Are you seeking clarity on Nepal's cybersecurity law framework for your business or personal protection? The Electronic Transactions Act 2063 and Individual Privacy Act 2075 form the foundation, while the draft IT and Cyber Security Bill 2024 promises major reforms. This comprehensive guide explains exactly how Nepal's cybersecurity laws work, what protections exist, and how to comply with evolving digital regulations.
Nepal's cybersecurity framework is governed by multiple statutes including the Electronic Transactions Act 2063 (2008), the Individual Privacy Act 2075 (2018), and the National Cyber Security Policy 2023. These laws criminalize unauthorized access, data theft, cyber fraud, and privacy violations while establishing frameworks for digital signatures, electronic records, and data protection. Understanding these provisions is essential for businesses, individuals, and government entities operating in Nepal's rapidly expanding digital economy.
Nepal's cybersecurity laws are the legal framework governing digital activities, electronic transactions, data protection, and cybercrime prevention in Nepal. The primary legislation is the Electronic Transactions Act, 2063 (2008), supplemented by the Individual Privacy Act 2075 (2018), National Penal Code 2074, and sector-specific regulations from Nepal Rastra Bank and other authorities.
| Year (AD) | Milestone | Significance |
|---|---|---|
| 2008 | Electronic Transactions Act, 2063 enacted | Foundation of Nepal's cyber law |
| 2015 | Constitution of Nepal guarantees privacy as fundamental right (Article 28) | Constitutional basis for data protection |
| 2018 | Individual Privacy Act, 2075 enacted | First comprehensive privacy legislation |
| 2020 | National Cyber Security Policy approved by Cabinet | Strategic cybersecurity framework |
| 2023 | National Cyber Security Policy 2023 (revised) | Updated strategic roadmap |
| 2024 | Draft Information Technology and Cyber Security Bill | Proposed comprehensive update |
Nepal's cybersecurity law ecosystem operates under multiple statutes:
| Legal Instrument | Key Provisions | Regulatory Authority |
|---|---|---|
| Electronic Transactions Act, 2063 (2008) | Cybercrime definitions, digital signatures, electronic records, penalties | Nepal Police Cyber Bureau, Judiciary |
| Individual Privacy Act, 2075 (2018) | Personal data protection, consent requirements, privacy rights | District Courts |
| Individual Privacy Regulation, 2077 (2020) | Detailed implementation of Privacy Act | Relevant ministries |
| National Penal Code, 2074 (2017) | Fraud, cheating, identity theft, general criminal provisions | Nepal Police, Judiciary |
| National Cyber Security Policy, 2023 | Strategic framework, institutional roles, national priorities | Ministry of Communications and IT |
| NRB Unified Directives | Banking cybersecurity, digital payment security, reporting | Nepal Rastra Bank |
| Social Network Directives, 2023 | Social media regulation, content moderation, privacy | Ministry of Communications |
| Draft IT and Cyber Security Bill, 2024 | Proposed comprehensive update, National Cyber Security Center | Pending enactment |
The Electronic Transactions Act is the cornerstone of Nepal's cybersecurity laws, establishing both enabling provisions for digital commerce and criminal penalties for cyber offenses.
| Offense | Section | Maximum Penalty | Description |
|---|---|---|---|
| Pirating/Destroying Computer Source Code | 46 | 3 years + NPR 200,000 fine | Unauthorized alteration of protected source code |
| Unauthorized Access | 47 | 3 years + NPR 200,000 fine | Accessing computer systems without authorization |
| Damage to Computer Information System | 48 | 3 years + NPR 200,000 fine | Destroying, damaging, deleting, or altering computer data |
| Publication of Illegal Materials | 49 | 5 years + NPR 100,000 fine | Publishing prohibited content online |
| Confidentiality Breach | 50 | 2 years + NPR 10,000 fine | Divulging confidential information without authority |
| Computer Fraud | 54 | 2 years + NPR 100,000 fine | Fraudulent use of digital signatures, payment cards |
| False Statements for Licenses | 51 | 2 years + NPR 100,000 fine | Lying to obtain digital signature certificates |
| Unauthorized Certification | 52 | 2 years + NPR 100,000 fine | Operating as certifying authority without license |
Nepal's cybersecurity laws hold corporate bodies accountable for cyber offenses:
| Scenario | Liability |
|---|---|
| Offense by corporate body | Chief executive or responsible officer deemed liable |
| Consent, knowledge, or negligence of director/manager | Both corporate body and individual officer liable |
| Offense committed outside Nepal affecting Nepali systems | Legal action may still be taken in Nepal |
The Individual Privacy Act 2075 (2018) establishes comprehensive provisions for personal data protection within Nepal's cybersecurity laws.
