Chapter–1 Preliminary
1. Short Title and Commencement:

(1) These Rules may be called â€œElectronic Transaction Rules, 2064 (2007) .
(2) These Rules shall come into force immediately.

2. Definitions: In these Rules, unless the subject or context
otherwise requires,-

(a) “Act” means the Electronic Transaction Act, 2063 (2006).
(b) “Auditor” means a person appointed under Rule 26 for auditing the annual work performance of the Certifying Authority.

Chapter-2
Procedures of Electronic Record and Generation and Security of Digital Signature
3. To Certify Electronic Record:

(1) A person intending to certify the electronic record or the information kept in electronic form by digital
signature may certify such record or information by fulfilling the following procedures:-

(a) by creating hash result by the use of hash function by means of software contained in one’s computer,
and
(b) by creating a digital signature from the result under Clause (a) by the use of private key of the person
affixing the digital signature by means of software.
(2) Any electronic record certified by digital signature created under Sub-rule (1) and the digital signature certifying such record shall be deemed to be a legally recognized electronic record and digital
signature.

4. Verification of Digital Signature: While verifying any electronic record or information certified through the digital signature under Rule 3 by creating a new digital signature having used public key by means of hash function, the digital signature contained in such electronic record or information, as the case may be, shall be deemed to be of originator’s electronic record or information if the verifying software verifies the digital signature by showing the following conditions:

(a) If such digital signature corresponds to the digital signature created after tallying with the public key of the person affixing the digital signature.
(b) If the hash result extracted by means of public key by the  verifier and the original hash result extracted from the digital signature contained in the electronic record are identical.

5. Secured Electronic Signature and Record:

1) if the result under Clauses (a) and (b) of Rule 4 is generated, while testing and verifying any digital signature created under Rule 3, then such a digital signature shall be deemed to be a secured digital signature.

(2) If the result under Clauses (a) and (b) of Rule 4 is generated, while testing and verifying any electronic record certified by the digital signature under Rule 3, then such an electronic record shall be deemed to be a secured electronic record.
(3) If there is a ground to believe that no change of any type has been made by any means in the electronic record tested and verified under Sub-rule (2), from the time of its generation in electronic structure to the time of its test and verification, then such a record shall be deemed to be an electronic record.

6. Quality Standard Concerning Information Technology to be maintained by the Certifying Authority:

(1) The parameter of standard of quality of service relating to information technology required to be maintained by the Certifying Authority shall be such as may be specified, from time to time, by the Controller.

(2) Where the quality standard is not specified under Sub-rule (1), the parameter of a quality standard of service relating to information technology to be maintained by the Certifying Authority shall be as specified in Schedule 1.
(3) The parameter of quality standard specified by the Controller under Sub-rule (1) shall have to make public by publication of notice in any national-level daily newspaper.

7. Receipt of Acknowledgement of Electronic Record: Except in a case where the originator specifies in relation to any electronic record that such an electronic record shall be binding on him only after the receipt of information or acknowledgement of receipt of such electronic record by him/her from addressee; the information or the
acknowledgement of receipt obtained from the addressee of the electronic record shall be received already by the originator within a period of Three days from the date of receipt of such an electronic
record. Provided that, the duration under this Rule shall not be applied where the matter of exchange of any electronic record has been accepted by a mutual agreement between originator and addressee.

8. Time of Receipt of the Electronic Record: Except as otherwise agreed between originator and addressee, any electronic record shall be  considered to have been received at the following time:
(a) The time of receipt of record sent to any computer system owned or operated by addressee him/herself and to the address of the system which has been received in such computer system.
(b) The time of receipt of such information from the computer system by the addressee in the circumstance other than those referred to in Clause (a).

Chapter-3 Provision relating to Controller and Certifying Authority

9. Qualification of Controller:

(1) Government of Nepal may appoint a person having the following qualification in the Office of Controller:-
(a) One who has obtained at least Bachelor Degree in law from a recognized academic institution and who has at least Ten years of experience in the field of information technology; or
(b) One who has obtained at least Master’s Degree in information technology or in any subject equivalent  thereto from a recognized academic institution and who has at least Ten years of experience in the field of information technology.
(2) Government of Nepal shall, in order to appoint a person in the Office of the Controller from among the persons having qualification under Sub-rule (1), invite application publicly.
(3) Government of Nepal shall, on the basis of suitability, appoint a person in the Office of Controller from among the applicants received upon the invitation of application under Sub-rule (2).

