Understanding Nepal's Data Center and Cloud Service Directive, 2081: Requirements, Obligations, and Standards

Introduction

In a bid to strengthen the data security and cloud service industry in Nepal, the Government of Nepal, through the Ministry of Communications and Information Technology, has introduced the Data Center and Cloud Service (Operation and Management) Directive, 2081. This directive, established under the Electronic Transactions Act, 2063 (2006 A.D.), aims to regulate the establishment, management, and operation of data centers and cloud services in the country.

The directive enforces compliance, security, and reliability standards while ensuring that service providers meet strict operational criteria. It also sets a regulatory framework for government, public, and private organizations involved in data storage and cloud computing.

This article serves as a detailed guide for data center operators and cloud service providers to understand their requirements, obligations, and industry standards for maintaining compliance under this directive.

1. Registration Requirements for Data Centers and Cloud Service Providers

Mandatory Registration

Before offering services, all data centers and cloud service providers must be registered with the Department of Information Technology (DOIT).

Documents Required for Data Center Registration

Organizations applying for data center registration must submit the following documents:

  • Company/Firm Registration Certificate
  • Building Construction Completion Certificate
  • Fire Safety Assurance Certificate
  • Security and Privacy Policy
  • Business Continuity Plan (BCP) and Disaster Recovery (DR) documents
  • Location Map of the Data Center
  • Details of the Tier Rating
  • Technical Personnel Information
  • Physical Security Protocols and Procedures
  • IP Pool Details Registered Under the Company’s Name
  • High-Level Electrical Design
  • Agreement with the Owner of the Premises (if rented)
  • Compliance with Information Security Standards for Both DC & DR (for existing data centers)

Documents Required for Cloud Service Provider Registration

Organizations providing cloud services must submit:

  • Company Registration Certificate
  • Security and Privacy Policy
  • Business Continuity Plan (BCP)
  • Technical Personnel Details
  • Map of the Data Center Hosting the Cloud Services
  • Agreement with the Data Center
  • ISP/NSP Affiliation Details
  • IP Pool Details Registered Under the Provider’s Name
  • Information Security Standards and IT Service Management Standards Certification (to be submitted within six months of listing)

Application Process for Existing Providers

All existing data center operators and cloud service providers at the time of this directive's enforcement must gather the required documents for registration and submit an application for approval to the Department of Information Technology within six months from the directive’s commencement (February 12, 2025).

Re-registration for Modifications or New Establishments

Any modifications in data center or cloud service operations require re-registration with updated certifications.

During the investigation and physical inspection of applications, the Department of Information Technology may request data center and cloud service providers to submit the documents necessary for the listing process.

If the Department of Information Technology verifies that all necessary procedures are completed after investigation and physical inspection, it may list the data center and cloud service within one month.

Service providers intending to operate both data center and cloud services under this section must be listed separately.

2. Compliance Obligations for Data Centers and Cloud Service Providers

a) Security and Compliance Standards

Data centers and cloud service providers must adhere to international security standards, including:

  • Data center operators must submit information security certification such as ISO 27001 for both DC and DR.
  • Cloud service providers must submit certifications for both information security and IT service management standards, such as ISO 27001, ISO/IEC 20000-1, or SOC 2.
  • The data center and cloud service provider shall conduct a security audit of its infrastructure at least annually.
  • Service providers shall implement the security measures necessary to protect service recipient data and to prevent unauthorized use and access.
  • Data center and cloud service providers shall adopt the necessary security standards to ensure the security of customer data in data centers and cloud environments.
  • The data center and cloud service provider must appoint a compliance officer or engage a relevant organization to ensure compliance with international standards.

b) Access and Service Quality Standards

  • Data center and cloud service providers shall ensure equal access for all in service delivery.
  • When operating any system through a cloud service, the security and backup of the system and data shall be explicitly stated in a bilateral agreement.
  • The data center and cloud service provider shall comply with the instructions issued by the department and law enforcement agencies.
  • If any individual or entity wishes to remove infrastructure from the data center or cloud and relocate the hosted systems elsewhere, necessary assistance shall be provided.
  • If a data center or cloud service provider is terminated in accordance with prevailing laws, or if the relevant entity or individual wishes to relocate it, the transfer shall be carried out safely.

c) Incident Reporting

  • Any unauthorized access or security breaches must be reported to the Department of Information Technology and the National Cyber Security Center immediately.
  • In addition, necessary measures shall be taken to prevent and eliminate unauthorized access.
  • Providers must ensure that security incidents are investigated and resolved swiftly.
  • A forensic investigation may be requested if necessary.

d) Annual Data & Compliance Updates

  • Service providers must update their details and compliance status to the Department of Information Technology by the end of Poush each year.

e) Government-Owned Data Center and Cloud Service Provider Obligations

  • In the case of government data centers, arrangements shall be made to store only the data of government agencies.
  • Government data centers and government-owned cloud services operating under ministries, departments, and government entities must comply with this directive and shall not operate in a manner inconsistent with its provisions.
  • Government agencies operating institutional data centers and cloud services at the commencement of this directive must transfer them to the government data center within the time frame specified by the Board of Directors. However, if a government agency requests to operate a Primary or Secondary Site with sufficient justification, the Board of Directors may grant approval based on its suitability.

