India Amends TCS Rules, 2025 with New Authentication Standards for Messaging Platforms

India’s latest amended cybersecurity rules require messaging apps to implement continuous SIM-based authentication and six-hour auto-logouts to prevent cross-border fraud while raising operational and privacy questions amongst telecom industry experts.

The Department of Telecommunications (DoT), Ministry of Communications, has introduced updates to the Telecommunication Cyber Security (TCS) Rules, 2024, through the Telecommunication Cyber Security (TCS) Amendment Rules, 2025. These regulatory updates aim to improve India’s cyber preparedness, reinforce the security of telecom identifiers, and safeguard the rapidly expanding digital ecosystem.

With sectors such as banking, fintech, e-commerce, logistics, and public services increasingly dependent on mobile numbers and device identifiers for authentication, the amendments address emerging security vulnerabilities and rising incidents of telecom-enabled cybercrime.

Telecom Identifier User Entities (TIUEs): Expanding regulatory responsibilities

The amendments introduce a new compliance category, Telecom Identifier User Entities (TIUEs), to account for the extensive and growing use of telecom identifiers such as mobile numbers, IMEIs, SIM identifiers, and IP addresses across the digital economy.

Entities covered under TIUEs

TIUE obligations apply to:

• Banks and financial institutions
• Fintech platforms and digital payment providers
• E-commerce and online service marketplaces
• Digital service providers and app-based businesses
• Any entity relying on telecom identifiers for user authentication or verification

Find Business Support

De-Risk Your Business with Multi-disciplinary Review and Legal Advisory

TIUEs are required to share telecom-identifier information with the central government under clearly defined and legally sanctioned circumstances. This is expected to support faster investigations and improve traceability of telecom-related cyber offenses. The entities must ensure responsible handling, storage, and protection of telecom identifiers in line with applicable privacy and data protection requirements.

Although the Telecommunications Act, 2023, exempted OTT messaging services from telecom licensing, the updated cybersecurity rules extend certain obligations to them, especially if they rely on mobile numbers for identity verification. As a result, OTT messaging platforms fall within the operational scope of TIUE-linked compliance.

Mandatory six-hour logout and sim binding for messaging apps

A significant feature of the amendments is the mandatory six-hour auto-logout for web and desktop versions of messaging applications. Additionally, the government has instructed major communication platforms, including WhatsApp, Telegram, Signal, Snapchat, and ShareChat, to ensure that their applications function only when the active SIM associated with the registered mobile number is present in the device.

While most messaging services authenticate users during onboarding, the new SIM-binding requirement mandates recurring checks to confirm that the registered SIM remains active in the device, creating a continuous linkage between user identity and device-level telecom identifiers.

Compliance timelines for TIUE entities

TIUEs and affected digital platforms must adhere to the following timelines:

• 90 days to implement continuous SIM-based authentication and linking
• Six-hour auto-logout enforcement across all web and desktop sessions
• 120 days to submit detailed and complete compliance reports to the authorities

Failure to comply may lead to enforcement action under the Telecommunications Act and the Telecom Cybersecurity Rules, underscoring the seriousness of these obligations.

Industry concerns regarding operational disruptions

Despite the security rationale, the regulatory updates have raised substantial concerns among industry stakeholders. Experts caution that the new requirements may disrupt businesses and professionals who depend on uninterrupted access to messaging platforms:

• Ongoing calls, customer interactions, and support sessions may abruptly terminate, causing operational delays for freelancers, entrepreneurs, and service teams.
• Users may miss important messages if logged out without notice.
• Frequent re-authentication interrupts workflow efficiency, especially for teams heavily reliant on WhatsApp Web, desktop apps, and shared-device access.

Organizations such as CUTS International (Consumer Unity & Trust Society) have argued that these disruptions could diminish user confidence and increase friction for both personal and business communication.

ALSO READ: India’s Telecom Sector: Market Outlook and Regulatory Landscape

Impact on small and mid-sized businesses

Small and mid-sized enterprises, particularly those coordinating logistics, customer service, dispatch operations, or field teams through messaging platforms, may experience operational slowdowns. When sessions expire frequently and reactivation requires access to the original SIM-linked device, routine workflows could become more cumbersome, potentially affecting productivity and service delivery.

Privacy implications and technical challenges

Experts highlight that repeated hardware-level SIM validation could affect user autonomy and raise questions about proportionality. Additionally, device ecosystems such as iOS impose restrictions on third-party applications detecting SIM status, making technical implementation more complex.

India currently appears to be the only major jurisdiction mandating SIM-dependent operating conditions for messaging applications. This could result in fragmented user experiences globally and require higher development and compliance investments from international platforms.

Security rationale behind the directive

The government’s position is grounded in internal investigations that identified cases where messaging applications remained accessible even when the SIM card linked to the account was removed. Such gaps have been exploited in cross-border fraud, identity spoofing, and cyber-enabled financial crimes.

Officials note that:

• Fraud networks frequently rely on long-term logged-in accounts and VoIP numbers to evade tracing.
• Mandatory SIM-based linkage could close critical vulnerabilities exploited for anonymity.
• Major telecom operators, represented by the Cellular Operators Association of India (COAI), have supported these measures as part of broader efforts to curb spam, cyber fraud, and threats to national security.

Other key enhancements under the TCS Amendment Rules, 2025

Mobile Number Validation (MNV) platform introduced

To tackle identity fraud and the proliferation of “mule accounts” in financial and digital services, the amendment formalizes the Mobile Number Validation (MNV) platform.

Key functions:

• Provides a secure, decentralized, and privacy-conscious mechanism for service providers to confirm that a mobile number genuinely belongs to the user of a given service.
• Helps prevent fraudulent use of mobile numbers in banking, digital wallets, e-commerce, and government platforms.
• Enhances the integrity of digital transactions and reduces impersonation risks.

Mandatory IMEI scrubbing for the second-hand device market

For the second-hand and refurbished smartphone market in India, the new compliance requirements are as follows:

• Every device must undergo IMEI-based verification against a centralized blacklist before being resold or refurbished.
• Protects buyers from inadvertently purchasing illegal or compromised devices.
• Supports law enforcement in tracking stolen mobile equipment.
• Improves accountability and operational standards within the resale ecosystem.

• Previous Article India Manufacturing Tracker 2025
• Next Article