GSMA IoT SAFE: Reduce IoT SIM Security Deployment Costs by 30% with Embedded Identity

June 12, 2026 · 5 min read · Technical Whitepapers

GSMA IoT SAFE cuts per-device security provisioning cost by 30% by eliminating separate secure elements. Procurement must verify eSIM compatibility and CMP platform support for over-the-air credential management.

Deploying GSMA IoT SAFE-compliant SIMs reduces per-device security provisioning costs by 30%, because the SIM itself becomes the root of trust, eliminating dedicated secure elements or HSM integration at scale. For a 50,000-unit deployment, this saves €18,750–€37,500 in hardware and logistics over three years.

WHY IT MATTERS

Before IoT SAFE, each IoT device required a separate hardware secure element (TPM or eSE) costing €1.20–€2.80 per unit, plus manual credential injection at contract signing, adding €0.50–€1.00 per device in labor. The operational boundary has changed: the security identity is now embedded in the IoT SIM card itself and provisioned over-the-air via a CMP platform using RESTful M2M APIs. This eliminates the need for physical secure element procurement and reduces the Bill of Materials (BOM) by 30–50% for devices with connectivity requirements.

TYPICAL APPLICATIONS

Three deployment contexts that directly map to procurement paths:

- **Connected vehicles (telematics units)**: An eSIM for IoT with GSMA IoT SAFE enables remote credential updates without a vehicle recall. Carrier evaluation must confirm that the eSIM profile supports the SAFE applet. CMP platform integration via the IoT SIM API handles key rotation.

- **Smart meters (gas, water, electricity)**: A global IoT SIM with a certified SAFE applet reduces per-unit hardware cost by €0.80–€1.20, which is crucial for high-volume projects. Catalog pricing covers the standard eSIM; a project quote is required when a custom certificate authority (CA) is mandated by local utility regulation.

- **Industrial sensors (asset tracking, environmental monitoring)**: An M2M SIM with IoT SAFE allows zero-touch provisioning across multiple carrier networks. The procurement decision hinges on whether the CMP platform supports SAFE credential lifecycle management (create, rotate, revoke) via its API.

TECHNICAL SPECIFICATION / COMPARISON TABLE

| Dimension | Traditional HSM/TPM | GSMA IoT SAFE (eSIM) | Business Impact |
|---|---|---|---|
| Trust anchor location | External chip (TPM, eSE) | Inside the SIM (UICC) | Eliminates €0.90–€2.10 component cost per device |
| Credential provisioning | On-device injection (factory) | Over-the-air via CMP API | Reduces logistics lead time from 14 days to <1 hour |
| Key generation | On-chip or external HSM | On-SIM (within secure applet) | No need for pre-loaded certificates; lowers inventory risk |
| Over-the-air update support | Often requires custom firmware | Standardized GSMA SAS-UP profile | Simplifies carrier certification; reduces compliance cost by ~15% |
| Certification level | Varies (FIPS 140-2, Common Criteria) | GSMA SAS-UP certified (EAL4+) | Meets EU Cybersecurity Act requirements for many IoT use cases |

SELECTION NOTES

When deployment volume is fewer than 5,000 units and no carrier-specific SAFE applet is required (i.e., the standard GSMA SAS-UP profile suffices), catalog pricing for a standard eSIM for IoT with SAFE capability is sufficient. The IoT SIM card quote from your supplier should include a line item for the SAFE applet activation, typically €0.05–€0.15 per SIM per month.

A project quote is mandatory when any of the following conditions apply:

- The device needs a custom certificate authority not pre-certified by the carrier.
- The deployment spans more than two MNOs, each requiring separate SAFE applet versions.
- The CMP platform must be custom-integrated with an existing PKI via the IoT SIM API.

In those cases, procurement must engage supplier engineering teams for scoping, which adds 4–6 weeks to the timeline.

COST MODEL / TCO

- Hardware per unit (BOM reduction): Traditional €1.80 (secure element + SIM) vs IoT SAFE €0.90 (eSIM with integrated trust).
- Connectivity per month: identical (€0.30–€0.80 depending on region and volume).
- CMP platform cost: €0.08–€0.12 per SIM per year (standard API usage).
- Installation labor: traditional requires secure element mounting (€0.40/device); IoT SAFE eliminates this (€0.00).
- Maintenance/rekey: traditional €0.20/device/year (physical or manual); IoT SAFE €0.05/device/year (automated over-the-air).

Three-year total for 50,000 devices:

- Traditional = €120,000 + €54,000 + €6,000 + €20,000 + €10,000 = €210,000
- IoT SAFE = €45,000 + €54,000 + €6,000 + €0 + €2,500 = €107,500

Savings: €102,500 (49% reduction). Payback is realized in month 14 of deployment.
