In August 2020, pursuant to the Imports and Exports (Control) Regulations No. 05 of 2020, the Government of Sri Lanka announced the suspension of import licences for a range of goods listed in Schedule 1 of the Regulations. These goods, which ordinarily require an import control licence for entry into the country, were temporarily restricted from importation in response to the economic repercussions of the COVID-19 pandemic. The suspension took effect on 18 August 2020 and, as of 2024, remains in force for several product categories, thereby continuing to prohibit their importation. According to the 2024 Consolidated Import Control List, import control licences remain suspended for various items, including used automatic data processing machines (HS 8471.30.10), used monitors, and projectors not incorporating television reception apparatus, among others.

Under Section 115A of the Customs Ordinance, no goods may be imported into Sri Lanka except by a registered importer. According to the Sri Lanka Trade Portal, all importers, regardless of the type of goods, must present a valid Tax Identification Number (TIN) in order to complete their registration in the customs system. In addition, certain categories of goods are subject to import control and require an import control licence issued by the Controller of Imports and Exports, which must be obtained separately prior to importation.

Pursuant to Art. 4.11 of the Imports and Exports (Control) Act, No. 1 of 1969, no person may import goods into Sri Lanka without a valid licence issued by the Controller of Imports and Exports. Art. 14 further specifies that the Minister of Finance, Economic Stabilization and National Policies can issue regulations to prohibit or regulate the import of certain goods.
The latest Consolidated Customs Import Control List of controlled goods whose import requires a licence includes telecommunication equipment and other transmission apparatus, including used smartphones (HS 8517.13.10), used isotopes other than those classified under heading 28.44 (HS 2845.90), radio navigational aid apparatus (HS 8526.91), among others.
Furthermore, according to Art. 2 of the Special Import Licence and Payment Regulations, No. 1 of 2011, only certain operators can import controlled goods. These are (i) individuals, trading either in their own name or under a business name, who are citizens of Sri Lanka; (ii) firms, partnerships, or other entities duly registered in Sri Lanka; (iii) public and private companies incorporated under the Companies Act, No. 7 of 2007; and (iv) non-nationals holding a valid visa authorising residence in Sri Lanka.

Pursuant to Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991, the import of any telecommunication apparatus in Sri Lanka is prohibited unless carried out under the authority of a valid licence issued by the Telecommunications Regulatory Commission. As established in Art. 21.2, such licences are subject to conditions determined by the Commission, including the payment of a prescribed fee and compliance with specific restrictions. Under Art. 21.3, the Commission retains the power to revoke any licence in the event of non-compliance with licensing conditions, failure to make required payments, or breach of applicable regulations.

Sri Lanka’s import regime is reportedly characterised by high entry barriers and regulatory opacity. It is reported that the discretionary nature of import approval processes contributes to regulatory unpredictability, as agencies do not follow uniformly applied standards or procedures. Requirements often vary by product or authority, creating significant compliance challenges for importers. Foreign stakeholders have expressed concern that previous administrations failed to adequately consult the private sector before introducing new regulatory measures. In addition, regulatory bodies responsible for evaluating imported products are reportedly constrained by limited technical capacity, further complicating the approval process.

Under Section 115A of the Customs Ordinance, no goods may be exported from Sri Lanka except by a registered exporter. According to the Sri Lanka Trade Portal, all exporters, regardless of the type of goods, are required to register with several institutions, including the Sri Lanka Export Development Board (EDB), the Inland Revenue Department (to obtain a Tax Identification Number and, if applicable, a VAT number), and Sri Lanka Customs. While mandatory registration with the EDB has been revoked by Extraordinary Gazette No. 2118/60 of 11 April 2019, the EDB continues to maintain a voluntary exporter registration scheme. To complete the registration process with these bodies, exporters must submit the original Business Registration Certificate or Certificate of Incorporation, along with other supporting documentation and completed application forms.
Art. 4.1 of the Imports and Exports (Control) Act, No. 1 of 1969, also mandates that the export of certain goods may only be conducted under the authority of a valid licence issued by the Controller of Imports and Exports and in full compliance with the conditions attached thereto. Goods that require a licence include, among others, telecom equipment, as specified in Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991.

The Radio and Telecommunications Terminal Equipment (RTTE) Type Approval Rules govern the type approval procedures in Sri Lanka. While local laboratory testing is not mandatory, Section 14 requires that testing must still be undertaken by laboratories accredited by the International Laboratory Accreditation Cooperation (ILAC), ensuring that test results are recognised and accepted. In accordance with Section 10, these certified laboratory reports verify the device’s compliance with safety, radiofrequency performance, and electromagnetic compatibility standards.

