Technology is omnipresent in today’s time. While developed as an asset to society, technology today is unfortunately utilised for many unscrupulous and nefarious purposes. These include cybercrimes such as identity theft, fraud, harassment and mass misuse of personal data, and other offences.
As per the latest press release by the Government, India experienced an exponential increase in cybersecurity incidents, rising from 10.29 lakh in 2022 to 22.68 lakh in 2024. This reflects the growing scale, sophistication and complexity of cyber threats in India. This trend is confirmed by the financial impact of cyber fraud recorded on the National Cyber Crime Reporting Portal [NCRP], which has registered losses amounting to ₹36.45 lakhs, indicating a growing financial toll on citizens.
More concerningly, India ranked 10th on the World Cybercrime Index [primarily due to cybercrimes like ransomware, credit card theft, and data and Identity theft], with cyber‑fraud losses exceeding ₹22,800 crore in 2024 alone.
One of the primary causes for this is the ease with which apps can be utilised without the Subscriber Identity Module [“SIM”] card physically being present in the device. Additionally, phone numbers can be purchased online without KYC verification and can be used even without the presence of a physical SIM card. Such activities remain unregulated by governmental bodies.
These can, however, be exploited by both international and domestic fraudsters to commit cybercrimes such as identity theft, phishing, impersonation, and other similar offences. These modern crimes are especially challenging to govern because of how easily they can circumvent traditional security frameworks.
As a means to combat this growing cybersecurity threat, as raised by several government agencies and a dedicated inter-ministerial group, comprehensive consultations were held between the Department of Telecommunications [“DoT”] and leading App-Based Communication Providers [“ACPs”] regarding technical feasibility. Consequently, the DoT issued a set of directions regarding “SIM Binding” for major ACPs for the prevention of misuse of telecommunication identifiers so as to ensure telecom cybersecurity on 28 November 2025 [“Directions”].
These ACPs include: WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat and Signal.
These Directions have been issued under the Telecom Cyber Security Rules, 2024 [as amended in 2025] to protect the safety and integrity of the telecom ecosystem. Given that mandatory SIM binding is already a standard in banking and UPI industry applications, the DoT has now issued these Directions to include communication applications as a means to address cybercrimes, especially counter phishing, digital arrest, impersonation, and investment scams.
SIM BINDING
To understand the Directions released by the DoT, it is imperative to understand what SIM Binding actually is. SIM binding is a security measure that links a digital application to the specific physical SIM card used for registration. That is to say, the application will not run without the physical SIM card being present in the device.
Up until now, messaging applications, such as WhatsApp and Telegram, on various devices, could be used even without a physical SIM in the device. This has been a common practice on secondary devices, such as laptops, desktops and tablets, where these messaging applications could be accessed through the Web version or specialised applications that allow access after verification of the user via a one-time password [“OTP”] sent to the devices with the physical SIM.
Mandatory SIM binding implies, however, that such applications can no longer be accessed without the registered and KYC-verified SIM being physically present in the device.
WHAT DO THE DoT DIRECTIONS ACTUALLY CONTAIN?
The Directions introduce two primary technical mandates for ACPs to ensure security by continuous authentication of SIMs:
- FIRSTLY:
All ACPs must ensure that their app-based services are functional only when the SIM card linked to their services is physically present in the device. This means and includes the SIM card, which is associated with the mobile number that was first used at the time of registration [to identify users and provide services to them].
That is to say, the application can no longer work without the physical and active presence of the SIM card that was first used [aka registered and KYC-verified] to establish the identity of the user. Should the SIM be removed, deactivated, or swapped, the application is expected to cease functioning until a revalidation process is completed.
This is done with the intention of removing the anonymity behind which cybercriminals hide to exploit Indians.
- SECONDLY:
Further, all ACPs that provide web services in relation to the mobile application must ensure that all such web services are logged out periodically [not exceeding six hours]. However, the user must also be provided with the option to re-link through QR codes to continue accessing such services after logging out.
This means that all ACPs must periodically log out users from web services of their mobile applications [such as the WhatsApp Web service, which can be accessed by users of mobile applications on their secondary devices, including laptops and tablets], with the maximum running time being six hours per session. This is being implemented to prevent long-standing sessions from being hijacked for “digital arrest” scams, identity theft, fraud, or any other cybercrime. However, this six-hour limit might be re-discussed and subsequently raised to twelve to eighteen hours.
That being said, the users can resume access to the web service after reauthentication through QR code links to their registered SIM-enabled device. These QR codes must be provided to them by the ACPs to minimise any inconvenience caused by this stringent automatic logout and re-link policy.
Furthermore, the Directions specify a rigid enforcement timeline. The ACPs are required to implement them within 90 days of the date of the notice and submit a report on their implementation to the DoT within 120 days.
WHAT THESE DIRECTIONS SIGNIFY FOR USERS
While various industry leaders, such as the Cellular Operators Association of India [“COAI”], which represents major telecommunications leaders including Reliance Jio and Bharti Airtel, have lauded the Directions as a “necessary security safeguard” that will not significantly impede user convenience, the mandates have raised multiple issues for users.
For one, those relying on the use of a multi-device ecosystem [such as using WhatsApp Web on a laptop for work or schoolwork through the same account while the phone houses the SIM physically] will face frequent interruptions because of the periodic logouts, causing issues and hindrances to workflow. Additionally, in case of minor hardware issues, such as a damaged SIM or the loss/theft of the device containing the registered SIM, the frequent re-authentication required to prevent total cessation of access to the applications and their services cannot be possible.
Moreover, international travellers are also expected to face issues, as switching to a local foreign SIM card may result in the loss of access to home-country-registered applications, resulting in the forced purchase of expensive international-roaming packages on Indian SIM cards.
In fact, various groups, including the Broadband India Forum [“BIF”] and the Internet and Mobile Association of India [“IAMAI”] have raised concerns relating to the potential impact on user experience. Their concerns centre around the persons who travel internationally or use multiple devices, especially secondary devices.
Beyond possible user inconvenience, the Directions also raise significant questions regarding privacy and State overreach. The stringent mandates of the Directions require the persistent tracking of devices and app usage patterns, which can, in turn, enable access to user data without consent and constant tracking and location mapping. Furthermore, the Central Government has the authority to call for information from any Data Fiduciary or intermediary under the Digital Personal Data Protection Act of 2023 [Section 36]. This raises concerns that such data could be used for mass surveillance.
Ultimately, while these Directions signify the evolution of India’s digital governance and its commitment to combating the increasing cybercrimes, their success will depend on a delicate balance that ensures the coexistence of innovation and security, with the fundamental right to privacy and user convenience.