AmarnepalNepal Data
Government & law

Cyber Law in Nepal: Electronic Transactions Act 2063 & Cybercrime

Cyber law in Nepal is governed mainly by the Electronic Transactions Act 2063 (2008), whose much-cited Section 47 penalises illegal online publication with up to five years in jail and a fine of up to NPR 100,000. Disputes go to the Information Technology Tribunal, while the Individual Privacy Act 2075 (2018) protects personal data. A replacement IT and Cyber Security Bill is pending. Victims can report crimes to the Nepal Police Cyber Bureau.

Controlling cyber lawElectronic Transactions Act 2063 (2008)
Most-cited provisionSection 47 (illegal online publication)
Section 47 penaltyUp to 5 years jail and/or fine up to NPR 100,000
Dispute forumInformation Technology Tribunal (3 members); appeals to IT Appellate Tribunal
Privacy statuteIndividual Privacy Act 2075 (2018)
Constitutional basisConstitution of Nepal 2015, Article 28 (right to privacy)
Reporting agencyCyber Bureau, Nepal Police, Bhotahiti, Kathmandu
Replacement lawIT & Cyber Security Bill (2082) — passed by House of Representatives in 2025, pending in practice
In depth

What is cyber law in Nepal, and which law controls it?

Cyber law in Nepal is the body of statutes, rules and court directions that govern computers, the internet, electronic records and online conduct. The single most important instrument is the Electronic Transactions Act 2063, commonly cited in English as the Electronic Transactions Act 2008 (the 2063 refers to the Bikram Sambat year; the English commencement gazette is dated 2008). It is often called Nepal's 'cyber law' or 'IT Act' because it is the only dedicated statute that both legalises electronic transactions and criminalises computer-related offences.

The Act gives legal recognition to electronic records, digital (electronic) signatures and online contracts, so that a document in electronic form carries the same validity as a paper one. It sets up a licensing regime for certifying authorities that issue digital signature certificates, and it lists the computer offences that constitute cybercrime in Nepal. Because it predates smartphones and social media, courts and lawyers have had to stretch its provisions to cover modern online harms, which is a recurring source of controversy.

Above the Act sits the Constitution of Nepal 2015 (2072), whose Article 28 guarantees the right to privacy of a person, their residence, property, documents, data, correspondence and character, except in accordance with law. Two later statutes fill important gaps: the Individual Privacy Act 2075 (2018) protects personal data, and the Muluki (Criminal) Code 2074 (2017) covers offences such as online defamation and cheating that can also be committed through electronic means.

  • Electronic Transactions Act 2063 (2008) — the controlling cyber law and cybercrime statute
  • Constitution of Nepal 2015, Article 28 — fundamental right to privacy
  • Individual Privacy Act 2075 (2018) — personal data and privacy protection
  • Muluki (Criminal) Code 2074 (2017) — defamation, cheating and related offences that may occur online

The Electronic Transactions Act 2063 (2008) explained

The Electronic Transactions Act 2063 is organised into chapters covering electronic records and digital signatures, the Controller and certifying authorities, subscriber duties, computer-related offences, and the Information Technology Tribunal that hears disputes. Its stated purpose in the preamble is to make electronic transactions 'reliable and secure' and to regulate the generation, authentication and use of electronic records. It is administered under the Ministry of Communication and Information Technology, with the Office of the Controller of Certification overseeing digital signature providers.

The offences chapter is what most people mean by 'cyber crime Nepal'. It criminalises unauthorised access to a computer system (hacking), damage to computer source code and data, and the publication of illegal material in electronic form, among other acts. Penalties combine imprisonment and fines, and the Act has extraterritorial reach: an offence committed abroad using a computer system located in Nepal, or targeting a victim in Nepal, can be tried in Nepal.

Critics have long argued that the Act is outdated and too vague for the modern internet. It does not clearly address social media harassment, deepfakes, identity theft, ransomware or online child protection in dedicated language, so prosecutors lean heavily on its broad publication clause. Successive governments have promised a full replacement, but until a new law commences, the 2063 Act remains the operative cyber law of Nepal.

Section 47: the most-cited provision (and the most controversial)

Section 47 of the Electronic Transactions Act punishes the publication or display in electronic form of material that is contrary to public morality or decent behaviour, or that spreads hatred or jealousy against any person or community, or that jeopardises harmony among castes, communities, religions or nationalities. On conviction, an offender faces imprisonment of up to five years, a fine of up to NPR 100,000, or both. It is the provision people mean when they search for 'section 47 Nepal'.

