SIM-binding rule for WhatsApp, Telegram and other messaging apps to be implemented from 1st March: Read what it means and how it will impact users

On 28th November, popular communication applications like WhatsApp, Telegram, Signal, SnapChat, ShareChat, JioChat, Arattai and Josh were formally ordered by the Department of Telecommunications (DoT) to ensure that their services only function when the correct Subscriber Identity Module (SIM) card is in the phone. They were allotted a period of 90 days to implement the measure, which is going to end on 28th February, and the report had to be submitted in 120 days. Hence, the development will take effect on 1st March (Sunday). The guidelines were released by DoT’s AI & Digital Intelligence Unit, which has been given more power to govern Telecommunication identity User Entities (TIUEs), online services that employ a phone number as an identity. The government issued a warning that noncompliance could result in legal action under the Telecom Cyber Security Rules, the Telecommunications Act of 2023 and other relevant laws. “The SIM-binding regulation stands and we hope all service providers will come on board,” Minister of Communications Jyotiraditya Scindia expressed during a conversation at Rising Bharat Summit 2026, referring to the move as “need of the day.” The new telecom safety standards require messaging apps to certify that, when used on different devices, individuals are immediately logged out of web-based services like WhatsApp Web every six hours. However, this logout will not happen on devices here the SIM is installed. The apps must verify that the primary mobile device has the registered SIM card linked to the account. If the registered SIM is not present, services must cease to operate. The centre clarified that users who are roaming will not be impacted if the SIM card remains active in the device. What is SIM-binding Currently, an OTP (one-time password) provided to the user’s mobile number during installation is used by the majority of messaging apps to verify users. The platform continues to work after verification, even if the SIM is taken out, changed or deactivated. Similarly, web versions of the apps work by OTP or QR code-based verifications, where the app can be used on a device, like a computer, without the presence of the SIM card used to register for that account. The intention of the new rule is to alter this practice, as the government deems that this has led to widespread fraud and misuse of the feature. Therefore, a security measure called SIM-binding, which connects a messaging software to the SIM card, has been introduced. The app will only run after activation when the registered SIM remains inserted in the same smartphone. This implies that removing the SIM would cause applications to stop working. This directive followed the centre’s notification of the Telecommunications (Telecom Cyber Security) Rules in November 2024, which required telecom service providers to report security incidents within 24 hours. They were also told to put in place thorough cybersecurity measures, including designating a Chief Telecommunication Security Officer to supervise adherence to the new regulations. It allowed the government the authority to obtain non-content and traffic data from telecom entities to improve cybersecurity protocols. The official release highlighted that, according to observations made by DoT, certain app-based communication services that use Indian Mobile Numbers to identify their clients or users or to provision or deliver services permit users to use their services without the underlying SIM on the device running the service. Cybercriminals are abusing this advantage, particularly when they operate from outside. An interministerial panel and other government organisations brought up the topic of SIM binding in messaging apps and their misuse. DoT discussed the viability and significance of this issue on several occasions with a major provider of app-based communication services. An order was eventually pronounced to prevent the exploitation of telecommunication identifiers and protect the integrity, along with the security of the telecom ecosystem. According to requirements, these app-based communication services must: Make sure the app-based communication services are always connected to the SIM card (which is linked to the mobile number used for customer or user identification, service provisioning, or delivery) that is installed in the device. This will bar the app from opening without that particular active SIM. Make sure that, if offered, the mobile app’s web service instance is periodically logged out (no later than six hours) and with the option to reconnect the device via a QR code. “DoT’s SIM‑binding directions are essential to plug a concrete security gap that cybercriminals are exploiting to run large‑scale, often cross‑border, digital frauds. Accounts on instant messaging and calling apps continue to work even after the associated SIM is removed, deactivated or moved abroad, enabling anonymous scams, remote digital arrest frauds and government‑impersonation calls using Indian numbers,” the notification read. The important role of SIM-binding in thwarting online thefts Long-lived web or desktop sessions make it difficult to trace and take down accounts of the victims since they allow fraudsters to control them from a distance without possessing the original device or SIM. A session can be validated once on an Indian device at present and then continue to function from overseas, allowing crooks to use Indian phones to conduct scams without any additional authentication. The auto-logout feature, which only applies to the web version and not the app version, ends lengthy web sessions and requires periodic re-authentication with device or SIM control. This drastically reduces the possibility of account takeover, remote access abuse and mule-account activities. Moreover, regular re-authentication increases detectability and friction by asking offenders to repeatedly illustrate control of the device or SIM. Every active account and web session is linked to a live, SIM-validated through Know Your Customer (KYC) owing to regular SIM–device binding and periodic logouts, which restore the traceability of numbers used in lending, phishing, investment and digital arrest schemes. “With cyber‑fraud losses exceeding ₹22,800 crore in 2024 alone, these uniform, enforceable directions under the Telecom Cyber Security Rules are a proportionate measure to prevent misuse of telecom identifiers, ensure traceability, and protect the trust of citizens in India’s digital ecosystem,” the notice further conveyed. Device binding and automatic session logout are commonly used in banking and payment apps to steer clear of account takeover, session hijacking and improper usage from untrusted devices. As a result, they have been expanded to app-based communication platforms, which are now at the heart of cyber crimes. The reaction to the government’s instruction According to reports, Meta, the parent company of WhatsApp, is testing beta versions of the app that alert users to the need to determine whether their registered SIM card is in the phone. Code references to the SIM-binding commands have been discovered on these versions. A prompt on the sign-in screen is part of the fresh code, which was revealed by WABetaInfo, an independent blog that monitors changes in WhatsApp’s code frequently prior to it is made public. It informed, “Due to regulatory requirements in India, WhatsApp needs to check that your SIM card is in your device.” On the other hand, the Indian government is facing a legal challenge from a group that represents the major messaging services in the globe, such as Google and Meta, accusing the new SIM-binding restrictions of being unconstitutional and an unlawful extension of state power, reported Business Today. The corporations wrote to DoT and alleged that the effort is illegal and goes beyond the authority given to the ministry by Parliament. The letter claimed that the government has taken action outside of its legislative jurisdiction concerning the Telecommunications (Telecom Cyber Security) Amendment Rules 2025. “No reason for extension of SIM-binding deadline. SIM binding is essential for preventing fraud and ensuring security. There can be no compromise on national security,” CNBC TV18, meanwhile, quoted an insider who added that they are a national security precaution and were developed following public engagement.