How SGP.32 is reshaping IoT connectivity and security

Show Notes

In this episode of the Trending Tech podcast, host Satyajit Sinha, principal analyst at IoT Analytics, is joined by Giesecke+Devrient’s (G+D) David Hambling, head of connectivity business development for Asia Pacific, to unpack what the new SGP.32 eSIM specification really means for the Internet of Things (IoT). With IoT connections racing towards 39 billion by 2030, they explore why cellular is growing faster than the wider IoT market, how embedded SIM (eSIM) and integrated SIM (iSIM) adoption is accelerating, and why a ‘one-size-fits-all’ approach to connectivity is no longer realistic in today’s fragmented global landscape.

From GSMA-compliant SGP.32 and the role of the eIM, to in-factory provisioning (SGP.42), post-quantum security, automotive innovation and the rise of ‘born-connected’ devices, Satyajit and David explain how an end-to-end stack can deliver secure, scalable IoT connectivity for the next decade and what operators, OEMs and automotive manufacturers should be watching very closely over the next 24 months.

Transcript

[00:00:00] 

Satyajit Sinha: Hello everyone. Welcome to this Trending Tech podcast brought you by the team at IoT-Now.com and TechLedworld.com. My name is Satyajit Sinha, principal analyst at IoT Analytics.

I've been in IT market research for more than 12 years, focusing on IT hardware, connectivity and security. Today we have amazing guest David. David, can you introduce yourself? 

David Hambling: Thank you, Satyajit. Yes, I can. I'm David Hambling and I'm head of connectivity business development in Asia Pacific for G+D and I'm also the managing director for the Connectivity Hub in Hong Kong. G+D is a global security technology company and we've been creating confidence as a reliable partner for the last 170 years. This has been from delivering the first SIM card to now continuing to innovate and pioneer in the SIM technology space. So we're here to discuss secure and scalable IoT connectivity today.

So Satyajit, how fast is IoT connectivity growing and what is driving [00:01:00] it? 

Satyajit Sinha: So if you look at IoT connections, it has reached 18.6 billion mark by end of 2024, and it's growing at a rate of 12% year on year, and the total number of connections that we expect that it will reach is 39 billion by 2030 and at the CAGR of 14%.

This is very interesting because among these 18.6 billion connections, there are three key technologies basically driving these connections: Wi-Fi, Bluetooth and cellular. So among all the three technologies, cellular is something that we are pretty much interested in, but yes, these three technologies are driving the market.

David Hambling: Yeah, that's massive , but where does cellular and eSIM growth fit into that picture? 

Satyajit Sinha: Yeah, that's interesting. You know, if you see cellular connections are growing much faster than the overall IoT connection market, it is going at 15% CAGR and right now it accounts for 22% of connections, which is 4.1 billion by the end of 2024.

And if you look at the [00:02:00] eSIM adoption among these, the 32% of cellular IoT modules shipped in 2024 was eSIM or iSIM capable. And if you look at it from an install base or active connection perspective, 17% of cellular IoT connections are already eSIM and iSIM capable devices. And the driving options are obviously, you know, smaller form factor and security and all those things that are driving these things.

But if you see overall picture, cellular connectivity is going much faster than IoT connection market and eSIM is also having a much faster adoption rate within that penetration. 

David Hambling: Yeah, yeah, of course.

Satyajit Sinha: So David, what are the key challenges that we are seeing in the IoT connection landscape that you are seeing? 

David Hambling: Well, I think it's a little bit like what you've just said. I think it's the sheer quantity of devices out there and that causes, quite a few challenges. So it's, I think one is the technology on offer, whether it's NB-IoT, whether it's LTE-M, LTE Cat-1, LTE Cat-1 BIS.

So there's so much out there and I think it [00:03:00] starts to become very difficult to find a one size fits all global solution for that. I mean NB-IoT, for example, is not available in every country. LTE-M isn't available in every country either. And then you start looking at the regulatory landscape as well. There's permanent roaming restrictions in some places. And there's also, um, you've got devices that are using more and more data globally, and that becomes more of a commercial issue. But at the same time, you've got lots of devices which are using very little data globally, and that also becomes a commercial issue because they're quite resource intensive on the network.

