology includes protections against SIM cloning – a risk with some traditional SIM deployments where credentials could theoretically be duplicated. The eUICC’s secure element architecture makes cloning practically impossible, and the profile binding mechanisms ensure that profiles can only be installed on authorised eUICCs.
Reduced Physical Attack Surface
Soldered eSIMs (MFF2 form factor) remove the SIM tray – a physical access point that can be exploited for SIM theft, unauthorised SIM swapping, or physical tampering. For unattended IoT devices deployed in public or semi-public locations (street furniture, EV chargers, vending machines, outdoor CCTV), this is a meaningful security improvement.
Practical Deployment Considerations
Beyond the technology itself, there are practical considerations that affect whether eSIM is the right choice for your deployment.
Hardware Compatibility
Not all cellular routers and gateways support eUICC. The device’s modem and firmware must support the provisioning protocols. Most current-generation industrial routers from manufacturers like Teltonika support eUICC-enabled SIMs in their standard SIM tray – but you should confirm with the manufacturer before assuming compatibility.
Some newer devices include built-in MFF2 eSIM slots alongside traditional SIM trays, giving you the option to use either.
Connectivity Provider Ecosystem
eUICC only delivers value if your connectivity provider supports it. This means they need to operate or have access to SM-DP+ provisioning infrastructure, offer a management platform that supports remote profile lifecycle operations, and have commercial agreements with the operators whose profiles you need.
Not all UK IoT connectivity providers have mature eUICC capabilities. Some offer it as a premium service, others include it as standard. Evaluate this carefully during provider selection.
Cost Implications
eUICC SIMs typically cost more than standard SIMs – the secure element is more complex, the manufacturing process is more involved, and the provisioning infrastructure adds overhead. For small deployments, the per-SIM premium may be negligible. For fleets of thousands, it’s a meaningful line item.
However, the total cost of ownership calculation should include the cost of NOT having eUICC: truck rolls to swap SIMs, inability to change provider, risk of network technology obsolescence. For long-lifecycle deployments, eUICC often pays for itself through operational savings.
Profile Storage Limits
eUICC chips have limited storage – typically supporting 4-5 operator profiles simultaneously. This is usually sufficient for most deployments, but it’s a constraint worth understanding. If you need profiles for more networks than the eUICC can hold, profiles need to be downloaded and deleted dynamically rather than stored permanently.
The Future: Where IoT eSIM Is Heading
The IoT eSIM ecosystem is maturing rapidly. SGP.32 adoption is accelerating, with more hardware manufacturers and connectivity providers adding support through 2025 and 2026. iSIM is moving toward commercial viability for high-volume IoT devices. The GSMA is developing SGP.42, which will define profile types for non-terrestrial networks (satellite IoT) – enabling devices to roam between terrestrial 5G and satellite links.
Industry forecasts project that nearly 70% of cellular IoT devices shipped by 2030 will use eSIM or iSIM technology. Whether or not your current deployment needs eUICC today, understanding the technology positions you to make informed decisions as the ecosystem evolves.
Summary
eSIM for IoT is not the same as consumer eSIM. It is a connectivity architecture built around remote provisioning, long device lifecycles, fleet-scale management, and secure operation in unattended environments.
The key concepts to understand are that eUICC is the software capability that enables remote profile management – it can exist in any SIM form factor. MFF2 is the soldered chip form factor that provides physical resilience – it may or may not include eUICC. SGP.02 is the original M2M provisioning standard, while SGP.32 is the newer IoT-optimised standard. Multi-IMSI achieves network resilience through pre-loaded profiles without eUICC infrastructure, while eUICC achieves it through remotely downloadable profiles with greater long-term flexibility.
For UK deployments using cellular routers at fixed sites, multi-IMSI SIMs often provide sufficient network resilience at lower cost. eUICC becomes essential for global deployments, long lifecycle devices, single-SKU manufacturing, and scenarios requiring operator flexibility after deployment.
The technology is maturing, costs are falling, and ecosystem support is growing. Whether you adopt eUICC now or plan for it in future hardware specifications, understanding how it works – and how it differs from the marketing claims – is essential for making sound connectivity decisions.
For more resources relating to SGP.32 and eSIM please visit euicc.co.uk
Do you need IoT eSIM connectivity? – Read our Top Ten IoT eSIM Providers post.