Data Centers, Cloud Services Must Get Permit Under New IT Bill

The government has introduced a new bill requiring data centers and cloud service providers to obtain a license before operating. According to Section 43 of the recently registered Information Technology and Cybersecurity Bill, companies offering such services must secure authorization from the relevant department under the Ministry of Communication and Information Technology.

The bill exempts organizations operating data centers or cloud services solely for internal use. However, providers already in operation will be required to obtain a license within one year of the law’s enforcement. Licensed companies must submit updated reports annually, while the responsible department will carry out inspections at least twice a year.

Currently, there is no law regulating data center and cloud services. A ministerial decision introduced interim regulations last year, requiring service providers to be listed with the Department of Information Technology. The new bill aims to bring these companies formally under legal oversight. Operating without a license could result in fines of up to Rs 500,000.

Section 44 of the bill also allows the storage of information systems in data centers or cloud platforms, except in cases restricted by the government. With growing investments in data infrastructure, the government is pushing to regulate the sector through legislation.

Domain Registration and Renewal Fees

The bill introduces provisions on domain registration and management, placing authority under the same department. Domain operators will be subject to guidelines ensuring reliable and secure operations.

Any individual or institution registering a domain under the “.np” extension must do so through designated agencies. Registered domains will need to be renewed every two years by paying a prescribed fee. Currently, “.np” domains are free and do not require renewal. Government agencies must register their domains under “.gov.np,” although renewal fees will not apply to them. Existing domain holders must register within six months of the law’s enactment.

Additionally, Section 74 mandates that all government bodies and public institutions establish and operate their own websites for information and service delivery. These websites must comply with minimum security and operational standards set by the ministry.

The bill also brings the already-established National Cybersecurity Center under legal authority. The center was created in 2024 under the National Cybersecurity Policy.

Headquartered in Kathmandu Valley, the center will be led by a joint secretary-level official from the ministry, with sufficient staff assigned for operations. Its responsibilities will include monitoring and analyzing cybersecurity risks, ensuring 24/7 surveillance of critical information infrastructure, assessing cyber incidents, and responding to threats affecting national security, the economy, defense, public health, and essential services.

The center will also oversee cybersecurity practices adopted by infrastructure owners, develop technical standards, run a digital forensic lab, and draft licensing requirements for cybersecurity service providers. Furthermore, it will coordinate with foreign computer emergency response teams, conduct cybersecurity audits, and deploy rapid assistance teams equipped with technical experts to address emerging cyber risks.