India's SIM Binding Rule Now Live
India's mandatory SIM binding rule for messaging apps like WhatsApp is now in effect. The regulation requires a user's account to be linked to an active, physical SIM card in the device, a move aimed at curbing fraud. This directly impacts businesses using WhatsApp for commerce, creating potential friction for merchants with shared devices and users on multi-device setups without a primary SIM.
The new SIM binding regulation is an initiative by India's Department of Telecommunications (DoT) under the Telecom Cyber Security Rules, 2024. This directive, which took effect on March 1, 2026, requires messaging platforms to ensure a user's account is continuously linked to the physical, KYC-verified SIM card in their primary device. The rule applies to a range of platforms including WhatsApp, Telegram, Signal, Snapchat, ShareChat, JioChat, Arattai, and Josh for all India-registered accounts. This policy ends the previous "verify-once" model where an app would remain active even if the SIM was removed after initial setup. The government's stated goal is to enhance national security and combat the rise of online financial fraud, digital arrest scams, and SIM-swap fraud by improving the traceability of users. Communications Minister Jyotiraditya Scindia has publicly supported the measure as a necessary step to prevent the misuse of telecom identifiers. For users, a primary impact is on multi-device access. Sessions on linked devices like WhatsApp Web or desktop apps will now automatically log out every six hours, requiring re-authentication by scanning a QR code from the primary phone with the active SIM. This continuous verification process will happen in six-hour intervals to confirm the SIM's presence. This isn't the first application of SIM binding in India; the technology is already a standard security feature in many banking and UPI payment apps to authorize transactions. The Reserve Bank of India (RBI) has been pushing for stronger multi-factor authentication in digital payments to move beyond the vulnerabilities of SMS-based OTPs. The directive has faced resistance from industry body Broadband India Forum (BIF), which includes Meta and Google as members. BIF has questioned the legality of the directive, arguing that telecom laws apply to operators, not messaging platforms which are now categorized as Telecommunication Identifier User Entities (TIUE) under the new rules. The regulations cover both physical SIM cards and eSIM profiles. If an account is linked to an eSIM, the profile must remain active on the device to avoid a logout. Frequent travelers who swap SIMs or users with Wi-Fi-only secondary devices may face repeated interruptions and re-authentication prompts. The government provided a 90-day compliance window for platforms starting November 28, 2025, and has stated that no extensions would be granted. Companies are also required to submit compliance reports to the Department of Telecommunications within 120 days.
