Can I use one IoT SIM across the entire EU without regulatory issues?

Yes, for 28 of 31 European countries. Permanent roaming for M2M/IoT is permitted EU-wide with two exceptions: Germany restricts it to M2M-only services (no public internet access), and Belgium prohibits it except for eCall and certain nomadic services. For Belgium, a local SIM profile is required. For Germany, ensure the service qualifies as M2M under BNetzA's definition.

Should I specify SGP.32 for new IoT deployments in Europe?

For new deployments with 5+ year lifecycles, yes —SGP.32-capable modules (Quectel, SIMCom, Telit) should be the default procurement spec. SGP.32 lets the enterprise control profile switching through a cloud-based eIM without touching the device. Existing SGP.22 fleets cannot upgrade without hardware replacement —multi-IMSI remains the bridge.

How does the EU Data Act affect IoT deployments?

The Data Act (September 2025) requires IoT-generated data to be accessible to users, portable between cloud providers, and subject to third-party sharing restrictions. IoT deployers must specify data governance in contracts, ensure cloud portability, and handle user data access requests. It regulates data —not connectivity.

Europe IoT SIM Deployment Guide: EU-Wide Roaming That Works, Country Rules That Diverge, and the SGP.32 Shift

June 2, 2026 · 10 min read · Regional Info

Europe is the world's most permissive region for IoT roaming —28 of 31 countries allow permanent roaming for M2M. But EU-level regulation is tightening faster than anywhere: the Data Act, Cyber Resilience Act, and RED cybersecurity mandates. The real fragmentation is not roaming bans — it is SIM registration (15 of 31 countries require it, 11 demand explicit identity verification), Germany's M2M-only restriction, Belgium's eCall exception, and SGP.32 changing who holds the profile-switching keys.

TL;DR: Europe allows permanent IoT roaming almost everywhere —28 of 31 countries permit it, making it the easiest region globally for single-SKU SIM deployment. But ease of roaming masks a different fragmentation: SIM registration rules diverge sharply (15 of 31 require it, 11 demand explicit identity verification), EU product regulation is tightening on three simultaneous fronts, and the SGP.32 eSIM standard —designed in Europe for IoT —is about to change the procurement equation for devices with 5+ year lifecycles. The European paradox: the easiest region to roam in is also where regulation is evolving fastest.

Europe's Roaming Baseline: 28 of 31 Countries Say Yes

Cullen International's October 2025 benchmark of 31 European countries confirms: most permit permanent roaming for IoT and M2M, relying on commercial agreements between operators rather than regulatory mandates. This is fundamentally different from Brazil's outright ban or India's 6-month conversion clock.

Two exceptions:

1. Germany (BNetzA): Permanent roaming permitted only for M2M communications. If the IoT service includes public internet access —interactive kiosks, passenger WiFi on fleet vehicles —it falls outside the exemption.

2. Belgium (BIPT): Most restrictive in the EU. Permanent roaming generally prohibited except for eCall (vehicle emergency systems) and certain narrowly-defined nomadic services. Any other IoT deployment requires a local SIM profile.

Source: Cullen International, "European regulators adopt different approaches to IoT for SIM registration, authorisation, and roaming", October 2025. Available at https://www.cullen-international.com/news/2025/10/European-regulators-adopt-different-approaches-to-IOT-for-SIM-registration--authorisation--and-roaming.html

SIM Registration: Where Europe Actually Fragments

While roaming is broadly permitted, SIM registration is where the 31 countries diverge:

Registration Requirement	Count	Examples
--------------------------	-------	----------
Registration + explicit verification	11	Austria (video ID), Sweden (BankID), Germany (PostIdent), Netherlands
Registration, no verification	4	France, Spain, Italy, Poland
No registration or IoT-exempt	16	Estonia, Finland, UK, Ireland, Czech Republic

For 1,000 devices across Germany, Austria, and Sweden: each SIM requires a verified identity process with a different national system. This is not a roaming problem —it's a KYC fragmentation problem that adds 3-6 weeks to deployment timelines.

The UK sits outside the EU framework post-Brexit —Ofcom has not imposed IoT-specific registration, and permanent roaming is permitted. One of the simplest European markets for IoT, but it requires a separate roaming agreement from EU-wide arrangements.

