Chapter 4 Provisions Relating to Controller and Certifying Authority:
13. Appointment of the Controller and other Employe es:
(1) Government of Nepal may, by notification in the Nepal Gazette, designate any Government officer or appoint any person who has qualifications as
prescribed in the office of the Controller.
(2) Government of Nepal may, in order to assist the Controller to perform his/her functions to be performed under this Act, appoint or assign a
Deputy Controller and other employees as required. The employees so appointed or assigned shall perform their functions under the general direction
and control of the Controller.
14. Functions, Duties and Powers of the Controller :
The functions, duties and powers of the controller shall be as follows:-
(a) To issue a license to the certifying Authority,
(b) To exercise the supervision and monitoring over the activities of Certifying Authority,
(c) To fix the standards to be maintained by certifying authority in respect to the verification of digital signature,
(d) To specify the conditions to be complied with by the certifying authority in operating his/her business,
(e) To specify the format of the certificate and contents to be included therein,
(f) To specify the procedures to be followed by the certifying authority while conducting his/her dealings with the subscribers,
(g) To maintain a record of information disclosed by the certifying authority under this act and to make provision of computer database accessible to
public and to update such database,
(h) To perform such other functions as prescribed.
15. License to be obtain ed: No person shall perform or cause to be performed the functions of a certifying authority without obtaining a license under this
16. Application to be submitted for a License :
(1) Any person willing to work as Certifying Authority by issuing a certificate under this Act and who has the qualifications as prescribed shall have to submit an application to the controller in a format as prescribed accompanied by a fee as prescribed for obtaining a license for the certification.
(2) The applicant applying under Sub-section (1) shall also attach the following documents:
(a) Details regarding certification,
(b) Documents to prove the identification and verification of the applicant,
(c) Statements specifying the financial resources, human resources and other necessary facilities,
(d) Such other documents as prescribed.
(3) The controller may, if he/she thinks necessary, ask the applicant to serve additional documents and details in connection to examine the
appropriation of the applicant as to perform the function of Certifying Authority. If the necessary additional documents and details are so asked, no
actions shall be taken upon the application of the applicant unless he/she submits such documents and details.
17. Other Functions and Duties of the Certifying Authority :
Other functions and duties of the certifying authority, other than those to issue a certificate, to suspend or revoke it, shall be as prescribed.
18. Procedure for granting of a license :
(1) The Controller may, on receipt of an application under section 16, after considering the qualification of applicant and also the documents and statements decide upon within a period of two months of receipt of such application whether or not such a person possesses the financial, physical and human resources, and other facilities as prescribed and whether or not a license should be issued to such an applicant and a notice to that effect shall be given to him.
(2) While deciding upon the issuance of a license under Sub-section
(1), the Controller may inspect the facilities, financial and physical resources of the applicant.
(3) If the Controller decides to issue a license under Sub-section (1), a license in the prescribed format shall be issued to the applicant specifying the
period of validity of the license and also the terms and conditions to be followed by him.
(4) Other procedures relating to the issuance of a license shall be as prescribed.
19. Renewal of License:
(1) A license obtained by Certifying Authority shall have to renew in each year,
(2) A Certifying Authority desirous to renew the license under Sub- section (1), shall have to submit and application in the prescribed format to the
Controller at least two months prior to the expiry of the period of validity of such a license along with such renewal fee as prescribed,
(3) If an application is submitted for renewal, under Sub-section (2), the Controller shall have to decide whether to renew the license or not, after
completing the procedures as prescribed one month prior to the expiry date of validity of such a license,
(4) While deciding to reject to renew a license, the applicant shall be given a reasonable opportunity to present his/her statement in this regard.
20. License may be suspended :
(1) If the documents or statement and statement of financial and physical resources submitted by the certifying authority before the Controller in order to obtain a license are found incorrect or false or the conditions to be complied with in course of operation of business is not complied with or this Act of the Rules framed hereunder are found to be violated, the Controller may suspend the license of the certifying authority till the inquiry in this regard is completed. Provided that, Certifying Authority shall be given the reasonable opportunity to present his/her defense prior to such suspension of a license.
(2) Other procedures concerning suspension of license and other provisions related thereto be as prescribed.
21. License may be revoked:
(1) If the controller believes, after completion of an inquiry in connection to any activity of Certifying Authority, made duly, as prescribed, that any of the following circumstances have been occurred, the Controller may revoke a license issued under this Act, at any time, as he deems
to be appropriate:
(a) If the Certifying Authority fails to comply with the liabilities under this act and the rules made thereunder.
