Cyber Crime Law in Nepal 2026: Offences, Penalties & Reporting

Most Nepalis discover cyber crime law the moment something happens to them. A hacked Facebook account at 11 pm. An OTP that turned out to be a bank-fraud setup. A sextortion message from a Telegram account that has already moved to a second number. A defamatory post that, by morning, has fifteen thousand shares. In that moment the relevant questions are not academic: which Section, which authority, how fast, what evidence to preserve, what bank to call, and what NOT to do (delete the chat history, confront the attacker, post a public denial). The framework that answers those questions is the Electronic Transactions Act 2063 (2008), the Cyber Bureau of Nepal Police at Bhotahiti, and a small constellation of supplementary statutes — the Privacy Act 2075, the Criminal Code 2074 defamation provisions, and, when it finally arrives, the Information Technology and Cybersecurity Bill 2080 (2024) that is poised to replace ETA.

This guide is the 2026 (2083 BS) pillar deep-dive on cyber crime laws in Nepal — the full statutory framework, the Chapter 9 cyber-offences catalogue (Sections 44 to 58), the section-by-section penalty map, the Cyber Bureau complaint procedure with the 9851286770 hotline and online portal, the first-48-hours evidence-preservation playbook, the social-media-platform coordination route through Meta / Google / TikTok / Viber liaisons, the 2022 Supreme Court directive on the misuse of Section 47 against journalists and social-media commentators, the supplementary statutes that work in parallel with ETA, the pending IT & Cybersecurity Bill 2080, and the forum split between the IT Tribunal and the District Court. For the dedicated law-text companion see our Electronic Transaction Act 2063 explainer; for the Cyber Bureau deep-dive see our Cyber Bureau Nepal guide; for related social-media offences see our social media crime laws guide.

Alpine Law Associates — Nepal Bar Council-registered cyber-law team handling Cyber Bureau complaints for victims of hacking, OTP fraud, sextortion and online defamation, and defence representation for clients charged under Section 47 or other cyber-offence provisions.

Speak with our lawyers today →

What law governs cyber crime in Nepal?

The principal statute is the Electronic Transactions Act 2063 (2008), enacted on 24 Bhadra 2063 BS and published in the Nepal Gazette as Nepal's first comprehensive cyber-law framework. The Act runs to 12 chapters and 80 sections; the cyber-offences chapter is Chapter 9, spanning Sections 44 to 58, and the rest of the Act covers electronic records, digital signatures, certifying-authority licensing, the Controller of Certifying Authorities, the Information Technology Tribunal, and the IT Appellate Tribunal. The Nepali statutory text is published by the Nepal Law Commission; the English translation is hosted on multiple government portals.

Three supplementary statutes operate in parallel with ETA:

• Privacy Act 2075 (2018) — Nepal's first dedicated privacy statute, governing the collection, processing and protection of personal data, with a 3-month complaint window to the District Court and penalties up to 3 years and NPR 30,000. The Act is constitutionally anchored in Article 28 of the Constitution of Nepal 2072, which makes privacy a fundamental right. See our privacy laws in Nepal guide.
• National Criminal (Code) Act 2074 (2017) — Sections 305 to 307 codify defamation: Section 305 (slander, oral defamation) up to 1 year and NPR 10,000; Section 306 (libel, written or published defamation) at a higher tier; Section 307 (defamation through electronic or mass media) adds an additional year on top of the base sentence. These provisions overlap with ETA Section 47 in many online-defamation prosecutions. See our Nepal defamation law guide.
• BAFIA 2073 and Children's Act 2075 — sector-specific statutes that overlay cyber offences: BAFIA covers banking-fraud and unauthorised financial transactions where cyber means are used; the Children's Act covers online sexual offences and exploitation involving minors with stricter penalties.

The investigating authority for cyber crime is the Cyber Bureau of Nepal Police, headquartered at Bhotahiti, Kathmandu, established in 2017 under the Central Investigation Bureau (CIB). The Bureau coordinates nationally with District Police Offices and internationally with Meta, Google, TikTok, Viber and Interpol for cross-border evidence retrieval. The Bureau operates the online complaint portal at cyberbureau.nepalpolice.gov.np, the 24-hour hotline 9851286770, and the email channel cyberbureau@nepalpolice.gov.np.