The EU Regulatory Stack: Three Laws That Changed IoT in 2025

Europe regulates IoT not through roaming restrictions, but through product and data regulation:

EU Data Act (September 2025): Data portability obligations between cloud providers, requirements to make IoT-generated data accessible to users, restrictions on third-party data sharing. For fleet operators and smart meter deployers: new contractual obligations around data governance.

Cyber Resilience Act (CRA): Mandatory cybersecurity for connected products. Critical devices may require third-party conformity assessment. Security updates must cover the expected product lifetime —minimum 5 years. Connectivity modules (SIM, modem) fall within scope.

Radio Equipment Directive (RED) cybersecurity (August 2025): All wireless devices placed on the EU market must comply with network protection, personal data protection, and fraud prevention requirements. Cellular IoT devices must demonstrate compliance at the radio module level.

The practical impact: a cellular IoT device deployed in Europe in 2026 must comply with three overlapping frameworks that did not exist in current form two years ago. The SIM is compliant if it connects; the device, firmware, and cloud backend determine whether the whole deployment is compliant.

Source: Cullen International, "Countries tighten IoT rules with new security, numbering and device measures", July 2025. Available at https://www.cullen-international.com/news/2025/07/Countries-tighten-IoT-rules-with-new-security--numbering-and-device-measures.html

SGP.32: The IoT eSIM Standard That Changes Who Holds the Keys

SGP.32 —driven by European MNOs and IoT platform providers —is designed for IoT, unlike the consumer-focused SGP.22. Its key difference: it removes the requirement for a device user interface. A water meter in a basement has no screen to tap "Download eSIM."

Under SGP.32, an IoT Profile Assistant (IPA) on the device communicates with an eSIM IoT Remote Manager (eIM) in the cloud. The enterprise —not the MNO —controls profile switching through the eIM. If a Deutsche Telekom profile underperforms in rural France, the eIM loads an Orange profile. If Vodafone raises rates in Italy, the eIM loads a TIM profile. Switching cost: an API call, not a truck roll.

The caveat: SGP.32 chipset adoption is still ramping. By mid-2026, Quectel, SIMCom, and Telit are shipping SGP.32-compatible modules, but deployed SGP.22 fleets cannot upgrade without hardware replacement. For new deployments with 5+ year lifecycles, specify SGP.32-capable modules. For existing fleets, multi-IMSI is the bridge.

Source: BEREC, "MVNO Europe response to draft Work Programme 2025 on EU Roaming Regulation for pan-European IoT", November 2024. Available at https://www.berec.europa.eu/system/files/2024-11/BoR%20PC10%20%2824%29%2008_MVNO%20Europe.pdf

When One SIM Covers Europe —and When Local Profiles Earn Their Keep

For Germany, France, Netherlands, Poland, Nordics, and CEE: a single-SKU roaming SIM at EUR 0.7344/GB pooled is sufficient. Roaming is permitted and compliance overhead is low.

Two triggers for local profiles:

1. Belgium is in the deployment. A Belgian-local profile (Proximus, Orange Belgium, Telenet) is effectively mandatory for non-eCall IoT. Budget as a separate IMSI on a multi-IMSI SIM or a Belgium-specific SKU.

2. Germany with public internet access. BNetzA's M2M exemption may not apply to passenger WiFi or interactive kiosks. A German-local profile with correct service classification is required.

For all other European deployments: the roaming premium is typically 20-40% above native rates —far less than the 50-70% seen in Africa. Below 100MB/month, the premium is absorbed by operational simplicity. Above 500MB/month —video surveillance, digital signage, bulk firmware updates —native-rate local profiles justify the added management complexity.

European Carrier Coverage: Who Has What

Operator	NB-IoT	LTE-M	Key Markets
----------	--------	-------	-------------
Deutsche Telekom	Full	Full	DE, AT, NL, PL, CZ, SK, HR, HU, GR, RO
Vodafone	Full	Full	UK, DE, IT, ES, NL, PT, IE, GR, RO, CZ
Orange	Full	Full	FR, ES, PL, BE, RO, SK, MD
Telefónica	Full	Selective	ES, DE, UK (O2)
Telenor	Full	Full	NO, SE, DK, FI

For pan-European coverage: a multi-IMSI SIM with Deutsche Telekom and Vodafone profiles covers 25+ markets. Add Orange for France, Spain, and Belgium at native rates. Three profiles cover effectively all of Europe.