Data Center and Cloud Service Law in Nepal: Key Highlights

Data Center and Cloud Service Law in Nepal: Key Highlights

01. Law Relating to Operation and Management of Data Center and Cloud Service in Nepal

Data Center and Cloud Service (Operation and Management) Directives, 2025 (2081) (hereinafter referred to as “Directive”) was issued by the Ministry of Communication and Information Technology on 28th January, 2025 (2081/10/15). This Directive was enacted under Section 79 of Electronic Transaction Act, 2006 A.D. The Directive aims to ensure mandatory registration, provides operational guidelines, security standards and compliance requirements for the establishment of secure and reliable data management entities for private, public and government sectors.

 

Through this article readers will be able to understand the key provisions such as mandatory registration, required documentation, tier rating, compliance obligation and removal from the list of Service Provider under Data Center and Cloud Service (Operation and Management) Directive. 

 

 

02. Key Terms as defined by the Directive

The Directive provides specific definition for following terms:

 

  • Data: Data is any information, knowledge, concept or instruction that are produced by computers, computers systems and computer networks which includes any text, number, images, audio, animation or audiovisual.
  • Data Center: A facility developed by government, public and private sectors equipped with computer systems, telecommunications and storage systems to organize, process, store and disseminate large amount of data.
  • Cloud Service: Infrastructure both hardware and software developed for the hosting of the information processing system utilizing data center service or other sources for government, public, and private sectors. 
  • Service Provider: Those entities that operates and manages the data center and cloud services.

 

03. Registration Requirement for Data Center and Cloud Service in Nepal

The directive mandates compulsory registration for the Data Centers and Cloud Service Providers with the Department of Information and Technology (herein referred as “Department”) before offering their services. 

 

Once the documents are submitted to the Department and upon inspection, the Department may list the Service Provider and provides the registration certificate within one month from date of application.

 

The existing Service Providers must apply for the registration within six months until 31st July, 2025 from the date of enactment (28th January, 2025).

 

04. Document required for the registration of data center in Nepal

The directive has provided separate documents list required for the registration of Data Center which are listed below: 

 

S.NDocuments For Data Center
1Certificate of Incorporation of Company/Firm
2Security and Privacy Policy of the Organization
3Details relating to the Business Continuity Plan
4Details of IP Pool available
5Ensuring Fire Safety
6Building Completion Certificate
7Map Location of the Data Center
8Details regarding the tier of the Data Center
9Details of Technical manpower involved in Data Center
10Details of procedures to be followed for the physical security of the Data
11High level electricity design
12For the Data Centers in operation, a certificate related to the Information Security Standards for both DC and DR must be submitted within 6 months of the enactment of the Directive i.e before 31st July, 2025.

 

 

05. Documents required for the Registration of Cloud Service in Nepal

The directive has provided separate documents list required for the registration of Cloud Service which are listed below:

 

S.N.Documents For Cloud Service
1Certificate of the Incorporation of Company/Firm
2Security and Privacy Policy of the Organization
3Documents related to the Business Continuity Plan
4Details of the IP Pool available
5Details of the Technical manpower involved in the operation of the cloud service
6Map Location of the Data Center where the cloud service is operated
7Agreement with the Data Center
8Details regarding affiliation with ISP/NSP
9For Cloud Services currently in operation, a certificate related to the Information Security Standards must be submitted within 6 months of listings.

 

06. Tier Rating of the Data Center

Directive has categorized tier rating of Data Center based on physical infrastructure. Data Centers must obtain a tier rating based on their physical infrastructure and services, following the international standard of Uptime Institute’s classification which is mentioned in the below table:

S.N.BasicTier 1Tier 2Tier 3Tier 4
Distribution path for Power and cooling111 active + 1 alternative2 actives
Active Component RedundantNNN+12(N+1)
Backbone RedundancyNoNoRequiredRequired
Horizontal Cabling RedundancyNoNoNoOptional
UPS/ GeneratorOptionalRequiredRequiredDual Systems Required
Concurrently MaintainableNoNoYesYes
Fault TolerantNoNoNoYes
Minimum Uptime per year99.671%99.749%99.982%99.995%
Maximum Downtime per year28.8 hours22 hours1.6 hours26.3 minutes
Power backup requirement12 hours12-24 hours24-48 hours48+ hours

 

 

07. Compliance Requirement for Data Center and Cloud Service in Nepal

The Directive has created the following compliance requirement for the Service Provider which are as mentioned: 

 

a. Annual Compliance: The Service Provider must provide annual security audits and submit annual compliance details to the Department.

b. Compliance Officers: The Service Provider shall appoint compliance officer or partner with an authorized institution to adhere with the international standards.

c. Report unauthorized access: In case of unauthorized access, the Service Provider must report to the authority immediately and take action regarding the breach promptly.

c. Building Secure Infrastructure: The Service Provider must maintain robust technical infrastructure (server racks, network equipment, servers, storage, and HVAC systems), physical security, fire safety, monitoring infrastructure and network equipment.

 

08. Removal of Data Center and Cloud Service

The Service Providers may be removed from the Department’s list in following case:

 

a. Request for Cancellation: The registration may be cancelled as per the request application by the Service Providers. 

b. Non-compliance: The department may cancel the registration if the Service Provider does not comply with this directive, fails to maintain compliance or does not submit required documents.



 

Date of Publication: June 4 , 2025 

 

Disclaimer: . This article published on website of the law firm is just for information purpose only. It shall not be taken as the legal advice, advertisement, personal communication, solicitation or inducement. Bhandari Law and Partners or any of the team members of the firm shall not be liable for the consequence arising of the information provided. As the factual situation may be different on your case, thereof if you need further legal advice on the subject matter, please Contact Us

Related Professionals:

Frequently Asked Question

Loading FAQs...

For quick legal assistance:

You can directly call to our legal expert: +977-9808811027

Even can call or drop a text through What’s app , Viber, Telegram and We Chat at the same number.

Also can do email on : info@lawbhandari.com

contact us

Phone :,

,

Connect with our professional lawyers in Nepal :

Follow Our Law Firm on Social Media :

CONTACT FORM: REACH OUT TO US AT ANY TIME

Full Name

Email

Phone Number

publication