6th March 2025, Kathmandu
The Department of Information Technology (DoIT) has called on all data centers and cloud service providers in Nepal to register with the government.
Data Center Cloud Services Directive
This is part of the new “Data Center and Cloud Services (Operation and Management) Directive, 2081”, which was introduced on Magh 15, 2081 (January 28, 2025). The directive aims to improve data security and ensure proper management of IT services.
Mandatory Registration for Service Providers
All existing data centers and cloud service providers must register with the DoIT before offering their services. Providers must submit their applications within the next six months. If they fail to do so, they will not be allowed to continue operations.
Purpose of the Directive
The directive encourages the secure storage of data created by both the public and private sectors within Nepal. It ensures that sensitive data is protected and stored in a safe manner. The goal is to make IT systems in data centers and cloud services reliable, secure, and efficient.
Required Documents for Registration
To register, data centers and cloud service providers must submit several key documents:
Company registration certificate
Fire safety and building completion certificates
Security and privacy policies
Business continuity plan
Location map and tier classification
Technical staff details
Security procedures
IP pool and electrical design details
If the provider does not own the building, they must submit a lease agreement. For cloud services, affiliation documents with ISPs and NSPs are also required.
Regulation for Financial Institutions
In line with these changes, Nepal Rastra Bank (NRB) has set a rule for payment service providers. They can only store their data in registered data centers. This ensures that financial institutions comply with the new standards for data security.
Separate Registration for Cloud and Data Centers
If a service provider offers both cloud services and data centers, they must register separately for each service.
Government Data Centers and IDMC Integration
The directive affects government-run data centers as well. All non-security government agencies must use the Integrated Data Management Center (IDMC) for data storage. Existing government data centers are required to move their data to the IDMC within a specified timeframe. However, government agencies can request approval to operate additional sites if necessary.
Strict Security and Compliance Measures
Providers must follow strict security protocols. These include:
Ensuring no unauthorized access to data.
Reporting security breaches to authorities.
Appointing a compliance officer to maintain standards.
Conducting annual security audits of the infrastructure.
Client Responsibilities
Clients must only use services from registered data centers and cloud providers.
Building a Secure IT Infrastructure
The government’s directive aims to create a secure and efficient IT environment in Nepal. By requiring all service providers to register, the government seeks to improve data protection and security in the country. Data centers and cloud service providers must apply for registration within six months to comply.
For more: Data Center Cloud Services Directive