The government has already notified the Telecom Cyber Security Rules in 2024 and updated them again in 2025. The new SIM-binding rules will rewrite how Indians use their messaging apps. People will now no longer be able to run apps like WhatsApp, Telegram or Signal on a device without the active SIM card inside it.
That means no more using WhatsApp on a phone with a different SIM, no more shifting between devices freely, and far more frequent logouts on web versions of these messaging applications. The notification, issued on November 28, 2025, has come into force with immediate effect.
Which issue is being addressed?
“It has come to the notice of Central Government that some of the App Based Communication Services that are utilizing Mobile Number for identification of its customers/users or for provisioning or delivery of services, allows users to consume their services without availability of the underlying Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running and this feature is posing challenge,” the document reads.
The government has already notified the Telecom Cyber Security Rules in 2024 and updated them again in 2025. These rules apply to apps and services that use mobile numbers to identify their users or deliver services. The rules define these apps as Telecommunication Identifier User Entities. They must follow all government instructions meant to prevent the misuse of mobile numbers, telecom devices, networks, and services.
What are the new rules?
- From 90 days of issue of the instructions, ensure that the App Based Communication Services is continuously linked to the SIM card installed in the device, making it impossible to use the app without that specific, active SIM.
- From 90 days of issue of the instructions, ensure that the web service instance of the Mobile App is logged out periodically (not later than 6 hours) and allows the user to re-link the device using a QR code.
- These directions come into effect immediately and will remain active until the DoT changes or withdraws them.
- The Department of Telecommunications directs all TIUEs that use mobile numbers for identifying users or delivering services to follow new requirements.
- All such apps must submit compliance reports to the DoT within 120 days from the date these directions are issued.
- Non-compliance will lead to action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other applicable laws.
DoT’s clarification on SIM-binding
“Subscriber Identity Module (SIM) within the device in which App Based Communication Services is running and this feature is posing challenge to telecom cyber security as it is being misused from outside the country to commit cyber-frauds,” the DoT clarified.
“Discussions on this with prominent service providers were on for last few months. Given the seriousness of the issue, It had become necessary to issue directions to such App Based Communication Services to prevent the misuse of telecommunication identifiers and to safeguard the integrity and security of the telecom ecosystem,” it added.