10. Terms of Office, Conditions of Service and Facility of Controller:

(1) The term of office of the Controller appointed under Rule 9 shall be of Five years and he/she may be reappointed.
(2) Other terms and conditions and facilities of service of the Controller shall be as specified by Government of Nepal at the time of appointment.

11. Functions, Duties and Powers of the Controller: In addition to the functions, duties and powers referred to in Section 14 of the Act; other functions, duties and powers of the Controller shall be as follows:

(a) To monitor, cause to be monitored the functions performed by the Certifying Authority;
(b) To carry out necessary supervision in relation to the matter as to whether or not the Certifying Authority has performed the duties as referred to in the licence , and, if it is not found to have been performed, cause it to be done accordingly;
(c) To specify the quality standard of service to be rendered by  the Certifying Authority;
(d) To specify the terms required to be specified at the time of issuance of a licence to the Certifying Authority;

(e) To appoint an auditor as per necessity;
(f) To monitor the functions and activities to be performed by the Auditor;
(g) To perform such other functions as may be specified by Government of Nepal from time to time; and
(h) To perform such other functions as may be required to implement the objectives of the Act and these Rules.

12. Application to be filed for the Licence for Certification:

1) Any person, firm or company having the following qualification, desirous to act as a Certifying Authority, shall have to file an application along with the application fee of Five Hundred Rupees to the Controller in the
format as referred to in Schedule-2:
(a) One who has paid-up capital of at least Ten Million Rupees or the assets equivalent thereof;

(b) In case of a foreign firm or company where at least twenty per cent shares are under the ownership of a
Nepali citizen or firm or company; Provided that, the Controller may provide such exemption from not applying the provision of this Clause wholly or partly, as he/she deems fit, to a firm or company desirous to act as a Certifying
Authority that agrees a condition to fulfill (recruit) all the workers or employees from among the Nepali citizen having produced also necessary technical human resource in Nepal within one year from the date of operation and executes a contract accordingly.

(c) One who has technical human resources required for performing the functions as a Certifying
Authority;
(d) One who has at least Ten years of experience in computer related works;
(e) Where there is no person as a board of director who has been convicted by a court in any criminal
offence.
(2) The following documents shall be included in the application to be filed under Sub-rule (1):
(a) Certificate of registration of the firm or company;
(b) Other necessary documentary evidence certifying the paid-up capital and assets of the firm or
company;

(c) An original copy of bank guarantee equivalent to  Two Million Five Hundred Thousand Rupees with a time period of Six months issued by any commercial bank within the Nepal as a warranty for commencing the act of certification within Six months from the date of receipt of such a licence where a licence is received as a Certifying Authority;
(d) The details of joint venture, if any, in the computer related works with any foreign person, firm,
company or institution;
(e) The evidence of any agreement, if any, made in relation to the performance of computer related works on a joint venture with any foreign person, firm, company or institution; and
(f) Other details as may be requested by the Controller.

13. Inquiry into the Application:

(1) While conducting an inquiry into the application under Sub-rule (1), the Controller may issue an order to
furnish the documents or details under Sub-rule (1) of Rule 12, if such documents or details are found not to have been submitted or found to be inadequate.
(3) The applicant shall have to submit the additional documents or details as may be requested by the Controller under Sub-rule (2).

14. Issuance of a Licence :

(1) While conducting an inquiry into the application under Rule 13, the Controller shall, if he/she deems appropriate to give a licence to the applicant, grant a licence to the applicant in the format as referred to in Schedule-3, within Sixty days from the registration of the application upon collecting Twenty-Five Thousand Rupees as a fee for the licence .

(2) Where the Controller has, in addition to the documents attached with the application filed under Sub-rule (1) of Rule 12, requested the applicant for additional documents or details under Subrule (2) of Rule 13, then the date of receipt of such additional documents or details shall be deemed to be the date of registration of the application.
(3) Upon investigation under Rule 13, the Controller shall, if he/she deems inappropriate to issue a licence to the applicant, have to inform the applicant with reason thereof in writing within Sixty days from the date of filing of the application.

15. Duration of a Licence : The licence of the Certifying Authority granted under Rule 14 shall remain valid for a period of Two fiscal years.

16. Renewal of a Licence :

(1) The Certifying Authority desirous to  renew the licence received by it shall file an application to the Controller in the format as referred to in Schedule-4 along with Twenty Thousand Rupees as renewal fee including a bank guarantee under Clause (d) of Sub-rule (2) of Rule 12 Thirty days in advance before the expiry of duration as referred to in Rule 15.
(2) The Controller shall decide on the matter whether or not it shall renew a licence within Fifteen days from the registration of the application file for the renewal of a licence under Sub-rule (1).
(3) If a decision has been taken to renew the licence under Subrule
(2), the licence shall be returned to the applicant after denoting the  content of renewal in the concerned licence .

