Bootstrap Connectivity: The Control Layer Behind SGP.32

04.06.2026

The first wave of eSIM adoption in IoT was often framed as a replacement story: replacing plastic SIM cards with soldered eSIMs, replacing manual handling with remote provisioning, replacing fragmented supply chains with digital workflows. But the real transformation goes further. In his recent article, From SIM Logistics to Digital SIM Logistics: The New Operating Model for IoT Connectivity, emnify Co-Founder and CEO Frank Stoecker outlines how the industry is shifting from physical SIM logistics toward a software-defined operating model for connectivity. At emnify, we describe this emerging model as Digital SIM Logistics: a new operational category for managing connectivity in a software-defined world.

SGP.32 is a central part of that shift. It introduces an IoT-specific model for remote SIM provisioning, designed for fleets of devices that may have no screen, no user interface, limited power, intermittent connectivity, and long operational lifetimes. Unlike consumer eSIM models, which assume a smartphone-like setup experience, SGP.32 is built for server-orchestrated profile lifecycle management at scale.

But one point remains underestimated: every SGP.32 workflow still depends on initial connectivity.

Before an operational profile can be downloaded, before a device can be assigned to the best network, before an enterprise can switch providers remotely, the device must first be reachable. That first moment of reachability is provided by bootstrap connectivity.

This makes bootstrap connectivity one of the most important foundations of the SGP.32 era. It is not a secondary detail. It is the control layer that enables everything else.

Every SGP.32 workflow starts with reachability

The promise of SGP.32 is flexibility. OEMs and enterprises can manufacture devices with eSIM capabilities, deploy them globally, and manage connectivity profiles remotely throughout the device lifecycle. This reduces the dependency on physical SIM logistics and opens the door to more dynamic SIM profile strategies.

However, none of this happens in isolation. A device cannot receive instructions, download an operational profile, or report provisioning status unless it can connect to a network first.

That is the role of the bootstrap profile.

The bootstrap profile provides the initial path between the device and the remote provisioning infrastructure. It enables the device to establish first contact, exchange information, and begin the process of downloading or activating an operational profile. In the SGP.32 architecture, the eIM (eSIM IoT Remote Manager) and IPA (IoT Profile Assistant) play key roles in managing profiles and supporting remote orchestration for IoT devices.

The eIM is responsible for the remote lifecycle management of eSIM profiles, including profile provisioning, activation, deactivation, and policy enforcement across deployed devices. The IPA resides on or interacts closely with the device and acts as the interface between the eUICC and the remote management ecosystem, facilitating profile operations and communications with the eIM. Together, the eIM and IPA enable secure, scalable, and automated remote SIM provisioning for IoT deployments.

In practical terms, bootstrap connectivity answers a critical question: how does the enterprise reach the device before the device has its final connectivity setup?

Without this first connection, the rest of the SGP.32 value chain cannot start.

SGP.32 makes bootstrap more important, not less

It may be tempting to assume that because SGP.32 makes connectivity more flexible, the initial bootstrap profile becomes less important. The opposite is true.

The more dynamic the operational profile becomes, the more important the stable bootstrap layer becomes.

In the traditional SIM model, the connectivity relationship was usually fixed at deployment. A device was shipped with a SIM, the SIM had a pre-defined operator relationship, and the operational model remained relatively static. This created inefficiencies, but it also meant fewer profile lifecycle events.

SGP.32 changes that. Profiles can be downloaded, changed, replaced, optimized, or recovered over time. Connectivity becomes programmable. Enterprises gain more flexibility, but they also introduce a new operational requirement: reliable remote lifecycle management.

That requires persistent reachability.

Whenever an operational profile needs to be installed, updated, replaced, or recovered, the device needs a trusted connectivity path. Bootstrap connectivity provides that path. It becomes “the stable layer” underneath a more flexible operational environment.

SGP.32 does not eliminate the need for strong bootstrap connectivity. It elevates it.

From activation mechanism to operational control layer

Historically, bootstrap connectivity was often seen as a temporary step. The device connects once, downloads its final profile, and then the bootstrap profile becomes irrelevant.

