Table of content
-
Data Center and Cloud Service Law in Nepal: Key Highlights
01. Law Relating to Operation and Management of Data Center and Cloud Service in Nepal
Data Center and Cloud Service (Operation and Management) Directives, 2025 (2081) (hereinafter referred to as “Directive”) was issued by the Ministry of Communication and Information Technology on 28th January, 2025 (2081/10/15). This Directive was enacted under Section 79 of Electronic Transaction Act, 2006 A.D. The Directive aims to ensure mandatory registration, provides operational guidelines, security standards and compliance requirements for the establishment of secure and reliable data management entities for private, public and government sectors.
Through this article readers will be able to understand the key provisions such as mandatory registration, required documentation, tier rating, compliance obligation and removal from the list of Service Provider under Data Center and Cloud Service (Operation and Management) Directive.
02. Key Terms as defined by the Directive
The Directive provides specific definition for following terms:
- Data: Data is any information, knowledge, concept or instruction that are produced by computers, computers systems and computer networks which includes any text, number, images, audio, animation or audiovisual.
- Data Center: A facility developed by government, public and private sectors equipped with computer systems, telecommunications and storage systems to organize, process, store and disseminate large amount of data.
- Cloud Service: Infrastructure both hardware and software developed for the hosting of the information processing system utilizing data center service or other sources for government, public, and private sectors.
- Service Provider: Those entities that operates and manages the data center and cloud services.
03. Registration Requirement for Data Center and Cloud Service in Nepal
The directive mandates compulsory registration for the Data Centers and Cloud Service Providers with the Department of Information and Technology (herein referred as “Department”) before offering their services.
Once the documents are submitted to the Department and upon inspection, the Department may list the Service Provider and provides the registration certificate within one month from date of application.
The existing Service Providers must apply for the registration within six months until 31st July, 2025 from the date of enactment (28th January, 2025).
04. Document required for the registration of data center in Nepal
The directive has provided separate documents list required for the registration of Data Center which are listed below:
| S.N | Documents For Data Center |
|---|---|
| 1 | Certificate of Incorporation of Company/Firm |
| 2 | Security and Privacy Policy of the Organization |
| 3 | Details relating to the Business Continuity Plan |
| 4 | Details of IP Pool available |
| 5 | Ensuring Fire Safety |
| 6 | Building Completion Certificate |
| 7 | Map Location of the Data Center |
| 8 | Details regarding the tier of the Data Center |
| 9 | Details of Technical manpower involved in Data Center |
| 10 | Details of procedures to be followed for the physical security of the Data |
| 11 | High level electricity design |
| 12 | For the Data Centers in operation, a certificate related to the Information Security Standards for both DC and DR must be submitted within 6 months of the enactment of the Directive i.e before 31st July, 2025. |
05. Documents required for the Registration of Cloud Service in Nepal
The directive has provided separate documents list required for the registration of Cloud Service which are listed below:
| S.N. | Documents For Cloud Service |
|---|---|
| 1 | Certificate of the Incorporation of Company/Firm |
| 2 | Security and Privacy Policy of the Organization |
| 3 | Documents related to the Business Continuity Plan |
| 4 | Details of the IP Pool available |
| 5 | Details of the Technical manpower involved in the operation of the cloud service |
| 6 | Map Location of the Data Center where the cloud service is operated |
| 7 | Agreement with the Data Center |
| 8 | Details regarding affiliation with ISP/NSP |
| 9 | For Cloud Services currently in operation, a certificate related to the Information Security Standards must be submitted within 6 months of listings. |
06. Tier Rating of the Data Center
Directive has categorized tier rating of Data Center based on physical infrastructure. Data Centers must obtain a tier rating based on their physical infrastructure and services, following the international standard of Uptime Institute’s classification which is mentioned in the below table:
| S.N. | Basic | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
|---|---|---|---|---|---|
| Distribution path for Power and cooling | 1 | 1 | 1 active + 1 alternative | 2 actives | |
| Active Component Redundant | N | N | N+1 | 2(N+1) | |
| Backbone Redundancy | No | No | Required | Required | |
| Horizontal Cabling Redundancy | No | No | No | Optional | |
| UPS/ Generator | Optional | Required | Required | Dual Systems Required | |
| Concurrently Maintainable | No | No | Yes | Yes | |
| Fault Tolerant | No | No | No | Yes | |
| Minimum Uptime per year | 99.671% | 99.749% | 99.982% | 99.995% | |
| Maximum Downtime per year | 28.8 hours | 22 hours | 1.6 hours | 26.3 minutes | |
| Power backup requirement | 12 hours | 12-24 hours | 24-48 hours | 48+ hours |
07. Compliance Requirement for Data Center and Cloud Service in Nepal
The Directive has created the following compliance requirement for the Service Provider which are as mentioned:
a. Annual Compliance: The Service Provider must provide annual security audits and submit annual compliance details to the Department.
b. Compliance Officers: The Service Provider shall appoint compliance officer or partner with an authorized institution to adhere with the international standards.
c. Report unauthorized access: In case of unauthorized access, the Service Provider must report to the authority immediately and take action regarding the breach promptly.
c. Building Secure Infrastructure: The Service Provider must maintain robust technical infrastructure (server racks, network equipment, servers, storage, and HVAC systems), physical security, fire safety, monitoring infrastructure and network equipment.
08. Removal of Data Center and Cloud Service
The Service Providers may be removed from the Department’s list in following case:
a. Request for Cancellation: The registration may be cancelled as per the request application by the Service Providers.
b. Non-compliance: The department may cancel the registration if the Service Provider does not comply with this directive, fails to maintain compliance or does not submit required documents.
Date of Publication: June 4 , 2025
Disclaimer: . This article published on website of the law firm is just for information purpose only. It shall not be taken as the legal advice, advertisement, personal communication, solicitation or inducement. Bhandari Law and Partners or any of the team members of the firm shall not be liable for the consequence arising of the information provided. As the factual situation may be different on your case, thereof if you need further legal advice on the subject matter, please Contact Us.
Related Professionals:
Frequently Asked Question
Loading FAQs...
For quick legal assistance:
You can directly call to our legal expert: +977-9808811027
Even can call or drop a text through What’s app , Viber, Telegram and We Chat at the same number.
Also can do email on : info@lawbhandari.com
contact us
Phone :,
,Connect with our professional lawyers in Nepal :
Follow Our Law Firm on Social Media :