What are the cyber offences under ETA Chapter 9?

Chapter 9 of ETA 2063 (Sections 44 to 58) catalogues the cyber-specific offences with their penalties. The principal offences in everyday practice:

• Section 44 — Pirating, destroying, or damaging computer source code. Knowingly destroying, altering, or pirating computer source code that is required by law to be maintained. Punishment: up to 3 years imprisonment, fine up to NPR 200,000, or both. This is the source-code-integrity provision, primarily relevant to software firms, audit cases, and intellectual-property disputes.
• Section 45 — Unauthorised access (hacking). Knowingly accessing any computer, computer system or network, or any information stored on it, without authority. Up to 3 years and NPR 200,000. This is the headline "hacking" provision — used in Facebook account takeovers, email-account compromise, server intrusions, and password theft cases.
• Section 46 — Damage to computer or data. Knowingly damaging, deleting, or disrupting any computer, data or network. Same penalty band. Used for malware deployments, DDoS attacks, and intentional data destruction.
• Section 47 — Publishing illegal electronic content. Publishing or displaying any material in electronic form that is contrary to law, contrary to public morality or decent behaviour, that spreads hatred against any caste community religion or nationality, or that constitutes defamation, harassment or insult. Punishment: up to 5 years imprisonment, fine up to NPR 100,000, or both. This is the single most-prosecuted ETA provision and the principal subject of free-speech criticism (see below).
• Section 48 — Confidentiality of information. Disclosure of confidential information accessed in the course of employment under the Act. Reserved primarily for breaches by certifying authorities and IT-tribunal staff.
• Section 49 — Pirating software / circumventing copy protection. Copying, distributing or selling unauthorised software. Covers software piracy and licence circumvention.
• Section 51 — Computer fraud. Obtaining property, services, or financial advantage by deceit through a computer system. Up to 2 years and NPR 100,000. This is the OTP-fraud, phishing, social-engineering, and crypto-scam provision in everyday casework.
• Section 52 — Abetment of cyber offence. Aiding, encouraging, or facilitating any cyber offence. Up to NPR 50,000 fine.
• Sections 53–58 — Procedure, prosecutor designation, investigation powers, and the IT Tribunal framework.

The penalty bands in Chapter 9 were set in 2008 and have not been increased by Finance Act amendments since — the NPR 100,000 to NPR 200,000 figures reflect 2008 price levels. Prosecutorial practice and the IT Tribunal sentencing range have moved with general inflation, but the statutory caps remain at the 2008 figures pending the IT & Cybersecurity Bill 2080 (2024) reform.

The Cyber Bureau — where complaints are filed and investigated

The Cyber Bureau of Nepal Police at Bhotahiti, Kathmandu is the gateway authority for every cyber-crime complaint in the country. It was established in 2017 under the Central Investigation Bureau (CIB) framework, and operates with national coordination through District Police Offices and international coordination through Meta, Google, TikTok, Viber and Interpol for evidence retrieval on cross-border investigations. Contact channels:

• Online portal: cyberbureau.nepalpolice.gov.np — click "Online Complaint / उजुरी दर्ता", fill identity and contact details, upload evidence files.
• Hotline: 9851286770 (24 hours), plus the office numbers 01-4219044 / 01-4214400.
• Email: cyberbureau@nepalpolice.gov.np — short factual summary with evidence attached.
• In person: Cyber Bureau office, Bhotahiti, Kathmandu (inside the Valley); outside the Valley, complaints can be filed at the nearest Nepal Police District Office, which forwards to the Bureau.

For our dedicated walk-through of the complaint process, evidence requirements, expected timelines, and what happens after filing, see the Cyber Bureau Nepal guide.