17. Renewal of a Licence may be Denied:

(1) The Controller may, in the following cases, deny to renew a licence of the Certifying Authority:
(a) If the Certifying Authority has not furnished any documents or details required to be furnished along
with the application to be filed for the renewal;
(b) If any documents or details having in ownership or access of the Certifying Authority are not submitted
as may be requested by the Controller;
(c) If the Controller has obtained a reliable ground that the firm or company obtaining a licence to act as a
Certifying Authority is in the process of liquidation;

(d) If the Certifying Authority has become insolvent and a case relating thereto is under consideration in
any court within Nepal;
(e) If the bank guarantee submitted by the Certifying Authority is suspended or forfeited by the
Controller;
(f) If the firm or company obtaining a licence as a Certifying Authority and the board of director or
proprietor or partner thereof is convicted for an offence of deceit, fraud and forgery in any act
related with one’s transaction or for the offences under the Act;

(g) If the Certifying Authority is found to be unsuccessful to comply or cause to be comply with the guidelines relating to security of electronic record or the procedures of certification submitted by it or contravenes such guidelines or procedures of certification;
(h) If the report on performance of work is not  submitted;
(i) If it is found, from the report on work performance, inappropriate to allow the Certifying Authority to
perform the work of certification.
(2) Prior to taking any decision on a matter for not renewing licence under Sub-rule (1), a reasonable opportunity shall be given to the Certifying Authority for presenting its clarification having specified the reason for the denial of renewal of its licence.

(3) If clarification is not submitted under Sub-rule (2) or the clarification submitted is found to be unsatisfactory, the Controller shall, after making a decision for not making renewal of a licence, give the information thereof to the Certifying Authority.
(4) If a decision has been taken for not making renewal of a licence under Sub-rule (3), a notice thereof shall be published in any national-level daily newspaper.

18. Functions to be commenced:

(1) The Certifying Authority shall commence the act of certification under the licence only after the fulfillment of the followings functions:
(a) Recognition should be given by the Controller to the details relating to the process of certification submitted to the Controller by the Certifying Authority.

(b) The Certifying Authority shall have to create its key pair and a public key of such keys shall have to hand over to the Controller.
(c) There should be consent of the Controller or an officer assigned by him/her to the physical and technical structures, prepared by the Certifying Authority, required for the issuance and  management of digital signature certificate.
(d) The evidence of the matter that an arrangement of mutual certification with other certifying authority
has already been made, and shall have to furnish to the Controller by the Certifying Authority.
(2) Duration for commencing the acts under Rule (1) by the Certifying Authority shall not be more than Six months from the date on which the said Authority has obtained a licence of certification.

19. Procedures to be followed upon Suspension of Licence:

(1) If the  circumstance warrants to suspend a licence of any Certifying Authority under Section 20 of the Act, the Controller shall have to fulfill the following procedures:
(a) To ask the Certifying Authority a written explanation in relation to divergence found in the documents, details, financial and physical sources submitted at the time of issuance of a licence ;
(b) To ask the Certifying Authority a justification of cash and other financial sources owned by the Certifying Authority for the purpose of making investigation in relation to divergence found in capital structure submitted at the time of issuance of licence ;

(c) To cause the bank account, remained in the name of such a Certifying Authority or its relatives, to be
frozen until the justification of financial sources is received under Clause (b).
(2) Where an explanation is asked in writing under Clause (a) of  Sub-rule (1), the Certifying Authority shall have to submit an explanation in writing to the Controller within Three days from the date on which such an explanation is so asked.
(3) The Controller may, if he/she deems a reasonable ground to suspend a licence of the Certifying Authority by the actions taken under Sub-rule (1), suspend the licence of such a Certifying Authority.

(4) If a licence of any Certifying Authority is required to be suspended under Sub-rule (3), then the duration of such a suspension shall not be more than Thirty days.
(5) The proceeding of the licence suspended shall have to finalize within a period referred to in Sub-rule (4).
(6) A notice of suspension of a licence of the Certifying Authority, made under Sub-rule (3), shall have to publish in any national-level daily newspaper.
(7) The cost, incurred in course of publication of a notice under Sub-rule (6), shall be borne by the concerned Certifying Authority.

