India's New Cybersecurity Rules Force WhatsApp Web Logouts Every Six Hours

India's government has implemented new telecommunications cybersecurity regulations that will significantly impact how messaging platforms operate, requiring WhatsApp users to be automatically logged out of web services every six hours as part of enhanced security measures.

The Telecommunication Cybersecurity Amendment Rules, 2025, notified by the Department of Telecommunications in October, introduce mandatory continuous SIM card verification for all messaging applications, fundamentally changing how platforms like WhatsApp, Telegram, and Signal function in the Indian market.

Regulatory Framework and Implementation

The new regulations establish a category called Telecommunication Identifier User Entity (TIUE), encompassing platforms that use mobile numbers for user verification. This framework now governs major messaging services including WhatsApp, Telegram, Signal, Snapchat, and several domestic applications.

Under these rules, platforms must ensure their services remain continuously linked to the SIM card used during initial registration. Users cannot access applications if their registered SIM card is not physically active in their device, a process technically known as SIM binding.

Companies have 90 days to implement these changes and must submit compliance reports within four months. The regulations specifically mandate that companion web services like WhatsApp Web automatically log users out every six hours maximum.

Government Rationale and Security Concerns

Officials justify these measures as essential for combating cybercrime and digital fraud. The Department of Telecommunications expressed concern about app-based communication services allowing users to operate without active SIM cards, creating vulnerabilities for international cybercriminals.

The Cellular Operators Association of India explained that current binding processes occur only during installation, after which applications function independently. This creates opportunities for misuse, particularly by fraudsters exploiting inactive or foreign SIM cards for phishing scams and financial fraud targeting Indian users.

Government officials believe continuous SIM verification will help identify and block fraudulent activities, addressing challenges in tracking scammers who exploit messaging platforms from outside India.

Industry Concerns and User Impact

While the telecommunications sector initially supported SIM binding principles, industry representatives now raise concerns about practical implications for everyday users. The regulations could create significant obstacles for international travellers who typically switch to local SIM cards while maintaining access to messaging services.

Business operations may face disruption as frequent mandatory logouts from WhatsApp Web could interrupt workplace communication routines. Many professionals rely on desktop messaging services during office hours, often without their mobile devices readily available.

Industry experts question the effectiveness of these measures, noting that sophisticated fraudsters often use SIM cards obtained through illegal channels with forged documentation. Despite strict verification systems in banking and digital payment applications, financial fraud remains persistent.

Regional and Strategic Implications

These regulations reflect India's broader approach to digital sovereignty and cybersecurity, particularly relevant given the country's strategic position in the Indo-Pacific region. The measures align with global trends toward increased platform regulation while addressing specific regional security challenges.

For WhatsApp's estimated 500 million Indian users, the changes represent a trade-off between convenience and security. While the platform may become less seamless, enhanced verification could potentially reduce exposure to cyber threats.

The implementation of these rules demonstrates India's commitment to balancing technological innovation with national security requirements, setting precedents that may influence regulatory approaches across other democratic nations facing similar cybersecurity challenges.