Permanent roaming for IoT: a regulatory issue finally resolved?

One of the major challenges for deploying multi-country cellular-based IoT connectivity has been the restrictions placed by regulators and host operators on the use of permanent roaming. In this article, Matt Hatton, the founding partner of Transforma Insights, explores the current status of permanent roaming, the recent strides made by IoT connectivity providers to deliver compliant services, the impact of the shift from roaming to eSIM localisation, and the continuing challenges in the space.

Permanent roaming: the constant challenge A recent Transforma Insights report ‘Regulatory landscape for the Internet of Things’ analysed the various regulations that affect deployments of the Internet of Things and the associated provision of connectivity, device functionality, and management of data, as well as regulatory drivers and barriers to IoT adoption, as illustrated in Figure 1.

One particularly relevant set of regulations for supporting IoT relates to ‘extra-territorial use of E.164 numbers’ (which is generally referred to as ‘permanent roaming’). Many, perhaps most, IoT deployments using cellular connectivity involve

connecting devices in multiple countries. Many have specific rules about how that connectivity is supported, in particular whether cellular connected devices could exist in a state of permanent roaming, i.e. whether a device that is connected by a connectivity provider that is not licensed in the territory could use its roaming agreements with local licensed operators to support a connection that was not simply temporarily roaming but would be present on a permanent basis in that country.

During the 2010s, many regulators, for instance in Brazil, China, India and Turkey, introduced, or more rigorously enforced, rules that prohibited permanent roaming. Sometimes the rules were explicitly against permanent roaming and in other cases were based on local registration requirements or tax obligations. The regulators are often motivated to protect the local market and enforce local rules with which a roaming connection may not comply, such as lawful intercept. Besides this, roaming was never envisaged to include a foreign device permanently being in a state of roaming.

Measures to restrict permanent roaming can come in various guides, for instance related to licensing, taxation, rules on management of eSIM localisation, or know your customer (KYC) rules, all of which can act to effectively prohibit the practice. In many cases, the issue relates to licensing, i.e. the company providing the services needs to be a locally licensed legal entity in the country.

Limitations on permanent roaming are not solely the preserve of regulators. There were also commercial equivalents, particularly in the US and Canada, where the operators themselves in some cases prohibited their roaming partners from having devices permanently roaming on their networks.

Figure 2 presents a summary of some of the rules. We should add the caveat that the rules do change often and there are often exceptions whereby permanent roaming is permitted despite seemingly explicit restrictions to the contrary.

Problem solved?

The limitations on permanent roaming have caused some headaches. Historically, roaming was the main – and certainly the simplest – mechanism used by MNOs and MVNOs to support connections across multiple territories. However, over the last decade IoT connectivity providers have made great strides in addressing the challenge.

In July 2024, Transforma Insights published its annual ‘Communications Service Provider (CSP) IoT Peer Benchmarking report’2 which analyses the capabilities and strategies of 25 of the world’s leading IoT connectivity providers. As part of that research, we assess the ability of the companies to provide compliant connectivity around the world. Specifically this year, we asked each of the CSPs about their approach to addressing connectivity in each of six countries/regions (Brazil, China, EU, India, Turkey, US) for permanently located devices. In Figure 3, we provide a summary of the approach of the 25 CSPs profiled.

The general trend is that CSPs have largely resolved the challenges in the most relevant countries. Compliant connectivity in the EU and US is more or less universal. Brazil, which has historically been the market most commonly quoted as being a challenging market, is now very well addressed by almost all CSPs. China continues to represent a few challenges, but where CSPs wish to address it there are commercial mechanisms for working with Chinese MNOs to support compliant connectivity.

But it’s not all plain sailing. The compliance situation in India is in flux with ongoing changes to requirements related to eSIM localisation; as a result it’s very hard to identify which CSP offerings are currently compliant or will be in the near future. The current strict rules about localisation within Turkey are also causing significant friction, with many providers unable to support connectivity in that country other than through the use of local SIMs. There are suggestions that the regulatory environment there might need to adapt to be rather less onerous on non-Turkish operators.

It is important to note that in almost all cases, the CSPs concerned would be in a position to negotiate and implement fully compliant solutions for specific clients regardless of current capability. The aim of Figure 3 is to illustrate the current state of the off-the-shelf offerings of the various players.

eSIM: a universal panacea?

Perhaps the most significant mechanism used for supporting compliance with permanent roaming rules is through the increasing use of some form of SIM localisation, so moving away from relying on roaming using a foreign international mobile subscriber identity (IMSI) to the use of a local IMSI (as part of a multi-IMSI offering) or switching of the eSIM profile to that of a local operator. In the last few years, the technology landscape related to eSIM has changed dramatically and we anticipate an ongoing impact on how global connectivity is delivered. To date there have been three main standards unveiled for remote SIM provisioning (RSP). Each of the three standards established slightly different mechanisms for the user or owner of a device to change the SIM profile while the device is deployed in the field.

Transforma Insights has explored in detail the capabilities and implications of the three standards in great detail, including in the June 2024 Position Paper ‘Key considerations for Enterprises looking to adopt SGP.32’. In summary, the SGP.02 (or M2M) standard was introduced in 2014. This was a ‘push’ model, whereby the donor and recipient network providers would act together to replace the SIM credentials on the device. The challenge with SGP.02 is that it requires cooperation between the subscription management infrastructure of the donor and the recipient networks to perform the hand-over. This was followed in 2016 by the SGP.22 (Consumer) standard where the end user can, via direct intervention using the device user interface (UI), ‘pull’ a new profile from a chosen provider down to the device. The limitation here was the need for an advanced UI as well as user intervention, neither of which are typically available on any IoT device. The SGP.32 (IoT) third variant, unveiled in 2023, was aimed at resolving some of the limitations of the earlier versions. It effectively amended the SGP.22 technology to allow for remote management. Compliant devices can be expected in 2025. In addition, several connectivity providers have developed variants on SGP.22 that place an agent on the device, removing the requirement for user intervention; these approaches effectively work in the same way as SGP.32, although with some element of proprietary technology.

While the new remote SIM provisioning technology might be well-defined, what is not yet entirely clear is what commercial models will prevail to make use of the new technology. What is completely clear, based on the research that Transforma Insights has done for the aforementioned CSP IoT Peer Benchmarking, is that the view from the CSPs is that they are willing, and in many cases keen, to work with the technology.

The big change, in the context of addressing permanent roaming, is that SGP.32 (and to a lesser extent variants on SGP.22) allow for much easier recredentialling of SIMs to a local profile. Local, compliant, profiles are relatively easily swapped in. However, we should add a caveat or two here. Most pertinently there is still a requirement to establish a commercial relationship with the network onto which the connection will be transferred. Some enterprise customers may well have these in some circumstances, which accounts for the increasing relevance of bring-your-own connectivity (BYOC) offerings. However, in most cases enterprises will still have requirements for someone to negotiate commercial relationships with appropriate network operators for connectivity and ideally act as a single point of contact. And, furthermore, simply switching between networks is not the only consideration, there is a further requirement to orchestrate data f lows and back-end processes to ensure a seamless transition between carriers. Simply put, the provision of compliant cellular-based IoT connectivity will need to be delivered as a managed service, albeit one where much of the friction of localisation and compliance is removed.

Article by Matt Hatton, a founding partner at Transforma Insight

Comment on this article via X: @IoTNow_