The Indian government has taken a decisive step to reshape the way millions of people communicate online, issuing new rules that will require popular messaging apps like WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, and Josh to operate only when linked to an active SIM card in a user’s device. The directive, announced by the Department of Telecommunications (DoT) on November 28, 2025, is being hailed as a landmark move in the country’s ongoing battle against cyber fraud and digital misuse.
For years, messaging apps in India have verified users simply by sending a one-time password (OTP) during installation. Once verified, the app would continue to function even if the SIM card was removed, deactivated, or replaced. This loophole, according to officials and industry experts cited by International Business Times and MediaNama, has made it easier for cybercriminals—sometimes operating from outside India—to exploit inactive or reassigned numbers, making it difficult for authorities to trace fraud or criminal activity through call records or location data.
Under the new Telecommunication Cybersecurity Amendment Rules, 2025, these platforms—now officially termed Telecommunication Identifier User Entities (TIUEs)—must ensure that a user’s SIM card remains continuously linked to the app within 90 days of the directive’s issuance. If the SIM is removed or becomes inactive, the apps will automatically stop functioning. The move is intended to close a gap in user verification and tie every messaging session to a verified, active SIM, thereby bolstering both transparency and accountability.
Web-based versions of these apps will face an added layer of security. As per the government’s order, users accessing messaging services through browsers will be automatically logged out every six hours. To regain access, they must re-link their device using a QR code. The DoT argues that this measure will make it much harder for criminals to misuse these services remotely, as each session must be tied to an active and verified SIM card. "The Department of Telecommunications, in exercise of the powers conferred upon it under the Rules, hereby directs TIUEs providing App Based Communication Services... to ensure that the App based Communication Services is continuously linked to the SIM card... making it impossible to use the app without that specific, active SIM," the directive stated, according to PTI and Bhaskar English.
The government’s rationale is clear: by ensuring that messaging platforms run only on active SIM cards, the risk of fraud, spam, fake accounts, and misuse of reissued numbers is dramatically reduced. The Cellular Operators Association of India (COAI) has welcomed the move, highlighting that mandatory SIM binding will keep a reliable link between the user, their number, and the device, helping to reduce spam and financial scams. The COAI’s view, as reported by International Business Times, is that mobile numbers remain India’s strongest digital identity, and these rules could significantly strengthen cybersecurity and user accountability.
But the new directive is not without its critics. Some cybersecurity professionals, speaking to MediaNama, have voiced concerns that while the rules may raise the bar, determined scammers could still exploit the system by using forged or borrowed IDs to obtain new SIM cards. These experts caution that the move may have only a limited impact unless accompanied by broader reforms in digital identity verification and SIM issuance processes. Nevertheless, telecom industry representatives maintain that the measure is a necessary step to plug a glaring vulnerability in the country’s digital landscape.
The rules also draw parallels to existing security practices in other sectors. For instance, banking and Unified Payments Interface (UPI) apps already require strict SIM verification to prevent unauthorized access. The Securities and Exchange Board of India (SEBI) has proposed linking SIM cards to trading accounts and even using facial recognition for additional security. In this context, the government’s directive is part of a broader push to align app-based communication services with the rigorous standards already in place for other digital services.
Compliance with the new rules is not optional. All affected platforms must submit detailed compliance reports to the Department of Telecommunications within 120 days of the directive’s issuance. Non-compliance will attract action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, and other applicable laws. The directive came into force immediately on November 28, 2025, and will remain in effect until it is amended or withdrawn.
The DoT’s statement leaves little room for ambiguity: "It has become necessary to issue directions to providers of app-based communication services to prevent the misuse of telecommunication identifiers and to safeguard the integrity and security of the telecom ecosystem." The department emphasized that these measures are not mere technicalities, but essential steps to protect the nation’s digital infrastructure from evolving threats.
For ordinary users, the changes will likely mean a more secure messaging experience, albeit with some new inconveniences. Those who rely on web versions of messaging apps will need to get used to being logged out every six hours and re-authenticating via QR code—a small price, the government argues, for increased security. The SIM-to-device binding rule also means that users can no longer run messaging apps on devices without the original SIM card. If the SIM is removed and inserted into another phone, services including messaging apps, banking apps, UPI, mobile wallets, and OTP logins will automatically cease to function.
On the industry side, the requirement to ensure continuous SIM binding could necessitate significant technical changes. Platforms will need to overhaul their authentication systems, update their privacy policies, and communicate the changes clearly to users. The government, for its part, has signaled that it expects full cooperation from all players, large and small. Providers who fail to comply face the prospect of strict regulatory action, including possible suspension or penalties under the new legal framework.
The broader context for these changes is India’s rapid digital transformation. With hundreds of millions of users relying on messaging apps for everything from personal communication to business transactions, the stakes for cybersecurity have never been higher. The rise in cyber fraud and the growing sophistication of digital criminals have prompted authorities to act decisively. By bringing app-based communication services under telecom-style regulation for the first time, the government aims to create a more secure, accountable, and resilient digital ecosystem.
As the deadline for compliance approaches, all eyes will be on how messaging giants and smaller platforms adapt to the new requirements. While the debate over privacy, convenience, and security will no doubt continue, one thing is certain: the rules of digital communication in India have changed, and the effects will be felt by users and companies alike.
With the new directive now in force, India’s messaging landscape stands at a crossroads—balancing the promise of connectivity with the imperative of security in an increasingly digital world.
