New SIM Card Rules India 2026: KYC, SIM Limit & Key Changes

Introduction

India's SIM card ecosystem just got a hard reset. The Department of Telecommunications and TRAI didn't announce minor tweaks — they restructured the entire framework from the ground up, targeting fraud that cost Indians an estimated ₹18,000 crore in 2025 alone. Fake SIMs bought for ₹50 apiece. Scammers running WhatsApp operations from Cambodia and Myanmar. OTP fraud that wiped out savings in minutes. The old system had gaps everywhere, and criminals knew exactly where each one was. The new SIM card rules close most of them — but they also change how millions of legitimate users buy, use, and manage their mobile connections.

What Is the New SIM Card Rule? The Core Changes Explained

Mandatory e-KYC — No Exceptions, No Workarounds

Paper-based KYC is dead. The new SIM card rules make Aadhaar-based e-KYC mandatory for every new SIM purchase and every SIM replacement. But the old loophole — using a printed Aadhaar with someone else's photo — has been closed too. It is mandatory to capture demographic details by scanning the QR code in the printed Aadhaar, not just eyeballing the document at a retail counter. That QR scan pulls verified data directly from the UIDAI database. Fakes don't survive it.

In case of a SIM replacement, the KYC process needs to be completed within 24 hours of incoming and outgoing SMS facilities, meaning there's a brief lockout window after swapping. That 24-hour SMS suspension seems minor. But it's the specific window that SIM swap fraudsters exploited to intercept OTPs and drain bank accounts while the real user couldn't receive alerts. The rule kills that window.

SIM Limits Per Person — Hard Cap, Hard Consequences

Individuals can own a maximum of 9 SIM cards across all operators. For Jammu and Kashmir and the Northeast, the limit is 6. Anyone holding more gets their extra SIMs deactivated automatically, and potential legal action follows. The limit isn't just a number — it's the enforcement mechanism behind the anti-fraud architecture. Bulk SIM hoarders running spam and scam operations at scale simply cannot function if they can't accumulate numbers in volume.

Bulk connections for businesses got overhauled entirely. The government has discontinued provisions of bulk connections. Businesses must undergo individual KYC verification for each SIM card purchase. These SIMs must not be sold or used for personal purposes. Legitimate enterprises using SIMs for machine-to-machine operations need to register each one separately under a documented business entity. The days of buying 500 SIMs with a single corporate ID and distributing them loosely are finished.

Vendor Registration — The Rule That Hits Dealers Hardest

Point-of-Sale Agents Must Register. No Grace Period Forever.

This rule caused the most friction at the distribution level. SIM card sellers must register with telecom operators, complete police verification, and submit documents like Aadhaar or passport. Telecom operators and vendors must sign agreements detailing roles, responsibilities, and consequences for violations. Every roadside shop, every franchise counter, every authorised reseller — all of them had to go through this process.

The penalty for non-compliance is not symbolic. Dealers face a penalty of ₹10 lakh if found violating the norms. A PoS agent failing to comply may get terminated or face a three-year blacklist. Three years out of the telecom distribution business is a serious economic consequence for small operators who depend on commissions. The 12-month window to complete registration already passed for most. Enforcement is the phase happening now.

SIM Binding — The Biggest New Rule Most People Haven't Registered Yet

This is the rule that fundamentally changes how messaging apps work in India. And it's not a minor tweak to terms of service — it's a structural mandate from the DoT.

The Department of Telecommunications has mandated that all instant messaging platforms implement SIM Binding. This means a user must have the physical SIM card active in their smartphone to use a messaging app associated with that number. WhatsApp. Telegram. Signal. All of them. If the SIM isn't physically present and active in the device, the app won't work for that account. The account doesn't just become limited — it deactivates.

Why does this matter so much? Because the primary scam operation that devastated hundreds of thousands of Indians ran like this: buy a SIM, set up a WhatsApp number, run the fraud, then throw the SIM card away before police could trace it. Untraceable. Fast. Scalable. Scammers bought bulk fake SIMs for ₹50 each, ran WhatsApp scams, then ditched the cards. I4C data shows 70% of fraud occurred via unverified Indian numbers.  SIM Binding makes the discard-and-run model impossible. The account dies when the SIM disappears.

Web-based versions of messaging apps will require re-authentication every six hours to ensure the primary device still contains the authorized SIM. That six-hour check exists specifically to block the scenario where someone registers an account on a phone with a real SIM, then moves to a web-based session to continue operating after the SIM is discarded.

The DoT gave platforms 90 days from November to implement. Full enforcement is expected in mid-2026.

CNAP — Caller Name Presentation: Fraud Caller Exposure

Impersonation fraud — the "bank official calling from SBI" scam, the "income tax officer" call, the fake "customs clearance agent" — all of these rely on anonymous caller display. The caller's number shows up, the victim has no idea who it actually is, and the script runs.

TRAI has directed all telecom operators to roll out Caller Name Presentation. With CNAP, users will see the verified name of the caller on their screen for all incoming calls. This name is pulled directly from the KYC data provided when the SIM card was purchased.  Verified. Not self-declared. The name showing on the screen is the one tied to the Aadhaar linked during SIM purchase — which the fraudster cannot fake without a genuine identity.