20. Procedures for Revocation of a Licence:

(1) The Controller shall, while revoking a licence of the Certifying Authority under sub-section (1) of Section 21, fulfill the following procedures:

(a) The Controller shall, with respect to revocation of a  licence of the Certifying Authority, give an opportunity of presenting case in relation to the accusation charged against the Certifying Authority by specifying reasons of the revocation of licence and giving a time-limit of Seven days to it.
(b) The controller may, if it considers fit to ask any additional documents or details in relation to the defense presented by the Certifying Authority within the time-limit as referred to in Clause (a), issue order in that respect to the Certifying Authority to submit such documents or details within Three days.
(2) The controller may, if the defense presented by the Certifying Authority under Clauses (a) and (b) is found to be unreasonable, give order of revocation of licence of the Certifying Authority.
(3) The Certifying Authority shall be liable to a reasonable compensation for the damage and loss caused to anybody by the reason of the intentional or negligent act or activities of the Certifying Authority or its employees, as the case may be, or by the reason of noncompliance of any order made under the Act, these Rules or by the
Controller.
(4) The compensation referred to in Sub-rule (3) shall be deducted from the bank guarantee of the Certifying Authority given under Clause (d) of Sub-rule (2) of Rule 12.
(5) The bank guarantee, equivalent to the amounts leftover after the deduction for compensation under Sub-rule (4), shall have to be release within Fifteen days from the date of revocation of a licence.

21. Certifying Authority may stop the Business: Any certifying Authority may, by fulfilling the following procedures, stop the business relating to certification:
(a) By giving a written notice to the Controller prior to at least Ninety days from the date on which the business relating to certification is intended to stop or the time-limit of a licence of the Certifying Authority is expired;
(b) By publishing, prior to at least Sixty days from the date on which the business is intended to stop after giving a notice under Clause (a), a public notice thereof in the national-level daily newspaper;
(c) By giving a notice that the business is going to be stopped by it prior to at least Sixty days of the stopping of the business to all the subscribers operated under it and other Certifying Authorities of which the arrangement of certification of digital signature has mutually been made.
(d) By dispatching the notices under Clauses (a), (b) and (c) through email with digital signature or by registry from the post;
(e) By revoking all the digital signatures issued by it whether or not there is a request made by any subscriber within the date specified by it to stop the business;
(f) By making arrangement for stopping the business without causing, to the extent possible, inconvenience to the subscribers;
(g) By making an arrangement to secure the documents, records relating to the acts or transactions carried out by it or the digital signature certificate issued by it for a period up to seven years  from the date on which the business is stopped;

(h) By making an arrangement for providing compensation of an amount equivalent to the fees to be charged to obtained a new certificate to the subscribers of digital signature certificate issued after specifying a duration which may remain valid even after the date on which it may stop the business;
(i) By giving the Controller, after deleting a private key by the  Certifying Authority, the information of time and date of the deletion after the expiry of duration of validity of subscriber’s certificate.

22. To Deposit Royalty: The Certifying Authority shall have to deposit as a royalty at least Two per cent amount of the total income, received for the issuance of digital signature certificate by it, within the first week of every month to the Office of the Controller or any bank or financial institution specified by him/her.

23. Other Functions, Duties and Powers of the Certifying  Authority: In addition to the functions, duties and powers referred to in Section 17 of the Act, other functions, duties and powers of the  Certifying Authority shall be as follows:
(a) To determine procedure for issuing a certificate;
(b) To determine procedure to be followed upon suspension and  revocation of a certificate;
(c) To determine procedure for releasing suspension of certificate, if any;
(d) To conduct necessary monitoring on the matter as to whether or not an act has been performed pursuant to the certificates issued.

24. The Controller may make inquiry:

(1) Where the Controller believes with the fact that no compliance of the Act or Rules has been   made, as the case may be, by the Certifying Authority or other concerned person, as the case may be, the Controller him/herself may
make necessary inquiry in that respect or cause the same to be done through any other officer employee.

(2) While making or causing an inquiry to be done under Sub-rule
(1), the Controller or the Officer employee assigned by him/her, as the case may be, shall have to comply with the following procedures:
(a) To cause the concerned Certifying Authority or other person concerned, as the case may be, to be appeared before him/her and to make an inquiry with him;
(b) To form an inquiry committee under the coordination of the Controller or the officer employee assigned by him/her comprising of, among others, an expert of the concerned subject if the inquiry is deemed to be done in a particular subject and to initiate the proceeding of inquiry;
(c) To suspend or revoke the licence , as the case may be, of the Certifying Authority if so deemed, as a
result of inquiry under Clause (b);
(d) To cause a reasonable compensation to be provided  for the loss and damage caused to anybody else due
to noncompliance the Act or these Rules by the Certifying Authority or any other person concerned.

