Govt. Issues SIM Binding Directions To WhatsApp and Telegram

The Department of Telecommunications (DoT) has issued directions to app-based communication service providers to make it impossible for their users to use services without a SIM. This comes after the DoT notified the Telecommunication Cybersecurity Amendment Rules, 2025, which bring in the category of telecommunication identifier user entity (TIUE) under the scope of telecom regulations. The amendment introduced a new category of service provider called the Telecommunication Identifier User Entity (TIUE), which would fulfill a range of cybersecurity obligations, including using a Mobile Number Validation (MNV) Platform to verify the customers or users associated with a telecommunication identifier for services linked to such an identifier. Besides validation, the government can also direct TIUEs to stop using a specific telecom identifier to identify customers or deliver services.

When the rules were first introduced, many raised concerns that the TIUE category was too broad and would cover almost any business collecting customer phone numbers to provide a service. This could range from food delivery platforms like Swiggy or Zomato to a local grocery store sending e-receipts via mobile numbers.

The new directions, which have been sent to WhatsApp, Telegram, Signal, Arattai, Snapchat, ShareChat, JioChat, and Josh, effectively recognise these companies as TIUEs. They require platforms to ensure that SIM cards remain continuously linked to their services within the next 90 days. For website or web-app-based access, TIUEs must ensure users are logged out periodically (not later than 6 hours) and must offer an option to relink accounts through a QR-code-based method.

The rationale behind SIM-binding:

According to the directions, the government has observed that some apps using mobile numbers for customer validation allow access even when the underlying SIM is not present in the device. The government argues that this creates vulnerabilities exploited from outside India to commit cyber fraud. This reasoning aligns with the Cellular Operators Association of India’s (COAI) August statement supporting SIM binding.

“Presently, the binding process between a subscriber’s app-based communication services and their mobile SIM card occurs only once during the initial installation and verification phase, after which the application continues to function independently on the device even if the SIM card is later removed, replaced or deactivated,” the industry body had explained.

This creates situations where a removed SIM does not prevent the use of an OTT communication app for criminal activity from any location. Without an active SIM, authorities have no verifiable link, such as call records, location data, or carrier logs, to establish where the service was used. As such, COAI suggested persistent SIM binding on OTT communication services, which remains active beyond initial installation.

 “This would ensure that the communication service cannot operate without the authenticated SIM physically inserted in the device, maintaining critical traceability between the user, the number and the device. COAI believes that this will not only help reduce the occurrence of spam and fraud communications significantly over these applications, but also help mitigate financial frauds by acting as a deterrent against misuse of app-based communication platforms, thus bringing relief to both the telecom service providers and the OTT communication platforms,” the Association had mentioned in its statement.

Other sectors that have SIM binding:

Several financial applications, including banking and Unified Payment Interface (UPI) apps, already enforce strict active-SIM rules to prevent fraud.

In February, the Securities and Exchange Board of India (SEBI) proposed hard-binding trading accounts to SIM cards, similar to the UPI system, ensuring only the actual trader can access the account. SEBI also suggested mandatory biometric or facial recognition checks to mitigate unauthorised trading risks.

How effective will SIM binding be in preventing fraud?

At a 2023 MediaNama event, cybersecurity researcher and DeepStrat co-founder Anand Venkatnarayan explained that scammers frequently use loaned or forged IDs to procure SIM cards, bypassing KYC norms.

“They need 10 SIM cards for scamming a hundred victims; they don’t reuse SIM cards,” he said. He added that the scammers only need to procure two to three IDs per year to conduct their activities. In such cases, binding communication services to SIM cards may offer limited benefits, as fraudsters can simply acquire new SIM cards and resume operations.

Advertisements

The accuracy of the telecom subscriber database:

Interestingly, industry professionals had pointed out similar concerns during MediaNama’s discussion on the telecom cybersecurity amendment rules when they were in a draft stage. “Video KYC verification process through the ASTR database has been there for at least two years. Frauds have not reduced. So if frauds have not reduced, how is bringing the same identifier to a different ecosystem going to increase trust?” MediaNama Editor Nikhil Pahwa asked. ASTR is the AI- and facial-recognition-powered telecom subscriber verification system deployed by the DoT in 2023.

