WhatsApp Mandates SIM-Binding in India

The directive is part of the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, introduced by the Department of Telecommunications (DoT) in November 2025. The government's primary motivation is to combat a surge in digital scams and cybercrime, with officials noting that criminals often authenticate an Indian number once and then operate the account remotely, sometimes from outside the country. This new regulation is a direct response to escalating cyber fraud losses in India, which crossed ₹22,800 crore in 2024. Scams like "GhostPairing," where attackers exploit WhatsApp's device-linking feature to hijack accounts without needing a password or SIM swap, have become increasingly common. The government aims to make accounts more traceable by tying them to a live, KYC-verified SIM. For users of web-based services like WhatsApp Web, sessions will now automatically log out every six hours, requiring re-authentication by scanning a QR code from the primary phone with the active SIM. This directly impacts businesses and individuals who rely on continuous desktop access for work, as it introduces regular interruptions. The rule significantly curtails the flexibility of multi-device usage. Features that allow messaging apps to be used on tablets or secondary phones without the primary device being online will now depend on the registered SIM being physically present in the main phone, potentially disrupting workflows for many users. Industry body Broadband India Forum (BIF), which includes members like Meta and Google, has pushed back, arguing the directive is "unconstitutional" and that telecom laws should apply to operators, not messaging platforms. Despite this resistance, the government did not extend the February 28 compliance deadline. This move aligns with India's broader governance model of creating a telecom-verified digital identity, similar to Aadhaar-linked services and KYC-driven banking. It shifts messaging platforms from being treated as private tech companies to regulated digital utilities that are part of the national digital infrastructure. While the government states the rule is essential for national security, critics argue it creates a single point of failure. A stolen phone could give a thief immediate access to messaging accounts, and the constant verification process may force apps to collect a richer stream of user metadata. For businesses using automated or multi-agent customer support systems via WhatsApp, the changes pose a significant challenge. The constant need for a physical SIM and frequent web logouts may render many existing CRM integrations and shared login systems unworkable, pushing companies towards more stable, official WhatsApp Business API solutions.