25. Procedures for recognition of a Foreign Certifying Authority:
(1) Any Certifying Authority, obtaining a licence for certification under the laws of a foreign country, desirous to act as a Certifying Authority within Nepal, may file an application before the Controller attaching the following documents and details mentioning that it is desirous to act as a Certifying Authority within the Nepal:
(a) certified copy of the licence obtained to act as a Certifying Authority in abroad;
(b) details of paid up capital or assets, as the case may be;
(c) evidences and details showing that the terms and qualification to be fulfilled by the Certifying Authority under the Act and these Rules, are met;
(d) other details as asked by the Controller.
(2) The Controller shall, if he/she deems, from the documents and details received along with the application under Sub-rule (1), appropriate for recognition to such a foreign Authority to act as a Certifying Authority, submit to Government of Nepal for approval by proposing the conditions required to be followed by such an Authority.
(3) Government of Nepal may, if the submission for approval has been made before Government of Nepal under Sub-rule (2), give permission to act as a Certifying Authority after making any modification or alteration, if so required, to the conditions proposed by the Controller.
(4) If the approval from Government of Nepal is obtained under Sub-rule (3), a notice of the recognition so granted to act as a Certifying Authority shall be published in the Nepal Gazette mentioning the conditions, if any, required to be abided by such a foreign Authority after receiving fees and bank guarantee to be charged upon the grant of a
licence to such a foreign Authority to act as a Certifying Authority under these Rules.

(5) If the conditions specified in the notice under Sub-rule (4) are not complied with or an act is committed in contravention to the Act or these Rules, as the case may be, the Controller shall with the approval from Government of Nepal revoke the recognition of such Certifying Authority and publishes a notice thereof in the Nepal Gazette.

 

Chapter-4  Provisions relating to Auditor and Audit of Performance

26. Appointment of Auditor:

(1) The Controller may, as per the necessity, appoint an Auditor in each year on contract to audit the
performance of the Certifying Authority.
(2) While making appointment in the Office of the auditor under Sub-rule (1), it shall be done from among the persons having the  following qualifications:-
(a) One who has at least Bachelor’s Degree in information technology or any subject equivalent thereto, from a recognized academic institution and has at least Ten years experience in computer field; or
(b) One who has at least Bachelor’s Degree in management, finance or commercial law from a recognized academic institution and has Ten years experience in computer field.

27. Remuneration and Facility of Auditor:

The remuneration and facility of the auditor shall be as specified in the contract made at the time of his/her appointment.

28. Procedures of Performance Audit:

1) The auditor may, while conducting the audit of performance of the Certifying Authority, ask for the following details:

(a) Details of the entire functions performed by the Certifying Authority throughout the year;
(b) The detail of the certificates issued by the Certifying Authority throughout the year;
(c) Matter relating to monitoring and evaluation made by the Certifying Authority with respect to the
functions mentioned in the certificate issued under Clause (b);
(d) Statement of the amounts received by the Certifying Authority for the issuance of certificate  throughout the year.
(2) The Controller shall, after the receipt of details referred to in Sub-rule (1), have to comply with the following procedures while conducting audit of the performance of the Certifying Authority:-
(a) to observe the security procedure adopted by the Certifying Authority to secure its electronic
record;
(b) to observe the physical security procedure to be connected to an electronic record;
(c) to evaluate the information technology quality standard being used by the Certifying Authority;
(d) to examine the services rendered to the subscribers  by the Certifying Authority;
(e) to analyze the entire certification practices of the Certifying Authority;

(f) to evaluate into the matter as to whether or not the terms of agreement and understanding reached between a subscriber or other concerned party and the Certifying Authority are followed;
(g) to evaluate the matter as to whether or not the directions given from time to time by the Controller
under the laws in force, and the terms referred to in the licence are followed;
(3) The auditor shall, after making evaluation under Sub-rule (2), have to submit the report thereof to the Controller within a period of Three months from the date of commencement of the business by him/her.
(4) The following matters shall, in addition to other matters, be included in the report under Sub-rule (3):
(a) The errors found from the audit conducted by him/her for the performance of the Certifying
Authority throughout the year;
(b) The details of any additional directions, if any, required to be given to the Certifying Authority;
(c) The details of any action, if any, required to be taken against the Certifying Authority.