Pahwa also questioned whether the rules adequately address the issue of mule accounts. Responding to this, COAI Deputy Director General Vikram Tiwathia said the government’s goal is to maximise the usefulness of the telecom database.

“Now, where is the Government coming from? You see, there is a serious problem of cybersecurity plus fraud. Which is the most prevalent KYC? Is the mobile number devices. Correct. That’s the most prevalent, most updated, most monitored compared to any other device. So, the intent of the Government is, how can I squeeze more juice out of this national resource?” he said.

Full text of the directions:

1. WHEREAS, the Department of Telecommunications (DoT) has, vide Notification No. CG-DL-E-21112024-258808 dated 21st November, 2024, notified the Telecommunications (Telecom Cyber Security) Rules, 2024, and has subsequently amended the same vide Notification No. CG-DL-E-22102025-267074 dated 22nd October, 2025 (hereinafter collectively referred to as “the Rules”);
2. AND WHEREAS, Rule 2(i) of the Rules defines “Telecommunication Identifier User Entity (TIUE)” to mean a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning or delivery of services.
3. AND WHEREAS, Rule 4(3) of the Rules obligates every telecommunication entity and TIUE to ensure compliance with the directions and standards, including timelines for their implementation, as may be issued by the Central Government for the prevention of misuse of telecommunication identifiers or telecommunication equipment, network, or services for ensuring telecom cyber security
4. AND WHEREAS, Rule 10(2) of the Rules permits the Central Government to use secure modes of communication, other than the designated portal, for issuance of orders, directions, or instructions to telecommunication entities, TIUEs, manufacturers, or importers of telecommunication equipment, or for collection of any information from such entities
5. AND WHEREAS, it has come to the notice of Central Government that some of the App Based Communication Services that are utilizing Mobile Number for identification of its customers/users or for provisioning or delivery of services, allows users to consume their services without availability of the underlying Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running and this feature is posing challenge to telecom cyber security as it is being misused from outside the country to commit cyber-frauds
6. AND WHEREAS, it has become necessary to issue directions to TIUEs providing such App Based Communication Services to prevent the misuse of telecommunication identifiers and to safeguard the integrity and security of the telecom ecosystem;
7. NOW THEREFORE, the Department of Telecommunications, in exercise of the powers conferred upon it under the Rules, hereby directs TIUEs providing App Based Communication Services utilizing Mobile Number for identification of customers/users or for provisioning or delivery of services in India, to:
   • From 90 days of issue of these instructions, ensure that the App based Communication Services is continuously linked to the SIM card (associated with Mobile Number used for identification of customers/users or for provisioning or delivery of services) installed in the device, making it impossible to use the app without that specific, active SIM.
   • From 90 days of issue of these instructions, ensure that the web service instance of the Mobile App, if provided, shall be logged out periodically (not later than 6 hours) and allow the facility to the user to re-link the device using QR code.
8. All TIUEs providing App Based Communication Services in India shall submit compliance reports to the DoT within 120 days from issue of these directions.
9. Failure to comply with these directions shall attract action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other applicable laws.
10. These directions shall come into force immediately and shall remain in force until amended or withdrawn by the DoT.

Note: We will update this copy throughout the day with commentary and concerns.

Note: The story was updated on November 29, 2025 at 3:19 PM to add commentary around the development.

Note: The headline of this copy was updated for more clarity based on the editor’s input at 4:12 PM on 02/02/2025.

Also Read:

• DoT Notifies Telecom Cybersecurity Rules: What It Means
• How The Lack Of Clarity About The MNV Platform Causes Commercial Privacy Concerns #NAMA
• Telecom Regulations for Mobile Number Validation Violate Telecom Act, Says IAMAI; MediaNama’s Take