Operating cyber security company in Nepal requires compliance with multiple regulatory frameworks including the Companies Act 2063, Electronic Transaction Act 2063, Draft Information Technology and Cyber Security Bill 2080 (2024), and National Cyber Security Policy 2023. The cybersecurity industry in Nepal is experiencing unprecedented growth, driven by increasing digital threats and government initiatives to strengthen national digital security. Company registration is completed at the Office of Company Registrar (OCR) with minimum capital of NPR 100,000 for domestic companies and NPR 5 million for foreign investment.
For entrepreneurs and investors seeking to establish cybersecurity firms, understanding the legal requirements, licensing procedures, and compliance obligations becomes essential. This guide examines the step-by-step registration process, regulatory framework, and operational requirements for cybersecurity companies in Nepal.
Cyber security company registration in Nepal refers to the legal process of establishing a technology-based business entity specializing in information security services, cyber defense solutions, data protection, and digital risk management. Under the Companies Act 2063, cybersecurity firms are registered as private limited companies or public limited companies depending on scale and investment structure.
The cybersecurity sector in Nepal encompasses diverse services including network security, threat intelligence, vulnerability assessment, penetration testing, security auditing, incident response, and cloud security. These services are governed by the Electronic Transaction Act 2063, Individual Privacy Act 2075, and the forthcoming Information Technology and Cyber Security Bill 2080.
Unlike general IT companies, cybersecurity firms face additional regulatory scrutiny due to their involvement with sensitive data, critical infrastructure protection, and national security considerations. The Draft Cyber Security Bill 2024 mandates specific licensing for data centers and cloud service providers, with compliance requirements extending to security audits and data localization.
The cybersecurity legal framework in Nepal comprises multiple statutes and policies governing digital security operations:
| Legislation/Policy | Key Provisions | Applicability |
|---|---|---|
| Companies Act 2063 | Company incorporation, governance, shareholder rights | All cybersecurity companies |
| Electronic Transaction Act 2063 | Digital signatures, cybercrime penalties, security standards | Electronic security services |
| Draft IT and Cyber Security Bill 2080 (2024) | Data center licensing, CII protection, security audits, data localization | Data centers, cloud providers, critical infrastructure |
| National Cyber Security Policy 2023 | Strategic framework, institutional arrangements, capacity building | All cybersecurity operators |
| Individual Privacy Act 2075 | Personal data protection, consent requirements, breach penalties | Data processing companies |
| Data Act 2079 | Data governance, public data management, digital transformation | Government data contractors |
| Foreign Investment and Technology Transfer Act 2075 | FDI procedures, technology transfer, repatriation | Foreign-owned cybersecurity firms |
Draft Information Technology and Cyber Security Bill 2080 (2024):
This landmark legislation introduces significant requirements for cybersecurity companies:
National Cyber Security Policy 2023:
The Policy establishes a Steering Committee chaired by the Minister of Communications and Information Technology, with members including the Nepal Rastra Bank Governor, Secretaries from key ministries, and FNCCI President. This high-level coordination ensures cybersecurity alignment across government and private sectors.
Cybersecurity company registration in Nepal follows the standard company incorporation procedure with additional technology sector considerations. The process typically requires 7 to 15 working days for domestic companies and 30 to 45 days for foreign investment cases.
Visit the Office of Company Registrar website or office to verify name availability. Submit a name reservation application with three proposed names following naming guidelines. The name should reflect technology or cybersecurity services. Pay the prescribed fee of NPR 100 per name. Obtain name reservation approval, which remains valid for 35 days.
Naming Tips:
Draft the Memorandum of Association (MOA) defining:
Prepare Articles of Association (AOA) outlining:
Both documents must comply with Company Act 2063 requirements. For cybersecurity companies, clearly listing services in the objectives section is mandatory.