What to do in the first 48 hours after a cyber attack

The first 48 hours after a cyber incident decide whether the file gets resolved or becomes one of the 70%+ of cyber complaints that stall at evidence stage. The discipline:

1. Preserve evidence without confronting the attacker. Take full-screen screenshots that include the URL bar, the date/time stamp, and any visible profile identifiers. Export chat histories (WhatsApp, Viber, Telegram, Messenger all have export functions). Save transaction receipts and bank SMS messages. Do not delete the chat or message — even if it is distressing — because deletion destroys evidence.
2. Do not respond to the attacker. Any reply, denial, or counter-allegation can be screenshotted by the attacker and used against you. Block the account silently and preserve evidence.
3. For financial fraud — call your bank immediately. Nepal Rastra Bank directives require banks to attempt transaction reversal within 24 hours where the customer reports the fraud promptly. The bank also raises an internal alert to the receiving bank, which may freeze the destination account before withdrawal. Speed determines whether the money is recoverable.
4. File the Cyber Bureau complaint within 48 hours. Use the online portal or the hotline; provide all the preserved evidence; obtain the complaint reference number. The reference number is the file identifier for all subsequent follow-up.
5. Notify the platform. Facebook, Instagram, TikTok, Telegram, and the others each have abuse-reporting flows that operate independently of the Cyber Bureau. Reporting parallelly may result in faster account removal, even before the Cyber Bureau's formal investigation reaches the platform.
6. Engage counsel for serious cases. Where the case involves sextortion (escalating threats), financial loss over NPR 100,000, doxxing, or impersonation of a public figure, engage counsel within the first 48 hours. Counsel can coordinate evidence preservation, bank-freeze applications, platform escalation, and Cyber Bureau follow-up in parallel.

Section 47 — the most-prosecuted and most-criticised provision

Of all the ETA 2063 cyber-offences, Section 47 is the one most likely to land in a real prosecution and the one most criticised by free-speech advocates. The section punishes publication or display of any electronic material that is "contrary to law, contrary to public morality or decent behaviour, that spreads hatred against any caste community religion or nationality, or that constitutes defamation, harassment or insult." The penalty is up to 5 years imprisonment, a fine up to NPR 100,000, or both. The deliberately broad drafting was useful in 2008 when the offence catalogue was being built quickly; the same breadth has, by 2026, become the operational concern.

Section 47 has been used in several contested categories of case:

• Revenge-content and image-without-consent cases — non-consensual sharing of intimate images, including sextortion material. This is the use-case where Section 47 is least controversial: the prosecution interest aligns with victim protection.
• Cyber-defamation cases — defamatory posts on Facebook, Twitter (X), TikTok and other platforms. Overlap with Criminal Code 2074 Sections 305-307 (slander, libel, electronic-media surcharge); prosecution sometimes proceeds on both bases.
• Hate-speech and incitement cases — posts targeting caste, ethnic, religious or national groups. The "spreads hatred" language is directly engaged.
• Critical-commentary cases against journalists and social-media commentators — the controversial category. Section 47 has been invoked against political commentary, satire, criticism of public figures, and investigative reporting. The Supreme Court issued a 2022 directive instructing the Government to tighten the Cyber Bureau's use of Section 47 to prevent abuse, and the draft IT & Cybersecurity Bill 2080 proposes to split the offence into narrower categories (defamation, hate speech, obscenity) each with clearer definitions.

For practical purposes in 2026, Section 47 is the live legal risk for anyone publishing critical or polemical content online in Nepal. Defence work routinely turns on (a) whether the alleged speech qualifies as "publication" within the section's scope, (b) whether the speech falls within a recognised exception (fair criticism, public-interest commentary), and (c) procedural compliance with the Supreme Court directive.

How does prosecution work — IT Tribunal vs District Court?

ETA 2063 establishes a dedicated Information Technology Tribunal as the first-instance forum for cyber-offence cases, with appeals to the Information Technology Appellate Tribunal. In practice, the forum split is more nuanced:

• Pure ETA cases — IT Tribunal. Where the offence is exclusively under ETA Chapter 9 (unauthorised access, source-code piracy, computer fraud without independent criminal-code engagement), the IT Tribunal is the trial court.
• Mixed cyber + criminal-code cases — District Court (often). Where the cyber offence overlaps with a Criminal Code 2074 provision (defamation under Sec 305-307, fraud, harassment, threat), prosecution often proceeds at the District Court under combined charges, with the cyber dimension as one count in a multi-count file.
• Privacy Act cases — District Court directly. The Privacy Act 2075 has its own 3-month complaint window and routes complaints to the District Court of the complainant's residence, not the IT Tribunal.
• Children's Act 2075 overlay — District Court with child-protection procedure. Online offences against minors fall under the Children's Act framework, with specialised procedures including in-camera proceedings and child-protection-officer involvement.

