Digital Signature (DSC) in Nepal: Legal Validity, Licensed CAs, and How to Get One
In Nepal a digital signature certificate (DSC) carries the same legal force as a handwritten signature under the Electronic Transactions Act 2063, provided it is issued by a certifying authority licensed by the Office of the Controller of Certification (OCC) and built on PKI/X.509 standards. DSCs are used for e-tendering, e-filing, secure banking and authenticating electronic records, and are obtained through a licensed CA or its registration authority.
| Governing law | Electronic Transactions Act 2063 (commonly cited as 2008), with the Electronic Transaction Rules 2064 |
| Act authenticated | 18 Mangsir 2063 BS (4 December 2006) |
| Regulator | Office of the Controller of Certification (OCC), under the Government of Nepal |
| Legal effect | A valid digital signature is equivalent to a handwritten (wet-ink) signature (Section 4) |
| Who may issue | Only certifying authorities (CAs) licensed by the Controller (Section 18); the OCC itself does not issue end-user certificates |
| Technology | Public Key Infrastructure (PKI) using asymmetric cryptography and the X.509 certificate standard |
| Trust anchor | Root Certifying Authority of Nepal (RCAN), operated by the OCC |
| Certificate validity | Time-limited, typically one to two years, and renewable before expiry (set by CA policy) |
| Common classes | Class 1, Class 2 and Class 3 certificates, with increasing identity-verification requirements |
| Repository | National Repository of Digital Signature Certificates (NRDC), maintained by the OCC |
What a digital signature is in Nepal
In Nepal, a 'digital signature' is not a scanned image of a handwritten signature or a typed name. It is a cryptographic mechanism that binds the identity of a signer to an electronic record. Under the Electronic Transactions Act 2063, a digital signature is created using asymmetric cryptography (a mathematically linked private key and public key) so that anyone can verify, using the public key, that the record was signed with the corresponding private key and has not been altered since.
The signer's identity is vouched for by a Digital Signature Certificate (DSC), an electronic credential that links a person or organisation to their public key. Certificates follow the international X.509 standard and operate within a Public Key Infrastructure (PKI), the system of certificate authorities, repositories and revocation lists that lets relying parties trust a certificate they did not issue themselves.
Because the signature is bound to the document's content, any later tampering invalidates the signature, which is what gives digitally signed records their integrity and non-repudiation properties.
- Private key: held secretly by the signer (often on a USB crypto-token) and used to sign.
- Public key: distributed in the certificate and used by others to verify the signature.
- Digital Signature Certificate (DSC): the X.509 credential that ties the public key to a verified identity.
Legal validity under the Electronic Transactions Act 2063
The legal foundation for digital signatures in Nepal is the Electronic Transactions Act 2063 (Bidyutiya Karobar Ain), authenticated on 18 Mangsir 2063 BS (4 December 2006) and operationalised through the Electronic Transaction Rules 2064. It is widely cited in English as the Electronic Transactions Act 2008, and it remains Nepal's principal statute on electronic records, digital signatures, certifying authorities and cyber offences.
Section 4 establishes that a digital signature has the same legal effect as a handwritten signature: where any law requires a document to be signed, that requirement is satisfied by an authenticated digital signature. Section 3 likewise gives electronic records the same legal status as written documents where they remain accessible for subsequent reference. Crucially, Section 18 limits the issuance of valid certificates to certifying authorities licensed by the Controller, so a signature is only legally equivalent to wet ink when it rests on a certificate from a licensed CA.
These provisions, read together with Nepal's evidence and procedure laws, make properly authenticated electronic records and digital signatures admissible in court. The evidentiary weight given to any particular record still depends on the integrity of the signing process and the trustworthiness of the certificate behind it.
The Office of the Controller of Certification (OCC)
The Act creates a national regulator, the Controller of Certification, whose office is the Office of the Controller of Certification (OCC), a Government of Nepal body that supervises Nepal's PKI ecosystem. The OCC does not sell certificates to ordinary users; instead it sets the rules of trust and oversees the authorities that do issue them.
The OCC's core functions include licensing and renewing licences for certifying authorities, specifying technical standards and interoperability guidelines (covering areas such as XML, PKCS#7/CMS and OCSP signature profiles), auditing licensed CAs, and investigating subscriber complaints. The OCC also operates the Root Certifying Authority of Nepal (RCAN), the apex trust anchor whose root certificate underpins every certificate chain issued by Nepalese CAs.
- Licenses and audits certifying authorities (CAs).
- Operates the Root Certifying Authority of Nepal (RCAN) as the national trust anchor.
- Publishes technical and interoperability standards for digital signatures.
- Maintains the National Repository of Digital Signature Certificates (NRDC), where certificates and certificate revocation lists (CRLs) from all licensed CAs can be verified.
Licensed certifying authorities and certificate classes
Below the Root Certifying Authority of Nepal sit the licensed certifying authorities (CAs) that actually issue Digital Signature Certificates to subscribers such as individuals, businesses, banks and government agencies. A CA must build the required infrastructure and obtain a licence from the Controller before it can issue certificates that carry legal effect.
Among the entities operating under this framework, Radiant InfoTech Nepal Pvt. Ltd. is a licensed certifying authority, and Nepal Certifying Company (NCC), established in 2013, acts as its registration authority (RA) and management partner, handling subscriber-facing enrolment and verification. Because the roster of licensed CAs can change over time, the authoritative, current list is published by the OCC on its official website.
Certificates are commonly issued in tiers, Class 1, Class 2 and Class 3, reflecting how rigorously the applicant's identity is verified. Higher classes involve stronger identity proofing and are generally required for higher-trust uses such as e-tendering and government transactions.
- Class 1: basic identity confirmation, typically for low-risk uses such as email.
- Class 2: identity verified against trusted records, for routine business and filings.
- Class 3: highest assurance with stringent verification, used for e-tendering and high-value transactions.
Validity, renewal and revocation
A Digital Signature Certificate is issued for a fixed term rather than indefinitely. In practice, certificates in Nepal are typically valid for one to two years, with the exact period set by the issuing CA's policy. To keep signing legally valid records, a subscriber must renew the certificate before it expires.
Certificates can also be suspended or revoked, for example if the private key is lost or compromised, if the certificate is misused, or by legal order. Revoked certificates are listed in certificate revocation lists (CRLs) that relying parties can check through the OCC's National Repository, so a signature made with a revoked or expired certificate will not verify as trusted.
Subscribers carry duties under the Act, most importantly safeguarding their private key, since control of the key is what makes the resulting signatures attributable to them.
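The relying-party checks described above (chain to a trust anchor, validity period, revocation, and a signature bound to the record's content), as an added Go example that is not from the original article, the OCC or any licensed CA. Everything in it is constructed: the root and subscriber certificates are throwaway stand-ins for RCAN and a DSC, Ed25519 is an assumption chosen for brevity, the names `VerifyRecord` and `issue` are hypothetical, and `revoked` stands for serial numbers read from a CRL whose own signature the caller has already verified.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyRecord is a relying party's check; revoked holds decimal serials from an already-verified CRL.
func VerifyRecord(doc, sig []byte, leaf, root *x509.Certificate, revoked map[string]bool, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain or validity period: %w", err)
	}
	if revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("certificate %v is revoked", leaf.SerialNumber)
	}
	if pub, ok := leaf.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, doc, sig) {
		return fmt.Errorf("signature does not match the record")
	}
	return nil
}

// issue makes a constructed one-year certificate (fixture code, errors ignored); a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey, from time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(1, 0, 0), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	now, doc := time.Now(), []byte("constructed bid document")
	root, rootKey := issue("Constructed Root CA", 1, nil, nil, now.Add(-time.Hour))
	leaf, key := issue("Constructed Subscriber", 2, root, rootKey, now.Add(-time.Hour))
	sig := ed25519.Sign(key, doc)
	fmt.Println(VerifyRecord(doc, sig, leaf, root, nil, now))                        // <nil>
	fmt.Println(VerifyRecord(doc, sig, leaf, root, map[string]bool{"2": true}, now)) // certificate 2 is revoked
}
```

Altering `doc`, moving `at` past the certificate's `NotAfter`, or passing a different root each makes the same call return an error at the signature or chain step.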
Uses of a DSC and how to obtain one
Digital signatures support a range of paperless and secure-transaction services in Nepal. They are used for e-tendering and e-procurement, electronic filing and authentication of records with government bodies, secure banking and financial workflows, and signing or encrypting electronic documents and email. Because Section 4 equates them with handwritten signatures and the records are admissible as evidence, they enable legally binding online transactions without physical paperwork.
To obtain a DSC, an applicant approaches a licensed certifying authority or one of its registration authorities. The typical process involves choosing the appropriate certificate class, submitting an application form with identity and (for organisations) registration documents, completing identity verification through the registration authority, and then receiving the certificate, often delivered on a secure USB crypto-token that stores the private key.
Applicants should verify a provider's licensed status against the OCC's official records before applying, and keep the private-key token secure, since the certificate's legal value depends on both the licensing chain and the subscriber's control of the key.
- Step 1: Select a licensed CA (or its registration authority) and the required certificate class.
- Step 2: Submit the application form with identity documents (and business registration documents for organisations).
- Step 3: Complete identity verification with the registration authority.
- Step 4: Receive the certificate, commonly on a secure USB crypto-token; renew before expiry.
Digital Signature (DSC) in Nepal: Legal Validity, Licensed CAs, and How to Get One — FAQ
Is a digital signature legally valid in Nepal?
Yes. Under Section 4 of the Electronic Transactions Act 2063, a digital signature has the same legal effect as a handwritten signature, provided it is created using asymmetric cryptography and authenticated by a certificate from a certifying authority licensed by the Office of the Controller of Certification.
Who is allowed to issue digital signature certificates in Nepal?
Only certifying authorities (CAs) licensed by the Controller under Section 18 of the Act may issue valid certificates. The Office of the Controller of Certification regulates and licenses these CAs and operates the Root Certifying Authority of Nepal, but it does not issue certificates directly to end users.
What technology and standards do Nepalese digital signatures use?
They use Public Key Infrastructure (PKI) based on asymmetric cryptography, with certificates following the international X.509 standard. The Root Certifying Authority of Nepal anchors the chain of trust, and certificates and revocation lists are published in the National Repository maintained by the OCC.
How long is a digital signature certificate valid, and can it be renewed?
A certificate is issued for a fixed term, typically one to two years depending on the issuing CA's policy, and must be renewed before it expires to remain valid. Certificates can also be suspended or revoked if the key is compromised, the certificate is misused, or by legal order.
What can a digital signature certificate be used for?
Common uses include e-tendering and e-procurement, electronic filing and authentication of records with government agencies, secure banking, and signing or encrypting electronic documents and email. Digitally signed electronic records are admissible as evidence in Nepal's courts.
How do I get a digital signature certificate in Nepal?
Apply through a licensed certifying authority or its registration authority. Choose a certificate class, submit an application with identity (and business registration) documents, complete identity verification, and receive the certificate, often on a secure USB crypto-token. Always confirm the provider's licensed status against the OCC's official list first.
Sources & data note
This article is compiled from the cited sources and contains durable facts only (no daily-changing data). Verify time-sensitive details with the relevant authority.
- The Electronic Transactions Act, 2063 (2008) - full text. Radiant InfoTech Nepal (licensed CA).
- Office of the Controller of Certification (OCC), Nepal - official site. Government of Nepal.
- Root Certifying Authority of Nepal - Certification Practice Statement. Office of the Controller of Certification, Nepal.
- Radiant InfoTech Nepal - licensed certifying authority. Radiant InfoTech Nepal Pvt. Ltd.
- Nepal Certifying Company (NCC) - registration authority. Nepal Certifying Company.
- Electronic Transaction Act 2063 Nepal: Cyber and DSC overview. Law Alpine.