The central government has issued a sweeping set of new SIM-binding rules that will fundamentally change how millions of Indians use popular messaging platforms such as WhatsApp, Telegram and Signal. These new rules, which came into force immediately with the notification issued on November 28, 2025, prohibit the use of these apps without the active SIM card physically present in the device, in an attempt to strengthen telecom cyber security and prevent increasing instances of mobile number-based cyber fraud.
Government cites rising cybercrime risk as reason for mandatory SIM-linked operation of messaging apps
The new rules effectively mean that users will no longer be able to operate messaging apps using a different SIM card than the one linked to the account. The long-standing flexibility of shifting devices freely, running WhatsApp on a phone without an active SIM, or keeping web versions logged in for extended periods will now change dramatically. These changes arise from concerns flagged by government agencies about how messaging platforms were being exploited for cyber fraud, particularly from outside India.
According to the government’s directive, the issue came to the notice of authorities after they observed that certain app-based communication services—defined under the Telecom Cyber Security Rules as Telecommunication Identifier User Entities—allow users to operate accounts using only a mobile number for identification, even when the SIM linked to that number is not physically present in the device. This system gap, the government says, has enabled fraudsters to manipulate devices and identifiers remotely, creating significant national security concerns.
The Telecom Cyber Security Rules were notified in 2024 and updated again in 2025 to respond to emerging threats in the digital ecosystem. These rules apply to any app or digital service that relies on mobile numbers for identity verification or service delivery. Messaging platforms that fall within this category must now follow stringent instructions designed to prevent misuse of telecom identifiers, mobile networks and digital communication tools.
The notification also states that the lack of mandatory SIM presence within devices has led to increasing instances of criminal exploitation. Cybercrime involving impersonation, spoofed numbers, remote device control and fraud coordinated from outside Indian borders has risen sharply. Because messaging platforms allow remote access and multi-device functionality, they have become a common route for criminals to conduct scams, financial fraud and phishing attacks.
The Department of Telecommunications explained that the absence of the SIM from the device created vulnerabilities that were being exploited by cybercriminals abroad. The DoT emphasised that discussions with major service providers had been underway for several months, and the gravity of the issue required immediate action. The new rules, therefore, aim to ensure the integrity of the telecom ecosystem while preventing the misuse of India-based mobile numbers by remote actors.
These measures are seen as the next major evolution in India’s cyber security strategy. Over the past few years, the government has repeatedly warned that criminals have increasingly used messaging apps to mask their identity, trick users and defraud them through impersonation or social engineering. The SIM-binding requirement aims to close this loophole, ensuring that users can operate communication apps only on devices containing the verified SIM card.
India has one of the world’s largest user bases for messaging apps, particularly WhatsApp, which is used by over half a billion people for personal communication, business interactions and financial transactions. Given the scale of usage, any vulnerabilities in the ecosystem can have significant consequences for national security and public safety. Authorities have pointed to several cases in which cyber criminals, often operating from places such as Dubai, Pakistan, Nepal or Southeast Asian regions, used cloned or spoofed numbers to bypass local systems. The new rules are intended to curb such practices by mandating stronger device-identifier alignment.
New rules mandate stricter device-SIM linkage, periodic logout of web sessions and immediate compliance reporting
Under the new requirements, all app-based communication services that use mobile numbers must ensure continuous linkage between the app and the SIM card installed in the device. This rule must be fully implemented within 90 days of the issuance of the notification. After the 90-day period, apps cannot be used on a device unless the active SIM linked to the account is inserted in that device. The rule will end the longstanding practice of using WhatsApp on devices without a SIM, operating it after swapping SIM cards, or running it on old devices purely over Wi-Fi.
Another major rule mandates that web-based or desktop versions of messaging apps be logged out periodically. Currently, WhatsApp Web and similar features allow users to stay logged in for days or even weeks without re-linking. Under the new rules, the web session must be logged out at least once every six hours. To continue using the web version, users will have to re-authenticate by scanning a QR code—ensuring that active device verification remains intact. This is aimed at preventing illicit remote operations or hijacking attempts.
The Department of Telecommunications has clarified that these rules take effect immediately and will remain in force until the DoT either updates or withdraws them. This means that service providers cannot delay compliance. All Telecommunication Identifier User Entities must also submit compliance reports to the DoT within 120 days of the notification. The reports must demonstrate that they have fully implemented SIM-binding and periodic logout features.
Failure to comply will lead to action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other relevant legal provisions. Penalties may include fines, withdrawal of permissions or other punitive measures, depending on the severity of non-compliance. Officials have indicated that enforcement will be strict, given the high stakes involved in national cyber security.
The DoT also addressed concerns from service providers regarding the timeline. The department clarified that the instructions had been under consultation for months and that platform operators were already aware of the imminent changes. Many major communication platforms have reportedly begun internal technical changes to align with the new rules.
Industry analysts believe that while the new rules will enhance cyber security, they will significantly alter user experience. Multi-device flexibility has long been a defining feature of messaging apps. Many users operate WhatsApp across several devices for business or personal convenience. Others use the web version for office work. Mandatory logout every six hours, along with SIM-binding, may cause disruptions for these users.
Businesses that rely on WhatsApp-based customer service models may also need to modify workflows. Multiple employees often access a single business account from multiple systems. Stricter device-SIM linkage may complicate such operations unless service providers introduce new business-ready frameworks compatible with the rules.
Cyber security experts, however, say the rules are necessary to close critical gaps. According to several studies and digital forensics reports, multi-device syncing and non-SIM-linked operations were increasingly exploited for illegal activities such as money laundering, sextortion, stock manipulation, identity theft and cross-border scams. The government’s move aims to strengthen law enforcement capabilities and ensure accountability in communication systems.
Law enforcement agencies have welcomed the decision. Investigators have long complained that remote login through web interfaces and device-shifting enabled cyber criminals to hide their tracks effectively. Linking accounts strictly to their SIM cards will help authorities trace movements, detect fraud patterns and identify offenders with greater precision.
The new rules are also aligned with the government’s long-term digital policy, which emphasises secure communication, data integrity and cyber resilience. The Telecom Cyber Security Rules classify messaging apps as critical infrastructure, meaning they must uphold the highest standards of secure operations.
Telecom industry observers say that these rules may mark the beginning of a broader regulatory framework for digital communication services. With India moving rapidly towards integrated digital governance, further regulations may emerge to ensure transparency, traceability and responsible use of mobile identifiers.
While users may find the adjustments inconvenient, the government believes that the benefits far outweigh the inconveniences. Preventing cyber fraud, protecting users from impersonation, and securing India’s digital networks are seen as overriding priorities. The directive signals a strong commitment to safeguarding the telecom ecosystem at a time when cyber threats are becoming more sophisticated.
