The cellular network's final point of direct control over a connected device has long been the SIM card. That boundary is dissolving into OEM software stacks, and the trust it used to anchor is moving with it.
"The SIM card is the last piece of technology still controlled by the mobile network… The network effectively terminates at that root of trust," G+D Mobile Security CEO Philipp Schulte told EE Times. His argument: the physical SIM (pSIM) already functions as a hardware root of trust for the device. eSIM changes the form factor and operating model, but the underlying security role is preserved. Provisioning moves to the device maker.
GSMA's SGP.32 specification, finalized in 2023, is a remote SIM provisioning architecture designed primarily for headless M2M and IoT applications. The specification draws from the SGP.22 consumer architecture with modifications for IoT device categories. Operators still issue profiles, but activation, profile management, and policy logic can sit inside the OEM's own cloud.
G+D is the first vendor to ship a certified product on that architecture. In April 2025, the company received GSMA eSIM compliance and certification for an IoT eUICC, the embedded universal integrated circuit card that holds operator profiles on the device side. The certification is the gating step for any device maker that wants to ship SGP.32-capable hardware without building the eUICC stack in-house.
Two follow-on moves push the same trust layer into the cloud. G+D and AWS are collaborating on cloud-based remote eSIM provisioning for consumer and IoT fleets, and G+D has integrated the first SGP.32 eSIM into Amazon's eero Signal mesh router. That puts a programmable cellular identity inside a consumer mesh router that, until recently, would not have shipped with cellular at all.
The demand driver is not the smartphone. Schulte frames eSIM adoption around connected infrastructure: industrial IoT, automotive telematics, smart-home and enterprise gateways, and the long tail of devices that need authenticated connectivity for software updates and remote device management. For those categories, the question is not whether the device has a SIM but who provisions and trusts it over a long operational life.
Owning the trust anchor changes the procurement calculus. Instead of inheriting whatever SIM and provisioning the mobile operator pre-installs, the OEM now selects the eUICC vendor and runs profile management in its own cloud. In G+D's framing, that moves the SIM from "subscriber identity" to "device trust," from a token the carrier issues to a credential the device OEM owns and rotates. Cellular connectivity becomes a software feature the device maker controls end-to-end, sitting alongside firmware signing, secure boot, and over-the-air updates.
Two qualifications. SGP.32 is recent, and operator support for SM-DP+ (the subscription management platform that delivers profiles to the device) is uneven across regions. Independent measurement of eSIM-as-root-of-trust deployment scale is not yet public; G+D's first-mover certifications are vendor-authored claims of capability, not audited market share. Watch item: when the first automotive OEM ships SGP.32 as the production telematics trust anchor rather than a fallback.