
Nepal’s Digital Push Faces Rising Cybersecurity Risks Amid Weak Legal Frameworks

Bijay Limbu

Chaitra 20, 2082, 15:34


Over the years, I have been closely observing the haste shown by South Asian governments in pursuing digital transformation. The pattern is familiar: new portals are launched, ministers proudly showcase dashboards, and citizens are happy at first. But within six months, a data breach occurs somewhere, and citizens’ sensitive information ends up being sold on some hacker forum.

Government officials then issue generic statements saying, “We are taking this seriously.” After that, the situation often remains unchanged. This time, I hope the situation will be different for Nepal. But looking at the current state, I cannot be that confident.

The dream is big, but so is the risk.

The 100-point ‘Government Reform Agenda’ of Prime Minister Balendra Shah (Balen) is one of the boldest steps in the history of Nepal. The agenda includes plans such as faceless passport distribution (so that citizens do not need to visit government offices), access to all government services through a single national ID, digital records of citizens’ financial assets, electronic health records in all government hospitals, and a centralized platform linking all 17 ministries directly to the Prime Minister’s Office.

This is certainly impressive. It is equally necessary. But its foundation is based on the framework of the cybersecurity law written in 2008.

This means that Nepal’s basic cyber law, the Electronic Transactions Act 2063, was drafted before the iPhone even existed. Since this law was implemented before modern digital risks like cloud computing and ransomware emerged, it has not been able to adequately address such problems today.

New laws such as the Privacy Act 2075 and the National Identity Card and Registration Act 2076 have been introduced. But all of them are fragmented and lack integration. They have not been able to encompass a complete digital governance system.

The undiscussed problem of national identity cards

This is the issue that worries me the most. All the digital agendas within the entire 100-point list are focused on a single matter: treating the national identity card as the sole, universally accepted basis for accessing every government service. This is a risky approach because if something goes wrong, the entire system could collapse.

In engineering, there is a rule of ‘never create a single point of failure.’ However, Nepal is doing exactly that for its 30 million citizens. If there is a mistake in just one system or if data is stolen, the country's entire system could come to a halt. Therefore, the national identity card is not only a risk but also a “ticking time bomb.”

Think once about what its practical meaning might be. If someone breaches the national ID database (and such attempts are inevitable over time), they do not steal only one type of data. They gain access to your health details, financial information, citizenship documents, and if you are a government employee, even sensitive employment records. In other words, they could have access to a person’s entire digital identity.

It is not that there are no laws related to identity management and privacy in Nepal. However, there is a lack of a detailed legal framework that sets clear technical and operational standards which includes the following issues:

  • Data Storage and Encryption

  • Access Control and Authentication

  • Biometric Data Protection

  • Incident Response and System Compromise

The National Identity Card and Registration Act, 2076 has clarified who should be issued an identity card. However, it has neglected how the collected data should be secured. This is not just a flaw in drafting but a structural design gap. In the context of managing the biometric data of millions of citizens, which is irreplaceable, this gap is critical.

Countries like India took years to address security weaknesses in systems like Aadhaar. Similarly, Estonia took nearly two decades to build a mature and secure digital identity system. Meanwhile, Nepal is proposing to immediately make the national identity card the backbone of multiple systems without establishing adequate safeguards.

Lack of a data protection authority

The Privacy Act 2075 has made provisions that require citizens’ information to be mandatorily kept secure. However, there is no separate ‘Data Protection Authority’ (a body responsible for data security) in Nepal to implement these privacy rules, investigate data theft, punish the guilty, or protect citizens’ rights over their personal data.

It is already the year 2026, yet such an authority has still not been established. Meanwhile, for the first time in Nepal’s history, the government is taking steps to centralize as much citizens’ data as possible. Health records, financial information, complaints, performance records of civil servants; all of these are being stored in government systems. However, there is no independent regulatory body to monitor how this data is handled or protected.

This is not just a common administrative weakness, but also an institutional gap in Nepal’s digital governance.

What happens if something goes wrong?

If not today, then tomorrow, some problem will certainly arise in any system. This is due to the nature of complex systems rather than pessimism. So what happens then?

