Comprehensive technical knowledge base covering 12 GSMA eSIM specifications. 84+ articles on Remote SIM Provisioning — SGP.02, SGP.22, SGP.32, SGP.41, SGP.29, SGP.23, SGP.25, SGP.26 and more.
🏠 eUICC.tech > SGP.33-3 eIM Testing > IoT eSIM Certification Path: From Test Cases to Production
💡 Why this matters: Passing SGP.33-3 test cases in a lab is one thing: getting an eIM product certified for production deployment in the IoT eSIM ecosystem is another. The certification path for IoT eSIM components is still evolving: unlike the mature consumer eSIM certification programme (with its well-established GSMA Test Events, SAS audits, and GlobalPlatform DLOAs), IoT eSIM certification is being built incrementally. Understanding the current state and future direction of IoT eSIM certification helps eIM vendors, IoT device manufacturers, and operators plan their compliance strategies.
Key takeaways:
- IoT eSIM certification builds on the existing GSMA compliance framework but must address multi-vendor test ecosystems where the eIM, IPA, SM-DP+, SM-DS, and eUICC may all come from different vendors
- The eIM is tested as a standalone component (per SGP.33-3), but production deployment requires end-to-end interoperability with real IPAs, eUICCs, SM-DP+s, and SM-DSs: an area still marked FFS (For Future Study) in SGP.23
- eIM/DUT combo testing: where the eIM is tested alongside a real Device Under Test with an actual IoT eUICC and IPA: bridges the gap between isolated conformance testing and real-world deployment
- SAS-SM (Security Accreditation Scheme for Subscription Management) applies to eIM platforms, extending the SAS framework from eUICC manufacturing to remote management servers
- The certification workflow mirrors SGP.23: vendor readiness → Optional Features declaration → test execution → review → approval: but with IoT-specific additions for eIM Configuration Data, eIM Package Retrieval mode, and multi-interface orchestration
- As of v1.2, many test sequences remain FFS, making the current certification path partial: practical certification for eIM products is possible but focuses on ES9+’ and ES11’ interfaces adapted from proven consumer eSIM testing
SGP.33-3 v1.2 is a test specification, not a certification programme document. But the two are inseparable: test cases exist to support certification, and certification programmes require test cases. This article traces the path from an eIM implementation through testing to production deployment.
Consumer eSIM certification tests individual components (eUICC, LPAd/Device, SM-DP+, SM-DS) in isolation using simulators. This works because the consumer ecosystem has a relatively simple topology: Device ⟷ SM-DP+ ⟷ SM-DS, with the LPA as the on-device orchestrator.
IoT eSIM introduces a fundamentally more complex topology:
Operator
│
ES2+ │
▼
┌─────────┐ ┌─────────┐
│ SM-DP+ │◄──►│ SM-DS │
└────┬────┘ └────┬────┘
│ES9+' │ES11'
▼ ▼
┌─────────────────────────┐
│ eIM │ ← Remote server, multi-tenant
└────────────┬────────────┘
│ESipa
┌───────┴───────┐
▼ ▼
┌─────────┐ ┌─────────┐
│ IPA │ │ IPA │ ← Many IoT devices
│ (Device │ │ (Device │
│ 1) │ │ 2) │
└────┬────┘ └────┬────┘
│ES10b │ES10b
▼ ▼
┌─────────┐ ┌─────────┐
│ eUICC │ │ eUICC │
└─────────┘ └─────────┘
In this topology:
Multi-vendor interoperability is not just desirable: it’s the core value proposition of the GSMA eSIM ecosystem.
SGP.33-3 tests the eIM in isolation using simulators. But production deployment requires the eIM to work with:
SGP.23 Section 7 (“End-to-End Testing”) is explicitly marked FFS (For Future Study). This means:
This gap is particularly significant for IoT because the eIM-to-IPA interface (ESipa) : the critical bridge between the remote management server and the device: has no standardised test cases at all as of v1.2.
The IoT eSIM certification workflow follows the same general pattern as consumer eSIM (SGP.23), adapted for IoT-specific concerns:
The eIM vendor prepares:
#IUT_RSP_VERSION : SGP.22 version supported#IUT_EIM_ADDRESS : FQDN of the eIM#IUT_EIM_ID : Unique identifier (OID, FQDN, or proprietary)#IUT_TLS_VERSION : Highest TLS version supported (at least v1.2)Tests execute in the General (eIM) Test Environment:
The GSMA’s Security Accreditation Scheme (SAS) has historically focused on:
With IoT eSIM, SAS-SM applies to eIM platforms as well. The eIM is a subscription management server: it remotely controls profile state, manages eIM configuration, and orchestrates profile downloads. As such, eIM platforms must meet the same security standards as SM-DP+ and SM-DS platforms:
While SGP.33-3 doesn’t directly reference SAS audit requirements, the test cases implicitly verify SAS-relevant security properties:
eimSignature) and present valid TLS certificates on ESipa| Interface | Test Status | Certification Readiness |
|---|---|---|
| ES9+’ (eIM→SM-DP+) | Fully defined | Ready: adapted from proven SGP.23 LPAd tests |
| ES11’ (eIM→SM-DS) | Fully defined | Ready: adapted from proven SGP.23 LPAd tests |
| ESep (eIM→eUICC) | Partially defined (FFS) | Limited: 9 functions defined but most test sequences FFS |
| ESipa (eIM→IPA) | Requirements only (FFS) | Not certifiable: all 11 function test sequences FFS |
| Behaviour (Profile Enable) | One test case defined | Conditional: only for eIMs with O_S_PKG_RETRIEVAL + O_S_ESIPA_HTTPS |
The “For Future Study” annotations throughout SGP.33-3 indicate active development areas:
For eIM vendors seeking certification today, the pragmatic path is:
SGP.33-3 does not exist in isolation. It connects to:
Based on GSMA SGP.33-3 v1.2 (27 January 2025) : eUICC IoT Manager Test Specification, Sections 1–5, Annexes F–G; GSMA SGP.23 certification framework; GSMA SAS programme
| ← Previous: eIM Security Testing: DTLS, Certificates, and Signed Packages | Section Index |