Key Takeaways
- WhatsApp, Telegram, Signal, and other messaging apps must now remain tied to an active SIM card.
- Web versions like WhatsApp Web will log users out every 6 hours for re-authentication.
- Companies have 90 days to comply or face action under the Telecommunications Act, 2023.
The Indian government has issued a major cybersecurity directive requiring all popular messaging apps to maintain continuous linkage with a user’s active SIM card. This ‘SIM binding’ rule aims to close a security loophole exploited by cybercriminals.
The Department of Telecommunications (DoT), under the new Telecommunication Cybersecurity Amendment Rules, 2025, has officially categorized these platforms as Telecommunication Identifier User Entities (TIUEs). This places them under a regulatory framework similar to traditional telecom operators for the first time.
Closing the Security Gap
The core objective is to eliminate a critical vulnerability: the ability of apps to keep functioning after the original registration SIM card has been removed or deactivated, or is no longer in the device. The DoT states that this persistent linkage is essential for safeguarding the telecom ecosystem and preventing sophisticated cyber-frauds and financial scams, many originating from outside India.
Strict 90-Day Compliance Deadline
TIUEs have been given 90 days from the directive’s issuance to ensure continuous SIM linkage. Failure to comply could lead to severe action under the Telecommunications Act, 2023, and other relevant laws.
Major Change for Web Users
Beyond mobile apps, the rules introduce a significant change for web browser versions (like WhatsApp Web). Platforms must now automatically log users out at least once every six hours. Mandatory re-authentication, typically via QR code, will then be required, ensuring every session is tied back to a verified, active mobile number.
Industry Support and User Impact
Industry bodies like the Cellular Operators Association of India (COAI) support the move, stating it enhances accountability and traceability. However, the directive raises operational and privacy questions, and for users it means a loss of uninterrupted convenience, especially on web browsers. The government views the mobile number as India’s most reliable digital identifier, mirroring the SIM verification used for UPI and banking services.




