---

For web or browser-based logins, users must be logged out at least every six hours and offered a QR-code-based method to relink their account.

---

India’s Department of Telecommunications (DoT) has directed major messaging and social media apps, including WhatsApp, Telegram and Signal, to ensure their services cannot be used unless the phone’s SIM card remains active and inserted in the device, according to a government direction reported by Medianama.

The move follows amendments to India’s telecom cybersecurity rules, which place app-based communication platforms in a new regulatory category called “Telecommunication Identifier User Entities” (TIUEs). These entities must verify users’ mobile numbers through the government’s Mobile Number Validation platform and comply with cybersecurity instructions issued by the DoT.

Under the new rules, TIUEs must implement SIM binding within 90 days. Apps will be required to block access if the linked SIM card is removed or deactivated.

For web or browser-based logins, users must be logged out at least every six hours and offered a QR-code-based method to relink their account.

The DoT says some apps currently allow users to stay logged in even after removing the SIM, a gap it claims is being exploited from abroad for cyber fraud.

The Cellular Operators Association of India (COAI) has supported SIM binding, arguing it will improve traceability.

“The communication service cannot operate without the authenticated SIM physically inserted in the device,” the industry group said in an earlier statement, adding that this could reduce spam and financial fraud.

However, some cybersecurity observers say SIM binding may offer limited protection, noting that fraudsters often use forged IDs to obtain fresh SIM cards and quickly replace them. Others have raised concerns about the accuracy of India’s telecom subscriber database, pointing out that earlier verification measures have not significantly reduced fraud.

TIUEs must file compliance reports within 120 days, and the DoT says violations could invite action under the Telecommunications Act and related cybersecurity rules.