India Tightens Security on Messaging Apps with New SIM-Binding Rules

The Indian government is enacting new regulations requiring messaging apps like WhatsApp, Telegram, and Snapchat to tie their web-based services directly to the physical SIM card linked to a user’s mobile number. The move, announced November 28, 2025, and immediately effective, aims to curb escalating cybersecurity risks and prevent fraud originating from outside the country.

The Department of Telecommunications (DoT) issued a notification outlining the new mandate, wich will significantly impact how users access messaging apps on multiple devices. The core of the regulation centers on limiting the duration users can remain logged into web versions of these apps and enforcing a constant link between the app and the user’s active SIM.

Web Access Limited to Six-Hour Sessions

Under the new rules, web service instances of mobile apps will be forced to log users out every six hours. Users will then be required to re-link their devices using a QR code, effectively verifying the presence of the registered SIM card. “From 90 days of issue of these instructions, ensure that the web service instance of the Mobile App, if provided, shall be logged out periodically (not later than 6 hours) and allow the facility to the user to re-link the device using QR code,” a DoT notification stated.

This restriction extends beyond simply logging out; the apps themselves will be unable to function without the active SIM card physically present in the device. “From 90 days of issue of these instructions, ensure that the app based Communication Services is continuously linked to the SIM card…installed in the device, making it unfeasible to use the app without that specific, active SIM,” the notification continued.

Growing Threat of Cyber Fraud Drives Action

The DoT explained that the impetus for these changes stems from a growing vulnerability: the operation of app-based communication services on devices without a Subscriber Identity Module (SIM). This gap, according to the department, is being actively exploited by malicious actors based outside of india to perpetrate cyber fraud.

A senior official stated that the issue had been under discussion with major service providers for months, with the increasing severity of the threat ultimately necessitating these directives. The goal is to prevent the misuse of telecom identifiers and safeguard the overall security and integrity of the Indian telecom ecosystem. The DoT’s list of affected apps includes WhatsApp, Telegram, Signal, Arattai, Snapchat, Sharechat, Jiochat, and Josh.

Compliance and Enforcement

The Department of Telecommunications has instructed all Telecommunications Infrastructure Providers and Virtual Network Operators (TIUEs) that utilize mobile numbers for user identification or service delivery to adhere to the new regulations. these platforms are required to submit compliance reports to the DoT within 120 days of the directions being issued.

Failure to comply will result in action taken under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other applicable laws. this underscores the government’s commitment to enforcing the new rules and protecting the nation’s digital infrastructure.

The implementation of these SIM-binding rules represents a meaningful shift in how India regulates access to popular messaging platforms,pr