The Government of India has tightened its digital security framework with a new rule requiring app-based communication platforms to remain continuously linked to a user’s active SIM card. The directive, issued by the Department of Telecommunications (DoT) on November 28, applies to services such as WhatsApp, Telegram, Snapchat, Signal, Arattai and others, and is aimed at curbing misuse of accounts, impersonation scams and cross-border fraud.
The DoT said it had observed that these apps continue functioning even when a SIM card linked to the number used for registration is removed, replaced or deactivated. According to the telecom department, this capability has been exploited by cybercriminals operating from outside India to run scams involving impersonation, financial fraud, digital arrest operations and cross-border phishing calls. “This feature is being misused to commit cyber-frauds, especially from outside the country,” the DoT said in its official communication on December 1.
Therefore, the government is ordering messaging and calling apps that use Indian mobile numbers to change how their apps work so that user accounts stay connected to the active SIM card, and cannot be used if the SIM is removed or deactivated. Users are free to change their devices or travel abroad as long as the chat apps and active SIM card are in the same device; they will not be required to activate international roaming on their SIM cards while travelling in a foreign country.
The order explicitly names WhatsApp, Telegram, Snapchat, Arattai, ShareChat, Josh, JioChat and Signal. However, it covers any app that uses an Indian mobile number for identity, login and delivery of services. If an app fits this description, it has to comply with the new SIM binding and session rules, which are enforceable under the Telecom Cyber Security Rules, 2024.
At present, most messaging apps verify their users’ phone numbers once during sign-up, and the apps continue to work even if the SIM card is removed from the phone, replaced with another SIM, deactivated, or used from outside India. Under the new directions, these apps must: “Ensure that the App Based Communication Services is continuously linked to the SIM card (associated with mobile number used for identification of customers/users or for provisioning or delivery of services) installed in the device, making it impossible to use the app without that specific, active SIM.”
So, SIM binding means your messaging account must stay continuously connected to the active SIM card that you used to sign up to the account. If the SIM is not present and active in your device, the app will not function.
Also Read: Can AI end India’s spam call epidemic? These startups think so
The directive requires apps to ensure that user accounts function only when the original SIM card linked to the account is active in the device. If the SIM card is removed or deactivated, the app should not work.
If the app offers browser or desktop access, it must log out users automatically at least every six hours. Users will need to re-link devices using QR verification; this means scammers cannot operate accounts remotely without control over the SIM. The government says this restores traceability, since every active communication session is tied to an active and verified SIM.
The government has given app-based communication services 90 days to complete implementation of the new directives and require them to submit a compliance report within 120 days.
The telecom department says multiple government bodies and an inter-ministerial group have raised concerns about how messaging apps are being used in cybercrime. The DoT has linked this to phishing, 'digital arrest' scams, impersonation (including impersonation of government entities), investment and loan scams, and cross-border frauds that use Indian numbers and operate from outside the country.
The DoT framed the directions in response to rising cybercrime, noting that losses to fraud exceeded Rs 22,800 crore in 2024. It argues that app accounts continuing to work after SIM card removal or deactivation, and long-lived web sessions, enable criminals to hijack accounts and run scams with very little traceability. SIM binding and frequent re-authentication for web sessions, the DoT added, is “anchoring every active account and web session to a live, KYC-verified SIM”, which restores traceability and accountability for numbers.
Several media outlets and netizens have expressed concerns with the impact of SIM binding on their communication abilities. Some worry that forcing apps to be continuously linked to the original SIM can disrupt multi-device use and travel routines. Others suggest it raises questions around surveillance and data access.
Homegrown messaging platform Arattai, one of the chat-apps named in the DoT directive, tells Forbes India that its current goal is to meet the 90-day deadline while balancing compliance with maintaining a seamless user experience. “The Department of Telecommunications’ directive arrives amid a rising surge of digital scams and fraudulent activities in the communication platform sector, adding another layer of security to safeguard citizens. While we recognise the need to implement this, we are actively working on the necessary backend adjustments to ensure it functions effectively,” says Jeri John, Global Product Head, Arattai. He adds that while SIM binding already exists in sectors such as banking and fintech, “some use-cases require some more clarity and discussions”.
Telecom operators and industry associations have welcomed the move. In its official statement, the Cellular Operators Association of India (COAI) called it a “landmark step towards bolstering national security”. “This is a first-in-the-world regulatory measure,” says SP Kochhar, director general of COAI, adding that continuous linkage between apps and SIMs “closes long-persistent gaps that have enabled anonymity and misuse”.
Operators say they are committed to supporting implementation of the directive and urged stronger safeguards for financial authentication, including wider use of SMS-based OTP systems.
Critics point out that while the directive targets fraud, offenders may simply shift to SIM theft or social engineering, by which fraudsters manipulate people to get information or access. This means the real test of effectiveness will lie in how smoothly the changes are implemented.
First Published: Dec 02, 2025, 18:34
Subscribe Now