What is Layer 2 cellular and how is it different from a basic carrier SIM?

A basic carrier SIM gives you a Layer-3 (IP-routed) connection — the carrier handles addressing, NAT and often deep packet inspection, and your device sits behind a dynamic public or CGNAT IP. Simsy operates at Layer 2 (Data-Link): the carrier becomes a transparent transport for Ethernet-like frames between the device and your datacentre. Your private IP scheme extends across the cellular link, and your firewall, routing and QoS policy apply end-to-end. The carrier does not route or modify traffic above the link layer.

Why does fixed private IP matter for fire and intruder alarm monitoring?

Alarm Receiving Centres (ARCs) need to poll panels at known addresses and to receive inbound connections that pass certification probes. A basic SIM puts the panel behind carrier NAT with a rotating dynamic IP — the ARC cannot whitelist it, cannot reach it inbound, and cannot rely on consistent poll latency. Simsy gives each SIM a fixed private IP on your plan, so the ARC always knows where to reach the panel and EN 50136 Grade 3+ becomes achievable on cellular without fibre redundancy cost.

Does Simsy work for CCTV with PTZ control and VMS dial-back?

Yes. The Video Management System (VMS) pins each camera at its fixed private IP and the camera list never goes stale. Layer 2 transparency means H.264 / H.265 RTSP streams pass through unmangled — no carrier transcoding, no QoS deprioritisation. Because the SIM sits on your private network rather than behind CGNAT, the VMS can dial back into the camera for live view and PTZ. Round-trip on PTZ commands typically stays under 200ms on a healthy radio.

Is Simsy suitable for UK government and public-sector deployments?

Yes. Traffic terminates on the customer’s government VPN endpoint rather than the carrier’s public gateway — there is no deep packet inspection and the carrier is transport-only at Layer 2. Devices appear as nodes on your existing internal network with fixed private addressing, so firewall and IDS whitelisting works exactly as it does on copper. This is suitable for data-handling regimes where commercial public-internet routing is disallowed, and it is useful for resilient mobile comms when copper or fibre is unavailable.

Managed Cellular Connectivity

Simsy Private Mobile Data Services

A secure, private cellular network for connected infrastructure — built for automation, cyber security and regulatory compliance.

Constructive-IT delivers Simsy as a managed service for UK organisations operating connected estates — from smart buildings and EV charging to industrial automation and digital signage.

Private cellular connectivity — no public internet exposure for managed devices
Zero-touch provisioning — devices configure themselves at boot from the network
Real-time monitoring across the entire estate, with automated alerting
Built-in compliance evidence for NIS2, CRA, PSTI and the UK CSR Bill
Multi-network coverage across ~600 carriers in 140+ countries
OT / IT segregation enforced at the cellular layer, not by site firewalls

~600

Networks

140+

Countries

2G / 3G / 4G

NB-IoT, LTE-M

Get a Simsy Quote How it Works

What Simsy Is

A managed private mobile network — not resold carrier SIMs

Simsy combines device and connectivity management into a single interface, automating the manual processes that make connected estates expensive, fragile and hard to secure. Because the platform operates its own cloud-native mobile core, it reaches further than hardware-only device managers.

Devices are managed through the private cellular network with no public internet exposure. Configuration is delivered from the network at boot rather than pushed from a cloud platform. Compliance evidence is generated as a natural byproduct of normal operation — when the auditor asks, the evidence already exists.

Talk to our Simsy team

Constructive-IT engineer commissioning a Simsy private mobile network rack

Why Simsy is Different

Network intelligence meets device management

A device platform that does not control the network can only ever do what the device tells it. Simsy operates the cellular core — which is what makes everything else possible.

Architecture

Cloud-native mobile core

An advanced mobile core built on virtualised cloud principles. Constructive-IT delivers Simsy as a partner — controlling the network layer is what makes the rest possible. This is not resold carrier connectivity.