That view no longer reflects the operational reality of SGP.32.

In a modern IoT deployment, the bootstrap profile can support much more than first activation. It can enable initial provisioning, fallback, recovery, diagnostics, re-orchestration, and long-term lifecycle control.

Bootstrap connectivity becomes the operational control layer for the device. It provides the enterprise with a route back to the device when the primary operational setup is not enough.

This matters because IoT devices do not operate in perfect conditions. They move between countries. They encounter network changes. They are deployed in basements, vehicles, factories, elevators, energy systems, logistics assets, and remote infrastructure. They may remain active for five, ten, or even fifteen years. During that time, networks, regulations, commercial agreements, and deployment requirements evolve.

In this environment, the bootstrap profile should not be treated as disposable.

It should be treated as a lifelong lifeline.

What OEMs and enterprises need from bootstrap connectivity

For OEMs and enterprises, bootstrap connectivity should not be evaluated like a simple data plan. The decision is not only about coverage maps or price per megabyte.

The bootstrap layer has a different role. It must provide the foundation for activation, orchestration, fallback, and recovery across the entire device lifecycle.

Several characteristics become essential.

First, bootstrap connectivity requires global coverage. Devices may be manufactured in one region, warehoused in another, sold into multiple markets, and activated wherever the customer installs them. A bootstrap profile that only works reliably in selected countries creates friction from the first power-on.

Second, it requires technical scalability. OEMs may need to activate thousands or millions of devices across different markets and time windows. The bootstrap layer must support provisioning events, retry logic, signaling traffic, and fleet-level orchestration without becoming a bottleneck.

Third, it requires operational consistency. Enterprises need predictable behavior across regions, networks, and deployment scenarios. If activation works in one country but fails unpredictably in another, the promise of digital SIM logistics breaks down.

Fourth, it requires visibility and intelligence. Bootstrap connectivity should not only connect the device. It should help the platform understand what is happening: where the device is, which networks are visible, whether provisioning succeeded, and what fallback path is available if something goes wrong.

Finally, it requires resilience. The bootstrap profile should remain available as a recovery channel when the operational profile fails, underperforms, or needs to be replaced.

Bootstrap as the foundation for intelligent profile selection

One of the most powerful promises of SGP.32 is the ability to select and manage operational profiles dynamically. But the value does not come only from the ability to switch. It comes from knowing when to switch, why to switch, and which profile to choose next.

That is an intelligence problem.

The best operational profile for a device may depend on many factors: country, network availability, radio access technology, signal quality, latency, cost, regulatory requirements, customer policy, data usage pattern, and historical network performance. A logistics tracker moving across borders has different requirements from a smart meter in a fixed location. A medical device has different risk tolerance from a vending machine. A vehicle charger has different uptime expectations from a seasonal asset tracker.

SGP.32 creates the technical foundation for more flexible profile management. But intelligent selection requires data, policy, automation, and decision-making logic.

Bootstrap connectivity is the starting point for that intelligence.

It gives the device the initial path to report its context. It enables the orchestration layer to evaluate conditions. It allows AI-driven systems to compare available options, detect provisioning issues, recommend the right operational profile, and initiate fallback if needed.

This is where the future of SGP.32 becomes especially interesting. Connectivity management can move from static provisioning to intelligent orchestration. Instead of asking, “Which SIM should we ship with this device?” enterprises can ask, “Which profile is best for this device, in this location, under these conditions, at this point in its lifecycle?”

The bootstrap layer enables that question to be answered in the field.

Fallback: the bootstrap profile as a lifelong lifeline

In any large IoT deployment, failure is not an exception. It is part of the operating model.

An operational profile may fail to download. A device may lose connectivity after moving into a new country. A network may perform poorly in a specific location. A provider relationship may need to be changed. A regulatory requirement may force the enterprise to migrate profiles. A fleet may need to be recovered after a configuration error.

In each of these cases, the enterprise needs a route back to the device.

This is where the bootstrap profile becomes strategically important.

