
Inside the eSIM Challenge: Tech Gaps, Tight Margins & Rules

If you only look at the glossy keynote slides, eSIM feels inevitable: slimmer phones, instant activation, global roaming without queuing for plastic. And yes, we’re getting there—Apple’s eSIM-only iPhones in the U.S. started the domino effect, and Google’s Pixel 10 is following suit for U.S. models, a clear signal of the direction of travel. But talk to any operator, aggregator, or travel eSIM brand and you’ll hear a more complicated story: provisioning quirks, odd incompatibilities, margins squeezed by app-store fees and EU roaming caps, and a regulatory patchwork that can slow KYC to a crawl.


This is a reporter’s notebook view of the challenges—technical and commercial—behind the scenes of eSIM and Remote SIM Provisioning (RSP). It’s conversational, because that’s how these issues are actually debated in corridors and Slack threads. It’s also grounded in what the standards bodies and regulators are doing right now.

The technical tangle: provisioning isn’t “one click” yet

Under the hood, consumer eSIM rides on the GSMA’s RSP architecture (think: standards SGP.21/22 for consumer, with newer SGP.31/32 aimed at IoT scale). Two core back-end roles do the heavy lifting: the SM-DP+ (which hosts and delivers the profile) and the SM-DS (discovery service that helps devices find what to download). On paper, it’s beautifully modular. In practice, small misalignments in how profiles are created, tested and delivered can cause “it works on Phone X, not on Phone Y” headaches that look like user-experience failures but are really spec-interpretation differences. The GSMA has continued to iterate (e.g., SGP.22 v3.x) and is actively prodding the ecosystem to tighten profile testing because partial compliance is where many real-world failures hide.

What does “failure” look like? Sometimes: a profile that downloads but won’t enable VoLTE on a given firmware; other times: activation that times out because a device can’t reach discovery on a captive airport Wi-Fi; or an SM-DP+ expecting a capability the device doesn’t expose. None of this is dramatic, but at scale it means support tickets, refunds, and lost trust—especially for first-time travel eSIM users.

For IoT, the story diverges. The new SGP.31/32 (plus eIM, the IoT eSIM management spec) are designed to make cross-vendor deployments less brittle—“any eUICC should work with any compliant SM-DP+ / SM-DS” is the north star. But we’re still early: IoT adoption has lagged in part due to fragmented implementations and lifecycle management complexity. Translation: the standards are there, but multi-supplier interoperability still needs rigorous, continuous testing to feel plug-and-play for enterprises.

Interoperability: everybody says it, but not everyone passes the test

Interoperability isn’t just a GSMA buzzword—it’s the day-to-day determinant of whether a customer activation takes seconds or spirals into a support script. The GSMA has even published security and compliance guidance aimed at keeping SM-DP+ and friends aligned and certified, while industry coverage continues to highlight broader device-network compatibility gaps across VoLTE, 5G and eSIM. The subtext: operators and OEMs need structured, ongoing test programs together, not just a one-off certification.

SM-DP+ vendors (think Thales, G+D, IDEMIA, 1GLOBAL, etc.) spend a lot of time on profile tooling and test harnesses for exactly this reason—because the more permutations you can validate pre-launch, the fewer “why doesn’t it work on my model?” emails you’ll field after. It’s not glamorous, but it’s where customer experience is won.

Security and fraud: QR codes are convenient—and abusable

eSIM activation has made connectivity feel as simple as scanning a code, but QR makes a juicy target for “quishing.” Banks and regulators warned throughout 2024–2025 that malicious QR codes are rising, and security researchers continue to flag social engineering that ends with SIM-swap-style account takeovers. The fix isn’t to ditch QR altogether, but to harden flows (deep-link verification, device binding, secure in-app activation, and clear user education). Expect more providers to push app-based activation that never exposes a raw QR in an email or PDF.
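One way an app could implement the deep-link verification mentioned above, shown as an added example that is not from the original article or any provider's code: the payload from a QR scan or deep link is parsed and its SM-DP+ address checked against an allowlist before anything is handed to the device's provisioning flow. The field layout follows the SGP.22 activation code format (`LPA:1$address$matching-id`, with an optional OID and confirmation-code flag); the allowlist hosts, function name and sample payloads are constructed assumptions.

```python
import re

# Assumption: hosts this provider actually issues profiles from (constructed).
ALLOWED_SMDP_HOSTS = {"smdp.example.com", "rsp.example.net"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_MATCHING_ID = re.compile(r"[A-Z0-9-]+")


def vet_activation_code(payload, allowed_hosts=ALLOWED_SMDP_HOSTS):
    """Return (ok, detail): detail is the parsed fields on success, else a reason."""
    text = payload.strip()
    if text[:4].upper() != "LPA:":
        return False, "not an LPA activation code"
    fields = text[4:].split("$")
    # This example accepts the three leading fields plus the two optional ones.
    if not 3 <= len(fields) <= 5:
        return False, "unexpected field count"
    ac_format, host, matching_id = fields[0], fields[1].lower(), fields[2]
    if ac_format != "1":
        return False, "unsupported format version"
    # A bare FQDN only: no scheme, port, path, userinfo or trailing dot.
    if not _FQDN.fullmatch(host):
        return False, "SM-DP+ address is not a plain FQDN"
    # Exact match, so look-alike suffixes and unexpected subdomains are refused.
    if host not in allowed_hosts:
        return False, "SM-DP+ address not on allowlist"
    # Example policy: provider-issued codes must carry a non-empty matching ID.
    if not _MATCHING_ID.fullmatch(matching_id):
        return False, "malformed matching ID"
    cc_flag = fields[4] if len(fields) == 5 else ""
    if cc_flag not in ("", "1"):
        return False, "malformed confirmation-code flag"
    return True, {"smdp": host, "matching_id": matching_id,
                  "confirmation_code_required": cc_flag == "1"}


# Constructed sample payloads, as an app might receive from a QR scan or deep link.
SAMPLES = [
    "LPA:1$smdp.example.com$ABCD-1234-EFGH",
    "LPA:1$SMDP.EXAMPLE.COM$ABCD-1234-EFGH$$1",
    "LPA:1$smdp.example.com.lookalike.test$ABCD-1234-EFGH",
    "LPA:1$smdp.example.com@lookalike.test$ABCD-1234-EFGH",
    "https://lookalike.test/esim?code=ABCD",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", vet_activation_code(s))
```

A rejected payload is best logged with its reason and surfaced to the user as a refusal to install, since a code pointing at an unknown SM-DP+ is the signal worth alerting on.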

The business reality: distribution is where margins go to die

Let’s talk money. A travel eSIM has two primary cost centers most consumers never see:

  1. Wholesale and support. Profiles are cheap at scale but not free, and every failed activation incurs support costs. Add in refunds when coverage disappoints or VoLTE breaks on a given device, and the profitability of a €5 day pass degrades quickly.
  2. App-store tolls. If you sell inside iOS/Android apps using native billing, you face commissions that historically sat at 15–30% depending on program/tier. The rules have been shifting—particularly in the U.S. and EU, where regulators and courts forced Apple to open external payment links (with evolving fee structures), while Google continues with a tiered model (15% up to $1M, 30% beyond for digital goods). Bottom line: many eSIM brands steer new users to web checkout to protect margins, then let customers manage profiles in-app post-purchase. It’s not user-hostile—it’s survival.

There’s a second distribution war brewing: who “owns” the eSIM moment? Airlines, OTAs and even phone makers want it. Airlines love add-on ancillary revenue; OEMs can bake in frictionless device-to-device transfers and one-tap store listings; wallets and super-apps eye connectivity as a stickier utility. For independent travel eSIM providers, that means competing both on CAC (can you afford the traffic?) and on attach-rate partnerships where the margin splits get thinner.


Regulation: great for consumers, tough for “roamers”

Europe’s “Roam Like at Home” framework—extended to 2032—ensures retail roaming is charged at domestic rates (with fair-use rules). That protects travelers (good) but narrows the headroom for classic roaming arbitrage (tough for MNOs) and shapes how travel eSIMs price and source wholesale in the region. Wholesale caps for data drop to €1/GB by 2027; great for MVNOs and consumers, less fun for anyone relying on big roaming markups. The Commission’s 2025 reporting and BEREC guidance make clear: caps help competition, but they can pinch sustainability for open data bundles if traffic shifts materially.

Then there’s KYC/registration. Many countries require SIM registration, and eSIMs are no exception. That means eKYC flows, document checks, and sometimes local-number restrictions. For a traveler, it can feel arbitrary—“why did Provider A activate me instantly in Country X, while Provider B asked for a passport in Country Y?” For providers, it’s compliance engineering and cost. Expect stricter regimes in fraud-sensitive markets and faster electronic verification where regulators modernize.

The market context: growth, but not a straight line

eSIM is crossing the chasm. GSMA Intelligence tracks steady device and operator support; analyst shops like CCS Insight and ABI Research are projecting sharp growth through 2030, with travel eSIMs a large share of the action. That’s visible in the product landscape: operators launching their own travel eSIMs, OEMs doubling down on eSIM-only variants, and investor interest spiking across 2025. But growth doesn’t magically fix the unit economics or the provisioning snags; it magnifies them.

What “good” looks like in 2026 if you’re building an eSIM business

  • Relentless interoperability testing. Don’t just certify; re-test profiles across OS updates and OEM firmware. Track VoLTE/VoNR permutations by device family. Build (or buy) robust SM-DP+ test tooling and monitor activation telemetry in real time. GSMA’s security/compliance materials aren’t paperwork—they’re the playbook.
  • Own the checkout, streamline the app. Push first-purchase flows to the web where permissible, to avoid punitive commissions; keep the app for activation, transfers, and support. Revisit your approach frequently as Apple/Google policies (and EU DMA enforcement) continue to evolve.
  • Design for secure, QR-lite activations. Deep-link activation, device binding, and in-app provisioning reduce exposure to QR phishing. Educate users explicitly (pop-ups beat blog posts).
  • Price with wholesale reality—especially in Europe. Recognize EU cap glide-paths and fair-use rules; negotiate access that protects QoS/VoLTE where it matters for travelers.
  • Treat KYC as a product, not paperwork. Bake in fast, compliant eKYC only where required, with clear copy about why you’re asking. Maintain market-by-market playbooks; the rules change.


Conclusion: the winners won’t be the loudest—just the most disciplined

Comparing the field today, you can roughly split players into three camps:

  1. OEM-adjacent and platform-native (Apple, Google, and device-tight experiences): they win on frictionless setup and transfers, but won’t always give you the best cross-border economics. Pixel and iPhone moving to eSIM-only forces the ecosystem forward—and raises user expectations that every activation should be instant and invisible.
  2. Incumbent operators (Vodafone, Orange and peers): some are launching travel eSIMs and bundles to defend roaming revenue. Their strength is network control and VoLTE/VoNR quality; their challenge is moving with product speed while wholesale caps squeeze the upside.
  3. Independent travel eSIM brands and aggregators (Airalo, Holafly, Nomad, aloSIM, etc., plus SM-DP+ specialists behind the curtain): they thrive on UX, pricing, and partnerships (airlines, OTAs, super-apps). Their risk is margin erosion via app-store fees and support costs if provisioning falters in peak travel season. The smart ones will double down on interoperability testing, own their billing stack, and pick partners who can guarantee VoLTE on the devices their customers actually carry.

The macro trend is not in doubt: eSIM is becoming the default. GSMA and analysts agree adoption will climb sharply through the end of the decade, propelled by eSIM-only devices and the convenience travelers now expect. But in a market where regulation compresses roaming upside and app ecosystems still tax digital goods, the durable advantage isn’t a catchy brand or a giant ad budget—it’s operations: bulletproof provisioning, disciplined distribution, and compliance that doesn’t feel like friction.

If you’re building in this space, the play is clear: engineer away the edge cases, reduce your dependency on channels that skim your margin, and meet regulators halfway with transparent, fast eKYC. Do that, and you’ll look—quietly—like the most premium connectivity experience in the market, even if you never shout about it.


Driven by wanderlust and a passion for tech, Sandra is the creative force behind Alertify. Love for exploration and discovery is what sparked the idea for Alertify, a product that likely combines Sandra’s technological expertise with the desire to simplify or enhance travel experiences in some way.