| Category | Specific Data Types |
|---|---|
| Identity Information | Caste, ethnicity, birth, origin, religion, color, marital status |
| Contact Information | Address, telephone, email |
| Identification Numbers | Passport, citizenship, national ID, driving license, voter ID |
| Biometric Information | Thumb impressions, fingerprints, retina, blood group, other biometric data |
| Professional Information | Education, qualifications, professional opinions |
| Criminal Background | Criminal history, sentences served |
Section 27(2) defines sensitive personal information as data revealing:
| Right | Description | Limitation |
|---|---|---|
| Right to Data Privacy | Confidentiality of personal information | Subject to legal exceptions |
| Right to Consent | Informed consent required for collection | Public interest exceptions |
| Right to Information | Know purpose, nature, scope of collection | Limited to public entities for rectification |
| Right to Rectification | Correct wrong information | Only for public entity data |
| Right to Security | Protection against unauthorized access | Implementation by data collector |
| Violation | Penalty |
|---|---|
| Unauthorized collection/use of personal information | Up to 3 years imprisonment + NPR 30,000 fine |
| Breach of confidentiality | Up to 2 years imprisonment + NPR 10,000 fine (ETA) |
The National Cyber Security Policy 2023 provides the strategic framework for implementing Nepal's cybersecurity laws.
| Objective | Implementation Strategy |
|---|---|
| Protect Critical Information Infrastructure | Identification, risk assessment, security standards |
| Enhance Cyber Threat Detection | National Cyber Security Center, CERT-NP capabilities |
| Develop Cybersecurity Workforce | Education, training, certification programs |
| Promote International Cooperation | Bilateral agreements, information sharing |
| Strengthen Legal Framework | IT and Cyber Security Bill, updated regulations |
| Institution | Role | Status |
|---|---|---|
| National Cyber Security Center (proposed) | Central coordination, threat monitoring, incident response | Pending Bill enactment |
| Computer Emergency Response Team Nepal (CERT-NP) | Technical incident handling, advisories | Operational |
| Cyber Bureau of Nepal Police | Cybercrime investigation, enforcement | Operational |
| Nepal Telecommunications Authority | Telecom sector cybersecurity | Active |
Nepal Rastra Bank has issued comprehensive cybersecurity directives for financial institutions:
| Requirement | Directive | Compliance |
|---|---|---|
| Information Security Policy | NRB Directive on IT Governance | Mandatory for all BFIs |
| Cybersecurity Framework | NRB Cybersecurity Guidelines | Risk-based implementation |
| Incident Reporting | Immediate reporting of cyber incidents | Within specified timeframes |
| Penetration Testing | Regular security assessments | Annual or bi-annual |
| Data Localization | Sensitive data within Nepal | For critical categories |
The E-Commerce Act 2025 and Social Network Directives 2023 establish cybersecurity obligations for digital businesses in Nepal:
| Obligation | Requirement | Penalty for Non-Compliance |
|---|---|---|
| Data Privacy | Maintain confidentiality of personal information | Fine + imprisonment under ETA |
| User Rights | Provide access to amend/deactivate personal data | Administrative penalties |
| Content Moderation | Remove prohibited content, prevent privacy breaches | Fine up to NPR 50,000 + 6 months imprisonment |
| Local Registration | Register or appoint local representative | Operational restrictions |
The proposed Bill represents the most significant update to Nepal's cybersecurity laws in nearly two decades.