Required documents for cybersecurity company registration:
| Document Category | Specific Requirements |
|---|---|
| Identity Documents | Citizenship certificates of all promoters and directors (notarized) |
| Photographs | Recent passport-size photos of promoters and directors |
| Office Proof | Registered office rental agreement or ownership certificate |
| Bank Proof | Bank voucher showing minimum paid-up capital deposit |
| Consent Letters | Director appointment acceptance letters |
| Share Agreement | Share subscription agreement among promoters |
| Name Approval | OCR name reservation approval letter |
| Foreign Approval | DOIT approval for foreign investors (if applicable) |
Submit the complete application package to OCR with applicable registration fees.
The Office of Company Registrar reviews submitted documents for:
Upon satisfactory verification, OCR issues the company registration certificate with a unique company registration number. This certificate legally establishes the cybersecurity company's existence.
Visit the Inland Revenue Office with the company registration certificate to apply for Permanent Account Number (PAN). Submit PAN application with required documents and obtain PAN certificate immediately.
VAT registration is mandatory if annual turnover exceeds:
Most cybersecurity companies exceed these thresholds and must register for VAT.
Register the cybersecurity company at the local municipal office where the registered office is located. Submit:
Obtain municipal business operation license, which must be renewed annually.
Under the Draft IT and Cyber Security Bill 2080, data centers and cloud service providers must obtain specialized licenses from the Department of Information Technology within one year of the Bill's enactment. Security audit firms may require certification from relevant government security agencies.
Capital requirements vary based on company type and ownership structure:
| Company Type | Minimum Authorized Capital | Minimum Paid-up Capital | Foreign Investment |
|---|---|---|---|
| Private Limited (Domestic) | NPR 100,000 | NPR 25,000 (25%) | Not applicable |
| Private Limited (Foreign Investment) | NPR 5,000,000 | NPR 5,000,000 (100%) | Minimum NPR 5 million |
| Public Limited | NPR 10,000,000 | NPR 2,500,000 (25%) | Minimum NPR 50 million |
| IT Export-Oriented | NPR 100,000 | NPR 25,000 | NPR 5 million (foreign) |
Foreign Investment Notes:
After completing cybersecurity company registration, ongoing compliance obligations must be fulfilled:
| Compliance Category | Requirement | Frequency |
|---|---|---|
| Annual General Meeting | Shareholder meeting for financial approval | Within 6 months of fiscal year end |
| Annual Return Filing | Submission to OCR with financial statements | Within 1 month of AGM |
| Tax Returns | Income tax filing | By mid-January (Poush end) |
| VAT Returns | Monthly or quarterly based on turnover | Monthly/quarterly |
| Social Security Fund | Employee contributions | Monthly |
| Municipal License Renewal | Business operation permit | Annually |
| Cybersecurity Audits | Security assessment for CII companies | As mandated by Bill |
| Data Protection Compliance | Privacy Act adherence | Continuous |
Critical Compliance: 3-Month Rule
Within 90 days of registration, companies must file "Share Lagat" (Shareholder Details) at OCR. Failure results in compounding fines.
Cybersecurity companies must comply with Individual Privacy Act 2075 when handling personal data:
Key Compliance Requirements:
| Requirement | Implementation |
|---|---|
| Consent | Explicit written consent before data collection |
| Purpose Limitation | Data use limited to stated collection purpose |
| Security Measures | Encryption, access controls, authentication |
| Data Subject Rights | Access, correction, deletion, objection rights |
| Breach Response | Immediate mitigation and affected individual notification |
| Cross-Border Transfer | Restricted; government/financial/health data must stay in Nepal |
Penalties for Non-Compliance:
The Draft Cyber Security Bill 2080 mandates CII identification and protection:
CII Sectors Include:
CII Operator Obligations:
Opportunity for Cybersecurity Companies:
CII operators must engage licensed cybersecurity firms for audits and compliance, creating significant business opportunities for registered and certified companies.