A strong bootstrap layer can act as a fallback path when the operational profile does not deliver the expected result. It can allow the device to reconnect, receive new instructions, download another profile, or return diagnostic information. It reduces the risk that a failed profile operation turns into a stranded device.

For OEMs, this can reduce field service costs and protect customer experience. For enterprises, it can improve uptime and operational continuity. For connectivity teams, it creates a recovery mechanism that is built into the architecture instead of added later through manual intervention.

In the SGP.32 era, fallback should not be an afterthought. It should be part of the bootstrap strategy from day one.

Native bootstrap versus resale-based approaches

Not all bootstrap connectivity is created equal.

Some providers may offer bootstrap profiles through resale-based connectivity models. In these cases, the provider depends heavily on upstream network or roaming partners for coverage, troubleshooting, policy control, and operational behavior. This can work for simple deployments, but it may create limitations at scale.

The challenge is control.

When the bootstrap layer is only resold, the provider may have less influence over network behavior, availability, diagnostics, and long-term continuity. Troubleshooting can become slower. Responsibilities can become fragmented. The enterprise may not know whether an issue sits with the eSIM platform, the bootstrap provider, the upstream carrier, or a roaming partner.

In smaller deployments, these issues may be manageable. In large-scale IoT fleets, they become operational risk.

A native bootstrap approach is different. When a provider has stronger ownership and operational control over the bootstrap layer, it can manage availability, policy, diagnostics, and scaling more directly. It can integrate bootstrap connectivity more deeply with profile orchestration, fallback logic, and fleet intelligence.

In SGP.32, the key question is not only whether a provider can offer a bootstrap profile.

The key question is how much control the provider has over the infrastructure behind it.

Why ownership and operational control matter at scale

At small scale, bootstrap may look like a technical prerequisite. At large scale, it becomes a business-critical dependency.

If bootstrap connectivity fails, the issue is not limited to connectivity. The device may not activate. The operational profile may not download. The enterprise may not be able to switch providers. Diagnostics may not reach the platform. Recovery may not be possible without physical intervention.

That creates cost, complexity, and risk.

For OEMs, failed activation can damage the customer experience at the most critical moment: first use. For enterprises, unreliable bootstrap can delay rollouts, create support tickets, and undermine confidence in remote lifecycle management. For global fleets, weak bootstrap design can create hidden operational debt that only becomes visible after devices are already deployed.

This is why ownership matters. The more control a provider has over the bootstrap layer, the better it can support predictable activation, scalable orchestration, troubleshooting, and long-term resilience.

SGP.32 gives enterprises the option to be more independent. But independence is not created by the standard alone. It depends on how the connectivity layer is operated.

emnify’s role: bootstrap as part of a cloud-native connectivity model

For emnify, bootstrap connectivity is not just an access mechanism. It fits into a broader model of cloud-native, software-defined IoT connectivity.

The value comes from combining global reach, technical scalability, lifecycle orchestration, and operational control.

At emnify, bootstrap is designed as part of a cloud-native connectivity architecture rather than a standalone access layer. This enables factory-ready provisioning, provider-independent orchestration, fallback resilience, and lifecycle control at global scale.

This is important because OEMs and enterprises do not only need a bootstrap profile. They need a bootstrap strategy.

An in-house bootstrap layer, global coverage, and the ability to support large numbers of bootstrap profiles are key capabilities. They allow bootstrap connectivity to be designed as a strategic control layer rather than sourced as a commodity access layer.

What OEMs and enterprises should ask

As SGP.32 adoption grows, OEMs and enterprises should evaluate bootstrap connectivity with more rigor.

They should ask:

Does the bootstrap profile provide reliable global coverage from first power-on?
Who owns and operates the bootstrap connectivity layer?
Is the provider dependent on resale-based arrangements, or does it have direct operational control?
Can the bootstrap profile remain active as a lifelong fallback?
Can the provider support large-scale activation and provisioning events?
What visibility is available when provisioning fails?
Can bootstrap data support intelligent operational profile selection?
Are fallback and recovery workflows built into the architecture?
Can the bootstrap layer integrate with enterprise systems, APIs, and lifecycle processes?

These questions shift the conversation from “Can you provide an eSIM?” to “Can you operate the connectivity lifecycle?”

