Understanding India's New SIM Binding Requirements for WhatsApp, Telegram and Other Messaging Apps: Security Measures and Industry Response

India has implemented a mandatory active SIM linkage requirement for messaging applications such as WhatsApp, Telegram, and Signal to function on devices, with the government maintaining that this 'SIM binding' is crucial to address security vulnerabilities exploited by cybercriminals engaging in widespread digital fraud operations, often across borders.

This directive has created division among stakeholders. Mobile operators represented by COAI have expressed support, while digital platforms under the Broadband India Forum (BIF) have raised "serious concerns" regarding potential overreach and requested a delay in the implementation timeline.

The Department of Telecommunications (DoT) issued a directive on November 28 requiring messaging platforms to ensure within 90 days that their services only function with an active SIM in the user's device. Additionally, web versions of these applications must automatically log users out at least once every six hours, requiring re-authentication through QR code linking.

All providers of app-based communication services in India must submit compliance reports to the Telecom Department within 120 days of the directive. Non-compliance will result in penalties under the Telecommunications Act, 2023, Telecom Cyber Security Rules, and other applicable laws.

Currently, these communication applications link to a subscriber's mobile SIM during initial installation and verification but continue to function even if the SIM is subsequently removed, replaced, or deactivated.

This regulation affects users of various messaging platforms in India, including WhatsApp, Telegram, Signal, Arattai, Snapchat, Sharechat, Jiochat, and Josh.

The government justifies the 'SIM binding' requirement as "essential" to close a security vulnerability that cybercriminals exploit to conduct large-scale digital fraud operations. With cyber-fraud losses exceeding Rs 22,800 crore in 2024 alone, continuous SIM linkage and periodic logout requirements aim to ensure that every active account and web session is connected to a live, KYC-verified SIM, enabling traceability of numbers used in various scams including phishing, investment fraud, digital arrest, and loan scams.

The government has clarified that the directive does not affect situations where the SIM remains in the handset while the user is roaming.

Industry association COAI, whose membership includes major telecom providers Reliance Jio, Bharti Airtel, and Vodafone Idea, asserts that the directive will strengthen national security and protect citizens. They argue that continuous linkage ensures complete accountability and traceability for activities conducted through a SIM card and its associated communication application, closing "long-persistent gaps that have enabled anonymity and misuse." COAI has pledged to support seamless implementation of these directives.

In contrast, the Broadband India Forum (BIF), representing major technology companies including Meta and Google, contends that these directives raise significant questions regarding jurisdiction, consumer impact, and risk. BIF argues that these regulations create obligations extending beyond the Telecom Act's mandate or the purpose of the Telecom Cyber Security Rules. They have urged the government to suspend the implementation timeline and conduct stakeholder consultations regarding the SIM-binding requirement.