Nepal's Cybersecurity Landscape in 2026: NCA, NRB Mandates, and the Practical Reality
Nepal's cybersecurity framework has been progressively maturing. Where it sits in 2026 and what enterprises should know.
Nepal’s cybersecurity framework has been progressively maturing through 2020-2026. The combination of a more digitized economy, several high-profile incidents that pushed the regulatory conversation forward, and the broader regional context has produced a cybersecurity landscape that is meaningfully more developed than five years ago. I want to walk through where Nepal cybersecurity sits in 2026.

The institutional framework
National Cyber Security Authority (NCA) — established under the IT Act framework, the NCA is positioned as the lead national cybersecurity coordinator. The NCA’s mandate covers policy coordination, incident response, and the broader strategy.
Nepal Police Cyber Bureau — handles cybercrime investigation, with substantial 2020-2026 capacity expansion.
National ID Management Center — operational for the national digital identity program.
Nepal Rastra Bank (NRB) — sectoral cybersecurity oversight for banks, financial institutions, and payment systems.
Nepal Telecommunications Authority (NTA) — telecom-sector cybersecurity oversight.
Securities Board of Nepal (SEBON) — for capital markets cybersecurity.
The institutional architecture is more developed than five years ago, though substantially less mature than peer countries in the region.
NRB cybersecurity expectations
The Nepal Rastra Bank has been the most prescriptive sectoral regulator on cybersecurity:
BFI IT Guidelines (Banks and Financial Institutions IT Guidelines) provide the comprehensive framework for banking cybersecurity. The 2024 update tightened expectations around:
- Incident reporting with defined timelines.
- Information security organization at regulated entities.
- Asset management and inventory.
- Access control and identity management.
- Cryptography standards.
- Operations security.
- Communications security.
- System acquisition, development, and maintenance.
- Supplier relationships and third-party risk.
- Business continuity management.
The BFI IT Guidelines plus the Payment System Oversight Framework form the operational cybersecurity baseline for the financial sector.
The major incidents that shaped policy
Several incidents have shaped Nepal’s cybersecurity policy direction:
The 2017 NIC Asia Bank SWIFT incident — substantial fraudulent SWIFT messages were sent from NIC Asia’s account, resulting in significant losses (some recovered). The incident was a catalyst for tightened SWIFT-related cybersecurity expectations across the Nepali banking sector.
Various distributed denial-of-service attacks on government and bank websites through 2020-2024.
Several ransomware incidents at Nepali businesses, though typically less publicly disclosed than international equivalents.
Phishing campaigns targeting Nepali bank customers — particularly intense in 2022-2024 with substantial customer education response from banks.
The cumulative effect has been a more cybersecurity-aware regulatory environment.
What enterprises should be doing
For a Nepali enterprise in 2026:
- Cybersecurity program appropriate to the entity’s risk profile.
- Sector-specific compliance — NRB BFI IT Guidelines for financial entities; sector-specific for telecom, capital markets.
- Incident response capability with the appropriate notification paths.
- Vendor risk management — particularly important given the substantial use of international software and cloud services.
- Employee training — the substantial increase in phishing attacks targets employees primarily.
- Backup and recovery — for ransomware resilience.
- Information security policies appropriate to size and complexity.
The capacity-building challenge
A continuing challenge: Nepal’s cybersecurity workforce is small relative to the demand. Specialist cybersecurity engineers, SOC analysts, and security architects are scarce. The Nepal Engineering Council and Information Technology Professional Council have been developing certification frameworks; the supply takes time to develop.
Many enterprises rely on a combination of:
- Internal capability for routine work.
- Managed security service providers for substantial portions of operational work.
- International vendors for tooling.
The capacity-building work remains ongoing.
What’s coming in 2026 and 2027
Three things to watch:
The National Cyber Security Policy 2024 implementation continues through 2026-2028 with progressive rollout of specific initiatives.
The Data Protection framework under development affects cybersecurity expectations.
Regional cooperation with India and broader South Asia continues to develop.
Where pdpspectra fits
Our Kathmandu engineering team has substantial experience implementing cybersecurity programs for Nepali financial institutions, government entities, and enterprise clients. The combination of local context and international best practices has been our value proposition. Our team does this work.
Nepal cybersecurity is maturing. Talk to our team about your Nepal cybersecurity program.