So now we're seeing commercially, people are bringing access fees in addition to different technologies. So it's almost becoming more fragmented and from an Asia Pacific point of view, as I'm over here, you see that it's quite stark over here just because one country will have NB-IoT, one country doesn't, another country is bringing in access fees for low usage devices, and you've also got the added pressure of very cheap local pricing added into [00:04:00] that. So yeah, it's a change in commercial landscape and yeah, one size fits all is very difficult these days. 

Satyajit Sinha: So among these challenges, we see a solution as SGP.32.

So what is SGP.32 in simple terms? 

David Hambling: Well, in simple terms, it's the new eSIM specification that is focusing on IoT. It is for IoT and it's building on the great base of SGP.22, which was, in simple terms, for consumer devices. So SGP.32 removes the need for complicated integrations. It just makes eSIM very, very accessible for IoT devices and for the sheer range of IoT devices out there. 

Satyajit Sinha: So interestingly there is SGP.02, which is pure M2M, then as you said, SGP.22 consumer. Then why does the industry need an IoT- focused standard now? 

David Hambling: So if I think back, and I think I've been in IoT for quite a long time.

I think I remember the SGP.02 [00:05:00] standard being around, perhaps not in commercial use, but being around since around 2012 and from what you were talking about earlier and the growth of IoT, we're now 2025 going into 2026. With that, the IoT market has grown massively. There are so many more devices, there are new technologies, and we really needed to standardise and create a new standard for that. I think a lot of devices wanted to use SGP.22 for IoT. But there were some difficulties with that and therefore, SGP.32 was born out of that.

Satyajit Sinha: Interesting. And if I want to understand from a technical perspective that SGP.02 was pure M2M, which I knew it was based on push model, if I'm not wrong, right? And then SGP.32 came into the picture, which I think is a mix of more than push and pull model. What are the gaps that SGP.32 addresses right now, which SGP.02 didn't have before?

David Hambling: Yeah, so I mean, what's fascinating is once you start [00:06:00] to understand the difficulties, especially of SGP.02, you really start to see how smart SGP.32 is. So you are right, yeah. SGP.02, it was pushing, so you'd have a, a management portal, RSP, and you would push the profiles to the device, which was needed because these are headless devices. They don't have an interface. SGP.22 was around activation codes, QR codes. Very clever, very fast, but you're not able to scan the QR code most of the time on quite simple IoT devices. So, I think where then SGP.32 comes in is removing that barrier. It's allowing for mass deployment of profiles to devices, and also it's using the SGP.22 technology through the SM-DP+ to make the connectivity agnostic. So it's not SGP.02 was heavily reliant on integrations with operators, SM-DPs, and now this follows the same logic as SGP.22.

So, you don't have to have the [00:07:00] integration. You're contacting the SM-DP+ of the operator. You're downloading any connectivity profile from them. You don't need to have that integration.

Okay. What's very interesting. SGP.02 was quite difficult, especially for some simple devices and also devices like NB-IoT devices because some of them are battery operated, some of them are quite lightweight, and there was a necessity to make SGP.32 more accessible to devices that speak perhaps more lightweight communication protocols. So, SGP.02 also used SMS as well as a more clunky communication protocol, which is great for big devices, not battery powered, that can take a long download time of the profile, and they moved that into some kind of language translation and just brought out the accessibility to all IoT devices.

Satyajit Sinha: Interesting, and as you mentioned very clearly that SGP.02 required that SM-DP and SM-SR servers, and now we are [00:08:00] moving to SM-DP+ servers. It is interesting. But now we have LTE and eIM coming into the picture and want to understand how it sits with SM-DP+ architecture. 

David Hambling: Yeah, so I think it's still on the theme of accessibility. So all of these parts work in harmony to promote accessibility to all IoT devices.

So you've got the SM-DP+ which comes from the SGP.22 landscape, and then underneath that you've got the eIM, and what's massively interesting about the eIM is that what we needed to do when it came to making SGP.32 accessible to as many devices as possible was that we had to put the layer in the middle because we don't know exactly what's going to be on the devices.

So when you think about a mobile phone and SGP.22, what would be the eIM layer was within the device and on the mobile phone. There's a lot of mobile phone models out there, but there's a very small number compared to the massive number of IoT devices out there.

