DoT's SIM-Binding Mandate Backed by Telcos, Raises Privacy & User Concerns

In a significant move aimed at curbing digital fraud, the Department of Telecommunications (DoT) has issued a new directive requiring popular messaging platforms like WhatsApp, Telegram, and Signal to mandatorily link user accounts to their active SIM cards. The directive, issued under the Telecommunication Cybersecurity Amendment Rules of 2025, has been hailed by telecom industry body COAI as a crucial security measure, even as it sparks widespread concern among users and digital rights advocates over privacy and practicality.

Telcos Applaud, OTT Platforms Brace for Pushback

The Cellular Operators Association of India (COAI), which represents major telecom players including Bharti Airtel, Reliance Jio, and Vodafone Idea, has strongly endorsed the DoT's mandate. In a statement released on Monday, December 1, 2025, COAI Director General Lt. Gen. Dr. S.P. Kochhar described the move as a "landmark step" that would ensure complete accountability and traceability for activities on communication apps.

The industry body argued that this continuous linkage would close gaps that have allowed anonymity and misuse. Furthermore, COAI urged the DoT and the Reserve Bank of India (RBI) to mandate SMS OTP authentication for all financial transactions, emphasizing a need for uniform security across channels.

While telecom operators stand united in their support, Over-The-Top (OTT) communication platforms are anticipated to resist the new requirements, potentially setting the stage for a fresh industry confrontation. The Indian Express has sought comments from Meta (WhatsApp), Telegram, Signal, and Zoho regarding the directive.

Unanswered Questions and Privacy Alarms

The DoT's directive stems from the government's observation that some apps allow service consumption without the underlying SIM being present in the device, a loophole allegedly misused from outside India to commit cyber fraud. Currently, apps verify users via OTPs sent to mobile numbers or QR codes (for web versions), enabling use on devices without a SIM.

However, the new SIM-binding rule has raised several critical, unanswered questions:

  • What happens when a user upgrades their SIM card (e.g., from 4G to 5G)?
  • How will the process work when switching to a new smartphone?
  • What are the protocols for replacing a lost or damaged SIM?

Digital rights advocates warn that the mandate could significantly erode user privacy, create obstacles for Indians traveling abroad, and complicate access for professionals who use messaging apps across multiple devices. The directive classifies these digital service providers as Telecommunication Identifier User Entities (TIUEs), bringing them under direct DoT oversight.

Compliance Deadlines and Implementation Details

The DoT has given TIUEs, including platforms like WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, and Josh, a 90-day window to ensure SIM cards remain continuously linked to user accounts. For companion web instances, platforms must log users out periodically (within 6 hours) and provide a QR-code-based method for relinking.

A compliance report must be submitted to the DoT within the next four months. The concept of SIM-binding isn't entirely new; several UPI apps, banking platforms, and even a recent SEBI proposal for trading accounts have explored similar active-SIM rules coupled with biometric checks to prevent fraud.

Yet, cybersecurity experts caution that SIM-binding alone may not be a silver bullet. Scammers often bypass KYC norms using mule accounts or forged identification documents to procure SIMs, meaning the root challenges in digital security remain multifaceted. The coming months will reveal how this push for traceability balances with the practical needs and privacy rights of millions of Indian users.