DoT's SIM-binding Mandate Creates New Compliance Challenge The SIM binding mandate has divided opinion: supporters welcome the better security, while critics argue that it is causing unnecessary disruption.

The latest directive from the Department of Telecommunications (DoT) has created a new compliance challenge for messaging platforms like WhatsApp and Telegram, which must deploy SIM binding and periodic web-sessions logouts in the next three months. This compliance challenge, however, may not remain exclusive to messaging apps and could expand to more digital platforms across sectors such as banking, e-commerce, and more.

The heart of the matter is the Telecommunication Cybersecurity Amendment Rules, 2025, which introduces a new category called Telecom Identifier User Entities (TIUEs). These entities are ones which use telecom identifiers such as mobile numbers or IMEI numbers to register and identify users. The new category brings more digital service providers than just popular messaging apps like WhatsApp or Snapchat under the ambit. For now, however, the DoT has sent the directive to messaging platforms, reports MediaNama.

Entrepreneur India has reached out to WhatsApp and Telegram for a response.

The SIM binding move, however, has become polarising as advocates are cheering the efforts to bring more security whereas critics say it's disruptive.

Lt. Gen Dr SP Kochhar, Director General at COAI, which represents telecom service providers like Jio, Airtel, and Vodafone Idea, hailed the SIM binding move stating: "Such continuous linkage ensures complete accountability and traceability for any activity undertaken by the SIM card and its associated Communication App, thereby closing long-persistent gaps that have enabled anonymity and misuse."

The COAI noted that presently, app-based communication services link to a subscriber's mobile SIM card only once during initial installation and verification. Thereafter, these applications continue to function even if the SIM is removed, replaced or deactivated - creating significant scope for fraud. The new directive mandates that all relevant communication apps ensure continuous linkage between the application and the SIM/phone number used for registration, thereby creating a more accountable digital environment by curbing anonymous misuse and protecting users in the online space.

"COAI firmly believes that this mechanism will significantly reduce spam and fraudulent communications perpetrated through these platforms and help mitigate financial frauds. Telecom operators stand fully committed to supporting seamless implementation of this directive," he added.

Security expert and threat researcher Noel Varghese explains that there have seen cases recorded across the country where WhatsApp registered phone numbers, that have since been deactivated or surrendered, continue to receive messages (including OTP's), when the SIM gets assigned and linked with the Aadhar of the new holder.

The new SIM Card holder is unable to access WhatsApp messages, as a new login attempt on a different device is subjected to a OTP Verification. The same issue persists if WhatsApp accounts are not protected by Multi Factor Authentication or if WhatsApp assigned number is not changed, right before deactivation. The new sim binding feature will be a step in the right direction to combat this, owing to the problem statement above - where services linked to the number cease if the registered SIM is not being used anymore

"In the unfortunate case of phones or SIM cards getting misplaced, it can prove to be difficult for WhatsApp Business users as important documents and messages get sent / received for ease of accessibility. Timely reporting via the CEIR interface in Sanchar Saathi and the Telecom Service Provider can help in providing intimation about lost assets, respectively," he said.

Inconvenience; Tech loopholes, and more

As the name implies, SIM binding makes it compulsory to use a particular device which has been used for running a TIUEs' platform. Some of the concerns are that a lot of users, including business ones, use multiple devices with the same account. Moreover, requiring a six-hour periodic log-out creates more problems for those using the Web version of the messaging platform. WhatsApp, in particular, is likely to be the most affected given its scale in India.

It's worth noting that millions of people use WhatsApp for Business in India. According to an estimate, India has over 15 million active users, nearly a third of the global user base for WhatsApp for Business. A lot of businesses, such as independent cloud kitchens, resellers and other small ventures, run exclusively on WhatsApp for communication, marketing and sales.

"Many businesses rely on WhatsApp Web or desktop apps to manage conversations now they will need to reauthenticate often, which disrupts workflow especially for disparate teams," technology lawyer and SFLC founder Mishi Choudhary told Entrepreneur India.

