On November 28, the Department of Telecommunications (DoT) directed major communication platforms, including WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai and Josh, to ensure their services function only when the registered Subscriber Identity Module (SIM) card is inserted in the user’s primary device. The companies were given 90 days to comply, a deadline that ends on February 28, with compliance reports due within 120 days. The new system will come into effect from March 1.
🚨 BREAKING: WhatsApp to enforce SIM-binding from March 1
App will work only if the registered SIM is physically present & active in your phone
👉🏻 WhatsApp Web sessions to AUTO LOGOUT within 6 hours~ No using WhatsApp with a number if that SIM isn’t in your device pic.twitter.com/hnFIaI0u0F
— The Analyzer (News Updates🗞️) (@Indian_Analyzer) February 27, 2026
The guidelines were issued by DoT’s AI & Digital Intelligence Unit, which has been empowered to regulate Telecommunication Identity User Entities (TIUEs), online services that use mobile numbers as identity credentials. The government warned that non-compliance could invite action under the Telecom Cyber Security Rules, the Telecommunications Act, 2023, and other applicable laws.
Speaking at the Rising Bharat Summit 2026, Communications Minister Jyotiraditya Scindia reaffirmed that the “SIM-binding regulation stands,” calling it a “need of the day” and expressing confidence that all service providers would implement the directive.
Under the new telecom security standards, messaging apps must ensure that users accessing services on secondary devices, such as web versions, are automatically logged out every six hours if the registered SIM is not present in the primary phone. However, this restriction will not apply to devices where the SIM is physically installed. Platforms must continuously verify that the account-linked SIM remains active in the main device; if it is removed, replaced, or deactivated, the services must stop functioning. The Centre clarified that users travelling or roaming will not face disruptions as long as the SIM remains active in the handset.
What is SIM-binding?
At present, most messaging applications authenticate users through a one-time password (OTP) sent to their registered mobile number during installation. Once verified, the apps continue to operate even if the SIM is removed, swapped, or deactivated. Similarly, web-based versions function through OTP or QR code verification, allowing access on devices like computers without requiring the registered SIM to remain in the phone.
The new SIM-binding rule seeks to end this practice. The government believes the existing system has enabled large-scale fraud and misuse, particularly by cybercriminals operating from outside India.
Under SIM-binding, a messaging app will remain operational only if the registered SIM card stays inserted in the original smartphone. Removing the SIM will automatically disable access to the application.
The directive follows the Centre’s notification of the Telecommunications (Telecom Cyber Security) Rules in November 2024, which mandate telecom service providers to report security incidents within 24 hours. The rules also require companies to implement robust cybersecurity frameworks, appoint a Chief Telecommunication Security Officer, and enhance compliance monitoring. Additionally, the government has been empowered to seek non-content and traffic data from telecom entities to strengthen cybersecurity measures.
According to DoT’s observations, several app-based communication services using Indian mobile numbers for user identification allow continued access without the underlying SIM in the device — a loophole that has been increasingly exploited by cybercriminal networks, especially those operating overseas.
An interministerial panel, along with several government agencies, examined concerns over the misuse of messaging platforms and the need for SIM-binding safeguards. The Department of Telecommunications (DoT) held multiple consultations with leading app-based communication service providers to assess the feasibility and necessity of the proposal. Following these deliberations, the government issued formal directions aimed at preventing the misuse of telecommunication identifiers and strengthening the security and integrity of India’s telecom ecosystem.
Under the new requirements, app-based communication services must:
Ensure that their services remain continuously linked to the SIM card associated with the mobile number used for user identification, service provisioning, or delivery. The application must not function unless the registered and active SIM is physically present in the primary device.
Ensure that, where web-based access is provided, such sessions are automatically logged out at regular intervals — no later than six hours — with users allowed to reconnect through QR code authentication.
In its notification, DoT stated that the SIM-binding directions are critical to closing a significant security loophole that cybercriminals have been exploiting for large-scale, often cross-border digital fraud. It noted that accounts on instant messaging and calling applications frequently remain active even after the linked SIM is removed, deactivated, or taken abroad. This vulnerability has enabled anonymous scams, so-called “digital arrest” frauds, and impersonation calls using Indian mobile numbers.
The crucial role of SIM-binding in preventing online fraud
Long-running web and desktop sessions have made it difficult for authorities to trace and disable compromised accounts. At present, a session can be authenticated once on a device in India and continue operating from overseas, allowing fraudsters to remotely control accounts without possessing the original handset or SIM. This loophole enables criminals to misuse Indian mobile numbers for scams without further verification.
The new auto-logout provision — applicable to web versions but not the primary mobile app — is designed to terminate extended web sessions and require periodic re-authentication through device or SIM control. By forcing repeated verification, it significantly reduces risks such as account takeovers, remote access exploitation, and mule-account operations. Regular re-authentication also increases traceability by compelling users to repeatedly demonstrate control over the registered SIM and device.
Through continuous SIM–device binding and periodic session expiry, every active account and web login will be tied to a live, KYC-verified SIM. This restores accountability and improves traceability of numbers used in phishing, lending fraud, fake investment schemes, and so-called “digital arrest” scams.
In its notification, the Department of Telecommunications stated that with cyber-fraud losses exceeding Rs 22,800 crore in 2024 alone, the enforceable measures introduced under the Telecom Cyber Security Rules are proportionate and necessary. The objective, it said, is to curb misuse of telecom identifiers, ensure traceability, and preserve citizens’ trust in India’s digital ecosystem.
Device binding and automatic session logouts are already standard security features in banking and payment applications to prevent session hijacking and unauthorised access from untrusted devices. Extending similar safeguards to app-based communication platforms reflects their growing centrality in cybercrime investigations.
Industry response and legal pushback
According to reports, Meta, the parent company of WhatsApp, has begun testing beta versions that prompt users to confirm whether their registered SIM card is present in the device. References to SIM-binding compliance have reportedly been identified in the app’s code.
Technology blog WABetaInfo revealed that the new beta includes a notification on the sign-in screen stating: “Due to regulatory requirements in India, WhatsApp needs to check that your SIM card is in your device.”
However, the directive has also sparked legal resistance. A global industry body representing major messaging platforms, including Google and Meta, has reportedly challenged the SIM-binding mandate in court, arguing that it is unconstitutional and exceeds the government’s statutory authority. As reported by Business Today, the companies have written to DoT alleging that the move goes beyond the powers granted under the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025.