Security

No public internet exposure

Devices are not reachable from the public internet. Data does not transit it. Device management happens through the private cellular network. There is no public cloud portal for attackers to target.

Reach

Global carrier network

Multiple carriers across more than 140 countries, providing access to approximately 600 networks worldwide. Multi-network failover with 2G, 3G, 4G, NB-IoT and LTE-M.

How it Works

Network identity, not credentials

Every Simsy SIM has a network identity. When a device makes a request to the Simsy Edge API over its cellular connection, the network intercepts the request, identifies the calling SIM session and returns data scoped only to that device. The SIM session is the authentication — no tokens, no API keys, no complex provisioning.

At boot, a device retrieves

Identity — ICCID, IMSI, endpoint ID, group
Context — IP, country, operator, radio access type
Config — broker URL, site name, reporting interval, service tokens

LAN device discovery

Plug into a Simsy router LAN port — detected within 60 seconds
MAC address read from ARP, vendor identified
Device type classified, default credential alerts

Network-native data collection

MQTT, HTTP, SNMP, Modbus over IP intercepted at the network
Industrial telemetry parsed without an agent
Telemetry redirected by routing policy, not device config

Multi-APN segregation

One SIM, multiple independent data sessions
Different APNs, IPs and routing policies in parallel
OT and IT cannot reach each other by design

Real-time monitoring of a Simsy connected estate from a Constructive-IT operations centre

Five Capabilities

What changes when you operate on Simsy

Five capabilities work together to take cost, fragility and security risk out of your connected estate — and to deliver compliance evidence as a byproduct rather than as a separate project.

Zero Touch Provisioning

Devices configure themselves from the network at boot. Hardened settings, unique credentials and network enrollment are applied automatically. One firmware image serves any fleet size.

Real-time Monitoring

Network-level visibility across every connected device. Status, health and data usage telemetry. Network-triggered alerts notify your team the moment something changes — even when a device is silent.

Automated Support

Level 1 support in seconds, 24/7, triggered directly from network monitoring. Self-serve session access, in-network packet capture, automated carrier failover and remote firmware updates.

Device Security

Default-deny architecture from the moment a SIM connects. No public internet exposure of management surfaces. Unique per-device credentials. URL locking and IP whitelisting enforced at the network layer.

Compliance Reporting

Every provisioning event, configuration change and access event logged automatically. Live device inventory and configuration history available on demand. Evidence the regulator asks for, already in place.

Use Cases

Managed connectivity for every connected estate

The same platform underpins very different deployments because the architectural advantages translate across sectors. The headline differs, the architecture does not.

Smart building running on Simsy private mobile data, supplied and supported by Constructive-IT

Smart Buildings

Building systems isolated from corporate IT. Centralised management across estates of buildings with a single interface and standard hardware integrations.

EV Charging

Resilient cellular backhaul, payment isolation via multi-APN, fleet-wide monitoring and remote diagnostics. Multi-network failover keeps chargers online.

Industrial Automation

Network segmentation for IEC 62443 zones and conduits. OT and IT segregation enforced at the cellular layer, with default-deny east-west traffic and Modbus / SNMP capture at the network.

Digital Signage

Multi-network failover, network isolation and remote management to keep screens online and secure. Public internet exposure eliminated; CMS access via private cellular only.

Edge AI & IoT

Programmable connectivity for automation pipelines. Edge API and network-native telemetry. Cellular Private LAN between nodes with zero-touch device identity at boot.

Robotics

Multi-network failover for always-on operation. Real-time monitoring and remote diagnostics. Per-robot identity, telemetry and private cellular LAN for fleet coordination.

What's Included

Everything you need from one Simsy service

Constructive-IT delivers Simsy as a managed service — connectivity, devices, configuration, monitoring and audit trail all under a single interface, with our engineering team commissioning and supporting the rollout.

Managed SIMs and eSIMs

Physical SIMs, eSIMs or over-the-air provisioning. Each SIM carries a network identity used as authentication, removing tokens and complex per-device credentials.