That is the real SGP.32 question.

Conclusion: the foundation of software-defined IoT connectivity

SGP.32 is often discussed as a standard for remote profile management. That is technically correct, but operationally incomplete.

For OEMs and enterprises, the success of SGP.32 depends on whether devices can be reached, provisioned, optimized, recovered, and managed throughout their lifecycle. Bootstrap connectivity is the foundation that makes this possible.

It is the first connection. It is the control channel. It is the fallback path. It is the recovery mechanism. And increasingly, it is the intelligence layer that enables better operational profile decisions.

The SGP.32 era will not be defined only by the ability to download SIM profiles remotely. It will be defined by the ability to operate connectivity dynamically, reliably, and globally.

That starts with the bootstrap layer.

SGP.32 does not make bootstrap connectivity less important. It makes bootstrap connectivity the key enabler of the entire model.

Get in touch with our IoT experts

Discover how emnify can help you grow your business and talk to one of our IoT consultants today!

Martin Giess

Martin Giess is co founder and founding CTO of emnify, where he oversees the technical execution of emnify’s product vision. He has 15 years’ experience as a technology expert in agile development of innovative telecom services. Before founding emnify, he held technical VP positions at Syniverse and MACH.

What Is GSMA SGP.32? The Definitive Guide to the Next-Gen eSIM IoT Standard

12.03.2026 – Knowledge Hub

Table of contents Introduction How does SGP.32 compare to SGP.02 and SGP.22? How SGP.32 Works: Key Components Explained IoT eSIM Architecture – SGP.32 Compliance & Standards: What You Need to Know Challenges & Implementation Considerations How emnify Supports SGP.32-Ready IoT Deployments Conclusion: Why SGP.32 Matters Introduction GSMA’s SGP.32 is the newest global SIM technology standard for IoT which finally makes remote profile management and profile switching a reality. It enables connected devices to securely download, manage, and switch SIM profiles over the air without requiring a user interface, QR codes, or physical SIM replacements. Unlike earlier GSMA standards designed for traditional machine-to-machine deployments, SGP.32 was defined specifically for modern IoT deployments, where physical SIM logistics and vendor lock-in have caused operational headaches for far too long. At its core, SGP.32 introduces a streamlined architecture that allows enterprises and connectivity providers to manage SIM profiles from any number of connectivity providers from one unified platform. At scale, this means, businesses are not locked into a single provider for their device’s full lifecycle and therefore are not burdened with costly SIM swaps when switching or adding new operators. Typical use cases for which this becomes extremely helpful to businesses deploying connected devices include: For manufacturers of connected devices (OEMs) that need devices to connect directly from the factory but don’t want the device to be locked to that specific network for their customers. Here SGP.32 enables that enables devices to be deployed with a bootstrap profile that gets the device online and SGP.32 enables any number of additional operator profiles to be added based on the device's deployment area. Providers of connected devices now have a built-in resiliency plan. In the past, if a business wanted to leave their connectivity provider it added complexity as it meant leaving their already deployed devices connected with their original operator (SIM swaps are too costly) and adding another provider for future deployments. This management of multiple operators added complexity and operational overheads. For providers of connected devices, SGP.32 also integrates a level of resiliancy that wasn’t available before. The fact that it is now possible to have multiple profiles on a single SIM means that a true ‘fallback’ option is available. What this means in reality? If the primary profile fails, the device can simply be switched to the backup operator. Not only does this protect uptime, but it also protects operations from unexpected events such as, outages, the operator switching off coverage in your deployment zone or even if the operator goes out of business. How does SGP.32 compare to SGP.02 and SGP.22? SGP.02 SGP.02 was designed for traditional M2M deployments. In theory, it enabled remote profile to download and switching. In practice, however, the architecture was complex, costly to integrate, and not well suited to low-power or bandwidth-constrained IoT devices. For most deployments, large-scale remote profile swapping simply wasn’t commercially feasible. SGP.22 SGP.22 was built for consumer devices like smartphones and tablets. It assumes a user interface, QR code scanning, and user-driven profile downloads. That works perfectly for phones, but not for 'screenless’ devices. SGP.32 SGP.32 is the first standard designed specifically for IoT