Because its wording is broad and undefined, Section 47 has become the default charge for a wide range of online conduct: hate speech, obscene content, defamatory Facebook or TikTok posts, and criticism of officials. Digital-rights researchers report that a large share of cases at the Kathmandu District Court over the past decade have been Section 47 expression cases rather than genuine fraud or hacking, and that many accused were arrested quickly, sometimes without a direct victim complaint. Journalists and ordinary social-media users have been prosecuted under it, drawing repeated criticism from press-freedom and civil-society groups.

The Supreme Court and the Office of the Attorney General have both flagged the problem. The Supreme Court has urged that Section 47 be read in light of the Act's commercial preamble and has issued directions to curb its misuse against journalists, while a government legal review has described the provision as unclear and contradictory and called for reform. Even so, the section remains on the books and continues to be used, which is why replacing or narrowing it is a central demand in the debate over Nepal's cyber law.

  • Targets online content deemed against public morality, or that spreads hatred or disrupts communal harmony
  • Maximum penalty: up to 5 years imprisonment and/or a fine up to NPR 100,000
  • Frequently used for social-media defamation, obscenity and speech cases, not only fraud
  • Repeatedly criticised as vague and misused against journalists and citizens

The Information Technology Tribunal and appeals

The Electronic Transactions Act creates a specialised Information Technology Tribunal to adjudicate computer-related offences and disputes under the Act. It is a three-member body chaired by a law member who is, or is qualified to be, a district-court judge, sitting with an information-technology member and a commerce member, each holding a relevant master's degree and several years of experience. This structure is meant to bring technical expertise to cases that ordinary courts may find difficult.

Parties dissatisfied with a Tribunal decision, or with an order of the Controller or a certifying authority, may appeal to a three-member Information Technology Appellate Tribunal, again chaired by a senior law member, with appeals generally to be filed within 35 days. Questions of law can ultimately reach the Supreme Court, which is how higher-court guidance on provisions such as Section 47 has emerged.

In practice, many high-profile speech and defamation prosecutions under Section 47 have been handled through the ordinary district-court criminal process rather than the Tribunal, and the specialised tribunals have at times been under-resourced. This gap between the law on paper and its day-to-day application is one reason reformers want a clearer institutional design in any successor legislation.

The Individual Privacy Act 2075 (2018) and data protection

The Individual Privacy Act 2075 came into force in 2018 to translate the constitutional right to privacy into a working statute. It protects the privacy of a person's body, family, residence, property, documents, correspondence and character, and it regulates how public bodies and institutions collect, store and use personal information. Collecting someone's personal data generally requires the consent of the person concerned, and individuals are given rights to be informed about, access and correct their information.

The Act treats sensitive personal information — such as caste, ethnicity, political affiliation, religious belief, physical or mental health, and biometric details — with special protection, and it prohibits unauthorised recording, listening to or disclosing private matters. Breaches can attract imprisonment and fines, and aggrieved individuals may claim compensation, generally by filing with the relevant district court within a short limitation period of the incident.

Nepal's privacy regime, however, has notable gaps. Unlike modern data-protection laws in many countries, the Act does not create an independent data-protection authority or regulator to enforce standards, and it lacks detailed rules on cross-border data transfers and large-scale corporate data processing. These weaknesses are frequently cited alongside the outdated Electronic Transactions Act as reasons Nepal needs comprehensive new digital legislation.

The pending IT & Cyber Security Bill and the social-media debate

For years, governments have tried to replace the ageing Electronic Transactions Act. An earlier Information Technology Bill 2075 was heavily criticised by journalists and rights groups for threatening free expression and privacy, and it was withdrawn. Its successor, the Information Technology and Cyber Security Bill (registered as the 2082 bill), is intended to give fuller legal recognition to electronic records and to address digital signatures, data privacy, critical information infrastructure, hacking and AI-era crimes with modern definitions and penalties.

