New SIM-Binding Rules to Limit WhatsApp Web Access and Strengthen Cybersecurity in India

The Government of India has introduced sweeping new rules that will significantly change how users access WhatsApp Web and similar web-based messaging platforms. Through a notification issued by the Department of Telecommunications (DoT) on November 28, 2025, the Centre has mandated SIM-binding requirements for all major app-based communication services. These rules, which have come into immediate effect, aim to eliminate long-standing cybersecurity vulnerabilities associated with the misuse of telecom identifiers and the exploitation of app-based platforms from outside the country. As a result, users will soon experience time-bound access to web versions of messaging apps, including WhatsApp Web, Telegram Web, Signal Desktop, Arattai, Snapchat, and others.

At the heart of these new directives lies a firm mandate: the web service instances of any mobile-based communication app must automatically log out periodically, and the time limit for this auto-logout has been set at no later than six hours. This means that unlike the current system where WhatsApp Web sessions can remain active for days or even weeks unless the user manually logs out, the new protocol will force every active session on the web to terminate after a maximum of six hours. Users who wish to continue using the web version of WhatsApp or other messaging services will be required to re-link their devices by scanning a fresh QR code.

This mandatory logout requirement must be fully implemented within ninety days of the notification’s issue date. Therefore, by late February 2026, service providers will be compelled to redesign and update their architecture to accommodate the rule. The DoT’s notification states that companies must ensure that the web service instance shall be logged out periodically, not later than six hours, and that the user will always have the option to re-link a device through a QR code. The government has emphasized that this time-bound requirement is integral to limiting misuse and preventing unauthorized or prolonged access to communication platforms from devices that may not be secure.

In addition to restricting the duration of web access, the new rules introduce a far more stringent condition: apps must remain continuously tied to the physical SIM card associated with the user’s registered mobile number. Within ninety days, service providers must implement systems that make it impossible for users to operate app-based communication services unless the specific, valid, and active SIM is physically inserted into the device. This essentially means that even if a user’s phone is temporarily without the SIM card—whether due to switching devices, using eSIM features across phones, or simply removing the SIM—the communication app will immediately become inaccessible on all devices linked to the number.

This requirement aims to close a major vulnerability in how communication apps currently function. Today, platforms such as WhatsApp or Telegram often allow continued access even if the SIM is not present in the device, provided the phone remains connected to the internet. Although this enables user convenience, it also opens pathways for cybercriminals to misuse account credentials, hijack linked devices, or operate accounts without physical access to the registered SIM. The DoT has stated that this gap has increasingly been exploited by fraudsters operating from outside India to conduct complex cyber scams, impersonation attacks, and account takeovers.

According to the government, discussions have been ongoing for several months with major service providers to assess the rising threats and to determine the necessary reforms. The severity of the cybersecurity risks identified during these consultations has pushed the DoT to issue binding instructions rather than voluntary recommendations. By ensuring that communication apps remain tied to the SIM card at all times and restricting the duration of web-based sessions, authorities hope to add an extra layer of security to prevent misuse of telecom identifiers.

The DoT has categorized various popular communication platforms under the new regulations. This includes widely used messaging apps such as WhatsApp, Telegram, and Signal, along with Indian-origin platforms like Arattai and JioChat. Social content-sharing apps such as ShareChat, Snapchat, and Josh are also included under the purview of the notification because they rely on mobile numbers for user verification and delivery of services. All these platforms fall under the category of Telecom Identifier-Based User Entities (TIUEs), and compliance with the new directives is now mandatory.

The notification also outlines a compliance timeline and penalties for non-adherence. TIUEs must submit detailed compliance reports to the Department of Telecommunications within 120 days of the issuance of the instructions. These reports must demonstrate how each platform intends to meet the mandatory auto-logout requirements, enforce SIM-binding, and strengthen its security architecture to align with the government’s guidelines. Failure to comply will attract punitive action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and any other laws that may be applicable. This signals the government’s intention to enforce these changes strictly and uniformly across all platforms operating within the Indian telecom ecosystem.

The Indian government has argued that these measures are necessary to protect the integrity of the telecom environment, to prevent the misuse of identifiers such as mobile numbers, and to safeguard users from sophisticated cyber frauds that have become increasingly prevalent. By ensuring that communication platforms cannot function without the SIM physically present in the device, authorities hope to limit possibilities for unauthorized or remote exploitation of user accounts. Furthermore, forcing periodic logout of web sessions is intended to prevent prolonged, unattended, or hijacked access from devices that users may forget to manage or secure effectively.

While these rules may introduce additional steps for users, especially for those who rely heavily on desktop versions of messaging apps for work or communication, the government maintains that the long-term benefits in terms of cybersecurity outweigh the inconvenience. The emphasis is on creating a secure and accountable digital communication environment where identity-based misuse becomes significantly harder.

In the coming months, app developers and service providers will face the challenge of redesigning their systems to implement SIM-binding and six-hour logout rules without disrupting user experience. However, compliance is not optional, and the DoT’s clear enforcement provisions suggest that the government is prepared to take action to ensure full adherence.

Overall, the new SIM-binding rules represent a substantial shift in India’s approach to digital communication security. They mark a move toward tighter regulation of platforms that rely on mobile numbers for user identification and reflect the growing concerns surrounding cybercrime and telecom misuse. Whether these rules will significantly curb cyber fraud remains to be seen, but they undeniably signal a new era of stricter control and enhanced accountability within India’s communication ecosystem.