fleets. It removes the need for user interaction, supports constrained environments like NB-IoT and LTE-M, and enables fully server-orchestrated profile lifecycle management at scale. How SGP.32 Works: Key Components Explained eUICC (Embedded Universal Integrated Circuit Card) Although not new or specific to SGP.32, the eUICC is crucial to enable remote profile management. The eUICC is the secure chip inside the SIM that can store multiple operator profiles. SM-DP+ (Subscription Manager Data Preparation+) The SM-DP+ is the secure server where eSIM profiles are stored, prepared, and encrypted for download to devices. Each profile has a unique identifier called an activation code, which is what devices use to retrieve the profile. The QR code used in consumer eSIM downloads is simply a graphical representation of that activation code. SM-DS (Subscription Manager Discovery Server) The SM-DS is a discovery service that devices can query to check if new eSIM profiles are available. If a profile is ready, it tells the device which SM-DP+ server hosts it so the profile can be downloaded. While commonly used in consumer eSIM deployments, it is often optional in IoT architectures where the platform already orchestrates the profile download. EID (eUICC Identifier) The unique ID assigned to every eUICC. It’s how the SIM is securely identified during remote provisioning. eIM (eSIM IoT Manager) The control layer introduced with SGP.32. It lets you remotely download, enable, disable, delete, and switch profiles across devices and fleets. The eIM can be a standalone platform or part of a traditional CMP like it is for emnify. Connectivity Management Portal Not new but as the name implies this is where you manage connectivity such as, adding removing coverage zones and changing plans. It is in the CMP that the eIM can be integrated so that SGP.32 functionality such as, adding or removing profiles can be managed from the same interface. IPA (IoT Profile Assistant) The IoT-native replacement for the consumer LPA. It runs on the device and handles profile discovery and downloads without needing a screen or user input. Activation Code Are required to activate the SIM by inputting them into the CMP/eIM. Bootstrap Profile A minimal connectivity profile that gets the device online for the first time so it can download its operational profile. Operational Profile The main operator profile used during normal device operation. Multiple operational profiles can live on the same SIM. Fallback Profile A secondary operator profile stored on the same SIM that can be activated if the primary one fails, protecting uptime and continuity. Polling Interval Is the frequency a device tries to connect to the eIM to understand if there is a new profile. IoT eSIM Architecture – SGP.32 SGP.32 Remote Profile Management Flow Explained The device connects using its existing profile The device is already online, typically via a bootstrap or operational profile. A profile download is scheduled on the eIM An operator profile is registered on the eIM using its activation code, preparing it for download to the device. The device checks the eIM for pending operations At its polling interval, the device contacts the eIM and discovers that a new profile is available, including which SM-DP+ server hosts it and which activation code to use. The IPA prepares the device The IPA establishes the secure session required to download the profile. The profile is retrieved from the SM-DP+ The encrypted operator profile is securely delivered from the SM-DP+ to the device. The eUICC securely stores the new profile The profile is installed on the eUICC but not necessarily activated yet. Profile activation is scheduled on the eIM A user or automated process configures the new profile to be activated. The device activates the profile During the next polling cycle, the device learns about the activation instruction from the eIM and the IPA activates the profile on the eUICC. The device switches connectivity The device begins operating on the new operator profile without any physical SIM change. Compliance & Standards: What You Need to Know SGP.32 is not just a new orchestration model. It is a GSMA-defined standard built on strict security, interoperability, and transport requirements. These compliance elements are embedded directly into the specification and are critical for secure, large-scale IoT deployments. Security All profile lifecycle operations between the eIM and the eUICC are cryptographically authenticated and integrity-protected. This ensures profiles cannot be downloaded, modified, or switched without proper authorization. Transport Protocols SGP.32 supports standard TCP/IP communication as well as lightweight protocols such as CoAP over UDP with DTLS encryption. This allows it to operate efficiently across a wide range of IoT environments, including low-power and bandwidth-constrained networks like NB-IoT and LTE-M. Challenges & Implementation Considerations Evolving Ecosystem SGP.32 adoption is still in progress across vendors, platforms, and