India Introduces SIM-Binding Regulation for WhatsApp, Telegram and Others

India is preparing to implement a major telecom cybersecurity reform that will require messaging apps to function only when the registered Subscriber Identity Module (SIM) card is physically present in the user’s primary device.

The directive, issued on November 28 by the Department of Telecommunications (DoT), provided companies with a 90-day compliance window ending February 28. The rule is therefore expected to come into force on March 1.

Major platforms impacted by the order include WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai and Josh.

Regulatory Context

The instructions were released by the DoT’s AI & Digital Intelligence Unit, which has been granted enhanced authority to oversee Telecommunication Identity User Entities (TIUEs) — digital services that rely on mobile numbers as a core identity marker.

Officials have warned that failure to comply could lead to legal consequences under the Telecom Cyber Security Rules, the Telecommunications Act of 2023 and other relevant statutory provisions.

Communications Minister Jyotiraditya Scindia addressed the issue at Rising Bharat Summit 2026, stating:

“The SIM-binding regulation stands and we hope all service providers will come on board,”

He further described the reform as a “need of the day.”

What the SIM-Binding Directive Requires

Under the updated telecom security framework, messaging platforms must meet several core conditions:

• Services must operate only if the registered SIM card is inserted in the primary mobile device.

• If the registered SIM is removed, replaced or deactivated, the application must stop functioning.

• Web-based instances, such as desktop or browser versions, must automatically log out every six hours unless the SIM remains active in the linked device.

The six-hour auto-logout rule applies specifically to web sessions, not to the main mobile app where the SIM is installed.

Authorities have clarified that users traveling domestically or abroad will not be affected, provided the SIM remains active in their device.

Understanding SIM-Binding

Existing Verification Model

Currently, most messaging apps authenticate users by sending a one-time password (OTP) to the registered mobile number during installation. Once verified, the app continues to function even if:

• The SIM is removed

• The SIM is swapped

• The SIM is deactivated

Similarly, web access is typically enabled through OTP or QR code verification, allowing accounts to remain active without the SIM being physically present.

What Will Change

The new framework aims to close this gap. Under SIM-binding:

• The application will only remain operational if the original registered SIM stays in the device.

• Removing the SIM will automatically disable service access.

• Web sessions must expire within six hours and require fresh authentication.

The official notification explained:

“DoT’s SIM-binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large-scale, often cross-border, digital frauds. Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote digital arrest frauds and government-impersonation calls using Indian numbers,”

It further stated:

“With cyber-fraud losses exceeding ₹22,800 crore in 2024 alone, these uniform, enforceable directions under the Telecom Cyber Security Rules are a proportionate measure to prevent misuse of telecom identifiers, ensure traceability, and protect the trust of citizens in India’s digital ecosystem,”

Government’s Rationale

Addressing Digital Fraud

Authorities argue that prolonged web or desktop sessions make it easier for fraudsters to control accounts remotely, sometimes from outside India, without needing physical access to the SIM.

Such loopholes have reportedly enabled:

• Anonymous scam networks

• So-called digital arrest frauds

• Impersonation of government officials

• Phishing and fraudulent investment schemes

Mandatory SIM-device linkage and recurring authentication are intended to restore accountability by tying active accounts to Know Your Customer (KYC)-verified SIM records.

Broader Cybersecurity Framework

The directive follows the Telecommunications (Telecom Cyber Security) Rules notified in November 2024. These regulations require telecom operators to:

• Report security incidents within 24 hours

• Implement robust cybersecurity mechanisms

• Appoint a Chief Telecommunication Security Officer

The amendments also empower authorities to access non-content and traffic-related data for cybersecurity oversight.

Industry Reaction and Legal Pushback

Reports indicate that Meta Platforms, the parent company of WhatsApp, has begun testing beta versions incorporating SIM verification alerts.

According to findings shared by WABetaInfo, users may encounter a login notification stating:

“Due to regulatory requirements in India, WhatsApp needs to check that your SIM card is in your device.”

At the same time, an industry body representing global messaging platforms, including Google and Meta, has reportedly challenged the directive. The companies have argued that the SIM-binding requirement exceeds the DoT’s authority under the Telecommunications (Telecom Cyber Security) Amendment Rules 2025 and may be unconstitutional.

Meanwhile, an insider quoted by a news agency said:

“No reason for extension of SIM-binding deadline. SIM binding is essential for preventing fraud and ensuring security. There can be no compromise on national security,”

Wider Impact

SIM-binding and automatic session expiration are already standard in banking and digital payment apps to prevent account takeovers and session hijacking. Extending these safeguards to messaging platforms reflects the growing role such apps play in financial and identity-linked fraud.

Given India’s status as one of the largest user markets for global messaging services, the implementation of this rule could significantly reshape operational models. It may also influence international discussions around digital identity management, cybersecurity enforcement and platform accountability.

Conclusion

India’s SIM-binding mandate represents one of the most assertive regulatory steps taken in the messaging app sector. By requiring applications to remain tied to an active SIM and enforcing periodic web-session logouts, the government aims to reduce cybercrime and strengthen traceability.

While officials argue that the measure is critical for national security and fraud prevention, industry stakeholders have raised legal and constitutional objections. With the March 1 deadline approaching, the balance between cybersecurity enforcement and platform autonomy will likely shape the next chapter of India’s digital governance framework.