DoT orders mandatory SIM-binding for messaging apps. Here is what it means for mobile users

New rules mean tighter security, periodic relinking and no use of communication apps if the linked SIM isn’t in the device

New Delhi: The Department of Telecommunications (DoT) has issued strict new cyber-security directions requiring major communication and messaging apps—such as WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat and other India-number–based platforms—to implement mandatory SIM-binding within 90 days. The move aims to prevent misuse of Indian mobile numbers for cross-border scams, impersonation frauds and digital arrest cases.

DoT said it had observed widespread misuse of app-based communication services that continue functioning even when the associated SIM is removed, inactive, or used abroad—making it difficult to trace criminals using Indian numbers. The directions, issued under the Telecom Cyber Security (TCS) Rules, 2024, follow consultations with multiple ministries, security agencies and major app providers.

What the New Directions Require

Under the new rules, communication apps that use Indian mobile numbers for user identification must:

• Continuously bind each active account to the specific SIM card present in the device. The app must become unusable if the SIM is not in the phone.

• Auto-logout all web/desktop sessions every 6 hours, requiring users to re-link the device through QR code authentication.

• Complete implementation within 90 days and submit compliance reports within 120 days.

The mandatory SIM-binding extends standards already used in banking and UPI payment apps to the communication platforms that are now central targets for cybercrime.

Why the Rules Were Introduced

DoT said SIM-independent operation of messaging apps has enabled cybercriminals to run scams from outside India while posing as Indian numbers. Long-lasting web sessions allow remote account takeover and impersonation without requiring the physical SIM.

The government highlighted that cyber-fraud losses exceeded ₹22,800 crore in 2024, and ensuring traceability of Indian mobile numbers used in scams is essential.

Impact on Cybercrime Prevention

The ministry stated that a combination of SIM-binding and periodic web session logout will:

• Eliminate long-lived remote sessions used by fraudsters

• Force repeat re-authentication using the user’s device and SIM

• Ensure every active account is traceable to a live, KYC-verified SIM

• Reduce impersonation, phishing, investment scams and digital arrest calls

The new directions do not affect legitimate users travelling within India or abroad as long as the original SIM remains inserted in the device.

DoT said the measures are “proportionate and necessary” to protect citizens and strengthen India’s telecom cyber security.

What These New Rules Mean for Mobile Users (Key Takeaways)

1. You must keep your SIM in your phone to keep using apps like WhatsApp, Telegram, Signal and more

If your SIM is removed or becomes inactive, the app will stop working. This prevents someone else abroad from using your account.

2. Web/desktop versions of apps will log out every 6 hours

If you use WhatsApp Web, Telegram Web, Signal Desktop or similar services, you will be required to re-scan a QR code every few hours.

3. No impact on normal usage—roaming and travel are allowed

If your SIM is in your phone—even while roaming—the rules do not affect you.

4. Stronger protection against fraud

This makes it much harder for scammers to take over accounts, log in from abroad, or run remote scams using your Indian number.

5. Apps may ask for new permissions

Apps might request additional device/SIM verification prompts as they update for compliance.

6. If you change your SIM or get a replacement, you will need to re-authenticate

This will work similarly to how banking and UPI apps already function.