So you can't rely on the fact that the devices are [00:09:00] going to be able to do this management layer themselves, and so you need to centralise it, and we've centralised it in the eIM. And then you need to do what the LPA did in SGP.22, which is the IPAe and IPAd, and also in the vein of accessibility, we also know that not all devices are going to be able to build in the IPAd. Some devices won't really need to use remote management very much, and it's going to be more insurance. So what we do there is we put the IPAe on the eUICC on the SIM, and as I said, they all work together in harmony to make it more accessible.

You've got the IPAd or the device level, the eIM in the middle. eIM also does the language translation as it were to be able to get the profile from the SM-DP+, bring it down to the eIM, translate it, and then put it down to the device. 

Satyajit Sinha: Interesting, and yes, I mean SGP.32 was in the process of specification and as an analyst we see in the market, there were a lot of pre-standard coming into the picture from many of the [00:10:00] operators, uh, eSIM management players, but what's interesting is something that came earlier this year, news from you guys. It would be great if you can share that news, what happened in the SGP.32.

David Hambling: Yes, we were the first company to get the eUICC Security Assurance scheme compliance from the GSMA and also generally the eSIM compliance. And then after that, the first commercial deployment with eero. So, yeah, we're very proud of being able to get to that stage. I think it was two months after the specification was released.

So yeah, we worked very hard to get there and yeah, managed to move quite fast with that.

Satyajit Sinha: Interesting.

David Hambling: How important is security in IoT today, Satyajit, and what are the key challenges?

Satyajit Sinha: I mean, security has been a very important piece of technology for any new technology that we see in the market, and we didn't, even with the IoT, we are saying 18 billion, 18 billion devices being active. There is a always a concern of data security, hardware security, network security and the [00:11:00] cloud security because this data is going somewhere, right? So, there's a different layer of security required to protect the IoT ecosystem, and we have seen multiple challenges. We have seen a lot of ransomware attack, we've seen malware attack because most of the IoT devices are either not secured through hardware, generally traditionally secured through software mechanism, and there is no anchor of security within these hardware. And they're relying on the old technology of security. So there is a huge challenge that we are seeing in the market and obviously there are multiple solutions that is coming into the picture. You know, hardware, secure element, PUF technologies is coming into the picture, creating hardware root of trust, and that is making the securities much better than what we had before and going forward, we will have PQC (Post Quantum Security) as well in the picture. But right now, I mean, we are in a stage where security is still considered as a cost. Hence, it makes sense to attach security to a element , you have connectivity element as well, and then security [00:12:00] as well, and then eSIM’s comes to the picture that brings both the aspects of it so it's not an additional cost for the OEM to implement, it is basically a go-to factor that you should implement. I'm sure you have seen this implementation, but it'll be interesting to understand from you, how do eSIM and SGP.32 are enable strong security for IoT?

David Hambling: Yeah, so definitely security is a necessity in today's world, isn't it? And constant threats, you need to make things as secure as possible. So, I mean, what's been great about SGP.32 is the specification was designed and built with security as a priority. So the various different parts of the specification from the GSMA focusing on the security.

Also, I think when you look at just how the technology works, I think the fact that there's fewer integrations needed with exterior, external parties, that makes it by design more secure, and the level of encryption that's needed within the SGP.32 environment. I think from our point of view, it's using our secure [00:13:00] OS and being able to continue that use from the other previous specifications and continue using that in SGP.32 and just even from a physical point of view, I think these days we're moving in the direction of embedded SIMs, with the eSIM and iSIM, and that's just from a physical security layer, they can't be removed. So you need this SGP.32 technology in order to be able to manage these devices over their lifespan, whether it's 10, 15 years, and you need the security that comes in that. And I think SGP.32, it does a lot for reliability and also being able to secure your coverage with different profiles and that's needed as well from a device point of view to be able to download OTA updates when the security threats change new software onto the devices and you need secure, stable connectivity to be able to do that, and SGP.32 promotes that. 

Satyajit Sinha: Interesting. But beyond the security, what are the top benefits that we see in [00:14:00] SGP.32 implementations? 

David Hambling: So I think, yeah, we discussed it a little bit before. I think one of the main benefits I see is the lack of integration needed to be able to use different MNOs and connectivity partners' connectivity. You don't need to be connecting to everybody's RSP. Like SGP.22, you can contact the SM-DP+ and download the profile from there. And so it's scalability as well, and accessibility being able to put this out to, so all the devices out there.