Multi-Network Global Coverage

Approximately 600 networks across 140+ countries. Multi-network failover with 2G, 3G, 4G, NB-IoT and LTE-M support so devices stay online wherever they are deployed.

Unified Management Portal

Connectivity and device management in a single interface — provisioning, monitoring, alerts, remote access, diagnostics and audit trail. No separate hardware portal.

Multi-APN Segregation

A single SIM can maintain multiple independent data sessions with different APNs, IPs and routing policies. Traffic classes are isolated at the cellular layer, not by firewall rules.

Cellular Private LAN

SIM-to-SIM private networking in a configurable private IP space. Default-deny external traffic. Scales from a handful of devices to enterprise fleets without VPNs or fixed IPs.

Edge API and LAN Discovery

Devices retrieve identity, context and configuration from the network at boot. Anything plugged into a cellular router LAN port is detected within 60 seconds and recorded — no agents required.

Network-Native Telemetry

MQTT, industrial telemetry, HTTP, SNMP and Modbus over IP captured and redirected at the network layer. Telemetry without installing software on the monitored devices.

Audit and Compliance Evidence

Every event logged automatically. Device inventory exposed via API. Configuration history always available. Mappings to CRA, NIS2, UK PSTI and the UK Cyber Security and Resilience Bill.

Cellular routers and edge devices commissioned for a Simsy deployment

Hardware Ecosystem

Works with leading cellular hardware — and any device with a cellular interface

Simsy is pre-integrated with the major cellular hardware platforms used across UK industrial and enterprise deployments — InHand, Teltonika, Robustel, Raspberry Pi, NVIDIA, Rockchip and more. Routers, USB modems, M.2 modules, PCIe cards, hat modules, edge compute platforms and embedded modems all manage through the same interface.

For everything else, the platform extends to any device with a cellular interface through the Edge API. Constructive-IT will recommend the hardware that fits your deployment and commission it on site.

Compliance

Compliance as a consequence, not a project

Connected device regulations are tightening across the EU and UK, and the deadlines are imminent. Because Simsy already secures, monitors and logs everything by default, the evidence regulators ask for is generated as a natural byproduct of normal operation.

Connected estate management with full audit trail for NIS2, CRA and PSTI

2.5%

CRA max fine

of global turnover

£17M

UK CSR Bill

or 4% of turnover

Sept 2026

CRA reporting

obligations begin

24 hrs

CRA early warning

on active vulnerabilities

EU Cyber Resilience Act (CRA)

Mandatory cybersecurity requirements for products with digital elements. Reporting obligations begin September 2026. Fines up to 2.5% of global turnover.

NIS2 Directive

Critical infrastructure cyber resilience across the EU. Expanded scope and tougher penalties than NIS1.

UK PSTI Act

Baseline security requirements for consumer-connected products. Default password ban and disclosure policy.

UK Cyber Security and Resilience Bill

Expected to expand UK cyber-resilience scope. Fines up to £17M or 4% of turnover.

ETSI EN 303 645 / IEC 62443

Baseline standards for IoT and industrial automation cybersecurity. Underpin UK PSTI and inform CRA harmonised standards.

Getting Started

From conversation to connected, in days

The platform is designed to be self-serve from the first SIM, and the same tooling that runs a pilot also runs production. Constructive-IT manages the rollout end to end.

Talk to us

We help you assess your requirement and determine the right connectivity and hardware approach for your deployment.

Register & configure

We register your devices on the Simsy platform and define configuration policies, security settings and provisioning rules.

Deploy connectivity

Deploy via physical SIM, eSIM or over-the-air provisioning. Devices connect and pull configuration automatically.

Monitor & manage

Real-time visibility, remote access, automated alerting and compliance evidence — all available from day one.

