Pursuant to Art. 3 of the Electronic Commerce Act, 2081 (2025), any firm, company, or institution that is duly registered and authorised under the prevailing law to trade in goods or services may engage in electronic commerce, subject to compliance with the Act.
Art. 4(1) further requires each business entity conducting electronic commerce to establish an electronic platform. Once the platform is established, Art. 5(1) obliges the business entity to submit an electronic application to be listed on the Department's electronic commerce portal. The application must include, inter alia, the business name and address, the registering authority, the registration certificate number, the VAT registration number or permanent account number, and contact details, including a telephone number, email address, social media link, and contact address.
In addition, Art. 1(3) provides that the Act applies throughout Nepal and also extends to persons residing or staying outside Nepal who supply goods or services within Nepal through electronic commerce.

In March 2021, Nepal’s central bank, the Nepal Rastra Bank (NRB), issued Forex Circular No. 10/2077-78 (dated 2077/12/08), amending the Unified Foreign Exchange Circular–2076 by introducing a new Clause 7 on foreign-currency prepaid cards for online purchases from abroad. This reform enabled licensed Class “A” commercial banks and national-level Class “B” development banks to issue foreign-currency prepaid cards, thereby opening access to international online payments that had previously been infeasible with cards issued by Nepali banks.
Clause 7 authorises the use of these cards for the purchase of goods and services online from overseas, but imposes an annual cap of USD 500 (or the equivalent in convertible currency). In practice, this cap limits the value of cross-border e-commerce transactions that individuals can conduct each year using such cards. This rule was subsequently incorporated into the Nepal Rastra Bank’s consolidated foreign-exchange unified circular framework, including Unified Circular-2079 (2022), which tightened the use of these USD 500 prepaid cards by restricting payments for specified merchant category codes, and later the Revised Unified Circular-2023.

It is reported that Nepal imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

Pursuant to Arts. 6 and 7 of the "Directives on the Operation of Social Networking 2023", operators of social network platforms (SNPs) are required to establish a point of contact within Nepal to handle grievances related to platform usage. This designated contact must identify and address content disseminated on social networks that violates the law. Additionally, under Art. 8, SNPs must develop algorithms and implement measures to prevent the dissemination of information that contradicts prevailing laws. According to Art. 3.7, the Ministry of Communications and Information Technology may ban any SNP from operating in Nepal if it does not comply with these requirements.
Art. 2 of the Directive defines SNPs as Internet or information technology-based operating systems available to the public, such as Facebook, TikTok, Viber, Pinterest, WhatsApp, Messenger, Instagram, YouTube, LinkedIn, WeChat, and others, that allow individuals or organisations to exchange ideas or information with each other or to disseminate user-created content.

It is reported that Nepal blocked Telegram in July 2025 due to government concerns about online fraud. It is further reported that, in September 2025, Nepal directed the blocking of 26 social media platforms, including Facebook, Instagram, WhatsApp, YouTube, X, LinkedIn, Reddit, Signal, and Snapchat, on the grounds that they had not enlisted with the Ministry as required under the Directives for Managing the Use of Social Networks, 2023. Reports indicate that, except for Telegram, these platform restrictions were subsequently lifted within the same year.

The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in Nepal for the year 2025. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

It is reported that the Nepal Telecommunications Authority (NTA), the executive authority for the supervision and administration of services in the telecommunications sector, is independent from the government in the decision-making process.

Section 9.4 of the IoT/M2M Regulatory Framework stipulates that personally‑indefinable information (that is, data that cannot be used to identify a specific individual) must be stored exclusively within Nepal. Moreover, at least one copy of all relevant data must be stored within Nepal. However, the provision does not specify what 'relevant data' is. Furthermore, the same provision encourages 'complete data localisation', which is also not clarified.

Pursuant to Rule 7A of the National Broadcasting Regulation, licensed over-the-top (OTT) operators offering services to customers or generating revenue within Nepal are obligated to establish a cache server in Nepal. These operators are required to register customers on a server located in Nepal before granting access to their content and must retain detailed customer information. Additionally, all transaction records must be securely stored on a Customer Management System Server. However, the regulation does not clearly define the term "Customer Management System Server" or specify whether such a server must be physically situated within Nepal and directly managed by the OTT service providers. The regulation defines OTT as the broadcasting of content on demand via the internet, encompassing media streaming services delivered through various platforms utilising internet connectivity

Section 3.7 of the "Data Center and Cloud Service (Operation and Management) Directives, 2081 (2025)" provides that, in the context of government data centres and cloud service provision, the security agencies of the government of Nepal are mandatorily required to use data centre and cloud services operated by the Integrated Data Management Center. According to its official website, the Integrated Data Management Centre operates under the Department of Information Technology and serves as the government of Nepal's implementing agency. Furthermore, Section 3.9 stipulates that, upon the commencement of the Directives, government bodies operating data centres and cloud services on a departmental or agency basis shall transfer such facilities to the government data centre within the timeframe specified by the steering committee; however, where a government body submits a request, supported by sufficient justification, to operate a primary or secondary site, the steering committee may grant consent for the operation of such a site based on its suitability.

Section 12.4 of the Privacy Act requires the consent of the data subject for the disclosing, making public, or transferring of the following data: details relating to a medical examination; details relating to property and income; further information relating to employment; details relating to family matters; biometric data and fingerprints; signatures or electronic signatures; further information concerning the political affiliation and voting; and further information about profession and business. The term 'transfer' may signify the transfer of personal data outside Nepal, thereby requiring specific consent from the individual. However, there is no clear evidence about the applicability of this requirement to cross-border data transfers.

Nepal has not joined any agreement with binding commitments to open transfers of data across borders.

Nepal lacks a comprehensive data protection regime. Nevertheless, the Individual Privacy Act 2075 (वैयक्तिक गोपनीयता सम्बन्धी ऐन, २०७५ ) enforces the constitutional right to privacy, incorporating provisions on the collection, storage, and disclosure of data, and mandates individual consent before the collection of personal information. Privacy in Nepal is further governed by the Individual Privacy Regulation 2077 (2020), which regulates the implementation of the Privacy Act, and the Data Act 2079 (2022), which regulates the generation, management, storage, and publication of data, delineating the responsibilities of data controllers, producers, and users.

Rule 8 of the National Broadcasting Regulation stipulates that Over-the-Top (OTT) service providers must maintain a record of the programmes they transmit for a minimum of 60 days. In addition, these records must be made accessible to the Ministry of Communications and Information Technology and other governmental authorities for investigations. The term "OTT" refers to the broadcasting of content on demand via the internet, encompassing media streaming services delivered through various platforms that utilise internet connectivity.

The Electronic Transactions Act establishes a safe harbour regime for intermediaries for copyright infringements. According to Art. 43, network service providers are not subject to criminal or civil liability arising from third-party content. The only exception is if the network service provider publishes the content, knowing it contravenes the law.