29. Period to audit performance:

While conducting audit of the annual performance by the Auditor, the Certifying Authority shall have to cause
the same to be completed within the following periods:-
(a) Within every Three months while causing to be conducted the audit of the depository;

(b) Within every Six months while causing to be conducted the audit of security procedure, physical security condition and business operation planning.

30. Disqualification of Auditor:

The following person may not be appointed in the Office of auditor:
(a) One who has taken any types of share or has a financial or commercial transaction or is deemed to have any types of interest, as the case may be, with the Certifying Authority the audit of performance of which is required to be conducted immediately;

(b) One who has economic or commercial interest with the Certifying Authority or its any employee, as the case may be;
(c) One who is a member of the same family of the Certifying Authority or its any employee.

Chapter-5 Provision relating to Digital Signature and Certificate

31. Application to be filed to obtain certificate:

(1) Any person, firm or company, desirous to obtain a certificate under Section 31 of the Act,  shall have to submit an application in a format as referred to in Schedule -5 to the Certifying Authority.
(2) The Certifying Authority shall conduct necessary inquiry into the application filed under Sub-rule (1). While so conducting inquiry, an inquiry shall made on the following matters in particular:-
(a) whether or not the application received is authentic or legally valid;
(b) whether or not the applicant enlisted in the list of doubtful (suspicious) subscribers;

(c) ground to believe that the applicant him/herself is, without the support of any other person, capable to
use such a certificate;
(d) whether or not the applicant has agreed to publish the details of certification in the Directory;
(e) whether or not an audit for the authenticity of identification of the details of procedure of
certification, submitted by the applicant, has already been conducted or completed.

(3) While conducting an inquiry pursuant to Sub-rule (2), the Certifying Authority may, if it deems necessary to ask any additional  details with the applicant, demand such details accordingly.
(4) It shall be a duty of the concerned applicant to furnish the additional details to the Certifying Authority if so asked under Sub-rule (3).

32. Issuing of a Certificate:

(1) The Certifying Authority shall, if it deems reasonable to grant a certificate, after conducting an inquiry into
the application filed pursuant to Rule 31, issue a certificate in a format as referred to in the Schedule-6 by fulfilling the following procedures:-
(a) A new certificate is required to be created;
(b) A key pair is required to be included in the certificate;
(c) The public key is required to be made available.

(2) An opportunity to verify that whether or not the details referred to in the certificate is correct, shall be given to the applicant prior to the issuance of a certificate pursuant to Sub-rule (1) and if the  applicant confirms the content to be correct after the verification by him/her, a certificate shall be issued to such an applicant upon receiving
One Hundred Rupees as fees for the certificate from the applicant.
(3) The certificate issued under Sub-rule (1) shall include a notice of one or more deposition where digital signature is recorded and the listing thereof shall be made where such a certificate is revoked or suspended.

(4) The certificate issued under Sub-rule (1) shall have to be published in the recorded depository.
(5) After the issuance of the certificate, if the Certifying Authority obtains any information on the matter which may affect the validity or credibility of such a certificate, it shall provide immediately with the information thereof to the subscriber obtaining a certificate.
(6) Period of validity of the certificate issued under Sub-rule (1) shall be as specified in that certificate.

33. Suspension of Certificate :

(1) The Certifying Authority may, in the following cases, suspend a certificate issued by it:
(a) if the Certifying Authority is satisfied with the fact that such a digital signature has been used or is
being to be used or is likely to be used for any illegal purpose or for the attainment of illegal  objectives;
(b) if the information of any criminal case instigated against a subscriber is under consideration in any
court has been obtained;
(c) if the Controller asks the Certifying Authority in written for the suspension of the certificate mentioning the fact that the certificate has been used or is being used or is likely to be being used in the act against public interest.
(2) While making suspension of any certificate under Clause (b) of Section 32 of the Act and Sub-rule (1), the Certifying Authority shall have to ask the concerned subscriber an explanation by giving a time period of Three days for presenting the case in writing having specified the reason for suspension.
(3) The Certifying Authority may, if the explanation furnished pursuant to Sub-rule (2) is found to be unsatisfactory or the explanation is not submitted, suspend the certificate so issued by it.
(4) The period of suspension of the certificate pursuant to Sub-rule
(3) shall not be more than Fifteen days.

34. Release of Suspension of Certificate:

(1) The Certifying Authority shall, by taking consideration into the explanation furnished by the subscriber under Sub-rule (2) of Rule 33, conduct necessary investigation into the matter as to whether or not the certificate has been
used in contravention of public interest.

