Govt mandates 90-day deadline for WhatsApp, Signal others to enforce SIM-device binding
Web and app-based platforms must also enforce periodic logouts — at least once every six hours — and provide QR-code-based re-authentication.
- Nov 29, 2025,
- Updated Nov 29, 2025 10:01 PM IST
In a sweeping regulatory move, the Indian government has directed popular messaging apps like WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, and Josh to tie user access strictly to active SIM cards.
The Department of Telecommunications (DoT) issued the order under the new Telecommunication Cybersecurity Amendment Rules, 2025, marking the first time app-based communication services will be regulated like traditional telecom operators.
All over-the-top (OTT) communication platforms have 90 days to implement continuous SIM-to-device binding, according to sources. This means users must have an active SIM in their device to access services. Web and app-based platforms must also enforce periodic logouts — at least once every six hours — and provide QR-code-based re-authentication.
These platforms, now designated as Telecommunication Identifier User Entities (TIUEs), must complete compliance within the 90-day period. A detailed compliance report must be submitted to the DoT within 120 days. Non-compliance could invite action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other laws.
The rules aim to plug cybersecurity gaps. Officials say some platforms allow mobile number-based login even when the SIM isn’t in the device — a loophole exploited for cross-border cyber fraud. The Cellular Operators Association of India (COAI) had earlier supported mandatory SIM binding.
TIUEs will also be required to use a Mobile Number Validation (MNV) Platform to verify users and may be instructed to suspend identifiers used to access services in sensitive cases.
In a sweeping regulatory move, the Indian government has directed popular messaging apps like WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, and Josh to tie user access strictly to active SIM cards.
The Department of Telecommunications (DoT) issued the order under the new Telecommunication Cybersecurity Amendment Rules, 2025, marking the first time app-based communication services will be regulated like traditional telecom operators.
All over-the-top (OTT) communication platforms have 90 days to implement continuous SIM-to-device binding, according to sources. This means users must have an active SIM in their device to access services. Web and app-based platforms must also enforce periodic logouts — at least once every six hours — and provide QR-code-based re-authentication.
These platforms, now designated as Telecommunication Identifier User Entities (TIUEs), must complete compliance within the 90-day period. A detailed compliance report must be submitted to the DoT within 120 days. Non-compliance could invite action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other laws.
The rules aim to plug cybersecurity gaps. Officials say some platforms allow mobile number-based login even when the SIM isn’t in the device — a loophole exploited for cross-border cyber fraud. The Cellular Operators Association of India (COAI) had earlier supported mandatory SIM binding.
TIUEs will also be required to use a Mobile Number Validation (MNV) Platform to verify users and may be instructed to suspend identifiers used to access services in sensitive cases.