New Delhi: The Centre has introduced sweeping cyber-security directions that will reshape how millions of Indians use popular messaging platforms, mandating that all app-based communication services remain continuously tied to a user’s active SIM card. The move, issued by the Department of Telecommunications on November 28 and now in immediate effect, seeks to close what the government describes as a major vulnerability exploited for cross-border cybercrime, with reported fraud losses crossing Rs 22,800 crore in 2024.
Under the new framework, providers of app-based communication services such as WhatsApp, Signal, Telegram, Arattai, Snapchat, Sharechat, Jiochat and Josh must ensure that their apps function only when the SIM card associated with the registered mobile number is physically present and active in the device. The requirement applies to all platforms that use mobile numbers for user identification or for delivering their services. Companies have been instructed to submit compliance reports to the DoT within 120 days.
In its order, the DoT said it had observed instances in which messaging apps continued to operate even after the underlying SIM was removed, deactivated, or taken overseas. According to the department, this operational flexibility has enabled the misuse of Indian numbers from outside the country, facilitating remote scams and impersonation calls. “This feature is posing challenge to telecom cyber security as it is being misused from outside the country to commit cyber-frauds,” the directive noted. The Ministry of Communications later stated that such activity has played a significant role in the surge of digital frauds, including phishing, investment scams, loan frauds and so-called digital arrest cases.
To curb these risks, the government has ordered what it calls mandatory continuous SIM-device binding. From 90 days after the issuance of instructions, app providers must ensure that communication services are inseparable from the SIM associated with the user’s registered mobile number, making it impossible to operate the app without that specific, active SIM. An official release said the measure “restore[s] traceability of numbers used in phishing, investment, digital arrest and loan scams” by anchoring every active account to a live, KYC-verified mobile number.
The rules also impose a strict regime for web versions of messaging apps. Within the same 90-day window, any web session must automatically log out at least once every six hours. Users wishing to continue must re-authenticate by re-linking the device through a QR code. According to the ministry, long-running web sessions have been a significant challenge because they allow fraudsters to remotely control accounts for extended periods without physical access to the SIM or device. “A session can currently be authenticated once on a device in India and then continue to operate from abroad, letting criminals run scams using Indian numbers without any fresh verification,” the ministry said. Automatic logout, it added, will shut down such prolonged sessions and reduce the scope for account takeover, session hijacking and remote-access misuse.
Officials drew parallels with banking and payment applications, where device binding and routine re-authentication are already in place to reduce the risk of unauthorised access. Extending similar safeguards to communication apps, they said, is necessary because these platforms have become central to cyber-fraud operations. The ministry clarified that the directions will not affect users whose SIMs are present in their handsets while roaming.
The DoT warned that failure to comply with the instructions will attract action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules and other applicable laws. The directions will remain in force until amended or withdrawn. “DoT is committed to make India a cyber secure nation,” the ministry said.
The government maintains that the scale of cyber-fraud losses in 2024 has made regulatory intervention unavoidable. With financial damages exceeding Rs 22,800 crore, officials argue that uniform, enforceable measures are necessary to protect citizens and reinforce trust in India’s digital ecosystem. By forcing repeated verification and ensuring that both app and web sessions are tied to an active SIM, the government says it will raise barriers for criminal networks that rely on anonymity and remote access to operate across borders.