The result, in everyday Cyber Bureau practice, is that the same incident may travel either to the IT Tribunal or the District Court depending on the charges the prosecutor elects. Defence counsel tracking a Cyber Bureau file should clarify the prosecutorial direction early, because the procedural rules, evidence framework, and sentencing range differ between the two forums.

The Privacy Act 2075 overlay

The Privacy Act 2075 (2018) is Nepal's first dedicated data-privacy statute, anchored in Article 28 of the Constitution of Nepal 2072 (privacy as a fundamental right). Where a cyber incident involves unlawful collection, use, or disclosure of personal data — independent of any ETA offence — the Privacy Act provides a separate remedy. Key operational features:

• Coverage: Bodily privacy, residential privacy, property privacy, personal data, electronic information, correspondence, and reputation.
• Consent requirement: Personal data may not be collected or processed without the individual's consent, except in defined statutory exceptions.
• Data-subject rights: Right to confidentiality, right to know about collection, right to access own data, right to rectification, right to erasure, right against unauthorised processing, and right to file a complaint with compensation.
• Forum and limitation: Complaint filed at the District Court of the complainant's residence within 3 months of the incident — a short window that catches many complainants out.
• Penalty: Up to 3 years imprisonment, fine up to NPR 30,000, or both. The fine cap is modest by international standards but the criminal-conviction record is the operative deterrent.
• Limitation: Unlike the EU GDPR, the Privacy Act has no dedicated data-protection authority, no mandatory breach-notification requirement, and no substantial financial penalties — gaps the data-protection community is pressing to close.

For the full privacy framework, the consent rules, the data-subject rights inventory, and the practical compliance discipline see our privacy laws in Nepal guide.

The pending IT & Cybersecurity Bill 2080 (2024)

ETA 2063 is now 18 years old. The Information Technology and Cybersecurity Bill 2080 (2024) was introduced in Parliament to replace ETA with a modern framework covering data protection, cybersecurity, critical-infrastructure protection, digital identity, certifying authorities, and an expanded offence catalogue with updated penalty bands. Civil-society groups including Digital Rights Nepal, Forum for Women Law and Development, and journalist associations have raised concerns about several provisions:

• Free-speech provisions — the replacement for Section 47 retains broad language that critics argue could continue the same misuse pattern against journalists and social-media commentators.
• Surveillance authorisations — provisions allowing data interception and metadata collection by designated agencies without clear judicial oversight thresholds.
• Platform-licensing requirements — mandatory local representation and licensing for foreign social-media platforms, with the September 2025 platform-ban episode as the live case study.
• Data-protection authority — the bill creates a regulator but the autonomy and resourcing provisions are seen as inadequate compared to international peer regulators.

The bill's passage timeline is uncertain. Practitioners should assume ETA 2063 remains the operative framework through 2026 and into the medium term, with the IT & Cybersecurity Bill 2080 framework as a planning consideration for medium-term compliance design rather than an immediate change.

How can Alpine Law Associates help?

Alpine Law Associates handles cyber-crime work from both ends — representing victims of hacking, OTP fraud, sextortion, online defamation, image-without-consent breaches, identity theft, and online harassment, and providing defence representation for clients charged under Section 47 or other cyber-offence provisions. Our cyber-law team is registered with the Nepal Bar Council and coordinates Cyber Bureau complaints, bank-freeze applications for financial fraud, platform-escalation through Meta / Google / TikTok / Viber abuse channels, and follow-through to the IT Tribunal or District Court depending on offence type.

For related work see our ETA 2063 explainer, Cyber Bureau Nepal guide, social media crime laws guide, privacy laws guide, and defamation law guide. As a full-service law firm in Nepal with a dedicated criminal-law practice area, we coordinate cyber-crime work alongside the broader criminal-law and corporate-data-protection workstreams in a single counsel relationship.

Speak with our lawyers today →

Last reviewed: April 2026