Concerns grow as DoT issues SIM-binding order for apps

The Broadband India Forum (BIF) has voiced serious concern over the Directions for SIM Binding issued by the Department of Telecommunications (DoT) on 28 November 2025. These directions require app-based communication services to remain constantly linked to the specific SIM card inserted in a user’s device and mandate compulsory six-hour logouts for users accessing services via web or desktop platforms.

Although the DoT has described the measures as an effort to curb cyber-fraud originating from abroad, BIF argues that the directives raise fundamental questions of jurisdiction, proportionality and consumer impact.

It further observes that the obligations extend far beyond the mandates set out in the Telecom Act or the purpose of the Telecom Cyber Security Rules. BIF notes with disappointment that such wide-reaching directives have been issued without public consultation, user-impact assessment or adequate implementation timelines.

A central concern for BIF is what it regards as jurisdictional overreach. During previous consultations on the Draft Telecom Cyber Security Amendments, BIF had warned that the creation of the Telecommunication Identifier User Entity (TIUE) category could be misapplied to regulate OTT platforms and digital services.

These services fall squarely under the IT Act and the purview of the Ministry of Electronics and Information Technology (MeitY), not the Telecom Act. BIF maintains that the Telecommunications Act does not empower the DoT to regulate OTT communication platforms, nor does it provide a legal basis for imposing telecom-style operational requirements on them.

Despite this, the current SIM-binding directions impose such obligations on a select group of applications, without transparency or public participation. According to BIF, the directives exceed the statutory framework, blur established jurisdictional boundaries and exemplify regulatory overreach without legislative backing.

BIF also warns that the SIM-binding requirement and the mandatory periodic logouts could cause significant disruption for legitimate, law-abiding users while offering limited additional protection against sophisticated fraud networks.

Many ordinary scenarios risk being affected, including the experience of travellers and NRIs who rely on Wi-Fi to use their Indian numbers abroad, professionals who depend on uninterrupted web-client access throughout a standard working day, families and multi-SIM users who separate their primary SIM from their messaging number, and elderly or low-literacy users who may struggle with repeated authentication prompts. 

In BIF’s view, these disruptions amount to a consumer burden introduced without consultation, proportionality assessment or evidence of necessity, and could degrade user experience for millions of compliant citizens.

In addition, BIF highlights the issue of selective application. The directions cover only certain services while leaving out others that operate in an identical manner. This creates clear avenues for regulatory arbitrage, as malicious actors may simply migrate to platforms not subject to the new obligations. It also results in unequal treatment of similar services and could lead to distortions in the digital communications market.

BIF questions the overall effectiveness of SIM binding as a tool for combating cyber-fraud. The primary sources of fraud,such as the procurement of Indian SIM cards through mule networks, remote access of devices located within India, and well-documented fraud clusters like Jamtara, remain largely unaffected by the new obligations.

Meanwhile, the requirements raise serious concerns about technical feasibility due to operating system restrictions, particularly within iOS, the complexities of dual-SIM and eSIM usage, and the extensive architectural redesigns that TIUE-designated services would be compelled to undertake. BIF argues that a narrow focus on SIM-binding risks diverting attention from far more impactful measures, including robust enforcement of SIM-KYC norms and coordinated action between telecom operators, financial intermediaries and law-enforcement agencies.

Given these issues, BIF urges the DoT to pause the current implementation timelines and initiate a formal, transparent stakeholder consultation. It recommends establishing a technical working group comprising OS providers, TIUEs, licensees and security specialists to develop a risk-based and proportionate framework that aligns with constitutional standards of necessity and minimal intrusion.

BIF President T.V. Ramachandran emphasised the organisation’s willingness to collaborate with the Government to strengthen India’s telecom cybersecurity architecture. He stated that the concerns raised during earlier consultations, specifically, that digital and OTT services might inadvertently be subjected to telecom-style obligations, have materialised in the current directions.

He added that measures of such consequence must be supported by legislative sanction, must respect jurisdictional boundaries and must undergo transparent, consultative scrutiny to minimise disruption for millions of genuine users and businesses across the country.