Apeksha Kaushik, Principal Analyst at Gartner tells Entepreneur India that the shift has profound implications: Enterprises must view disinformation security as a core business risk, as A 2025 Gartner survey of 302 cybersecurity leaders revealed that deepfake incidents are increasingly impacting organizations, with 43% reporting at least one audio call incident and 37% experiencing deepfakes in video calls.

DoT's SIM-binding rule will fundamentally change how both small and large businesses in India use messaging apps by making account ownership and activity traceable to a verified SIM, raising the bar for security and accountability.

Kaushik added that for small businesses, this could mean greater protection against fraud and impersonation, but also increased operational complexity and onboarding hurdles, especially for those with limited IT resources. Large enterprises, meanwhile, may benefit from enhanced compliance and reduced risk, but must invest in scalable infrastructure and support to manage SIM verification for thousands of users and devices.

"The key takeaway is that while SIM-binding promises stronger digital trust, businesses of all sizes will need to adapt their workflows, invest in user education, and leverage automation to ensure seamless compliance and customer experience. To make it better, regulators and platforms should publish detailed guidelines, easy-to-use tools, and support for edge cases like shared devices or remote workers," Kaushik said.

Ritesh Bhatia, founder of V4Web Security, tells Entrepreneur India that SIM binding does help strengthen security, but it is far from being fool-proof.

"It only locks an app to a SIM, not to a real identity. As long as fake and mule SIMs circulate and social-engineering remains rampant, fraudsters will always find a way around the system. It must be treated as one layer of defence, not the entire shield," he added.

Bhatia also advised watchfulness to businesses, fintech or large-scale platforms, on considering SIM binding as a 'silver bullet'.

"Without stronger KYC enforcement, robust identity proofing, device control, and transaction monitoring, fraudsters will simply pivot to other vectors (fake SIMs, social engineering, credential theft). As someone already doing cybercrime investigations, I expect many organised fraud rings to adapt quickly like using fake/mule SIMs, synthetic identities, or hybrid attacks that combine social engineering + device-oriented fraud. Hence the real value of SIM binding is as part of a multi-layered security architecture, not as a standalone "fool-proof" fix," he further explained.

Well-intended, but at what cost? Asks BIF

One of the most scathing criticisms has come from Broadband India Forum (BIF), an independent policy forum and think-tank, on the SIM-binding issue.

"BIF stands ready to work constructively with the Government to strengthen India's telecom cybersecurity architecture. However, the apprehension during earlier consultations that digital and OTT services may inadvertently be brought under telecom-style obligations now stands visibly manifest in the present directions. This makes it all the more essential that any measure of this magnitude must be backed by legislative sanction, and respect jurisdictional boundaries and undergo transparent, consultative scrutiny so it causes minimal disruption for millions of genuine users and businesses," BIF President TV Ramachandran said in a statement.

The think-tank in a post explained that the SIM-binding and forced periodic logout requirements could impose material inconvenience and service disruption on ordinary users, while offering limited incremental benefit against sophisticated fraud networks. Ordinary use cases—such as travellers and NRIs who rely on Wi-Fi to use their Indian numbers abroad, professionals who depend on uninterrupted web-client access during an 8–10 hour workday, families and multi-SIM users who routinely separate their primary SIM from their messaging number, and elderly or low-literacy users who struggle with repeated re-authentication—stand to be disproportionately affected.

The result is a consumer cost imposed in the absence of consultation, impact assessment, or proportionality, and one that risks degrading user experience for compliant, law-abiding citizens, the think-tank further said.

Summing up,

The SIM-binding mandate shows a critical, yet polarising, effort to enhance India's digital security architecture by improving traceability and accountability. India definitely needs a more robust and updated technology given the rise in cybercrime and frauds. Even as the objective is to close security gaps and mitigate fraud, critics are of the opinion that it could be a regulatory overreach and causes unnecessary inconveniences to businesses as well as individuals. This issue is unlikely to fade quickly, given the backlash, specifically from privacy advocates, and the separate controversy over the mandatory installation of the Sanchar Saathi app. Will there be a middle ground over this? We will find out very soon.