India’s SIM-binding mandate: recalibrating digital identity, traceability and telecom cybersecurity

Thursday 26 March 2026

Tony Verghese, Partner

JSA (J Sagar Associates), Advocates & Solicitors, Bengaluru

tonyverghese@jsalaw.com

Radhika Gupta, Partner

JSA (J Sagar Associates), Advocates & Solicitors, Bengaluru

radhika.gupta@jsalaw.com

Uddhav Gupta, Associate

JSA (J Sagar Associates), Advocates & Solicitors, Bengaluru

uddhav.gupta@jsalaw.com

On 28 November 2025, the Department of Telecommunications (DoT) within the government of India issued the Directions for SIM Binding for Prevention of Misuse of Telecommunication Identifiers or Telecommunication Equipment or Telecommunication Network or Telecommunication Services for Ensuring Telecom Cyber Security (‘Directions’). These Directions were issued under the Telecommunications (Telecom Cyber Security) Rules 2024 (‘Cyber Security Rules’), framed pursuant to the Telecommunications Act 2023.

The Directions apply to Telecommunication Identifier User Entities (TIUEs), a regulatory category that includes app-based communication platforms using Indian mobile numbers as identifiers. Messaging and communication services such as WhatsApp, Telegram, Signal, Snapchat, JioChat, Arattai, Josh and Sharechat fall within the practical scope of the mandate to the extent that they rely on Indian telecom identifiers for user registration and authentication.

The SIM-binding Directions represent one of the most consequential regulatory interventions in India’s digital communications ecosystems in recent years. They signal a structural shift from number-based onboarding to persistent telecom-linked identity validation.

Conceptual framework: what is continuous SIM binding?

Continuous SIM binding refers to a regulatory requirement that a communication platform account remain functionally linked to the Subscriber Identity Module (SIM) originally used for its registration. In operational terms, this means:

  • if the registered SIM is removed from the primary device, deactivated, replaced or ported, the platform must suspend the account’s functionality;
  • the user must re-verify using the same valid SIM before regaining access; and
  • web and desktop sessions must periodically expire, within a prescribed outer limit (not later than six hours), and re-authenticate through the SIM-linked primary device, typically via QR-based linking or secure revalidation protocols.

This model introduces a persistent identity tether between a telecom-verified mobile number and the digital communication account associated with it. Unlike earlier onboarding-only verification, the requirement is dynamic and ongoing.

Importantly, the Directions do not alter the physical SIM card or telecom core network architecture. The binding mechanism operates at the application and authentication layer through telecom-validated signals.

Statutory basis under the Telecommunications Act 2023

The legal foundation for the Directions lies in the Telecommunications Act 2023, which consolidates and modernises India’s telecom regulatory regime. The Act empowers the central government to prescribe measures to prevent misuse of telecommunication identifiers and ensure cybersecurity within telecommunication networks and services.

A telecommunication identifier includes mobile numbers and related identifiers used for accessing telecommunication services. By requiring platforms to maintain a live link between user accounts and verified SIMs, the DoT is exercising its rule-making authority to address systemic misuse of such identifiers.

The Cyber Security Rules 2024 – under which the Directions were issued – specifically authorise regulatory interventions to prevent:

  • misuse of telecom identifiers;
  • fraudulent access to telecom services; and
  • threats to national telecom cybersecurity architecture.

The SIM-binding mandate thus reflects a regulatory determination that app-level account detachment from telecom-verified identifiers constitutes a cybersecurity vulnerability.

Regulatory rationale: fraud, impersonation and enforcement gaps

Indian regulators and law enforcement agencies have repeatedly highlighted the exponential growth of cyber-enabled fraud, particularly through over-the-top (OTT) messaging platforms. Common fraud typologies include:

  • digital arrest scams;
  • impersonation of law enforcement or regulatory officials;
  • SIM-swap-linked fraud chains;
  • investment and loan application scams; and
  • multi-layered mule-account operations.

A recurring enforcement challenge has been that messaging accounts remain active even after the SIM originally used for registration has been:

  • fraudulently obtained;
  • discarded;
  • transferred; or
  • deactivated.

In such cases, traceability may technically lead to a mobile number, but the number may no longer be physically linked to the perpetrator. The absence of persistent SIM validation enables fraud actors to exploit the residual operational life of app accounts.

In late 2025, the Supreme Court of India initiated suo motu proceedings concerning the alarming rise of digital frauds. The Court reportedly emphasised the need for coordinated institutional action involving telecom authorities, financial regulators and digital platforms. The judicial intervention added urgency to regulatory responses addressing telecom-identifier misuse.

Within this enforcement context, continuous SIM binding is intended to create a ‘digital anchor’ linking virtual communication accounts to know your customer (KYC)-verified telecom subscribers. The policy objective is to reduce the operational window for fraudsters who rely on number detachment and SIM churn.

Alignment with broader identity governance trends

The SIM-binding Directions reflect a broader regulatory trend toward harmonised digital identity assurance across sectors.

In banking and financial services, customer due diligence and KYC norms are persistent rather than one-time events. Account revalidation mechanisms exist for high-risk activities. By contrast, messaging platforms have historically operated with onboarding-only verification tied to phone number possession at a single point in time.

The DoT’s intervention narrows this regulatory asymmetry. It effectively extends telecom identity assurance into the app-layer domain, bringing messaging services closer to regulated identity ecosystems.

From a governance standpoint, this represents a shift from platform-centric authentication to telecom-anchored identity continuity.

International context: absence of a global mandate

No comparable jurisdiction currently mandates continuous SIM presence verification for messaging applications as a matter of telecom law.

International standard-setting bodies such as the International Telecommunication Union (ITU) and the GSM Association (GSMA) establish standards for:

  • SIM architecture;
  • subscriber identity frameworks;
  • secure provisioning;
  • eSIM management; and
  • roaming protocols.

However, neither ITU Recommendations nor GSMA technical specifications prescribe mandatory persistent SIM-to-application binding for OTT messaging services.

India’s approach therefore constitutes a domestic regulatory innovation rather than the implementation of an internationally harmonised telecom standard. This divergence may raise interoperability, compliance and jurisdictional questions for global platforms operating across multiple regulatory environments.

Technical architecture and practical implementation

From a technical standpoint, SIM binding does not involve modification of SIM hardware or telecom switching systems. Instead, it is implemented through software-layer authentication mechanisms.

Because modern mobile operating systems restrict direct third-party access to low-level identifiers such as international mobile subscriber identity (IMSI) or international mobile equipment identity (IMEI), platforms rely on permitted APIs and telecom-validated authentication flows. Binding mechanisms may include:

  • periodic SIM presence validation;
  • network-based number activity confirmation;
  • telecom-integrated mobile number validation (MNV) checks; and
  • session expiration and forced re-authentication protocols.

The MNV system, introduced through amendments to the cyber security framework, is intended to allow platforms to verify whether a number corresponds to a legitimately issued and active SIM.

Importantly, SIM binding is algorithmic and reversible. It does not create a cryptographically irreversible hardware lock. If regulatory requirements change, platforms can adjust the software logic governing validation without altering SIM hardware.

Nevertheless, implementation will require substantial architectural changes, particularly for platforms with end-to-end encrypted models where authentication design is central to security guarantees.

Operational and user-level implications

Multi-device usage

The requirement that web and desktop sessions expire within six hours introduces friction for users relying on multi-device workflows. Many professionals use messaging platforms across:

  • laptops;
  • tablets;
  • office desktops; and
  • secondary mobile devices.

Mandatory periodic logout may disrupt enterprise usage patterns and reduce convenience, especially where the primary SIM-bearing device is not readily accessible.

International travel and dual-SIM environments

Indian users travelling internationally often swap their domestic SIM for a local SIM to manage roaming costs. Under continuous SIM binding, removal of the Indian SIM could suspend platform functionality unless the user retains the SIM in a dual-SIM or eSIM configuration.

In multi-SIM devices, determining which SIM is bound to the account may introduce technical ambiguity. Platforms must ensure that validation logic accurately distinguishes between active and inactive SIM contexts.
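
As an added illustration (not code from the Directions, the DoT or any platform), the sketch below models the account-state rules described under the conceptual framework and the multi-SIM question raised above: suspension when the bound SIM is absent or no longer active, re-verification only with the same SIM, and the six-hour outer limit on web sessions. The class, the opaque SIM references, the network status strings and the choice to drop web sessions on suspension are assumptions made for the example.

```python
from dataclasses import dataclass, field

WEB_SESSION_MAX_SECONDS = 6 * 60 * 60  # outer limit for web/desktop sessions

@dataclass
class BoundAccount:
    bound_sim_ref: str                      # opaque handle for the registration SIM (hypothetical)
    suspended: bool = False
    web_sessions: dict = field(default_factory=dict)  # session id -> link time (epoch seconds)

    def on_sim_check(self, active_sim_refs, network_status="active"):
        """Periodic check: suspend unless the bound SIM is in the device and active."""
        if self.bound_sim_ref not in active_sim_refs or network_status != "active":
            self.suspended = True
            self.web_sessions.clear()       # assumption: companion sessions fall with the primary
        return not self.suspended

    def reverify(self, presented_sim_ref, network_status):
        """Lift suspension only for the same SIM, confirmed active by the network."""
        if presented_sim_ref == self.bound_sim_ref and network_status == "active":
            self.suspended = False
        return not self.suspended

    def link_web_session(self, session_id, now):
        """QR-style link from the primary device; refused while suspended."""
        if self.suspended:
            return False
        self.web_sessions[session_id] = now
        return True

    def web_session_allowed(self, session_id, now):
        linked_at = self.web_sessions.get(session_id)
        if self.suspended or linked_at is None:
            return False
        if now - linked_at >= WEB_SESSION_MAX_SECONDS:
            del self.web_sessions[session_id]   # forced re-authentication
            return False
        return True

def demo():
    """Constructed scenario: dual-SIM travel, then removal of the Indian SIM."""
    acct = BoundAccount(bound_sim_ref="sim-A")
    acct.link_web_session("laptop", now=0)
    return [acct.on_sim_check({"sim-A", "sim-foreign"}),       # dual SIM: still bound
            acct.web_session_allowed("laptop", now=5 * 3600),
            acct.web_session_allowed("laptop", now=6 * 3600),  # outer limit reached
            acct.on_sim_check({"sim-foreign"}),                # bound SIM removed
            acct.reverify("sim-foreign", "active"),            # different SIM: refused
            acct.reverify("sim-A", "active")]                  # same SIM: restored
```

Checking set membership rather than "the SIM currently in use" is what keeps a dual-SIM traveller from being suspended while the registration SIM is still installed.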

Impact on eSIM adoption

As India expands eSIM adoption, the regulatory framework must accommodate remote provisioning and profile switching. Binding logic must be compatible with dynamic SIM profile management without causing unintended service disruptions.

Privacy and constitutional considerations

Continuous SIM binding increases the coupling between telecom identifiers and application-layer usage. While the objective is fraud mitigation, the measure may raise privacy considerations.

Under Indian constitutional jurisprudence, particularly the proportionality framework articulated in Puttaswamy (2017)[1], any restriction affecting privacy must satisfy:

  • legality;
  • legitimate state aim;
  • necessity;
  • proportionality (least intrusive means); and
  • procedural safeguards.

The SIM-binding mandate has a clearly articulated legitimate aim: fraud prevention and telecom cybersecurity. However, its long-term defensibility may depend on demonstrating that:

  • less intrusive alternatives would be insufficient;
  • data collection is minimised;
  • oversight and accountability mechanisms exist; and
  • implementation does not result in disproportionate surveillance potential.

Careful calibration of data retention, audit and integration practices will be essential to mitigate privacy risks.

Compliance and industry response

Platforms designated as TIUEs must redesign authentication systems, integrate telecom verification channels and maintain compliance records subject to regulatory scrutiny.

Industry response has been mixed.

The Cellular Operators Association of India (COAI) has reportedly supported measures enhancing telecom security and national resilience, reflecting telecom operators’ interest in strengthening the integrity of mobile identifiers.

Conversely, the Broadband India Forum (BIF) has expressed concerns regarding short implementation timelines, absence of extensive public consultation and the potential disproportionate impact on digital innovation and user experience.

Global OTT platforms may also examine whether compliance obligations create jurisdictional tensions in cross-border operations.

Jurisdictional and enforcement dimensions

A notable legal question concerns the extraterritorial reach of the Directions. Many messaging platforms are headquartered outside India. However, to the extent that they use Indian telecom identifiers and operate within Indian jurisdictional territory, they fall within the regulatory ambit of the Telecommunications Act 2023.

Enforcement mechanisms may include:

  • compliance audits;
  • directives under telecom security provisions; and
  • potential restrictions on service availability in case of non-compliance.

The interplay between telecom regulation and intermediary liability frameworks under information technology laws may also evolve as regulators refine enforcement strategies.

Policy outlook and implementation challenges

Before the implementation deadline of 28 February 2026, several issues still remained salient:

  • technical readiness of platforms;
  • harmonisation with device-level privacy protections;
  • standardised integration protocols for MNV systems;
  • clear compliance guidance and FAQs; and
  • mechanisms for user grievance redressal.

A phased rollout or regulatory sandbox approach could mitigate transitional disruptions. Structured stakeholder consultation may also enhance legitimacy and reduce litigation risk.

Conclusion

India’s SIM-binding mandate marks a pivotal shift in digital communications governance. By tethering app-based accounts to verified telecom identifiers on a continuous basis, the DoT seeks to close enforcement gaps that have facilitated cyber fraud, impersonation and telecom misuse.

The measure reflects a security-oriented regulatory philosophy that prioritises traceability and identity continuity. Yet its long-term viability will depend on constitutional defensibility, technical feasibility, stakeholder consultation and careful balancing of security objectives with user convenience and privacy safeguards.

If implemented with procedural rigour, transparency and proportionality, the SIM-binding framework may redefine digital identity assurance in India’s telecom ecosystem. However, its ultimate success will hinge not merely on regulatory ambition, but on calibrated execution that preserves both cybersecurity and public trust in India’s rapidly evolving digital landscape.[2]


[1] Justice K.S. Puttaswamy (Retd.) and Another vs Union of India and Others, (2017) 10 SCC 1.

[2] Acknowledgement: The research and analysis presented in this article are informed by a comprehensive review of regulatory directives, legal commentary and industry reports. We gratefully acknowledge the insights provided by ET Telecom regarding official perspectives on national security and the impact on small businesses, alongside detailed technical and user impact explainers from The New Indian Express, NDTV, The Indian Express, Business Standard, and The Times of India. We further recognise the regulatory context and the industry-focused discussions on ET Edge Insights. We would also like to acknowledge The Leaflet for its coverage of the Supreme Court of India’s stance on digital frauds and Internet Freedom Foundation for its critical advocacy.