The Ministry of Communication and Information Technology under the Government of Nepal introduced the Data Center and Cloud Service (Operation and Management) Directives, 2081 (2024 A.D) (“Data Center and Cloud Service Directives”), which were approved at the ministerial level on 2081.10.15. The Data Center and Cloud Service Directives seek to enhance data security, ensure data sovereignty, and promote efficient service delivery across both public and private sectors.
This article provides a general overview of the Data Center and Cloud Service Directives, enlistment requirements for data centre and cloud service providers, tier rating, and other compliance requirements.
I. Definitions
The key definitions under Data Center and Cloud Service Directives are as follows:
a. Data Centre: A center with the necessary infrastructure for the storage of data and the operation of information technology systems by the government, public and private sectors.
b. Cloud Service: The hardware and software-integrated infrastructure prepared by a data centre service provider or other entity to operate (host) information technology systems developed by the government, public and private sectors.
c. Data: A formal representation of information, knowledge, or instructions in the form of letters, numbers, images, sounds, or audio-visuals that are being formally prepared or have been prepared for use in a computer, computer system, or computer network, or produced by a computer, computer system or computer network.
II. Enlistment Requirements
All data centers and cloud service providers must register with the Department of Information Technology (“DOIT”) before commencing operations.
Existing service providers must apply for registration within six months of the Directive’s enforcement date, i.e., by July 31, 2025 (as the Directive was enacted on January 28, 2025).
III. Required Documents
| S.N. | Documents |
| 1. | Company or firm registration certificate |
| 2. | Security and privacy policy |
| 3. | Business Continuity Plan (BCP) |
| 4. | Technical personnel details |
| 5. | IP pool details |

| S.N. | Additional documents for Data Centre | Additional documents for Cloud Services |
| 1. | Fire safety assurance certificate | Agreement with a registered data center |
| 2. | Building completion certificate | ISP/NSP affiliation details |
| 3. | Tier classification of the data center (Tier I, II, III, or IV) | Information Security Related Standard certificate |
| 4. | Physical security methods used | IT Service Management Standard certificate |
| 5. | High-level electrical design and layout | |
| 6. | Agreement with land/building owner (if rented) | |
| 7. | Information Security Standard certificate for both Data Center (DC) and Disaster Recovery (DR) |
Upon receiving all required documents, DOIT will conduct a physical inspection of the infrastructure. If satisfied, DOIT will issue a Certificate of Enrollment within one month from the date of application. Also, DOIT holds the authority to cancel the enrollment if the service provider is found in violation of the Data Center and Cloud Service Directives.
IV. Tier rating of the data centre
Data Centers will receive a “Tier Rating” based on their physical infrastructure and services, categorized as:
| Criteria | Tier 1 | Tier 2 | Tier 3 | Tier 4 |
| Distribution Path (Power/Cooling) | 1 | 1 | 1 Active / 1 Alternative | 2 Active |
| Redundant Active Component | N | N | N+1 | 2(N+1) |
| Redundancy – Backbone | No | No | Yes | Yes |
| Redundancy – Horizontal Cabling | No | No | No | Optional |
| UPS/Generator | Optional | Yes | Yes | Dual Systems |
| Concurrently Maintainable | No | No | Yes | Yes |
| Fault Tolerant | No | No | No | Yes |
| Availability (Uptime/Year) | 99.671% | 99.749% | 99.982% | 99.995% |
| Maximum Downtime/Year | < 28.8 hours | < 22 hours | < 1.6 hours | < 26.3 minutes |
| Power Backup Requirement | 12 hours | 12–24 hours | 24–48 hours | 48+ hours |
The data center service provider must submit the tier rating certificate to the DOIT within one year of listing. Further, any data centre storing governmental data must have a Tier 3 rating or above.
V. Compliance Requirements for Data Center and Cloud Services in Nepal
Under the Data Center and Cloud Service Directives, the following compliance obligations are imposed on data center and cloud service providers:
a) Service providers must conduct annual security audits and submit compliance reports to the Department of Information Technology (DOIT), verifying adherence to data security and operational standards.
b) Each service provider must either:
- Appoint a dedicated compliance officer, or
- Collaborate with an authorized institution to ensure conformity with international best practices and standards (such as ISO/IEC 27001, ITIL, etc.).
c) In the event of any unauthorized access or security breach, the service provider is obligated to:
- Immediately notify the relevant authority (DOIT), and
- Take prompt remedial actions to mitigate the breach.
d) Service Providers must ensure the development and maintenance of a secure, resilient infrastructure, which includes:
- High-standard technical equipment (e.g., servers, network switches, racks, storage systems, HVAC systems)
- Physical and digital security systems, including access control, CCTV, and fire safety mechanisms
- Continuous monitoring of network and infrastructure integrity.
VI. Removal of Enlistment of Data Center and Cloud Service Providers
Under the Data Centre and Cloud Service Directives, the DOIT can remove a service provider from its official registry under the following circumstances:
a. Voluntary Cancellation: A service provider may submit a formal request for cancellation of its registration. Upon verification, the Department may approve and process the removal.
b. Non-Compliance: The Department reserves the right to cancel the enlistment if the service provider:
- Fails to comply with the provisions of the Directive,
- Neglects to maintain required standards, or
- Does not submit mandatory documents or updates as required by the regulatory framework.
VII. Integrated Data Management Center
The Data Centre and Cloud Service Directives provide for the establishment of an Integrated Data Management Center (the “Center”) for the purpose of ensuring robust infrastructure for government digital operations. Its primary responsibilities include:
- Infrastructure Management: Provision of colocation facilities and necessary technical infrastructure for government IT systems.
- Continuity of Services: Ensuring the uninterrupted operation of cloud and virtual resources for government systems in alignment with Service Level Agreements (SLAs).
Disclaimer: This article is for general informational purposes only and does not constitute legal advice, advertisement, personal communication, solicitation or inducement. No attorney-client relationship is created through this content. Gandhi & Associates assumes no liability for any consequences resulting from actions taken based on information contained herein.