standards bodies. Interpretations and support may vary as the ecosystem matures. Platform Maturity Not all IoT platforms will initially provide full eIM functionality, IPA support, or large-scale orchestration tooling. The depth of implementation will differ between vendors. Open Ecosystem vs. Closed Implementations While SGP.32 technically enables multi-operator profile management, not every provider will support open third-party profile orchestration. Some implementations may limit profile management to their own network ecosystem. Enterprises evaluating SGP.32 solutions should carefully assess whether cross-operator flexibility is genuinely supported in practice, not just in theory. Backward Compatibility Migration from older standards such as SGP.02 or SGP.22 is not possible. How emnify Supports SGP.32-Ready IoT Deployments As SGP.32 moves from specification to real-world deployment, the key question is not just compliance. It is implementation. The standard enables multi-profile, multi-operator orchestration. But whether that flexibility is truly available in practice depends on the platform operating the eIM layer. emnify’s cloud-native architecture was built around centralized, API-driven profile lifecycle management. Through its integrated eIM capabilities, enterprises can download, enable, disable, and switch both emnify and third-party operator profiles across fleets from a single control plane. This approach aligns directly with the architectural intent of SGP.32: operator independence at the profile level, not just at the hardware level. Rather than binding deployments to a single network ecosystem, emnify enables organizations to design IoT architectures where connectivity can evolve over time, whether adding new operators, localizing in new regions, or introducing fallback profiles for resilience. In practice, this means SGP.32 is not just supported, it is operationalized in a way that preserves long-term flexibility. Check our unique SGP.32 offer, the emnify Advanced eSIM. Conclusion: Why SGP.32 Matters GSMA SGP.32 marks a structural shift in how IoT connectivity is designed and operated. It moves the industry beyond hardware-bound SIM logistics and toward software-driven profile orchestration built specifically for headless, large-scale device fleets. By enabling secure, server-orchestrated lifecycle management, SGP.32 allows enterprises to add, change, and manage operator profiles remotely without physical intervention. Devices can ship connected from the factory with a bootstrap profile, reducing the need for multiple regional SKUs and eliminating much of the traditional SIM logistics associated with global deployments. At the same time, SGP.32 introduces the possibility of true provider independence. Enterprises can localize connectivity as deployments expand into new regions, add new operators over time, and avoid being locked into a single connectivity provider for the lifetime of a device. It also strengthens operational resilience. With the ability to store and manage multiple profiles on a single eSIM, organizations can introduce fallback connectivity options that protect uptime and reduce the operational risk of network outages or coverage changes. For organizations building global IoT deployments, understanding SGP.32 is no longer optional. It is foundational to designing connectivity architectures that remain flexible, scalable, and commercially adaptable over the full device lifecycle.

What Enterprises Really Need from Modern IoT Connectivity Platforms

27.11.2025 – Executive Insights

Most IoT connectivity platforms today can technically support millions of devices. But at scale, “can handle it” isn’t the same as “handles it well.”

How to Control Your IoT Connectivity

27.10.2025 – Knowledge Hub

Control isn’t the SIM - it’s the power to see, manage and act Let's start by defining what it really means to have control over your IoT connectivity. The easiest way to understand it is by looking at what happens when you don’t have it. Unfortunately, that’s still the reality for most IoT businesses today. What a lack of control looks like: You face roaming costs or must source new connectivity when entering new markets You have little visibility into usage and only spot overages too late You pay for unused services like extra network types or SMS You can’t see network performance anddon’t know why devices disconnect Core management features sit behind paywalls Getting support is slow and time-consuming Most traditional operators still dictate how and when you can make changes. You’re often forced to raise support tickets for simple requests, wait for approvals, and deal with delays that slow down your operations. At emnify, we believe you shouldn’t need permission to manage your own devices. That's why we give you complete, instant control over how your devices behave, giving you the flexibility to manage deployments exactly the way you need. The following sections will show you how to take control of your connectivity in seconds within the emnify portal.