Under Sections 6 and 7 of the Standardization and Quality Control Regulations issued pursuant to the Imports and Exports (Control) Act, No. 1 of 1969, importers of certain designated goods are required to submit all relevant documentation concerning such goods to both the Director General of Sri Lanka Customs and the Director General of the Sri Lanka Standards Institution prior to customs clearance. Where necessary, product samples shall be subject to testing in accordance with the applicable "Sri Lanka Standards". Samples submitted to the Sri Lanka Standards Institution will be assessed for conformity with these standards in accordance with the conformity assessment procedures and guidelines established by its Director General. In addition, Section 9 stipulates that no importer may sell, offer for sale, use, or distribute certain specified goods without the prior approval of the Director General of the Sri Lanka Standards Institution. Among the goods falling within this regulatory scope are primary cells and batteries, as well as PVC insulated, non-armoured cables.
The 2024 Regulation repeals the Imports and Exports Control (Standardization and Quality Control) Regulations 2017, which contained similar provisions.

Reports indicated that several independent and other websites were subject to access restrictions in 2024. In addition, in April 2022, it was reported that the Telecommunications Regulatory Commission, acting on directives from the Ministry of Defence, suspended access to various social media platforms in Sri Lanka. The services affected included Facebook, YouTube, Twitter, Instagram, and WhatsApp. This suspension was lifted after 15 hours. A similar restriction was imposed in 2019, during which access to platforms such as Facebook, Facebook Messenger, Viber, Snapchat, and Instagram was blocked. Additionally, the use of the TunnelBear Virtual Private Network (VPN) was also restricted.

Sri Lanka has entered into an agreement that entails binding commitments to permit the cross-border transfer of data. Art. 9.9 of the "Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore" stipulates that each party shall allow the transfer of information by electronic means, including personal data, across borders when such transfers are necessary for the conduct of business by a covered person.

The Personal Data Protection Act introduces Sri Lanka’s first comprehensive legal framework dedicated to the regulation and safeguarding of personal data. This landmark legislation seeks to define and reinforce the rights of data subjects, while also providing for the establishment of the Data Protection Authority of Sri Lanka. Among its notable provisions are the requirement for data controllers and processors to implement a data protection management programme, and the imposition of specific conditions governing the use of personal data for direct marketing purposes.
The Personal Data Protection Act serves as the principal statute governing personal data in Sri Lanka. However, several regulations and directions issued under sector-specific legislation continue to provide detailed guidance on data protection. These include: the Financial Consumer Protection Regulations No. 1 of 2023, which impose obligations closely aligned with those set out in the Personal Data Protection Act, particularly in relation to the handling of financial consumers’ personal information; and Special Direction No. 91, issued on 17 May 2023, which establishes data protection requirements applicable to e-commerce entities and platform operators, with the aim of safeguarding consumer rights in digital environments.
Prior to the enactment of this legislation, Sri Lanka lacked a unified legal instrument addressing data protection and privacy. Instead, various sector-specific statutes—such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, and the Telecommunications Act No. 25 of 1991—acknowledged the importance of privacy and confidentiality in a fragmented manner.

In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not stipulate a specific duration for which this data must be retained.

Pursuant to Section 24 of the Personal Data Protection Act, a data controller is mandated to undertake a Data Protection Impact Assessment (DPIA) prior to initiating any processing activity that involves: (i) the systematic and extensive evaluation of personal data or special categories of personal data, including profiling; (ii) the systematic monitoring of publicly accessible areas or telecommunication networks; or (iii) any processing operation prescribed by regulation, taking into account the scope and associated risks of such processing. In addition, the controller is obliged to conduct a new DPIA whenever there is a substantive alteration in the methodology, technology, or procedural framework employed in the processing activity for which a DPIA has previously been completed.
In addition, in accordance with Section 20 of the Act, it is incumbent upon every data controller to designate or appoint a Data Protection Officer (DPO) to ensure adherence to the provisions of the Act under specified circumstances. These include instances where the processing of personal data is undertaken by a ministry, governmental department, or public corporation—excluding the judiciary when acting in a judicial capacity. Additionally, the obligation to appoint a DPO arises where the core processing activities of the controller or processor involve: (i) operations which, by their nature, scope, or purpose, necessitate regular and systematic monitoring of data subjects; (ii) the processing of special categories of personal data; or (iii) processing activities that, by virtue of their nature and impact, pose a risk of harm to the rights of data subjects as safeguarded under the Act.

Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the purposes of the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.

Pursuant to Section 7 of Schedule I and Section 7 of Schedule II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all digital cellular mobile service operators are obligated to provide access to their databases or networks, upon request by the Telecommunications Regulatory Commission of Sri Lanka, for the purpose of obtaining subscriber information and data.