Cybersecurity regulation in Nepal (2026)

Proposed

Electronic Transactions Act 2063 (2008); National Cyber Security Policy 2080 (2023); Nepal Rastra Bank Cyber Resilience Guidelines (2023); Information Technology and Cyber Security Bill 2082 (passed lower house August 2025, enactment pending)

Country index 72 · B

Nepal's operative cybersecurity framework rests on the Electronic Transactions Act 2063, which criminalises hacking and unauthorised access but contains no mandatory breach-notification or cross-sector incident-reporting duties. The Cabinet-approved National Cyber Security Policy 2080 (2023) and the newly established National Cyber Security Centre (NCSC, January 2024) provide a policy and coordination layer. A comprehensive Information Technology and Cyber Security Bill 2082 passed Nepal's House of Representatives in August 2025 and, once fully enacted, would replace the ETA 2063 with modern mandatory incident-reporting and Critical Information Infrastructure (CII) protection obligations.

Key points

Foundational law – ETA 2063

The Electronic Transactions Act 2063 (enacted 2008) is Nepal's primary cyber statute. It criminalises hacking, fraud, and unauthorised access with penalties of NPR 50,000–300,000 and 6 months to 3 years imprisonment, but imposes no general breach-notification obligation or structured incident-reporting regime.

National Cyber Security Policy 2080

Nepal's Cabinet approved the National Cyber Security Policy 2080 in August 2023—the country's first dedicated cybersecurity policy. It calls for provincial CERTs, ethical-hacking promotion, and digital-literacy programmes, but is an executive policy instrument rather than binding legislation.

National Cyber Security Centre (NCSC)

Nepal established the NCSC on 24 January 2024 as the national body to coordinate and resolve cybersecurity incidents. In January 2025 it issued a 102-point advisory covering mandatory software updates, MFA, and voluntary incident reporting, though it currently lacks statutory enforcement authority under the ETA 2063.

IT & Cybersecurity Bill 2082 – proposed legislation

The Information Technology and Cyber Security Bill 2082 was registered in the House of Representatives in June 2025 and passed the lower house. It would replace the ETA 2063 and introduce mandatory breach notification, a CII protection regime, AI governance provisions, and heavier penalties (up to NPR 1,000,000 and 5 years imprisonment). Full enactment into law has not been confirmed as of mid-2026.

Financial sector – NRB Cyber Resilience Guidelines

Nepal Rastra Bank issued Cyber Resilience Guidelines in August 2023 for banks, payment service providers, and payment service operators. Requirements include two-factor authentication, disaster-recovery sites, ISO 27001-aligned controls, continuous monitoring, and mandatory IT audits every two years—currently the most binding sector-specific cybersecurity obligations in force.

Breach notification – cross-sector gap

No general statutory breach-notification or cross-sector incident-reporting duty exists under current law. The NRB guidelines impose reporting duties on the financial sector only. The draft IT & Cybersecurity Bill 2082 would introduce mandatory notification for the first time across sectors upon enactment.

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.