Industry Use Cases

Where Layer 2 + private IP control changes the deployment

A basic carrier SIM is Layer-3 IP-routed: the carrier handles addressing, applies NAT and often DPI, and the device sits behind a dynamic public or CGNAT IP. Simsy operates at Layer 2 — the carrier is transparent transport, your private IP plan extends over the cellular link, and every SIM has a fixed private IP your firewall, IDS, ARC or VMS can pin.

Government & Public Sector

Public-sector deployments — border posts, emergency comms, mobile command vehicles, ANPR, environmental sensors — need data sovereignty, auditable trails and integration with existing classified networks. A basic carrier SIM exposes that traffic to a commercial carrier’s general internet path, with carrier-side NAT and DPI sitting between the device and HQ.

Why Layer 2 + private IP changes it

Traffic terminates on YOUR government VPN endpoint, not the carrier’s public gateway. No DPI, no traffic broker — the carrier is transport-only at Layer 2.
Devices appear as nodes on your existing internal network with fixed addressing, so firewall and IDS whitelisting works exactly as it does on copper.
Meets data-handling rules where commercial public-internet routing is disallowed; usable as resilient mobile comms when copper or fibre is cut or unavailable.

"An emergency response unit deployed to a remote site has a Simsy SIM in its mobile router. The unit’s tablets join 10.20.0.0/24 — the same subnet as HQ. SOC sees them as internal devices. Active Directory auth works. Encrypted radio comms tunnel through the same link. No commercial-internet hop, no IP rotation, no captive portal."

Discuss your deployment

Fire System & Alarm Monitoring

Fire panels and intruder alarms communicate with Alarm Receiving Centres over a primary IP path plus a backup. Basic-SIM backup fails ARC certification: carrier NAT makes inbound polling impossible, dynamic IPs break the ARC’s whitelist, and carrier-side congestion degrades EN 50136 grade compliance during the exact incidents the backup exists for.

Why Layer 2 + private IP changes it

Fixed private IP per SIM means the ARC’s polling probes always know exactly where to reach the panel — the address never rotates.
Layer 2 transparency passes Contact ID over IP, SIA and Resitel unmangled. No carrier MITM, no protocol-class deprioritisation.
Failover from primary IP to the Simsy SIM is instantaneous — the panel does not have to renegotiate identity. EN 50136 Grade 3+ becomes achievable on cellular without fibre redundancy cost.

"A 200-site retail chain’s fire panels each carry a Simsy SIM as their ATP backup. Each panel has a fixed 10.50.x.x address visible to the ARC’s monitoring server. The ARC polls every 90 seconds; if primary fibre fails, the ARC sees zero downtime because the SIM keeps the same poll target alive."

Discuss your deployment

CCTV & Video Surveillance

Cellular CCTV — construction sites, mobile cameras, rural sites — needs sustained upload bandwidth, low jitter and fixed addressing so the VMS can dial back into the camera for live view and PTZ. Basic SIMs fail on all three: bandwidth deprioritised behind other carrier traffic, NAT prevents VMS→camera inbound, dynamic IP breaks the VMS’s camera list.

Why Layer 2 + private IP changes it

SIM gets a fixed private IP that the VMS pins; the camera list never goes stale. Failed connections retry against the same IP, not a roulette of NAT translations.
Layer 2 transparency means H.264 / H.265 RTSP streams pass through with native pacing — no carrier transcoding, no QoS deprio for the "video" traffic class.
Inbound VMS→camera connections work because the SIM is on your private network, not behind CGNAT. PTZ control round-trip stays sub-200ms on a healthy radio.

"A construction site has 16 mobile PTZ cameras on Simsy SIMs. Each camera reports to the on-prem Milestone VMS at fixed addresses. PTZ commands from the operator’s console reach the camera in under 200ms. RTSP keepalive sessions persist for days. Operators can dial in from the VMS to any camera without reverse-tunnel infrastructure."

Discuss your deployment

Ready to put your connected estate on a private mobile network?

Talk to Constructive-IT about Simsy. We will assess your requirement, recommend the hardware and deliver a managed pilot — typically live within days, not months.

Get a Simsy Quote