f) Additional Obligations

  • Appropriate server racks should be arranged to house the servers.
  • Network equipment such as firewalls, routers, and switches should be available.
  • Servers and storage devices should be available for data storage.
  • Proper HVAC (Heating, Ventilation, and Air Conditioning) arrangements should be made.
  • Proper fire extinguishers and other fire safety arrangements should be in place.
  • Adequate and regular availability of internet and electricity should be ensured.
  • An IP pool should be made available in the name of the data center operator.
  • Necessary technical manpower should be available.
  • An Access Control System should be arranged at the location where the data center servers are located.
  • Manpower for the physical security of the data center should be arranged.
  • A proper arrangement of Closed-Circuit Television (CCTV) should be in place in the data center, along with arrangements for Data Center Infrastructure Monitoring.
  • A Network Operation Center (NOC) should be established for the regular monitoring of network equipment such as firewalls, routers, and switches.
  • Security devices should be arranged as required to ensure the security of data stored in the data center.
  • Arrangements should be made for colocation of customers' servers for data storage.
  • Regular backups of stored data should be arranged.
  • Technical personnel should be certified or have relevant experience.
  • Only authorized personnel should be allowed to enter the server location.
  • A system should be in place for maintaining visitor records at the data center.
  • Closed-Circuit Television (CCTV) footage should be stored for at least the past three months.
  • If hard disks need to be destroyed, arrangements should be made to ensure that data cannot be recovered.

3. List Removal Consideration

Conditions for Removal

The Department of Information Technology may remove a data center or cloud service provider from the official list under the following circumstances:

  • If the Department finds that the conditions prescribed in the directive have not been complied with.
  • If data stored in the data center or cloud is found to have been misused.
  • If the organization is dissolved.
  • If the data center or cloud service operator applies for cancellation of registration.

Process of Removal

  • In cases related to non-compliance or data misuse, the service provider will be given 15 days to submit an explanation before being removed from the list.
  • The Department may conduct further investigations based on the response.
  • If no explanation is provided or if the investigation confirms non-compliance, the Department will remove the provider from the list within seven days.
  • If a provider voluntarily applies for deregistration, the Department will process the request accordingly.
  • The names of removed service providers will be published in a national daily newspaper and on the Department’s official website.

4. Tier Classification for Data Centers

The data center will be assigned a tier rating based on its physical infrastructure and the services it provides. Data center service providers must submit the tier rating certificate to the Department of Information Technology within one year of the data center’s listing. Additionally, any data center storing government data must obtain a Tier 3 or higher rating, as specified in the Directive annexure.

Data centers must be classified according to Uptime Institute’s Tier Classification, which determines reliability and infrastructure redundancy:

Tier 1: Basic Infrastructure

  • 99.671% uptime (maximum 28.8 hours downtime per year)
  • 12-hour power backup
  • No redundancy

Tier 2: Redundant Infrastructure

  • 99.749% uptime (maximum 22 hours downtime per year)
  • 12-24 hour power backup
  • Redundant power & cooling infrastructure

Tier 3: Concurrently Maintainable (Required for government data storage)

  • 99.982% uptime (maximum 1.6 hours downtime per year)
  • 24-48 hour power backup
  • Redundant backbone and active components

Tier 4: Fault Tolerant

  • 99.995% uptime (maximum 26.3 minutes downtime per year)
  • 48+ hour power backup
  • Fully redundant power, cooling, and network infrastructure

5. Customer Responsibilities

  • Users must only engage with registered service providers.
  • If a provider is found non-compliant, customers must immediately secure their data and migrate to an alternative.
  • In case of unauthorized access, users must report incidents and support forensic investigations.

6. Functions, Duties, and Powers of the Integrated Data Management Center

  • To prepare the necessary colocation infrastructure and equipment for providing information technology services to government bodies and ensuring adequate colocation space.
  • To ensure the continuous availability of cloud and virtual resources required for hosting government information technology systems.
  • To establish the necessary Service Level Agreements (SLAs) for colocation services and cloud/virtual resource provisioning for each government body.
  • To ensure the continuity of data center and cloud services through SLAs.
  • To conduct security audits of data centers and cloud services at least once a year.

7. Regulatory Oversight & Enforcement

The Department of Information Technology is responsible for:

  • Monitoring and auditing compliance.
  • Publishing a list of registered providers on its website.
  • Issuing notices for non-compliance and revoking registrations if necessary.

A provider can be removed from the official list for:

  • Failing to meet compliance standards.
  • Misusing stored data.
  • Voluntarily opting out of registration.

The Integrated Data Management Center will oversee government data storage, ensuring secure hosting, resource allocation, and compliance.

8. Conclusion

Nepal’s Data Center and Cloud Service Directive, 2081 is a landmark regulation that strengthens cybersecurity, compliance, and data sovereignty. While it presents operational challenges, it also paves the way for a secure and scalable digital infrastructure.

For data centers and cloud service providers, early compliance with security and operational requirements will be crucial for business continuity. As the country moves toward a more regulated cloud environment, this directive sets the foundation for a secure, reliable, and transparent digital ecosystem in Nepal.

For full details, visit the official directive: Data Center and Cloud Service Directive, 2081

More articles by Bijay limbu Senihang