Total Registration Costs:
| Cost Component | Amount (NPR) |
|---|---|
| Name Reservation | 100 per name |
| Company Registration Fee | 0.1% of authorized capital (min 1,000) |
| Stamp Duty on MOA/AOA | 1,000 |
| PAN Registration | Free |
| VAT Registration | Free |
| Municipal License | 500-5,000 |
| Legal Documentation | 10,000-50,000 |
| Notarization | 500-2,000 |
| Total Estimated | 15,000-75,000 |
Timeline Summary:
| Process Stage | Duration |
|---|---|
| Name Reservation | 1-2 days |
| Document Preparation | 2-3 days |
| OCR Verification | 3-5 days |
| Certificate Issuance | 1 day |
| PAN/VAT Registration | 1-2 days |
| Municipal Registration | 2-3 days |
| Standard Total | 7-15 days |
| Foreign Investment (with DOIT) | 30-45 days |
Cybersecurity company registration involves: (1) Name reservation at OCR, (2) MOA/AOA preparation with cybersecurity objectives, (3) Document submission with citizenship and office proof, (4) OCR examination and certificate issuance, (5) PAN/VAT registration at Inland Revenue Office, and (6) Municipal business licensing. Foreign investors require additional DOIT approval.
Domestic cybersecurity companies require minimum NPR 100,000 authorized capital with NPR 25,000 paid-up. Foreign investment requires minimum NPR 5 million fully paid-up capital. Public limited companies need NPR 10 million authorized capital.
Under the Draft IT and Cyber Security Bill 2080, data centers and cloud service providers must obtain licenses within one year of enactment. Security audit firms may require certification from government security agencies. General cybersecurity consulting currently operates under standard IT company registration.
Yes, foreigners can own cybersecurity companies with minimum NPR 5 million investment and DOIT approval under Foreign Investment and Technology Transfer Act 2075. Technology transfer agreements require separate approval. Profits can be repatriated according to NRB regulations.
Cybersecurity companies must comply with the Individual Privacy Act 2075, Data Act 2079, and Electronic Transaction Act 2063. The Draft Cyber Security Bill 2080 introduces additional data localization requirements for government, financial, and health data.
Standard registration takes 7-15 working days. Foreign investment cases require 30-45 days due to DOIT approval and Nepal Rastra Bank verification. Expedited processing is available for additional fees.
Ongoing compliance includes: annual general meetings, annual return filing with OCR, income tax returns by mid-January, monthly/quarterly VAT returns, Social Security Fund contributions, annual municipal license renewal, and cybersecurity audit compliance (when Bill enacted).
Yes, data localization is mandated under the Draft Cyber Security Bill 2080 for government, financial, and health service providers. Critical Information Infrastructure operators must store certain sensitive data within Nepal. Cross-border transfer restrictions apply.
Penalties include: up to 3 years imprisonment and NPR 30,000 fines under Privacy Act for data breaches; business license revocation; contract termination; and reputational damage. The Draft Bill proposes enhanced penalties for CII operators.
Opportunities include: CII security audits (mandatory under Draft Bill), government digital security contracts, banking sector compliance services, healthcare data protection, cloud security services, incident response, and cybersecurity training/education.
Operating cyber security company in Nepal presents significant opportunities in a rapidly growing digital economy. The Draft Information Technology and Cyber Security Bill 2080 and National Cyber Security Policy 2023 create a structured regulatory environment with mandatory compliance requirements driving demand for professional cybersecurity services.
For entrepreneurs and investors, understanding the registration process, capital requirements, licensing obligations, and compliance frameworks ensures successful market entry. The 7-15 day registration timeline for domestic companies and established legal protections under the Companies Act 2063 provide a favorable business environment.
With foreign investment permitted, data localization requirements creating service demand, and CII protection mandates generating audit opportunities, Nepal's cybersecurity sector offers promising prospects for registered and compliant operators.
Need Legal Assistance for Cybersecurity Company Registration?
Attorney Nepal PVT LTD specializes in IT company registration, cybersecurity compliance, foreign investment facilitation, and technology sector legal services. Our experienced team navigates OCR procedures, DOIT approvals, and regulatory compliance for cybersecurity entrepreneurs.
Contact us today for confidential consultation:
Register your cybersecurity company. Ensure full legal compliance.
Disclaimer: This blog provides general legal information for educational purposes only and does not constitute legal advice. Laws change frequently, and individual circumstances vary. Consult a qualified attorney for specific legal guidance. The Draft Information Technology and Cyber Security Bill 2080 is pending enactment—monitor official sources for updates.
March 17, 2026 - BY Admin