India SIM binding mandate: key points
Indiaโs Department of Telecommunications has ordered major messaging apps to implement continuous SIM binding and frequent web re-authentication to curb fraud, with compliance expected in early 2026.
Coverage and compliance timeline
The directive applies to app-based communication platforms that use mobile numbers as identifiers, including WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Josh, and regional players like Arattai. Platforms have roughly 90 days to build SIM-binding capabilities and submit compliance reports thereafter, with the enforcement window described as early 2026. Non-compliance may invite action under the Telecommunications Act and the Telecommunication Cybersecurity Rules.
What SIM binding requires in practice
Apps must continuously verify that the SIM linked to the registered number is present and active on the device, not just at account setup. If the SIM is removed, replaced, deactivated, or moved to a different device, the app must stop working until re-verified. Additionally, web sessions (e.g., WhatsApp Web) must auto-logout every six hours, forcing users to re-link via QR code. This effectively ends long-lived web sessions and reduces the utility of multi-device usage without the primary phone nearby.
Legal basis: TIUE and cybersecurity rules
Although over-the-top messaging apps were excluded from the telecom licensing scope in the 2023 Act, the Telecommunication Cybersecurity Amendment Rules 2025 introduced a new categoryโTelecommunication Identifier User Entitiesโbringing platforms that rely on phone numbers under cybersecurity oversight. This gives DoT the authority to direct TIUEs on identifier misuse and ecosystem integrity, even as they remain outside traditional telecom licensing.
Why this policy matters now
The move reflects a policy pivot toward identity assurance and traceability as cyber fraud accelerates across messaging channels.
Fraud context driving the move
Authorities say criminals exploit todayโs one-time number verification and long-lived sessions, continuing to use accounts after SIM swaps, SIM removals, or device changesโoften from overseasโmaking attribution and takedown harder. High-profile scams such as digital-arrest and impersonation schemes have largely ridden on popular messaging apps, amplifying the pressure on platforms to harden identity controls.
Shift to platform-level identity accountability
Carriers, represented by the Cellular Operators Association of India (COAI), have favored stronger binding of OTT identities to mobile subscriptions to improve traceability and spam control. Digital platforms, represented by the Internet and Mobile Association of India (IAMAI), argue this extends telecom-style obligations to internet services and risks service disruption. The new TIUE framework signals that identifier hygiene is now a shared responsibility between networks and apps.
Whoโs affected and how
The directive will change user experience, enterprise workflows, and developer roadmapsโespecially for Indiaโs largest messaging ecosystems.
Impact on consumers and travelers
People who swap SIMs, use dual-SIM or eSIM, or travel abroad with a local SIM could face repeated re-verification and potential lockouts. Households in which multiple people share devices or rotate SIMs will see more friction. Long-lived WhatsApp Web sessions will reset midday, complicating day-to-day use without the primary device present.
Impact on enterprises and SMBs
Teams that rely on WhatsApp or Telegram for customer support, field force coordination, or order management will need to plan for six-hour web logouts and SIM continuity on corporate devices. BYOD policies that allow multiple numbers or frequent SIM swaps will generate session churn and support tickets. Customer communications that assume always-on messaging may need fallback channels such as verified SMS or voice for continuity.
Implications for app developers and product teams
India-specific builds will likely be required, since these obligations do not exist in most other markets. Multi-device and companion app features may need rethinking to maintain end-to-end encryption guarantees while enforcing on-device SIM presence. Robust re-auth flows, customer education, and exception handling for eSIM, roaming, and dual-SIM will be critical to avoid churn.
Role of telecom operators and APIs
Carriers can play a larger role by exposing network-side verification and fraud APIs, enabling platforms to validate SIM presence and detect SIM swaps without collecting excessive device data. This aligns with GSMA Open Gateway efforts and CAMARA-based APIs such as Number Verification and SIM Swap Detection, creating new B2B monetization and security partnerships.
Technical and compliance implications for apps
SIM binding at scale requires careful systems design to balance security, privacy, and reliability.
Required architectural changes
Platforms will need continuous SIM presence checks tied to the registered MSISDN, with strong device binding and secure token rotation. On Android, developers can leverage carrier information and telephony signals with appropriate permissions; on iOS, limited SIM access necessitates network-side verification via operator APIs. Web session management must be redesigned for automatic logout and seamless re-linking with minimal user friction.
Identity, privacy, and security trade-offs
Continuous verification must not compromise end-to-end encryption. Data minimization is essential; apps should avoid persisting IMSI/ICCID where not strictly needed and prefer ephemeral proofs from operator APIs. Special handling is needed for eSIM profiles, dual-SIM devices, and lawful SIM changes to prevent false positives and unintended lockouts.
Testing and SRE considerations at scale
Edge casesโroaming transitions, poor coverage, intermittent operator API timeouts, and device changesโmust be exhaustively tested. Rate-limiting, graceful degradation, and robust retry strategies are required to avoid mass sign-outs during network incidents. Observability that correlates auth failures with SIM state and carrier events will speed incident response.
Risks, challenges, and open questions ahead
Key uncertainties remain around feasibility, user impact, and long-term efficacy against fraud.
Feasibility concerns and user impact
Critics argue scammers already misuse SIMs obtained with forged credentials, so binding may shift rather than solve risk. The six-hour web logout could impair productivity in workplaces where desktops are the primary access channel. Accessibility and shared-device use in lower-income segments need explicit accommodations.
Interoperability and product fragmentation
India-only requirements create engineering overhead and product divergence, especially for global apps with end-to-end encryption and multi-device parity. Clarity on acceptable verification methods, exception policies, and audit expectations will determine implementation complexity.
Governance, consultation, and process gaps
Industry bodies have raised concerns about limited consultation and the breadth of TIUE obligations. Clear guidance on incident reporting, user redress in case of wrongful lockouts, and thresholds for enforcement will be important to maintain trust.
Action checklist for compliance and continuity
Telecoms, OTT platforms, and enterprises should prepare for both compliance and continuity.
Steps for OTT messaging platforms
Stand up an India track for SIM binding and six-hour web session controls; integrate carrier verification via GSMA Open Gateway or equivalent APIs; design resilient re-auth flows for eSIM, dual-SIM, and roaming; publish transparent user guidance; and instrument analytics to monitor false positives and churn. Engage DoT early with implementation questions and exception proposals.
Steps for enterprises using messaging
Audit workflows dependent on WhatsApp or similar tools; plan device policies that minimize SIM swaps; update SOPs for six-hour re-logins; enable alternate channels like verified SMS, voice, or in-app chat; and brief customer-facing teams ahead of changeover. For regulated sectors, document business continuity and customer consent flows.
Steps for telcos and aggregators
Productize Number Verification and SIM Swap Detection APIs with strict privacy controls; build SLAs to support mission-critical OTT traffic; and co-create reference integrations with major platforms. Prepare consumer communications clarifying how legitimate SIM changes will be handled to prevent lockouts.
Milestones to watch through early 2026
Execution details over the next few months will determine whether the policy reduces fraud without degrading user experience.
Upcoming rule clarifications
Expect guidance on acceptable verification signals, handling for eSIM and dual-SIM, roaming exceptions, assisted reactivation for users without network access, and compliance reporting formats.
Ecosystem moves and partnerships
Watch for platform announcements from Meta/WhatsApp, Telegram, and Signal; operator API launches under GSMA Open Gateway; and statements from COAI and IAMAI that hint at potential compromises.
Enforcement posture and timelines to monitor
Monitor whether the 90-day build window and early-2026 enforcement timeline hold, whether grace periods are offered for complex use cases, and how regulators address unintended service disruptions during rollout.
