Data Center and Cloud Service Directive, Nepal, 2081

To secure data and strengthen the nation's cloud service industry, the Government of Nepal, through the Ministry of Communications and Information Technology, introduced the Data Center and Cloud Service (Operation and Management) Directive, 2081. This directive aims to regulate the establishment, management, and operation of data centers and cloud services in Nepal under the provisions of the Electronic Transactions Act, 2006.
 
The directive sets strict compliance, security, and reliability requirements, thereby ensuring that service providers meet high operational standards. It has established a regulatory framework for any entity (government, public, or private) that is involved in data storage or cloud computing services.

This article shall thus serve as a complete guide for data center operators and cloud service providers, outlining their requirements, obligations, and industry standards needed for compliance with the directive.
 
1. Registration Requirements for Data Centers and Cloud Service Providers
 
Mandatory Registration
Before offering services, all data centers and cloud service providers must register with the Department of Information Technology (DoIT).
Documents Required for Cloud Service Provider Registration
Organizations providing cloud services must submit:

Application Process for Existing Providers

All current data center operators and cloud service providers operating at the time this directive takes effect must collect the necessary documents for registration and submit an application for approval to the Department of Information Technology within six months of the directive’s enforcement (starting from February 12, 2025).

Re-registration for Modifications or New Establishments

  • Any changes in data center or cloud service operations necessitate re-registration with updated certifications.
  • During the investigation and physical inspection of applications, the Department of Technology may require data center and cloud service providers to submit necessary documents for the listing process.
  • If the Department of Information Technology confirms that all required procedures are fulfilled after investigation and physical inspection, it may list the data center and cloud service within one month.
  • Service providers planning to operate both data center and cloud services under this section must obtain separate listings for each.

2. Compliance Obligations for Data Centers and Cloud Service Providers

a) Security and Compliance Standards

Data centers and cloud service providers must adhere to international security standards, including:

b) Access and Service Quality Standards

c) Incident Reporting

  • Any unauthorized access or security breaches must be reported to the Department of Information Technology and the National Cyber Security Center immediately.
  • Necessary measures must also be taken to prevent and eliminate unauthorized access.
  • Providers must ensure that security incidents are investigated and resolved promptly.
  • A forensic investigation may be requested if deemed necessary.

d) Annual Data & Compliance Updates

Service providers must update their details and compliance status to the Department of Information Technology by the end of Poush each year.

e) Government-Owned Data Center and Cloud Service Provider Obligation

For government data centers, arrangements must be made to store only the data of government agencies.

  • Government data centers and government-owned cloud services operated by ministries, departments, and government entities must comply with this directive and shall not operate in a manner that contradicts its provisions.
  • Government agencies running institutional data centers and cloud services at the time this directive takes effect must transfer them to the government data center within the timeframe set by the Board of Directors. However, if a government agency provides sufficient justification to operate a Primary or Secondary Site, the Board of Directors may approve the request based on its suitability.

f) Additional Obligations

  • Appropriate server racks should be arranged.
  • Network equipment (e.g., firewalls, routers, and switches) should be available.
  • Servers and storage devices should be available.
  • Proper HVAC (Heating, Ventilation, and Air Conditioning) arrangements should be made.
  • Proper fire extinguishers and other fire safety arrangements should be in place.
  • Adequate and regular availability of internet and electricity should be ensured.
  • An IP pool should be made available.
  • Necessary technical manpower should be available.
  • An Access Control System should be maintained.
  • Manpower for physical security shall be arranged.
  • A proper arrangement of Closed-Circuit Television (CCTV) should be in place.
  • A Network Operation Center (NOC) should be established.
  • Security devices should be arranged as required to ensure security.
  • Arrangements should be made for colocation of customers' servers for data storage.
  • Regular backups of stored data should be arranged.
  • Technical personnel should be certified or have relevant experience.
  • Only authorized personnel should be allowed to enter the server location.
  • A system should be in place for maintaining visitor records.
  • At least three months of Closed-Circuit Television (CCTV) footage should be stored.
  • Ensure physical destruction of HDDs so that data cannot be recovered.

3. List Removal Consideration

Conditions for Removal

The Department of Information Technology may remove a data center or cloud service provider from the official list under the following circumstances:

  • If it is discovered that the conditions outlined in the directive have not been met.
  • If data stored in the data center or cloud is found to have been misused.
  • If the organization is dissolved.
  • If the data center or cloud service operator requests the cancellation of their registration.

Process of Removal

In cases of non-compliance or data misuse, the service provider will be given 15 days to submit an explanation before being removed from the list.

The Department may conduct further investigations based on the response provided.

  • If no explanation is submitted or if the investigation confirms non-compliance, the Department will remove the provider from the list within seven days.
  • If a provider voluntarily applies for deregistration, the Department will process the request accordingly.  

The names of removed service providers will be published in a national daily newspaper and on the Department’s official website.

4. Tier Classification for Data Centers

The data center will be assigned a tier rating based on its physical infrastructure and the services it offers. Data center service providers must submit the tier rating certificate to the Department of Information Technology within one year of the data center’s listing. Furthermore, any data center storing government data must achieve a tier three or higher rating, as outlined in the Directive annexure.  

Data centers must be classified according to the Uptime Institute’s Tier Classification, which evaluates reliability and infrastructure redundancy.

5. Customer Responsibilities

  • Users must only engage with registered service providers.
  • If a provider is found non-compliant, customers must immediately secure their data and migrate to an alternative.
  • In case of unauthorized access, users must report incidents and support forensic investigations.

6. Functions, Duties and Powers of the Integrated Data Management Center

  • Prepare the necessary colocation infrastructure and equipment to provide information technology services to government bodies and ensure adequate colocation space.
  • Ensure the continuous availability of cloud and virtual resources required for hosting government information technology systems.
  • Establish the necessary Service Level Agreements (SLAs) for colocation services and cloud/virtual resource provisioning for each government body.
  • Ensure the continuity of data center and cloud services through SLAs.
  • Conduct security audits of data centers and cloud services at least once a year.

7. Regulatory Oversight & Enforcement

The Department of Information Technology is responsible for:

  • Monitoring and auditing compliance.
  • Publishing a list of registered providers on its website.
  • Issuing notices for non-compliance and revoking registrations if necessary.

A provider can be removed from the official list for:

  • Failing to meet compliance standards.
  • Misusing stored data.
  • Voluntarily opting out of registration.

The Integrated Data Management Center will oversee government data storage, ensuring secure hosting, resource allocation, and compliance.

8. Conclusion

Nepal’s Data Center and Cloud Service Directive, 2081 represents a significant milestone in enhancing cybersecurity, compliance, and data sovereignty. Although it introduces operational challenges, it also establishes the groundwork for a secure and scalable digital infrastructure.

For data centers and cloud service providers, adhering to security and operational requirements early on will be essential to ensure business continuity. As Nepal transitions to a more regulated cloud environment, this directive lays the foundation for a secure, reliable, and transparent digital ecosystem.