You’re building a bank vault to store the world’s most valuable treasures. You could make it out of cardboard (cheap, easy, useless), steel (better), or reinforced titanium with laser sensors (the real deal). But how do you prove it’s secure? You follow a rulebook: a checklist written by security experts that says exactly how tough the vault must be.
For eSIM chips, that rulebook is SGP.25, the GSMA’s Protection Profile. It’s the official security standard that every eUICC chip must meet before it can hold real operator profiles. Not “should meet”, but must meet.
A Protection Profile (PP for short) is like a building code for digital security:
| Concept | Building Analogy | eSIM Equivalent |
|---|---|---|
| Protection Profile | National building code | SGP.25: security rules for all eUICCs |
| Security Target | Architect’s plans for one building | Vendor’s plan for their specific chip |
| Target of Evaluation | The actual building being inspected | The eUICC software being evaluated |
| Evaluation Level | Inspection rigour (visual check vs. stress test) | EAL4+, the highest practical level |
Protection Profiles are part of an international system called Common Criteria (ISO/IEC 15408). It’s used by 31 countries that mutually recognise each other’s security certificates. So a chip certified in Germany is trusted in Japan, Brazil, and Australia.
A normal SIM card is simple: one carrier, installed at the factory, never changes. An eUICC is different:
An attacker with physical access to the chip could try to extract keys, clone the eUICC, or switch profiles without permission. SGP.25’s job is to make sure the chip is built to resist all of that.
SGP.25 evaluates the eUICC software, specifically the following components:
| Component | Job |
|---|---|
| ISD-R | Profile life-cycle manager: creates, enables, disables, deletes profiles |
| ECASD | Secret keeper: holds private keys, certificates, and the eSIM CA public key |
| ISD-P | Profile container: each profile lives in its own locked room |
| Component | Job |
|---|---|
| Telecom Framework | Network authentication (3G/4G/5G algorithms) |
| Profile Package Interpreter | Translates downloaded packages into installed profiles |
| Profile Rules Enforcer | Makes sure nobody breaks the rules |
The physical chip hardware is evaluated separately (under its own Protection Profile). SGP.25 focuses on the software that runs on top.
SGP.25 isn’t one-size-fits-all. It uses a modular approach:
| Module | Covers |
|---|---|
| Base-PP | Core eUICC security: required for everyone |
| LPAe Module | Extra rules when the phone’s helper app lives inside the chip |
| IPAe Module | Extra rules when the IoT device’s helper app lives inside the chip |
| Dual Module | Rules for chips that support BOTH consumer and IoT |
Plus a mandatory OS Update Module if the chip supports remote software updates. This modularity means the rulebook scales from a basic consumer eSIM to a dual-purpose IoT+consumer powerhouse.
SGP.25 defines threats in two tiers:
SGP.25 requires EAL4 augmented (EAL4+), the highest practical level for a commercial product:
EAL4+ = EAL4 + ALC_DVS.2 + AVA_VAN.5
| Component | What It Means |
|---|---|
| EAL4 | Methodically designed, tested, and reviewed. Source code examined by evaluators. |
| ALC_DVS.2 | The development environment itself must be secure: physical, procedural, and personnel controls |
| AVA_VAN.5 | Advanced penetration testing by experts with elevated attack potential |
EAL1 is a quick check. EAL7 is for military satellites. EAL4+ is the sweet spot for commercial products that need real security without infinite cost.
The “augmented” in EAL4+ is crucial. Standard EAL4 only requires basic vulnerability analysis. AVA_VAN.5 means evaluators actively try to break the chip using the same techniques real attackers would use: power analysis, fault injection, and protocol attacks. It’s the difference between checking the vault door looks solid and actually trying to drill through it!
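To make the “augmented” idea concrete, here is an added Python example (not code from the page or from GSMA) that models how a Security Target’s claimed assurance components are checked against SGP.25’s EAL4+ requirement. It assumes the standard EAL4 package as listed in Common Criteria Part 3, and the rule that a higher component level within a family (AVA_VAN.5 over AVA_VAN.3) satisfies the lower one; the candidate Security Target lists are constructed for illustration.

```python
import re

# Assurance components are written FAMILY.LEVEL, e.g. "AVA_VAN.5".
# Levels within a family are hierarchical: AVA_VAN.5 is strictly stronger
# than AVA_VAN.3, so a higher claimed level satisfies a lower requirement.
_COMPONENT = re.compile(r"^([A-Z]{3}_[A-Z]{3})\.(\d+)$")

def parse(component: str) -> tuple[str, int]:
    """Split 'ALC_DVS.2' into ('ALC_DVS', 2); reject malformed names."""
    m = _COMPONENT.match(component)
    if not m:
        raise ValueError(f"not a CC assurance component: {component!r}")
    return m.group(1), int(m.group(2))

# Baseline EAL4 package (assumption: taken from CC Part 3, not from the page).
EAL4 = [
    "ADV_ARC.1", "ADV_FSP.4", "ADV_IMP.1", "ADV_TDS.3",
    "AGD_OPE.1", "AGD_PRE.1",
    "ALC_CMC.4", "ALC_CMS.4", "ALC_DEL.1", "ALC_DVS.1", "ALC_LCD.1", "ALC_TAT.1",
    "ASE_CCL.1", "ASE_ECD.1", "ASE_INT.1", "ASE_OBJ.2", "ASE_REQ.2",
    "ASE_SPD.1", "ASE_TSS.1",
    "ATE_COV.2", "ATE_DPT.1", "ATE_FUN.1", "ATE_IND.2",
    "AVA_VAN.3",
]

def augment(package, augmentations):
    """Apply augmentations: a higher level replaces the family's baseline level."""
    required = dict(parse(c) for c in package)
    for aug in augmentations:
        family, level = parse(aug)
        if level <= required.get(family, 0):
            raise ValueError(f"{aug} does not raise {family} above the baseline")
        required[family] = level
    return required

# SGP.25's requirement: EAL4 augmented with ALC_DVS.2 and AVA_VAN.5.
SGP25_REQUIRED = augment(EAL4, ["ALC_DVS.2", "AVA_VAN.5"])

def shortfalls(claimed, required=SGP25_REQUIRED):
    """Return {family: (claimed_level, required_level)} for every family the
    Security Target fails to meet; a family it omits shows claimed_level 0."""
    have = dict(parse(c) for c in claimed)
    return {fam: (have.get(fam, 0), lvl)
            for fam, lvl in required.items() if have.get(fam, 0) < lvl}

def conformant(claimed, required=SGP25_REQUIRED) -> bool:
    """True only when every required family is claimed at or above its level."""
    return not shortfalls(claimed, required)
```

Running `shortfalls(EAL4)` shows exactly the two families a plain EAL4 evaluation leaves short, which is what the “+” in EAL4+ adds.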
Kid-friendly version of GSMA SGP.25 v2.1: eUICC Common Criteria Protection Profile