Currently, Nepal lacks a clear legal framework requiring mandatory data breach notification. For example, if a digital health record system is compromised (hacked), there is no concrete legal obligation to inform the affected patients within a specific time. Similarly, if data from any financial or administrative database is breached, there is no legal obligation with standards to notify the regulatory authorities or the general public in a timely manner.

This is not a hypothetical concern. Nepal has already experienced numerous incidents where data has leaked and systems have been compromised on government platforms, including public service portals and administrative databases. Such incidents often show the same pattern: a data breach occurs, a general statement is issued, and after that there is no systematic follow-up. The lack of clear legal responsibility seems to encourage this kind of trend.

Other countries have addressed this weakness through clear legal frameworks. For instance, the European Union’s ‘General Data Protection Regulation’ (GDPR) has a mandatory requirement to report certain types of data breach incidents within 72 hours. Countries like Australia have implemented systems that require compulsory notification after experiencing data breach incidents.

In contrast, Nepal has not yet been able to establish any legal mechanism comparable to this.

So what else can Nepal improve?

In my opinion, it is absolutely right to move this agenda forward. Nepal also needs it. The ‘Gen-Z’ generation, which played an important role in bringing Balen Shah to power, has been waiting for a long time for a government that actually works.

However, digital transformation done incorrectly is not only likely to fail but also proves to be very expensive. It becomes publicly exposed and creates an environment that erodes people’s trust for years. I have seen similar situations occur in other countries as well. In fact, when citizens’ data is stolen from government systems, they are angry at the hackers, but at the same time, they also lose trust in the entire digital government. Once a country has fallen into such a pit of distrust, it is difficult to climb out of it.

The good news is that Nepal still has time to strengthen its foundation. Many systems are not fully operational yet. The national ID card has still not become a universally mandatory standard everywhere. The financial record system is also not fully operational. We possibly still have 60 to 90 days. If the legal infrastructure and security testing are properly invested in during this period, instead of repairing after an incident, it is possible to give the right direction from the start on how to build these systems securely.

What should the Nepal government do?

1) Implement a comprehensive data protection law: Building on and further strengthening the Personal Privacy Act, 2075, a comprehensive ‘Data Protection Law’ should be introduced. This should establish clear principles regarding data processing, users’ rights (access, correction, and deletion), consent, accountability, and cross-border data governance.

2) Establish an independent Data Protection Authority: In order to maintain data protection in both public and private sectors and to monitor compliance, a ‘Data Protection Authority’ with sufficient legal powers, resources, and autonomy needs to be established as envisioned by the Privacy Act, 2075.

3) Implement a separate Cybersecurity Act: Implement a separate ‘Cybersecurity Act’ to address the gaps that could not be fully covered by the Electronic Transactions Act, 2063, and the National Cybersecurity Policy, 2080, providing a clear legal framework and institutional authority for cybercrime prevention, protection of critical infrastructure, and ‘incident response.’

4) Develop a Cybersecurity Manual for National Identity Cards: Draft a detailed cybersecurity guideline for the national identity card system in accordance with the essence of the National Cybersecurity Policy, 2080, to keep sensitive biometric and identity-related data secure.

5) Make ‘Data Breach Notification Mandatory’: Under the existing legal framework (for example: the Personal Privacy Act, 2018 and the Electronic Transactions Act, 2006), issue the ‘Regulations on Mandatory Data Breach Information.’ This should make it obligatory to promptly inform the relevant authority and the affected individuals in the event of a data breach.

6) Improve and strengthen ‘ITERT’: Further improve and strengthen the ‘Information Technology Emergency Response Team (ITERT)’, established under the 2075 directive, by ensuring its clear mandate, technical capacity, and operational autonomy.

7) Enhance the capacity of the National Cyber Security Center: In accordance with the objectives of the ‘Digital Nepal Framework’ and the ‘National Cyber Security Policy, 2080’, increase the authority, coordinating role, and financial resources of the ‘National Cyber Security Center.’

Last updated: Chaitra 22, 2082, 11:23