I mean for my job just in Asia, the amount of devices that I see, the types of devices, and knowing that SGP.32 can reach all of those, and some of these have always been out of reach, to do updates remotely and just knowing that we can actually do that is very exciting.

So, yeah, scalability and then accessibility is catering for all types of devices and communication protocols.

So Satyajit, as an analyst, which applications do you expect to benefit first from SGP.32? 

Satyajit Sinha: I mean, IoT was the [00:15:00] default, right? So IoT was the first application we are seeing that is getting a lot of traction. I mean, there's IoT, agriculture, transportation and logistics. Ones where you need mobility was the first wave of adoption that we see. But apart from IoT, the interesting aspect was the automotive coming into the picture not just from a telematics perspective, but from an infotainment perspective.

We started to see that automotive getting a lot of traction for these technologies and especially in infotainment, and we expect also that going forward, that apart from IoT use cases, that generalised use cases, low band, IoT use cases, we will see a lot of adoption in automotive as well.

Three categories for eSIM will be the consumer, IoT and automotive. 

David Hambling: Yeah, yeah, definitely. I think especially for automotive. It always kind of bridged the gap, didn't it? Between SGP.02 and SGP.22, there was a consumer aspect, there's a machine aspect, and SGP.32 bridges that beautifully. It really feels like automotive will benefit from this new [00:16:00] specification and from the eCall point of view, that reliability for eCall and the priority involved there.

Satyajit Sinha: Okay. Makes sense. Makes sense. 

 David, just now to understand that how G+D is playing a key role with SGP.32. So from a solution perspective, wanted to understand that. 

David Hambling: Yes. Well we worked closely with the GSMA to create the specification, and then since then, we've been, I think, leading the way with PoCs We've had a lot of PoCs going out there, so we're really building the landscape and preparing the landscape for mass SGP.32 adoption. So I think a lot of OEMs or MNOs, device manufacturers and IoT players, I think they're champing at the bit to move forward with SGP.32. I think it answers a lot of the challenges that they've had in the past, so I think the PoCs have been really exciting because you see how eager people are to get this technology out in the field.

So with that, just helping the device manufacturers build this technology into their devices. If it's IPAd, for example, just getting people [00:17:00] ready for mass deployment. And we've also had some commercial use cases already, notably Amazon eero. So yeah, leading the way with that to push SGP.32 out to the world and get people remotely controlling their connectivity as soon as possible.

Satyajit Sinha: Interesting. I mean, just a few days ago I was pre creating this tech stack for eSIM Tech Stack and trying to allocate the OEMs, uh, with their eSIM features, and I saw that G+D is coming in all of the steps of that tech stack and that's very interesting. I want to understand from you what an end-to-end stack does mean for you and what it brings, the benefits and what it means for the G+D overall solution.

David Hambling: I think for our customers, the full stack means that they can use a reliable IoT partner for all parts of the IoT ecosystem. So from G+D's point of view, obviously we've got the SIM card side, the eUICC side up to the RSP, the device management. I mean, I work in the connectivity side.

What's really interesting for me is that we've got our library of [00:18:00] connectivity profiles that can be used as well. So we can be supplying the SM-DP+. We can be supplying the eIM. We can also supply the connectivity and it could just be to fill in the gaps for people. I mean, they could use their own connectivity worldwide and then where we might have something, say in Brazil, they don't have, and they need to access quickly and we can just download, we can give them our profile for that. So yeah, the full stack is really interesting. I think bringing all of these elements together within a very secure environment as we concentrate on security. We focus on security, bringing all of that together, wrapping it up in security, and then having one point of contact and one SLA, for example, so somebody can come to us and they can get as much of as they want or as little as they want, and that's, uh, it's very powerful position in the market.

Satyajit Sinha: Interesting.

David Hambling: So, Satyajit, where do you think the eSIM market is heading over the next 24 months?

Satyajit Sinha: I mean, that's a very interesting question. I mean, what we have observed that at the very early stage, eSIM got a good [00:19:00] traction when it came to the market and had a good start.

However, we started to see a plateau and everybody was waiting for SGP.32, and that was the plateau came into the picture. The interesting part was even before the SGP. 32 specification was finalised, the industry was interested in using 32, which led to a lot of OEMs and easy manual play to keep coming up with the pre-standards.

