In a decisive move aimed at bolstering cybersecurity, the Government of India has introduced new SIM-binding rules that will fundamentally change how messaging apps like WhatsApp, Telegram, Signal, Arattai, and others are used across the country. The notification, issued by the Department of Telecommunications (DoT) on November 28, 2025, has come into immediate effect, mandating that these apps cannot operate on a device unless the active SIM card linked to the user’s registered mobile number is physically present in the device.

This regulation addresses a growing concern that the absence of a physical SIM card in devices running app-based communication services was creating opportunities for cyber fraud, particularly from outside India. According to the DoT, this gap in security was being exploited to commit digital crimes, prompting the government to act. The new rules are part of an ongoing effort to implement and reinforce the Telecom Cyber Security Rules, first notified in 2024 and updated in 2025, which define measures to prevent the misuse of mobile numbers, devices, and telecommunication networks.

The Problem Being Addressed

The government explained that several app-based communication services (ABCS) allow users to operate messaging apps without the physical SIM card associated with the mobile number used for identification. While this feature may have been convenient for users switching devices or using web-based versions of apps, it posed significant cybersecurity risks, including unauthorized access to accounts and misuse of mobile identifiers to commit fraud.

The notification specifically states:

“It has come to the notice of Central Government that some of the App Based Communication Services that are utilizing Mobile Number for identification of its customers/users or for provisioning or delivery of services, allows users to consume their services without availability of the underlying Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running and this feature is posing challenge.”

The Department emphasized that apps using mobile numbers to identify users are classified as Telecommunication Identifier User Entities (TIUEs) and are required to follow government instructions to ensure the security and integrity of telecom services.

Key Provisions of the New Rules

The SIM-binding rules introduce multiple measures to ensure compliance and reduce potential misuse of telecom identifiers:

1. Mandatory SIM Presence: From 90 days after the issuance of the instructions, all app-based communication services must be continuously linked to the SIM card installed in the device. It will become impossible to use these apps without that specific, active SIM. This applies to all messaging applications where mobile numbers are used for user verification or service provisioning.
2. Periodic Web Logout: The notification also mandates that web-based instances of these apps, such as WhatsApp Web, Telegram Web, and others, must log out periodically no later than every six hours. Users will need to re-link their devices using the standard QR code authentication method to continue using these web services. This measure is intended to prevent unauthorized prolonged access on secondary devices.
3. Compliance Reports: All TIUEs must submit compliance reports to the DoT within 120 days from the date of the directions. Failure to submit or comply will invite action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other applicable laws.
4. Immediate Effect and Continuation: While the 90-day period provides a buffer for implementation, the directions are effective immediately and will remain in place until the DoT decides to amend or withdraw them.

DoT’s Rationale

The DoT highlighted that the lack of SIM binding has been exploited by cybercriminals, particularly those operating from outside India, to commit fraud. By ensuring that messaging apps are always tied to an active SIM, the government aims to enhance account security, prevent misuse of mobile identifiers, and safeguard the integrity of the telecom ecosystem.

A DoT official clarified:

“Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running … is being misused from outside the country to commit cyber-frauds. Discussions on this with prominent service providers were ongoing for the last few months. Given the seriousness of the issue, it had become necessary to issue directions to App Based Communication Services to prevent misuse of telecommunication identifiers and safeguard the security of the telecom ecosystem.”

Implications for Users

For the average user, the new rules mean a significant shift in how messaging apps will be used. Individuals who frequently switch phones or use multiple devices may need to adapt to more frequent logins and ensure that their SIM card is always present in the primary device. Additionally, web-based versions of apps will now automatically log out every six hours, requiring users to scan QR codes to continue sessions.

Messaging apps like WhatsApp, which have millions of users in India, will have to enforce these security measures through software updates, adding features to verify the presence of the SIM card in real time. Users may experience temporary inconveniences, such as more frequent authentication, but these steps are aimed at preventing fraud, hacking, and misuse of mobile numbers in criminal activities.

Broader Context

This initiative is part of a broader push by the Indian government to tighten cybersecurity and regulate digital communication platforms more effectively. With the rapid expansion of internet services and widespread use of messaging apps for personal, business, and financial communications, securing accounts against misuse has become a priority.

The SIM-binding rules complement other government measures, including digital identity verification systems, anti-phishing directives, and strengthened penalties under cybercrime laws. Together, these measures aim to create a safer digital environment, protect users from fraud, and maintain trust in online communication networks.

Enforcement and Accountability

TIUEs are now under clear legal obligation to comply with these rules. The DoT has made it explicit that non-compliance will not be tolerated, with enforcement mechanisms including financial penalties, legal action, and potential restrictions on services. By requiring compliance reports and periodic audits, the government seeks to ensure that app developers and service providers take proactive steps to implement the SIM-binding rules and maintain ongoing accountability.

Conclusion

The Centre’s new SIM-binding rules represent a significant step in securing India’s digital communications ecosystem. By requiring messaging apps to operate only with an active SIM card and enforcing periodic logouts on web platforms, the government aims to reduce cybercrime, prevent unauthorized access, and protect users from fraud.

While these measures may require users and service providers to adjust their habits and systems, the long-term benefits include greater account security, enhanced trust in digital services, and a stronger framework for cyber protection. As messaging apps roll out updates to comply with these rules, users will need to ensure that their devices always carry the registered SIM and that they follow new authentication requirements, ultimately contributing to a safer digital environment in India.