Key Takeaways
- WhatsApp, Telegram, and Signal must enforce ‘SIM binding’ and log out web sessions every 6 hours.
- The new rule aims to curb cyber fraud but may add user friction.
- Implementation is set for February 2026, with industry concerns about feasibility and overreach.
The Indian government has mandated that messaging platforms like WhatsApp, Telegram, and Signal implement ‘SIM binding,’ requiring the original registered SIM to be present in the device for the app to function. Additionally, web-based chat sessions must be automatically logged out every six hours. This directive, issued by the Department of Telecommunications (DoT) on November 28, 2025, is a significant expansion of its regulatory power.
Combating Cyber Fraud
Officials expressed frustration over the difficulty in tracking cybercriminals who exploit apps like WhatsApp. Currently, users need to validate their mobile number only once, after which the app can be used across multiple devices. The new ‘SIM binding’ rule would force these apps to stop working if the registered SIM is removed. The aim is to improve the traceability of fraudsters, even if it adds some inconvenience for legitimate users.
The DoT stated that SIMs used outside their registered phones are “being misused from outside the country to commit cyber-frauds.” The order takes effect in February 2026.
Industry Pushback and Jurisdictional Concerns
An industry source labeled the instructions “problematic,” citing a lack of feasibility studies or consultations. They also questioned whether these measures could be easily circumvented by determined fraudsters.
This move marks a rare foray for the DoT, which typically regulates telecom carriers, into the “content” layer of the internet. An official argued that such jurisdictional divisions need to be “rethought” due to the convergence of telecom and internet services.
Legal Groundwork and Broader Implications
The directive builds on amendments to the 2024 Cyber Security Rules, which introduced the concept of “Telecommunication Identifier User Entities” (TIUEs). This classification can apply to any company using mobile numbers for user identification, from e-commerce to messaging apps.
The Internet and Mobile Association of India (IAMAI), representing Meta and other digital firms, has previously argued that these rules represent a “clear overreach” and will have “broad implications for digital businesses” across sectors like fintech and social media. Meanwhile, the telecom industry has supported the DoT’s action, stating that existing anti-spam regulations are ineffective against fraud on platforms like WhatsApp.