Pilots showed a 40% fraud drop in test circles where CNAP was active. That's not a marginal improvement. That's structural disruption to the impersonation business model. CNAP is expected to reach full nationwide rollout through 2026, with Jio and Airtel already in the testing phase.

90-Day Cooling Period — Recycled Numbers and the Fraud They Enabled

A disconnected SIM number won't be reissued for 90 days, preventing immediate misuse. The 90-day cooling period for previously deactivated numbers adds another layer of security, giving authorities time to investigate any suspicious activity.

The problem this solves is real and was happening at scale. A fraudster's SIM gets deactivated. The number gets reissued quickly to someone new. That new subscriber's bank accounts, UPI, and messaging apps still have the old number attached — and whoever picks up the recycled number can potentially intercept OTPs meant for the previous holder. A 90-day gap between deactivation and reissue cuts that exploitation window to zero for most banking cycles.

Inactive SIM Rules — The Secondary SIM Problem

Millions of Indians carry dual-SIM phones. One SIM for primary use, one for a secondary operator kept alive for data plans or specific network coverage. The new rules create real pressure on those secondary SIMs. SIM cards inactive for 30 days may have outgoing services suspended, and after 45 days, incoming services may be blocked. 

But here's where the 90-day prepaid balance rule matters as a counterweight. If a SIM remains inactive for over 90 days and the user has a prepaid balance of ₹20, the amount will be deducted to extend the SIM's activation for an additional 30 days. The ₹20 balance essentially acts as an automatic stay-alive mechanism for infrequently used SIMs — as long as some credit exists, the SIM survives the inactivity check.

BSNL users have a specific advantage here. Government-owned BSNL SIMs remain active for 180 days without any recharge — the longest validity window in the Indian market by a significant margin. For users keeping a BSNL connection alive purely as a backup number, this is a meaningful operational difference from private operators.

The TAFCOP Portal — A New Tool for SIM Audit

The Telecom Analytics for Fraud Management and Consumer Protection portal gives any Indian citizen a way to check how many SIM cards are registered against their Aadhaar ID — and flag and block any they didn't authorise. This became operationally important alongside the new rules because the enforcement mechanism for the 9-SIM limit depends on accurate ID linkage data.

If a SIM card was fraudulently issued against someone's Aadhaar — which happened extensively before the e-KYC mandate — that person now has a straightforward way to identify it and request deactivation. Law enforcement and DoT systems can act on those reports without the affected person having to file complex complaints.

What the New Rules Mean for Different User Groups

Regular Prepaid Users

The changes are mostly invisible in day-to-day usage. e-KYC during purchase is faster than paper-based methods, not slower. The 9-SIM limit doesn't affect anyone with a typical 1–3 SIM setup. CNAP on calls is a net positive — names on screen add trust to legitimate calls. The only friction comes if someone swaps SIMs frequently while traveling, which may log them out of messaging apps under SIM Binding.

Small Business Owners

No more bulk SIM purchases without individual KYC on each card. Businesses running customer service lines, delivery coordination, or field staff communications need to register each SIM individually under proper documentation. The process is more thorough. But the paperwork is manageable for legitimate operations.

eSIM Users

SIM Binding creates specific ambiguity for eSIM users. The rule mandates an active physical or registered eSIM in the device — but switching eSIM profiles on dual-profile devices could trigger account lockouts on messaging apps depending on how each platform implements the check. This is the edge case most likely to generate user confusion during the mid-2026 enforcement rollout.

Penalties for Breaking the New SIM Card Rules

The penalty structure is not soft.

• Selling SIM cards without proper dealer registration: ₹10 lakh fine + 3-year blacklist
• Fraudulent SIM issuance by a PoS agent: termination of the agent agreement + potential criminal prosecution
• Exceeding the per-person SIM limit: automatic deactivation of excess SIMs + potential legal action
• Bulk SIM misuse (using business SIMs for personal purposes): operator-level penalties under Telecom Act provisions

The government has taken these steps considering the severity of scams caused by fake SIMs, and penalties for breaking these rules include fines and imprisonment. The imprisonment provision is what separates this from earlier, softer regulatory postures. The government is treating SIM fraud as a criminal matter, not just a compliance lapse.

Conclusion

The SIM card new rules India rolled out through 2023–2026 represent the most comprehensive overhaul of India's mobile identity framework since Aadhaar-linked verification was first introduced. Mandatory e-KYC with QR scanning. Hard limits of 9 SIMs per identity. A 90-day cooling period before number reuse. Strict dealer registration with financial penalties for violations. SIM Binding tying messaging accounts to physically active cards. And CNAP putting verified caller names on every incoming call screen.

The fraud numbers demanded this. ₹18,000 crore lost in 2025. 70% of cases running through unverified numbers. Scam factories operating from overseas with disposable Indian SIMs. The old system made all of it too easy. The new framework makes most of it structurally impossible — not just harder. Regular users will barely notice the difference. Fraudsters, bulk SIM dealers, and impersonation scammers are facing a system that was specifically redesigned to shut down every loophole they depended on.