Here’s the thing most people outside telecom don’t realise: eSIM didn’t just change how we buy connectivity. It quietly changed how identity moves across networks. And right now, that layer is far less secure than the industry likes to admit.

That’s exactly where Fior Group is trying to step in.

A missing layer in the eSIM stack

Fior Group has announced the general availability of its eSIM Identity Verification Layer, positioned as a security overlay for the GSMA eSIM Open Gateway. On paper, that sounds incremental. In practice, it targets one of the more uncomfortable gaps in the current eSIM architecture.

The GSMA standard does a solid job of handling transport security. TLS encryption is there. The pipes are protected. But what it doesn’t do is verify who is actually on the other end at the application layer.

In simple terms: if a device can complete a TLS handshake, it can present itself as something it’s not. There’s no built-in cryptographic proof tying identity to the device or the provisioning server.

That’s not a theoretical issue anymore.

SIM swap fraud surged 1,055% in the UK in 2025, and globally, telecom fraud continues to scale. The U.S. Federal Trade Commission reported $12.5 billion lost to fraud in 2024, much of it tied to phone-based attacks. Industry-wide losses are estimated at $45 billion annually.

eSIM was supposed to simplify connectivity. But it also expanded the attack surface.

Where Fior fits in

Fior’s approach is quite surgical. Instead of changing the GSMA protocol or requiring new hardware, the company inserts itself at the SM-DP+ API layer. That’s the point where eSIM profiles are provisioned to devices.

So rather than rebuilding the system, it wraps it.

The idea is to add application-layer identity attestation on top of the existing provisioning flow. Every device, every server, every session gets cryptographically verified.

That includes:

• Binding the eSIM profile directly to the device’s secure hardware (TPM or Secure Enclave)
• Mutual authentication between the device and the SM-DP+ server
• Nonce-based session protection to prevent replay attacks
• Digitally signed eSIM profiles to detect tampering
• Offline verification capabilities in under 5 milliseconds
• A cryptographic audit trail for compliance and forensics

From a technical perspective, this is less about adding features and more about closing a structural gap.

Why this matters now

The timing isn’t accidental.

We’re moving into a phase where eSIM is no longer just a travel product. It’s becoming infrastructure. It sits inside IoT deployments, enterprise mobility stacks, embedded finance experiences, and even AI-driven systems.

And identity becomes critical the moment connectivity is no longer tied to a physical SIM card.

The GSMA’s Open Gateway initiative and CAMARA APIs are pushing telecom toward programmable networks. That’s powerful. But it also means identity is increasingly exposed across APIs, partners, and external systems.

Fior is clearly aligning with that shift. Its identity layer integrates with CAMARA-based services like SIM Swap Detection, Number Verification, and Device Status to create something closer to end-to-end identity protection.

Not just at provisioning. Across the lifecycle.

The business angle carriers will care about

This isn’t just a security story. It’s also a monetisation play.

Fior is effectively proposing a new product category: “Verified Identity eSIM.”

For carriers, that comes with a few immediate implications:

• No protocol changes required. It’s a drop-in layer.
• Minimal latency impact. Under 5 milliseconds per provisioning event.
• Full coverage across all provisioned devices.
• Alignment with regulatory frameworks like eIDAS 2.0 and the EU Digital Identity Wallet.

That last point is important. Europe is moving toward stronger digital identity frameworks, and telecom is expected to play a role. Operators that can prove identity integrity at the network level will have an advantage.

What Fior is actually saying

Speaking at Mobile World Live, founder David Williams put it quite directly:

“The GSMA eSIM Open Gateway is a transformative standard for the carrier ecosystem, but it was rightly designed for interoperability, not identity verification. Fior completes the picture by adding the cryptographic proof that every device is who it claims to be, every server is who it claims to be, and every provisioning event is secure, immutable and auditable.”

It’s a sharp positioning move. They’re not competing with the GSMA. They’re completing it.

Where this sits in the broader market

Fior isn’t alone in pushing identity deeper into telecom.

Players like 1GLOBAL, BICS, and Orange Business are already building infrastructure layers around connectivity, APIs, and enterprise services. Meanwhile, CAMARA itself is trying to standardise identity-related APIs across operators.

But most of these efforts focus on network-level signals. SIM swap detection. Number verification. Device status.

What Fior is doing is slightly different. It’s anchoring identity inside the provisioning process itself, tied to hardware-level trust.

That puts it closer to security infrastructure than traditional telecom services.

And that’s where the trend is heading.

As connectivity becomes embedded into products, platforms, and services, identity can’t remain an assumption. It has to be provable.

Conclusion

The uncomfortable truth is that eSIM solved distribution faster than it solved identity.

The industry is optimised for scale, interoperability, and user experience. Security, particularly at the identity layer, lagged behind. That’s not unusual. It happens in every technology cycle.

What’s different now is the context.

With fraud numbers climbing, regulators tightening requirements, and telecom APIs opening up to external ecosystems, identity is no longer a backend concern. It’s becoming a core part of the product.

Fior’s move is a signal of where things are going next.

No more data plans. Not better pricing.

But verifiable, cryptographic identity is part of connectivity itself.

And if that becomes the new baseline, then “secure eSIM” won’t be a premium feature. It will be the expectation.