Cybersecurity regulation in Sri Lanka (2026)
Sri Lanka lacks a comprehensive cybersecurity act — despite drafting six successive bills since 2019, a dedicated Cyber Security Act remained unenacted as of mid-2026, with the latest draft reportedly in final pre-presidential-approval stages. The operative framework is fragmented across the Computer Crimes Act 2007 (cybercrime offences), the Personal Data Protection Act 2022 (72-hour breach notification to the Data Protection Authority), and the Online Safety Act, backed operationally by Sri Lanka CERT and the National Cyber Security Operations Center. Passage of the pending Cyber Security Bill would establish a dedicated regulatory authority and formally designate Critical Information Infrastructure protections.
Key points
Computer Crimes Act No. 24 of 2007 is the foundational cybercrime statute, criminalising unauthorised access, data interference, denial-of-service attacks, and malware distribution; the High Court holds exclusive jurisdiction over offences. Critics note vague definitions and insufficient penalties given the modern threat landscape.
The Personal Data Protection Act No. 9 of 2022 — the first comprehensive data-protection law in South Asia — requires controllers to notify the Data Protection Authority within 72 hours of becoming aware of a personal data breach, with secondary notification to affected data subjects where risk is high. Draft implementing rules on breach notification procedures were published by the DPA for consultation.
A dedicated Cyber Security Bill — sixth iteration since 2019 — was reported nearing final stages for presidential assent as of June 2025. It would create a 'Cyber Security Regulatory Authority of Sri Lanka' as the apex body, codify Critical Information Infrastructure (CII) designation, and establish mandatory incident-reporting obligations for CII operators. As of early 2026 it had not yet been enacted.
Sri Lanka CERT (est. 2006), operating under the Ministry of Digital Economy, is the national incident-response team and a FIRST member. The National Cyber Security Operations Center (NCSOC) provides 24×7 SIEM, EDR, and WAF monitoring across Critical National Information Infrastructure entities on a voluntary/service basis; SLCERT logged over 12,650 complaints in 2025.
Sri Lanka ratified the Council of Europe Budapest Convention on Cybercrime (ETS 185), which entered into force on 1 September 2015, making it the first South Asian state party. Sri Lanka also signed the UN Convention against Cybercrime in 2025, reinforcing international mutual-legal-assistance obligations.
Industry experts, lawyers, and civil-society groups have raised sustained objections to the draft bill, particularly the proposal to place the operational SLCERT under the same authority that regulates cybersecurity service providers — seen as a conflict of interest — and concerns about potential digital-rights restrictions under broad security mandates.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.