Major technology industry associations have strongly opposed a recent directive from the Department of Telecommunications (DoT) that would require messaging applications to be continuously linked to an active SIM card. The move, aimed at curbing cybercrime, has sparked a significant debate between tech companies and telecom operators.
Industry Bodies Raise Alarm Over Business Impact
The Internet and Mobile Association of India (IAMAI) and the Broadband India Forum (BIF) have pushed back against the DoT's order. In a letter dated 8 December to Communications Minister Jyotiraditya Scindia, the IAMAI urged the department to reconsider and withdraw the directions for continuous SIM-binding.
The IAMAI, representing over 750 Indian and multinational firms, argued that mandatory periodic logouts would disrupt business workflows for micro, small, and medium enterprises (MSMEs). It stated that such interruptions would delay responses and harm daily operations. The body also highlighted challenges for international travellers, users of dual SIMs, or those accessing apps on secondary devices like laptops.
On the core issue of security, IAMAI contended that "there is limited evidence that SIM-binding or mandatory logouts would meaningfully reduce" cyber fraud. It pointed out that fraudsters often use fake IDs to obtain SIM cards, use them briefly, and discard them, meaning domestic fraud clusters would remain largely unaffected.
The DoT Directive and Technical Hurdles
The controversy stems from a 28 November letter from the DoT to companies owning apps like WhatsApp, Telegram, Signal, Snapchat, and Sharechat. The directive, issued under the amended Telecommunications (Telecom Cyber Security) Rules, 2024, mandates that services must remain linked to a user's active SIM and phone number. A user without an active SIM in their phone should be blocked from accessing these apps.
Furthermore, the rules require companies to automatically log users out of the web versions of these apps every six hours. Users can only log back in by re-linking their device using a QR code. Companies have been given until 28 February 2026 to comply and must submit compliance reports within 120 days of the directive's issuance.
Both IAMAI and BIF have raised technical implementation challenges, citing operating system-level restrictions (especially on iOS), and complexities involving dual-SIM phones and eSIMs. The BIF, in a statement on 2 December, also questioned the legal basis, arguing the Telecommunications Act does not authorize regulating OTT communication platforms in this manner.
Telecom Operators Welcome "Necessary Security Measure"
In stark contrast, telecom operators represented by the Cellular Operators Association of India (COAI) have welcomed the SIM-binding rule, terming it a "necessary security measure." They argue that tech companies are overstating their concerns.
COAI stated that SIM binding acts as a "layered defence" against a common vulnerability in digital communication. It emphasized that the feature is already standard in systems like UPI and payment apps, where the SIM only needs to be present and active, not necessarily using mobile data.
The association dismissed concerns about user inconvenience, stating the security benefits of automatic six-hour logouts from web versions "would far outweigh any inconvenience." COAI also clarified that SIM binding operates at the user-account level and does not disrupt enterprise messaging, CRM systems, or APIs, ensuring each account is tied to a verified SIM.
The DoT maintains that the rule is crucial to counter phishing, digital arrest, impersonation, and investment scams, noting that SIM binding is already standard in banking systems. The standoff sets the stage for further discussions as the February 2026 deadline approaches.