(2) While conducting investigation pursuant to Sub-rule (1), if it  is not found that it has been done under Sub-rule (1) of Rule 33, the Certifying Authority shall have to release the suspension of such a certificate.
Provided that, in case the certificate is suspended as per the direction of Controller in accordance with Clause (c) of Sub-rule (1) of Rule 33, the certificate shall be released only after obtaining an approval of the Controller.

35. Revocation of Certificate:

(1) While conducting inquiry under Rule 34 in relation to the certificate suspended as per Rule 33, if the cause of
suspension is proved, a time period of Three days shall be given to the concerned subscriber to present the reason and proof of not requiring the  certificate to be suspended.
(2) The Certifying Authority shall, if the explanation presented within the period as referred to in Sub-rule (1) is found to be unsatisfactory or the explanation is not submitted, revoke such a certificate.

(3) The explanation to be asked under Sub-rule (1) may be asked through e-mail with digital signature in the name of subscriber in the address furnished by him/her.

Chapter-6 Miscellaneous
36. Provision relating to certificate to be used by a Government
Agency:

(1) Government of Nepal shall, by publishing a public notice, invite application from the Certifying Authority desirous to issue a digital signature certificate to be used by the government Agency.
(2) Government of Nepal shall, from among the applications received under Sub-rule (1), designate a Certifying Authority which is deemed appropriate, as an Authority for issuing a digital signature certificate to be used by the government agency.
(3) The government agency interested to obtain a certificate may obtain the certificate from the Certifying Authority designated under Sub-rule (2).

37. Documents to be accepted in electronic form:

(1) Any government agency or the corporations owned by Government of Nepal, intending to accept documents in electronic form or any fees or amounts by electronic means, shall have to publish a public notice of taking, receiving or accepting of such documents, fees or amounts and shall disclose the electronic address where such documents in electronic form are sent.
(2) The documents, fees and amounts etc. of electronic form, sent with digital signature to the electronic address disclosed under Sub-rule
(1), shall be deemed to have been received or accepted by such an agency or corporation.

38. Security Guidelines to Comply:

(1) Working procedures and practices of the Certifying Authority shall be consistent with law.
(2) The Certifying Authority shall have to perform its business in a manner by which security, credibility and confidentiality of digital signature, information and other matters shall be fully ensured.
(3) Information technology and security guidelines to be used by the Certifying Authority shall be as issued by Government of Nepal. upon the recommendation of the Controller,
(4) The information technology and security policy to be used by the Certifying Authority shall be based on security guidelines issued in accordance with Sub-rule (3).

39. Delegation of Authority: The Controller may delegate any authority  conferred to him under these Rules to any officer employee subordinate to him/her.

40. English language may be used: While submitting an application, required to be filed, and issuing a licence , certificate or order or direction, required to be issued, pursuant to these Rules, the Controller or Certifying Authority or Subscriber may do so also by means of English language as per the necessity.

41. Alteration may be made in Schedule: The Controller may make necessary alteration or modification in the Schedule with the approval of Government of Nepal.

42. Repeal and Saving: (1) Electronic Transaction Rules, 2061 (2004) has been repealed.
(2) All the acts done or actions taken pursuant to the Electronic Transaction Rules, 2061 (2004) shall be deemed to have been done or pursuant to these Rules.

 

Schedule–1
(Relating to Sub-rule (2) of Rule 6)
Quality Standards relating to Information Technology
The Certifying Authority may bring into use the open standard and information
technology system of reliable standards recognized in the world. To carry out
different types of electronic transaction, at least the following standards shall
have to maintain.

Schedule–2
(Relating to Sub-rule (1) of Rule 12) The Controller,
Subject: Request for issuance of a licence to work as a Certifying Authority
I/We, hereby, submit this application to carry out business as a Certifying Authority in accordance with the Electronic Transaction Act, 2063 (2006) and the Electronic Transaction Rules, 2064 (2007). I/We, hereby, request to obtain the licence as the Certifying Authority.
(A) Individual/ Firm or Company’s:
1. Name:
2. Address of the Registered Office:
3. Addresses of other branch offices where transactions have been made:
4. P.E.N number and name and address of the office issuing it:

5. Name and address of I.S.P.:
6. Website Address:
7. E-mail, Telephone and Fax No.:-
8. Full Name, surname and address of all persons holding 10% or more
ownership or partnership of shares:
9. Paid issued capital/Total Assets: –
10. Total transaction of the previous year: –
11. Type of the digital signature as intended to be certified: –
12. Place in Nepal where the facility of certification shall be available:-

