Govt sets 90-day deadline for WhatsApp, Telegram, and Arattai to enforce SIM-device binding against cyber fraud

In a significant regulatory shift, the Indian government has directed major messaging and Over-The-Top (OTT) communication platforms, including WhatsApp, Telegram, Signal, Snapchat, JioChat, Arattai, ShareChat, and Josh, to strictly tie user access to active SIM cards.

This directive was issued by the Department of Telecommunications (DoT) under the new Telecommunication Cybersecurity Amendment Rules, 2025. The move marks the first instance where app-based communication services will be regulated similarly to traditional telecom operators.

All affected OTT communication platforms have a 90-day window to implement continuous SIM-to-device binding. This mandates that users must have an active SIM card in their device to access the platform's services.

The mandate also introduces several stringent compliance requirements:

Periodic Logouts: Web and app-based platforms must enforce periodic logouts, occurring at least once every six hours.

Re-authentication: Re-authentication will be handled via a QR-code-based system.

New Designation: These platforms are now designated as Telecommunication Identifier User Entities (TIUEs).

TIUEs must complete compliance within the 90-day period. A detailed compliance report must be submitted to the DoT within 120 days. Non-compliance could lead to action under the Telecommunications Act, 2023, the Telecom Cyber Security Rules, 2024 (as amended), and other applicable laws.

The primary objective of the new rules is to close cybersecurity loopholes. Officials indicate that some platforms currently permit mobile number-based login even when the corresponding SIM card is not present in the device. This loophole has reportedly been exploited to facilitate cross-border cyber fraud. The Cellular Operators Association of India (COAI) had previously advocated for mandatory SIM binding as a security measure.

Additionally, TIUEs will be required to utilize a Mobile Number Validation (MNV) Platform to verify users. They may also be instructed to suspend identifiers used to access services in sensitive cases, further strengthening regulatory oversight and security protocols.