SIM-Linking Now Mandatory for Messaging Apps: DoT Tightens Cybersecurity Norms

In a major push to strengthen telecom cybersecurity and prevent digital fraud, the Department of Telecommunications (DoT) has made it mandatory for all messaging apps—including popular services like WhatsApp, Telegram, and Arattai—to remain constantly linked to a SIM card on the user’s device. This landmark regulatory decision, announced on November 29, 2025, comes as part of the Telecommunication Cybersecurity Amendment Rules, 2025, and is aimed at plugging loopholes in mobile app identification systems.

The DoT directive requires all App-Based Communication Service providers to enforce continuous SIM-binding and implement web-based session restrictions to curb the misuse of telecom identifiers by domestic and foreign actors involved in cyber frauds.

What Does the New SIM-Linking Rule Mean?

Under the new guidelines, messaging apps must ensure,

• Their services are available only when the app is actively linked to a specific SIM card installed on the user’s device.
• The web versions of apps must log out users periodically (at least every six hours) and allow re-login only through QR code scanning linked to an active SIM.
• All compliance measures must be implemented within 90 days, and platforms are required to submit detailed compliance reports within 120 days.

Why This Rule Was Introduced

According to the DoT’s order, it was observed that,

• “Some messaging platforms allow services to continue even when the user’s SIM card is removed, enabling fraudulent usage of Indian mobile numbers from foreign locations without valid authentication.”
• This gap in SIM-dependency has reportedly been exploited by cybercriminals to hijack accounts, spoof identities, and bypass verification, often resulting in scams or security breaches that undermine India’s telecom infrastructure and national cybersecurity.

Legal and Regulatory Framework

The mandate is backed by a comprehensive legal architecture, including,

• Telecommunications Act, 2023
• Telecom Cyber Security Rules, 2024 (Amended)
• Telecommunication Cybersecurity Amendment Rules, 2025

Non-compliance with these directives could invite legal action, penalties, or even suspension of services under the applicable provisions of telecom and cybersecurity law.

Impact on Messaging Platforms and Users

For Messaging Platforms

• Companies must modify their core app architecture to ensure real-time SIM authentication.
• Must implement secure logout and re-login protocols for web and desktop versions.
• Required to maintain logs, submit compliance data, and align with security audits.

For Users

• Users will be unable to access messaging services without the original, active SIM card in the device.
• Web versions will be auto-logged out every six hours, ensuring revalidation.
• The move may affect cross-device accessibility and user convenience but is aimed at reducing fraud risk.

Broader Context: A Cybersecure Telecom Vision

The DoT’s push for SIM-binding is part of India’s broader effort to secure its telecom ecosystem and digital identity infrastructure, especially as the volume of cyber frauds linked to spoofed numbers and cloned apps continues to grow.

The Mobile Number Verification mandate, first recommended in 2025, is a key element in tackling impersonation, identity theft, and fake account creation, especially in app-based communication and social media platforms.

These rules also align with global best practices where identity-linkage and session control form the core of secure communications.

Key Takeaways

• Issued By: Department of Telecommunications (DoT), Government of India
• Date of Announcement: November 29, 2025
• Applicability: All App-Based Communication Services (e.g., WhatsApp, Telegram, Arattai)
• Key Mandates
• Continuous SIM-binding to access services
• Web logout every six hours with QR-based re-login
• 90-day implementation deadline
• 120-day compliance report submission
• Legal Basis: Telecommunications Act 2023, Telecom Cyber Security Rules 2024 (Amended), Cybersecurity Amendment Rules 2025
• Penalty for Non-Compliance: Legal action under relevant telecom and cybersecurity laws