(B) Documents Attached:
1. Firm/Company Registration Certificate,
2. Audit Report of the previous year,
3. The details of the certification process intended to be used while
working as a Certifying Authority,
4. Certificate of tax clearance for up to the previous fiscal year,
5. Performance Bank Guarantee,
6. Bank Voucher or Receipt deposited for application fee,

7. Details exhibiting working experience in the related sector,
8. Attested copy of decision made by the Board of Directors to file an application in case of a firm or a company,
9. Other necessary documents required to be certify the qualification as referred to in Sub-rule (1) of Rule 12.
The qualification, to be met under the Electronic Transaction Act, 2064 (2006) and the Electronic Transaction Rules, 2064 (2007) has been met to work as a Certifying Authority and the details mentioned herein are true; if proved otherwise, I shall be liable to the consequence in accordance with law.
Seal of the Firm or Company Applicant’s
Signature: –
Name: –
Designation:
Date:

Schedule–3
(Relating to Sub-Rule (1) of Rule 14)
Licence
Licence No.: – Date of Issue:
This licence is, hereby, granted to Mr./Mrs./Ms.………………… (name of the individual/firm or company receiving the licence), having the following details, to work as a Certifying Authority for a period from ……………. to …………,
subject to be compliance with the Electronic Transaction Act, 2063 B.S. (2006)  and Electronic Transaction Rules, 2064 (2007) and the following conditions.
Details:
Name of (individual, firm or company) obtaining the licence:-
Address:
Place providing the service of certification:
Seal of the Office Controller’sSignature:

Name:
Date:

Conditions to be complied with by the Certifying Authority:-
(a)
(b)
(c)
Details of Renewal

 

Schedule – 4
(Relating to Sub-Rule (1) of Rule 16)
The Controller,
Subject: Request for Renewal
As this Authority has been working as a Certifying Authority and it is desirous  to continue the work of certification even for the upcoming year, I/ We have appeared to file this application by attaching herewith the voucher/receipt of
the payment of fees to be charged for the renewal. Therefore, I/We request for  renewal.
Documents Attached:
Original Certificate:
Voucher/ receipt of the payment of renewal fee:
Bank guarantee: –
Applicant’s,-

Signature:
Name and Designation of the signing the
application:-
Name of the Certifying Authority: –
Certificate No. and date of issue:

 

Schedule–5
(Relating to Sub-Rule (1) of Rule 31)
The…………………….. (Name of the Certifying Authority)
Subject: Request for Issuance of the Digital Signature
Certificate
As the certified digital signature is required to be obtained, I have filed this
application attaching the following documents and details.
1. Name, surname and address of the subscriber:
2. Legal status of the subscriber:
3. Certificate to identify the subscriber: –

3.1 In case of a natural person,-
(a) Citizenship or Passport No.: –
(b) Issuing office: –
(c) Date of issue: –
(d) Duration of validity (in case of the passport): –
3.2 In case of a firm, company or corporate body or agency,-
(a) Registration certificate or formation order, concerned Act
or notice issued in the Gazette:-
(b) Date of issue: –
(c) Issuing office: –

(d) Objectives:
4. For what purpose the digital signature is intended to obtain, the details
thereof:
a. For all types of possible transactions (mention the possible
details)
b. For banking purposes,
c. For other transactions relating to purchase and sale,
d. For the certification that any correspondence, in writing, is
issued by oneself except general transaction (Lenden).
5. Maximum threshold of each transaction if financial transaction, among
others, is intended to carry out:
The details stated above are true and correct; I shall submit other details
and proofs, as required by the Authority, at a time when so asked and I shall,
upon the issuance of licence , pay the fee therefor.

Applicant’s,-
Signature:
Name:
In case of a corporate body, seal of the office, signature, name and designation
of the person making application on behalf of the body:

 

1. Type of the digital signature certificate:
2. Signature Algorithm Identifier:
3. Details of the Public Key:
4. Validity period of the certificate :
Seal of the Certifying Authority Certificate Issuer’s,-
Signature:
Name:
Designation:
Date:

(Source: Nepal Law Commission)

Disclaimer: NepalArchives.Com has published Electronic Transactions Rules 2064 (2007) for the purpose of reference and information only, which were obtained from Nepal Government sources. If you found any discrepancies or misinformation with the content in this webpage, please kindly let us know and also refer to authorized sources of Nepal Government to get certified version of Electronic Transactions Rules 2064 (2007). NepalArchives.Com taken no guaranty of authenticity or existing validity of the contents in this webpage.