New Delhi, The Department of Telecommunications (DoT) has introduced far-reaching amendments to the Telecommunication Cybersecurity Rules, requiring over-the-top (OTT) messaging platforms – including WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat and others – to enforce continuous linkage with an active, verified mobile SIM card. The rules, notified on 28 November 2025, will come into force within 90 days.
Under the Telecommunication Identifier User Entities (TIUE) framework, platforms previously exempt from telecom-style regulation will now mirror the stringent SIM-binding protocols already in place for banking and UPI applications. Users will be unable to log in or remain authenticated if the registered SIM is removed, deactivated or swapped.
In a separate measure aimed at web-based access, sessions on browser versions of these services will automatically expire every six hours, forcing re-authentication via QR-code scanning from a linked mobile device.
The government argues that the existing practice – whereby most messaging apps verify a phone number only once at registration – has created a significant vulnerability exploited by cybercriminals. Fraudsters have routinely continued operating accounts after discarding or deactivating the original SIM, rendering location tracing and carrier-record correlation effectively impossible.
A senior DoT official told the media: “A mobile number linked to KYC remains the strongest digital identity anchor available in India. Closing this gap will substantially raise the cost and risk for perpetrators of financial fraud, harassment and disinformation campaigns.”
The Cellular Operators Association of India (COAI) welcomed the move, describing it as “long overdue alignment of OTT communication services with the accountability standards applied to licensed telecom operators”.
Cybersecurity experts offered a more nuanced assessment. While most acknowledge that persistent SIM linkage will complicate large-scale fraudulent account operations and reduce impersonation risks, several cautioned that determined actors can still obtain new SIMs using forged or borrowed documents. “The measure will deter casual and mid-tier fraud, but sophisticated rings with access to bulk fake KYC will adapt,” said one Delhi-based ethical hacker speaking on background.
For India’s roughly 800 million messaging-app users, the changes will impose new frictions. Dual-device workflows will be curtailed, prolonged WhatsApp Web or Telegram Desktop sessions will no longer be possible without periodic re-authentication, and travellers or users switching to eSIM-only devices abroad may face temporary loss of access if their Indian physical SIM is not inserted and active.
Industry sources indicate that Meta, Telegram and Signal have already begun internal compliance reviews, though none has issued public comment at the time of writing.
The amendments mark the first instance globally of a major jurisdiction extending telecom-grade identifier binding to consumer messaging platforms at scale – a step likely to be watched closely by regulators in Southeast Asia, Africa and Latin America grappling with similar fraud and security challenges.
With the 90-day implementation clock now ticking, platforms face a complex technical and user-experience overhaul against the backdrop of India’s position as their largest single-country market by user base.