(b) If it is found that the Certifying Authority has submitted false or incorrect document or statement at the time of submitting an application
for obtaining a license or for its renewal, as the case may be.
(c) If the Certifying Authority operates business in such a manner so that it shall make adverse effect to the public interest or to the national
(d) If the Certifying Authority commits any act that is defined as an offence under this Act or the Rules framed hereunder.
(2) The Controller shall, prior to revocation of a license under Sub- section (1), provide a reasonable opportunity to the Certifying Authority to
present his/her defense.
(3) Other procedures concerning revocation of a license shall be as prescribed.
22. Notice of Suspension or revocation of a License :
(1) Where a license of any Certifying Authority is suspended or revoked under Section 20 or 21, as the case may be the Controller shall give a written notice to the Certifying Authority of such suspension or revocation, as the case may be, to such a certifying Authority and shall keep such a notice in his computer database and also publish in the electronic form.
(2) The Controller shall publish the notice of suspension or revocation of a license at least in two daily newspapers in Nepali and English
languages for two times.
Provided that, there shall be no effect to any decision of suspension or revocation, as the case may be, made by the Controller under Section 20 or 21,
merely on the ground of non-publication of such a notice.
23. Recognition to Foreign Certifying Authority may be given :
(1) The Controller may with the prior approval of Government of Nepal, and subject to such conditions and restrictions as may be prescribed, by notification in the
Nepal Gazette, recognize any Certifying Authority who has obtained a license to certify under any foreign law. Any foreign Certifying Authority so
recognized may issue the certificates under this Act or the Rules made thereunder throughout the Nepal.
(2) The procedures to be adopted in providing the recognition to a foreign Certifying Authority as referred to in Sub-section (1), shall be as
24. The Controller may issue Orders :
(1) The Controller may, in order to cause to fulfill the responsibilities in regard to issuance of a certificate by the Certifying Authorities, issue directives, from time to time. It shall be a duty of the Certifying Authority to comply with such directives.
25. The Controller may delegate po wer: The Controller may, in order to perform the function to be performed by him/her delegate to any officer
subordinate to him/her to exercise all or any of his/her powers under this Act or the Rules framed thereunder.
26. The Controller may investiga te:
(1) The Controller may, if he/she believes that this Act or the Rules framed hereunder are not complied with by the Certifying Authority or by other concerned person, conduct him/herself or cause any officer to conduct necessary investigation in that regard.
(2) It shall be a duty of Certifying Authority to assist the investigations, referred to in Sub-section (1).
(3) The procedure to be followed by the Controller or any other officer in respect to investigation referred to in Sub-section (1) shall be as
27. Performance Audit of Certifying Authority:
(1) The Controller may conduct or cause to be conducted performance audit of the Certifying Authority in each year.
(2) The Controller may, for the purpose of the performance audit referred to in Sub-section (1), appoint any recognized auditor, who has
expertise in computer security or any computer expert.
(3) The Controller shall publish the report of the performance audit in the electronic form made under Sub-section (1) by maintaining in his/her
(4) The qualification of the performance auditor or remuneration and the procedures of such audit shall be as prescribed.
(5) The Controller shall fix the standard of the service of Certifying Authority and publish a notice thereof publicly for the information to the
28. The Controller to have the Access to Computers and data
: (1) The Controller shall, if there is a reasonable ground to suspect that provision of this Act and Rules framed hereunder has been violated, have the power to have the access to any computer system, apparatus, devices, data, information system or any other materials connected with such system.
(2) The Controller may, for the purpose of Sub-section (1), issue necessary directives to the owner of any computer system, apparatus, device,
data, information system or any material connected with such system or to any other responsible person to provide technical or other cooperation as he/she
(3) It shall be the duty of the concerned person to comply with such directive issued under Sub-section (2).
29. Record to be maintained :
(1) The Controller shall maintain records of all Certificates issued under this Act.
(2) The Controller shall, in order to ensure the privacy and security of the digital signatures, perform following functions:
(a) To use Computer Security System,
(b) To apply security procedures to ensure the privacy and integrity of digital signature,
(c) To comply with the standard as prescribed,
(3) The Controller shall maintain and update computerized data base of all public keys in a computer system.
(4) For the purpose of verification of Digital Signature, the Controller shall make available a public key to any person requesting for such a key