| Area | Current Law | Proposed Change |
|---|---|---|
| National Cyber Security Center | No dedicated authority | Establishment of centralized agency |
| AI Regulation | No specific provisions | Framework for artificial intelligence governance |
| Data Breach Notification | No mandatory reporting | Mandatory breach disclosure requirements |
| Cross-Border Data Transfer | Unclear/limited | Regulated framework |
| Data Subject Rights | Limited (access, rectification) | Expanded rights (erasure, portability, objection) |
| Critical Infrastructure | General provisions | Specific protection standards |
| Gap | Impact | Proposed Solution |
|---|---|---|
| No data protection authority | Enforcement through courts only | Dedicated regulatory body |
| No mandatory breach notification | Delayed response to data breaches | Legal obligation to report |
| Limited AI governance | Unclear liability for AI harms | Specific AI provisions |
| Weak cross-border rules | Data exfiltration risks | Regulated transfers |
| Outdated ETA 2008 | Doesn't address modern threats | Comprehensive update |
| Channel | Contact | Jurisdiction |
|---|---|---|
| Cyber Bureau of Nepal Police | [email protected] | All cybercrimes |
| Online Complaint Portal | Nepal Police website | General cyber incidents |
| CERT-NP | [email protected] | Technical incidents, vulnerabilities |
| District Court | Direct filing | Privacy Act violations |
| Requirement | Implementation | Legal Basis |
|---|---|---|
| Consent Management | Obtain explicit consent before data collection | Privacy Act 2075 |
| Purpose Limitation | Use data only for stated purposes | Privacy Act 2075 |
| Security Measures | Implement reasonable technical and organizational safeguards | Privacy Act 2075 |
| Access Controls | Restrict data access to authorized personnel | ETA 2063 |
| Incident Response | Plan for breach detection, response, notification | Best practice |
| Staff Training | Educate employees on cybersecurity and privacy | Best practice |
| Regular Audits | Assess compliance and security posture | NRB directives (for BFIs) |
The Electronic Transactions Act, 2063 (2008) is Nepal's primary cybersecurity legislation, governing cybercrimes, digital signatures, and electronic records. The Individual Privacy Act 2075 (2018) supplements this with data protection provisions.
Penalties vary by offense: unauthorized access carries up to 3 years imprisonment + NPR 200,000 fine; publication of illegal materials carries up to 5 years + NPR 100,000 fine; privacy breaches carry up to 3 years + NPR 30,000 fine.
The Cyber Bureau of Nepal Police is the designated authority for cybercrime complaints, reachable at [email protected]. CERT-NP handles technical security incidents.
Yes. The Individual Privacy Act 2075 (2018) and Article 28 of the Constitution protect personal data, requiring consent for collection and mandating security safeguards. However, enforcement mechanisms remain limited compared to international standards like GDPR.
No. Unlike many countries, Nepal's cybersecurity laws do not currently establish a dedicated data protection authority. The draft IT and Cyber Security Bill 2024 proposes creating such an authority.
Cyber offenses under the Electronic Transactions Act must generally be prosecuted within the limitation periods specified in the National Penal Code, typically ranging from 1-3 years depending on offense severity.
Yes. The ETA holds corporate bodies liable, with chief executives or responsible officers deemed personally liable unless they prove lack of knowledge or negligence.
Immediately: (1) contain the breach, (2) assess scope and impact, (3) document evidence, (4) notify affected individuals if feasible, (5) report to the Cyber Bureau if criminal activity is suspected, (6) implement corrective measures. While mandatory breach notification is not yet law, transparency is recommended.
Nepal ranked 94th out of 182 nations in the Global Cybersecurity Index 2020. The framework is considered developing, with significant gaps in data protection authority, breach notification, and AI governance that the draft 2024 Bill aims to address.
The draft Bill proposes: establishment of National Cyber Security Center, mandatory data breach notification, AI governance framework, expanded data subject rights, regulated cross-border data transfers, and strengthened critical infrastructure protection.
Navigating Nepal's cybersecurity laws requires specialized legal expertise. Attorney Nepal PVT LTD provides comprehensive support:
Contact Attorney Nepal PVT LTD for expert guidance on compliance with Nepal's cybersecurity laws.
Disclaimer: This guide provides general information about requirements under Nepal's cybersecurity laws. Specific situations require professional legal assessment. Contact qualified legal practitioners for case-specific guidance.
About the Author: This comprehensive guide was prepared by technology law specialists at Attorney Nepal PVT LTD, Kathmandu, Nepal. The information reflects current legal frameworks as of April 2026.
April 16, 2026 - BY Admin