A new directive by the Department of Telecommunications (DoT) that would effectively stop online messaging apps like WhatsApp, Telegram, and Signal from working without an active SIM within the device, is being viewed as a step toward broader regulatory oversight by the DoT over OTT (Over-the-top) communication platforms.
The directive appears to confirm what tech giants like Apple, Google, Meta, Snap Inc., and others had previously feared: the Telecom Act, 2023 – which grants extensive powers to the DoT to regulate the telecom sector – may also encompass OTT applications and internet services.
While former telecom minister Ashwini Vaishnaw had, at the time, clarified publicly to the media that OTTs are not under the ambit of the law, lawyers said that the new directive suggests otherwise.
“The directive does represent an expansive interpretation of the DoT’s power since it effectively involves regulation of online messaging apps such as WhatsApp and Signal. Traditionally, this has been under MeitY’s jurisdiction, and I think there is jurisdictional overreach here,” Vrinda Bhandari, Advocate-on-record, Supreme Court of India, told The Indian Express.
Aishwarya Kaushiq, Partner, BTG Advaya, also said that the directive opens the door to a wider claim of jurisdiction, “since it treats any service using a mobile number as falling within the DoT’s cyber-security framework.” “A more reasonable view could be that the DoT’s powers should stay limited to true telecom-identifier security issues, and should not be used to control how unrelated digital services work internally, which may have greater ramifications,” he added.
The telecom department said that it sent notices to WhatsApp, Telegram, Snapchat, Arattai, Sharechat, Josh, Jiochat, and Signal on November 28, requiring them to ensure that a user’s SIM card is “continuously” linked to their accounts. This means that users would be unable to access these apps on devices that do not contain the active SIM linked to their profiles.
Additionally, users of companion web instances (such as WhatsApp Web) will be logged out every six hours and made to re-link their accounts using QR codes. The measure, which seeks to curb rising digital fraud in the country, has raised several concerns among users, digital rights advocates and other stakeholders who fear the directive threatens users’ privacy and complicates access for those using messaging platforms across multiple devices, especially in professional set-ups.
Story continues below this ad
“Continuous SIM-binding would create a significant risk for presumption that the SIM card-holder is liable for fraudulent activity on their account, and the burden will be on the user to displace that presumption. If this takes the form of a criminal trial, then the process itself is the punishment,” Bhandari said.
Experts have also flagged technical hurdles in implementation of SIM-binding, which messaging apps may not be able to do on their own. “While SIM-binding directly targets high-volume, automated fraud—particularly synthetic identity attacks in customer onboarding processes—it represents a static defense that can be easily bypassed or become a nuisance for legitimate users if not expertly implemented,” Apeksha Kaushik, Principal Analyst, Gartner, told The Indian Express.
Legal basis of the directive
Since the Telecommunications Act, 2023, partially went into effect in June 2024, the DoT has been gradually notifying various sets of rules to put key parts of the revamped telecom legislative framework into action. They cover important aspects such as internet shutdowns, cybersecurity, lawful surveillance, and setting up of telecom infrastructure in the country, among others.
In October 2025, the DoT notified the Telecommunications (Telecom Cyber Security) Amendment Rules, 2025, which paved the way for the creation of a Mobile Number Validation (MNV) platform to verify telecom identifiers like phone numbers. It also introduced a new compliance category called Telecommunication Identifier User Entities (TIUEs) defined as “a person, other than a licensee or authorised entity, which uses telecommunication identifiers for the identification of its customers or users, or for provisioning, or delivery of services.”
Story continues below this ad
The DoT notices sent to WhatsApp and others mandating SIM-binding have been issued under these Rules.
“The Telecom Act, 2023 and the Telecom Cyber Security (TCS) Rules give the DoT some authority to issue security-related directions to entities that use telecom identifiers, including app-based messaging platforms. This provides a basis for requiring certain safeguards around phone-number–based registrations,” Kaushiq said.
“At the same time, the Rules do not expressly mention measures like continuous SIM-binding, which directly affect how these apps function and how users access them across devices,” he said.
When asked about the three-month compliance timeline, Bhandari said, “There is no set legal standard for what is an acceptable timeline to implement a government directive. For instance, the DPDP (Digital Personal Data Protection) Rules give 18 months. However, I do think that the short timelines are problematic given the absolute lack of public consultation.”
Story continues below this ad
Payments versus messaging apps
In 2021, State Bank of India (SBI) launched a SIM-binding feature for its mobile app users, and most banking apps in India have SIM-binding enabled. Additionally, the Securities and Exchange Board of India (SEBI) has proposed to mandate a similar requirement to reign in fraudulent trading.
To note, security experts have said that UPI and banking apps do not perform true SIM-binding due to technical challenges; instead they rely on a form of device-binding. While the RBI has mandated device-binding for all regulated entities, the National Payments Corporation of India is said to maintain a whitelist of UPI apps that comply with its rules on SIM- and device-binding.
“The DoT’s directive also creates a de facto whitelist since only messaging apps that implement SIM-binding and related security requirements will continue to function for Indian users, effectively limiting the market to compliant platforms,” Kaushiq said.
“However, unlike the NPCI model in the UPI ecosystem, which involves an explicit, published list of authorised apps, the DoT has not created a formal approval or permission list. Instead, it has imposed uniform compliance conditions that indirectly produce the same effect,” he added.
Story continues below this ad
Telcos versus OTT players
Telecom operators in India have always supported the need for SIM-binding. Welcoming the new directive as a “first-in-the-world regulatory measure” to prevent cyber fraud, the Cellular Operators Association of India (COAI), which represents all three private telcos, said, “Such continuous linkage ensures complete accountability and traceability for any activity undertaken by the SIM card and its associated Communication App, thereby closing long-persistent gaps that have enabled anonymity and misuse.”
The telecom industry body further urged the DoT to ensure that app-based communication services implement “maximum possible mitigation of risks for subscribers across all communication channels.”
However, the directive has emerged as another front for a standoff between telcos and OTT players in the country.
The Broadband India Forum (BIF), an industry body that represents major technology firms like Meta, Google, and others, flagged “serious concerns” over the directive and urged the DoT to “pause the current implementation timelines, open a formal stakeholder consultation, constitute a technical working group of OS providers, TIUEs, licensees, and security experts, and ultimately adopt a risk-based and proportionate framework consistent with constitutional standards of necessity and least intrusive means.”