Full Report
India's Department of Telecommunications (DoT) has issued directions to app-based communication service providers to ensure that the platforms cannot be used without an active SIM card linked to the user's mobile number. To that end, messaging apps like WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal that use an Indian mobile number for uniquely identifying their
Analysis Summary
# Regulation/Compliance: Mandatory SIM-Binding for App-Based Communication Services in India
## Overview
This directive mandates that all App-Based Communication Service Providers (ABCSPs) operating in India ensure that their services can be used only when an active SIM card for a Know Your Customer (KYC)-verified mobile number is present and linked to the user/device. The aim is to curb fraud, scams, cross-border misuse, and the exploitation of deactivated mobile numbers.
## Key Details
- **Issuing Authority:** India's Department of Telecommunications (DoT)
- **Effective Date:** Compliance required within **90 days** of the directive's issuance (issuance date implied as around December 2, 2025).
- **Jurisdiction:** Mandatory for all communication service platforms that use an Indian mobile number for user identification (Telecommunication Identifier User Entity, TIUE) within India.
- **Status:** Final directive, implemented via an amendment to the **Telecommunications (Telecom Cyber Security) Rules, 2024.**
## Requirements
### Mandatory Requirements
1. **Active SIM Requirement:** Platforms must ensure that app-based communication services *cannot* be used unless an active SIM card linked to the user's mobile number is installed in the device.
2. **Continuous Linkage:** The application session must remain continuously linked to the active SIM card installed in the device.
3. **Web Session Re-authentication:** Web/desktop service instances of messaging platforms must be **periodically logged out every six hours**.
4. **QR Code Re-linking:** Following the periodic logout, users must re-link their device, typically via a QR code mechanism, which implicitly re-verifies the active SIM linkage.
5. **KYC Traceability:** All active accounts and their web sessions must be traceable back to a KYC-verified SIM card to allow authorities to trace fraudulent activity.
### Recommended Practices
*None explicitly mentioned as 'recommended' in the context of these mandatory security measures. The focus is entirely on immediate, non-optional compliance.*
## Affected Organizations
- **Industries:** App-Based Communication Service Providers (Messaging and Calling Apps).
- **Organization Size:** Not specified; applies universally to all providers operating in this segment.
- **Geographic Scope:** Applicable to services targeting or utilizing Indian mobile numbers within India.
- **Examples:** WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, JioChat, and Signal.
## Compliance Timeline
- **Directive Issued:** Implied around December 2, 2025.
- **Full deadline:** **90 days** from the issuance of the directive (i.e., approximately early March 2026).
## Implementation Guidance
### Assessment Phase
- **Review Current Authentication:** Assess how current platform sign-on and session management handle SIM removal, deactivation, or overseas usage.
- **Identify TIUEs:** Inventory all services reliant on Indian mobile numbers for user identification.
### Implementation Phase
- **SIM Binding Logic:** Implement technical controls to verify the continuous presence and validity of an active SIM card linked to the KYC record for application functionality.
- **Session Management Adjustment:** Develop and deploy logic to enforce automatic logouts for all web/desktop sessions every six hours.
- **Re-authentication Workflow:** Establish a mandatory but streamlined mechanism (e.g., QR code scanning from the primary device) for users to re-link after a timed logout.
### Validation Phase
- **Stress Testing:** Test scenarios where the SIM card is removed mid-session or where a web session attempts to stay active beyond the six-hour limit without re-verification.
- **MNV Integration (Implicit):** Prepare to utilize the planned Mobile Number Validation (MNV) platform for enhanced validation of TIUEs as needed by agencies.
## Technical Requirements
1. **SIM Telemetry/Verification:** Ability to continuously verify that the device hosting the app possesses an active, verified SIM card.
2. **Periodic Session Invalidation:** A hardened, unbypassable timer mechanism for web sessions set to expire every 6 hours.
3. **Device Proximity/QR Verification:** Implementation of a secure, device-proximate re-authentication method (QR code) to refresh sessions.
4. **Deactivation Handling:** Immediate termination of service functionality if the linked SIM is detected as deactivated or removed.
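
One way to combine requirements 2 to 4 on the server side, shown as an added example that is not taken from the directive or from any provider's code. The class and method names are hypothetical, and the SIM status report from the primary device is an assumption, since this summary does not say how that signal is delivered.

```python
import secrets
import time
from dataclasses import dataclass

MAX_WEB_SESSION_SECONDS = 6 * 60 * 60  # six-hour limit stated in the directive


@dataclass
class WebSession:
    account: str
    issued_at: float  # set once at QR link time; never refreshed by activity


class WebSessionStore:
    """Server-side store: the expiry decision never relies on client-held state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}    # token -> WebSession
        self._sim_active = {}  # account -> bool (hypothetical SIM status feed)

    def report_sim_status(self, account, active):
        """Record the SIM state reported for the account's primary device."""
        self._sim_active[account] = active
        if not active:
            # Deactivation handling: drop every web session of the account at once.
            self._sessions = {t: s for t, s in self._sessions.items()
                              if s.account != account}

    def link_via_qr(self, account):
        """Issue a web session after the primary device approves a QR scan."""
        if not self._sim_active.get(account, False):
            raise PermissionError("primary device has no active SIM")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = WebSession(account, self._clock())
        return token

    def validate(self, token):
        """Return the account for a live session, else None (client must re-link)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session.issued_at >= MAX_WEB_SESSION_SECONDS:
            del self._sessions[token]  # absolute timeout: activity does not extend it
            return None
        return session.account
```

The timeout is absolute rather than idle-based, so a continuously active web client is still forced back through `link_via_qr` after six hours.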
## Penalties & Enforcement
- **Fines:** Not explicitly detailed in this summary excerpt, but non-compliance with DoT directives typically carries significant financial penalties.
- **Other Consequences:** Potential suspension or revocation of operating licenses for platforms failing to adhere to cybersecurity rules.
- **Enforcement:** Enforcement will be managed by the DoT, likely leveraging the planned Mobile Number Validation (MNV) platform to assist in tracing and verifying user identities linked to service accounts.
## Related Standards
- **Telecommunications (Telecom Cyber Security) Rules, 2024:** This is the regulatory framework under which this directive is implemented (via amendment).
- **KYC Standards:** Compliance inherently requires adherence to existing Indian KYC standards used for issuing the underlying mobile connections.
## Resources
- **Official Documentation:**
  - Amendment to the Telecommunications (Telecom Cyber Security) Rules, 2024 (Link provided in source: `dot.gov.in/act-rules-content/3296`)
  - Full Cybersecurity Rules 2024 (Link provided in source: `eservices.dot.gov.in/sites/default/files/circular-notifications/cybersecurity-rules-2024.pdf`)
- **Guidance Documents:** DoT press release regarding SIM-binding directions (Link to PIB provided in source).
- **Tools:** Preparation for integration with the forthcoming Mobile Number Validation (MNV) platform.
## Practical Recommendations
1. **Immediate Roadmap Creation:** Begin developing technical solutions for the strict 6-hour web session timeout immediately.
2. **Prioritize SIM Validation:** Allocate resources to engineering teams to implement robust, continuous checks for active SIM status, as this is the core mandate.
3. **Liaison with Telecom Operators:** Coordinate with local telecom providers where necessary to ensure the system can accurately verify active SIM status upon initial and periodic re-authentication.
4. **Document Compliance Rationale:** Maintain detailed documentation showing how the implemented controls directly address the risk of cross-border fraud enabled by long-lived, unverified web sessions.