What is eUICC? The Technology Behind eSIM

“eSIM” is the feature users see. eUICC is the secure SIM capability underneath that makes remote downloads and switching of mobile subscriptions possible.

This article explains what eUICC is, how remote provisioning works (consumer vs IoT), what form factors exist (embedded, removable, iSIM), and what to look for when choosing an eUICC ecosystem.

eUICC definition

eUICC stands for embedded Universal Integrated Circuit Card and, in practice, refers to a UICC that supports GSMA Remote SIM Provisioning (RSP).

Important nuance: eUICC is not only “a chip soldered to the board.” In consumer devices it is commonly an embedded secure element, but eUICC capability can also appear in:

• Removable form factors (traditional SIM sizes that still support remote provisioning)
• Integrated SIM (iSIM) implementations, where SIM functionality is integrated into a chipset/SoC

What makes something “eUICC” is the RSP capability and security model, not the physical shape alone.

eUICC vs eSIM: why the terms get mixed up

People use “eSIM” to mean several things. A practical way to separate them:

• eUICC: the secure element (hardware + OS + security domains) that can store and manage multiple subscription profiles.
• eSIM (as users experience it): the end-to-end system — eUICC + carrier profiles + the remote provisioning infrastructure + device software flow that installs and activates a profile.

When someone “activates an eSIM,” they are usually downloading and installing a carrier profile onto the eUICC.

How remote SIM provisioning works (consumer devices)

Consumer RSP (GSMA SGP.22) is designed for devices with a screen and user interaction.

A simplified flow:

1. Carrier prepares a profile (credentials + operator apps/policies).
2. Profile is hosted on an SM‑DP+ (Subscription Manager – Data Preparation).
3. The device’s LPA (Local Profile Assistant) initiates download (often via QR code or carrier app).
4. Optionally, an SM‑DS (Discovery Server) helps discover the correct SM‑DP+.
5. The profile is downloaded, verified, installed, and then enabled on the eUICC.
6. The device can keep multiple profiles installed, but typically only one is active at a time.

eUICC building blocks (at a high level)

Most eUICCs include:

• Secure element: tamper‑resistant hardware that protects keys and executes sensitive operations.
• eUICC OS / platform: manages profile lifecycle, cryptography, and internal security domains.
• Profile security domains (e.g., ISD‑P): isolated containers for each operator profile.
• Device-side assistant (LPA/IPA): software that coordinates download/management (usually runs on the device OS; for IoT may be in the device or eUICC depending on architecture).

Profile capacity varies by eUICC memory, profile size, and device OS policy. It’s better to treat “how many profiles can be stored” as device/vendor‑specific rather than a fixed industry number.

Form factors: embedded, removable, and iSIM

eUICC capability can be delivered through several physical implementations:

Embedded (MFF2)

A soldered, machine‑mounted form factor widely used in phones, wearables, and IoT modules.
MFF2 dimensions are commonly referenced as 6 × 5 mm (spec-defined).

Removable eUICC (2FF/3FF/4FF)

A removable card (mini/micro/nano SIM sizes) that still supports eUICC/RSP. This can be useful for:

• transition periods (mixed device fleets)
• serviceability requirements
• devices where soldering is undesirable

iSIM (Integrated SIM)

SIM functionality integrated into a chipset/SoC (rather than a discrete secure element package). iSIM can help reduce board space and simplify manufacturing, especially in IoT and wearables. Implementations depend on chipset/platform capabilities and certification approach.

Consumer vs M2M vs IoT: which GSMA specs apply?

The eUICC in the device can be similar, but the provisioning model and actors differ.

Consumer RSP (SGP.22)

• Built for smartphones/tablets/wearables with user interaction.
• Uses SM‑DP+, SM‑DS, and device LPA.

M2M RSP (SGP.02)

• Earlier architecture used widely in traditional M2M deployments.
• Uses SM‑SR (Subscription Manager – Secure Routing) and SM‑DP (Data Preparation).

IoT RSP (SGP.31/SGP.32)

• Built for IoT devices that are UI‑constrained and/or network‑constrained.
• Introduces an eIM (eSIM IoT Manager) and an IPA (IoT Profile Assistant) concept, enabling lifecycle management at scale where a human is not present.

Security: what eUICC is designed to guarantee

eUICC security is intended to protect subscription credentials and prevent unauthorized profile operations.

Typical security properties include:

• Tamper‑resistant secure element design (risk‑based protections against physical and side‑channel attacks).
• Mutual authentication + encrypted channels for profile download and management.
• Profile isolation between operators (security domains).
• Code/data authenticity controls (only authorized, signed components are accepted/executed).
• Auditable operational security across the ecosystem (manufacturing + subscription management platforms), often demonstrated via certification and accreditation.

In practice, claims should be anchored in:

• Common Criteria / protection profiles (where applicable)
• GSMA Security Accreditation Scheme (SAS) for relevant sites and services (e.g., manufacturing and subscription management environments)

Leading eUICC ecosystem vendors (examples)

Below are well-known vendors in the eUICC ecosystem. Capabilities vary by segment (consumer/IoT/automotive) and by which parts they supply (eUICC, RSP platform, secure elements, etc.).

• Thales (formerly Gemalto): eSIM/eUICC and management platform offerings; publicly states it has activated 200M+ eSIMs globally.
• Giesecke+Devrient (G+D): eSIM/eUICC products and RSP platforms; strong presence in security technology.
• IDEMIA: strong footprint in automotive connectivity and eSIM platforms; has publicly referenced managing 10M+ eSIMs in automotive contexts (example case studies).
• Kigen (Arm): focuses on eSIM/iSIM security and IoT enablement (eUICC and related platform components).
• STMicroelectronics / Infineon: major semiconductor suppliers of secure elements used in eUICC implementations.

Selection checklist (practical):

• Standards coverage (SGP.22 / SGP.02 / SGP.31–32 as relevant)
• Certification/accreditation posture (Common Criteria, GSMA SAS where applicable)
• Platform maturity (RSP/eIM operations, APIs, monitoring, lifecycle tooling)
• Regional support and operator ecosystem compatibility
• Long-term supply and lifecycle guarantees (especially for 10–15 year IoT deployments)

What’s next for eUICC

Common industry directions include:

• More IoT adoption of SGP.31/32 as fleets scale and devices remain “headless”.
• More eSIM-only designs in some consumer markets (reduced reliance on SIM trays).
• Growing iSIM adoption where space, cost, and power constraints matter.
• More automation and policy-driven connectivity (e.g., orchestration, fallback, compliance-focused management) rather than “swap a SIM”.

Sources and further reading

• GSMA Consumer RSP resources (SGP.22)
• GSMA M2M RSP architecture (SGP.02)
• GSMA eSIM IoT architecture and requirements (SGP.31) and eSIM IoT specification (SGP.32)
• ETSI TS 102 671 (MFF physical characteristics)
• Apple deployment guide on eSIM-only models in the US
• Vendor public statements and case studies (Thales, IDEMIA)