The House of Representatives passed a version of the Information Technology and Cyber Security Bill in 2025, but as of 2026 the Electronic Transactions Act 2063 still remains the governing cyber law in day-to-day practice while the replacement completes the legislative process. A separate Social Media Bill, aimed at regulating platforms, drew intense criticism over free-speech and control concerns and was reported withdrawn in early 2026. Readers should treat the exact status of these bills as fast-moving and verify current details before relying on them.

Digital-rights organisations have warned that several provisions in the draft cyber-security legislation are vague and broad, could expand surveillance, and may not adequately cover social-media harms or technology-facilitated gender-based violence. The core tension in Nepal's cyber-law reform is therefore the same one that surrounds Section 47: how to give the state effective tools against genuine cybercrime without creating a new instrument for censoring lawful online speech.

How to file a cybercrime complaint in Nepal

Victims of online fraud, hacking, account takeover, blackmail, non-consensual intimate images, harassment or impersonation can report to the Cyber Bureau of Nepal Police, the central agency for cybercrime investigation, located in Bhotahiti, Kathmandu. Complaints can be made in person, by email to the Bureau, or through the online reporting form on the Cyber Bureau website; outside the Kathmandu Valley, complaints can also be lodged at the nearest police office or through provincial cyber units, which coordinate with the Bureau.

Before filing, preserve evidence: take screenshots, save URLs, usernames, phone numbers, chat logs, transaction details and any emails, and note dates and times. A written application describing the incident, together with a copy of a valid photo ID such as citizenship, passport or driving licence, is normally required. Do not delete the offending content or your own account, because the digital trail is central to any investigation and prosecution.

The Bureau assesses the complaint, may summon parties, gathers digital evidence and, where an offence is established, forwards the case for prosecution under the Electronic Transactions Act or the relevant provision of the Criminal Code. Time matters: some related claims (for example under the privacy law) carry short limitation periods, so it is wise to report promptly and, for serious matters, consult a lawyer. Contact numbers and the current online form should be confirmed on the official Cyber Bureau website, as details can change.

  • Where: Cyber Bureau, Nepal Police, Bhotahiti, Kathmandu — or the nearest police office / provincial cyber unit
  • How: in person, by email to the Bureau, or via the online complaint form on the Cyber Bureau website
  • Bring: a written complaint with dates and details, plus a copy of a valid ID (citizenship/passport/licence)
  • Evidence: screenshots, URLs, usernames, chat logs, transaction records — do not delete the content
  • Then: the Bureau investigates and, if an offence is found, forwards the case for prosecution
Questions

Cyber Law in Nepal: Electronic Transactions Act 2063 & Cybercrime — FAQ

What is cyber law in Nepal?+

Cyber law in Nepal is the set of rules governing computers, the internet and electronic records. It is anchored by the Electronic Transactions Act 2063 (2008), supported by the Individual Privacy Act 2075 (2018) and Article 28 of the Constitution, and enforced with help from the Nepal Police Cyber Bureau.

What is the Electronic Transactions Act 2063?+

It is Nepal's main cyber law, commonly dated 2008 in English. It gives legal recognition to electronic records and digital signatures, licenses certifying authorities, defines computer offences such as hacking and illegal online publication, and creates the Information Technology Tribunal to hear disputes.

What is Section 47 of the Electronic Transactions Act?+

Section 47 punishes publishing or displaying online material that is against public morality, or that spreads hatred or disrupts communal harmony. The penalty is up to five years in prison, a fine of up to NPR 100,000, or both. It is Nepal's most-used and most-criticised cyber provision, often applied to social-media posts.

How do I file a cyber crime complaint in Nepal?+

Report to the Cyber Bureau of Nepal Police in Bhotahiti, Kathmandu, in person, by email, or through the online form on its website; outside the Valley you can go to the nearest police office. Bring a written complaint with dates and details, a copy of a valid ID, and preserved evidence such as screenshots and URLs.

Is online defamation a cyber crime in Nepal?+

Yes. Defamatory or hateful online content is frequently prosecuted under Section 47 of the Electronic Transactions Act, and defamation can also be pursued under the Muluki (Criminal) Code 2074. Privacy breaches may additionally fall under the Individual Privacy Act 2075.

Does Nepal have a data protection law?+

Yes, the Individual Privacy Act 2075 (2018) protects personal and sensitive data, requires consent for data collection, and lets individuals access, correct and seek compensation for misuse. However, it does not create an independent data-protection regulator, a gap reformers say new legislation should fix.

Related topics

← All topics