And with these pre-standards, they always started doing pilots to try doing some of the deployments. That shows a very clear picture of the demand and how industry was eagerly waiting for an IoT-specific standard and now when we have this standard, we start to see a good growth again so there are a lot of eSIM capable cellular modules are out there already shipping, they have both physical SIM and eSIM capable modules, but they are not in the implementation. So now what we will see quickly with SGP.32, some of the implementation will come into the picture.

We'll also see some of the new [00:20:00] deployments that will happen based on SGP.32. We are starting to see curve. Slowly. The penetration that we just seen, 32% in the shipment will quickly go to 45% and to 50% and 60% range within the next five years or so the moment we started the deployment, and these deployments will include IoT and automotive both the aspects, so I would say yes, there is a huge potential and industry will basically be waiting for this technology, and now this technology is here. I expect a good adoption of SGP.32 and eSIM technology within IoT and auto.

David Hambling: Yeah, definitely, and apart from SGP.32, what are the drivers do you think will push eSIM adoption? 

Satyajit Sinha: I mean we talked about security and everything, but I think one of the interesting things we didn't talk about that much is the in-factory provisioning.

I think that is something that is coming up as equal to, I would say, importance to SGP.32. And it's a complementary technology basically, but makes the use of SGP.32 or eSIM much better. I mean, and for the hardware perspective, [00:21:00] from an out of box connectivity perspective, it is makes more sense. But definitely like to understand from you something, if you want to add anything on the in-factory provisioning because I feel that is one of the key technologies that will change the market from a different perspective for the eSIM aspect. 

David Hambling: Yeah, definitely. So we are looking forward to SGP.42. We've currently got the pre-standard IFPP out there at the moment and in use and very, very popular. So yes, SGP.42. Yes, we've already got the pre-standard out at the moment for the IFPP, the in-factory provisioning, and it's working in harmony with SGP.32. What I really like about SGP.42 is that for devices that you don't want to be reliant upon remote provisioning, you don't want to be reducing their battery power. Perhaps the more lightweight devices, this is provisioning, pre-provisioning the connectivity in the factory from a profile library, putting that connectivity onto the device. So it's ready to go from day one.

 So, this is Born [00:22:00] Connected® and, that's crucial for iSIM and eSIM, and, then once that's been in, once the connectivity has been provisioned into the device, then it can continue to be managed by SGP.32 moving forward. Then also what's very exciting, obviously as we continue to innovate and we don't just, you know after the SGP.32 successes and specifications, we continue to innovate.

David Hambling: And then of course we've got the further versions of SGP.32 to look forward to. So, version two, where there'll be multiple enabled profiles, which will be hugely important for automotive as well, and for reliability of connectivity and for IoT devices, and then device initiated profile switching, and that all leads into iSIM, which is what we need to look out for as well. That's going to become more popular because of SGP.32, SGP.42, and then of course SGP.42 from the factory. 

Satyajit Sinha: Interesting. Interesting. Yeah, that makes complete sense. [00:23:00] Before concluding, I would like to understand from you, what should operator or OEM watch next and why? 

David Hambling: I think it's what we said, version two of SGP.32.

So drawing on what we've got at the moment. 

Yeah. 

And I think mainly as we said for automotive, the multiple enabled profiles would be hugely important, especially for things like eCall, infotainment, being able to switch profiles based on algorithms, based on intelligence, basically, what's got better signal, obviously you need eCall to have the best signal possible, and you it needs to have the highest priority.

So that's going to be very important for OEMs, auto manufacturers. iSIM building it in, so this is even more secure because it's really integrated into the device. And then you need the SGP.32 to be able to manage that remotely for however long it's going to be in the field.

And the SGP.32 needs to work seamlessly for that. And then, as I said, the SGP.42 in factory provisioning need to keep an eye on that when that specification is released. As I said, it's pre-standard at the moment. It's in [00:24:00] use. It's working very well but looking forward to that, going from strength to strength.

Satyajit Sinha: Interesting. Thanks David. It was really interesting and insightful discussion and I hope you all enjoyed from the discussion.

David Hambling: Thank you very much Satyajit. I really enjoyed speaking to you.

Satyajit Sinha: Thank you.