While Nepal’s digital infrastructure has expanded immensely over the last decade, its capacity to defend itself against the rising wave of cyber threats has not kept pace. This asymmetry has left the country vulnerable to attacks that can potentially erode national sovereignty, destabilise financial systems and degrade public confidence.

In recognition of these challenges, the government has taken some key actions. The introduction of the Cyber Security Policy 2024 and the creation of the National Cyber Security Centre demonstrate a more decisive policy priority for cybersecurity. Initiatives like the National Cybersecurity Conference have attempted to facilitate cross-sectoral cooperation. Awareness-raising, however, is only the beginning. The lack of effective legal frameworks, coordinated institutions and operational mechanisms continues to expose Nepal to serious threats ranging from cyber espionage by adversarial foreign agencies and ransomware attacks on essential services, to the spread of politically motivated disinformation.

The reality is clear: Cybersecurity today is national security. A few years ago, one of Nepal’s top commercial banks nearly lost its entire digital infrastructure to a cyberattack. A technical fluke saved its master database server, narrowly avoiding collapse. In another instance, the withdrawal of a foreign software vendor halted a critical national-level operation for over a year. These incidents underscore how tightly our national security is interwoven with digital systems. The failure of a single system can disrupt critical services and threaten public safety.

Locally developed technologies

Addressing Nepal’s cybersecurity challenges demands urgent reforms on multiple fronts. First, the country must take control over strategic sector applications. Critical services such as government emails, communications and mapping should be hosted and operated within Nepal, using locally developed technologies. Continued reliance on foreign platforms like Google Maps or Gmail carries geopolitical risks. Nepal must invest in local tech startups developing open-source alternatives such as “Galli Map”, ensuring service continuity even during international crises. Yet, as of today, we lack investment in sovereign tech, laws mandating data localisation and contingency planning for foreign platform shutdowns.

Another imperative is reducing reliance on foreign tech vendors. Much of Nepal’s government infrastructure runs on foreign-made hardware and software, which may already be compromised with backdoors. We must prioritise building secure local alternatives, such as encrypted national communication platforms, to replace tools like WhatsApp or Viber in government use. Open-source tools like Quantum Geographic Information System (QGIS) can replace foreign geospatial software for national mapping tasks.

Fintech regulation

Nepal’s fintech industry, which has grown with lightning speed in recent decades, also needs to be regulated so that its cybersecurity can keep up with its innovation speed. Regulatory bodies, such as Nepal Rastra Bank, should adopt international norms and standards for cybersecurity, like ISO/IEC 27001 or PCI DSS, to ensure platform integrity and protect user information. Practices including securing APIs, reporting breaches and planning incident response should be implemented to build long-term user trust and financial stability and growth.

A clear and safe 5G strategy is essential on the frontier of telecom innovation. Nepal must ensure that core network components of 5G are not supplied by vendors that have potential geopolitical risks. A transparent vendor assessment process and blocklist/allowlist approach are required. Like India and other regional players, Nepal must begin phasing out high-risk vendors in sensitive sectors, supported by open-source alternatives. Currently, there are no vendor audits, independent hardware verifications or a 5G transition plan that prioritises national interest.

Institutionalising cybersecurity

Cybersecurity must also be institutionalised through strategic international cooperation. Nepal needs formal cyber defence agreements and intelligence-sharing partnerships, but without overdependence on any single power bloc. A centralised, accountable cyber incident response body must be established, replacing the current fragmented and under-resourced structures. While Nepal’s Security Operations Centre (SOC) exists, it lacks jurisdiction and manpower to respond across sectors.

Equally pressing is the need to counter AI-powered disinformation campaigns. Generative AI has amplified misinformation at unprecedented scales. Nepal must invest in AI-based monitoring systems and fact-checking tools to detect and counter deepfakes, botnets and foreign influence operations. A dedicated Digital Integrity Unit should be formed with real-time surveillance and mitigation capabilities to secure public discourse.

Insider threats are another blind spot. Government systems administrators, contractors and technical personnel must undergo strict vetting to prevent internal sabotage. Regular tabletop exercises (TTX) must be mandated to ensure preparedness across ministries and security agencies.

Legal reform concerning cybersecurity is long overdue. Nepal needs an up-to-date, all-encompassing Cybersecurity Act. It should mandate a 72-hour breach notice, ransomware, espionage and deepfake use as an offence, and label industries like healthcare, fintech and data centres as critical infrastructure. These should be enacted into law and supported with an explicitly stated cybersecurity governance framework. That is not all. Cyber awareness must also be made a public agenda. Cyber hygiene and media literacy must be taught at schools and in the workplace to build an informed cyber society. Public servants need training programmes, and regular civilian-military cyber drills can build national readiness from scratch.

In terms of military preparedness, Nepal must take cues from its neighbours. India has a dedicated Defence Cyber Agency. Pakistan and Bangladesh also maintain military cyber units. Nepal must establish a formal military cyber command under the Nepal Army, capable of both defensive and offensive cyber operations. This unit should lead cyber war-gaming exercises and be empowered to engage in deterrent and pre-emptive actions during a national cyber crisis. Our current SOC only monitors activity that it cannot actively defend. A robust cyber command must coordinate with civilian agencies and respond to advanced threats in real time.

Critical hardware supply chains also need urgent reform. Third-party audits of imported defence, telecom and energy technologies are essential. Devices must be tested for firmware integrity and resistance to tampering. A secure sourcing protocol must be enforced, with risk-based vendor approval processes and customs checkpoints for strategic imports.

A national cybersecurity framework is also essential to support the private sector, especially during ransomware incidents or major breaches. Nepal needs a unified Computer Emergency Response Team (CERT) that can respond across sectors from fintech to private data centres. Currently, there is no single command chain to manage cyber crises, resulting in delays and potential escalation.

Finally, Nepal must plan to build internet resilience through satellite backup systems. Our current connectivity is almost entirely contingent on fibre-optic links through India, with minimal redundancy. Under natural disasters, geopolitical tension or sabotage, Nepal risks being digitally cut off. Strategic cooperation with providers like “Starlink” could offer high-availability backup connectivity for both defence and civilian use. We must act now to strengthen our cybersecurity posture.