Under Section 115A of the Customs Ordinance, no goods may be imported into Sri Lanka except by a registered importer. According to the Sri Lanka Trade Portal, all importers, regardless of the type of goods, must present a valid Tax Identification Number (TIN) in order to complete their registration in the customs system. In addition, certain categories of goods are subject to import control and require an import control licence issued by the Controller of Imports and Exports, which must be obtained separately prior to importation.

Pursuant to Art. 4.11 of the Imports and Exports (Control) Act, No. 1 of 1969, no person may import goods into Sri Lanka without a valid licence issued by the Controller of Imports and Exports. Art. 14 further specifies that the Minister of Finance, Economic Stabilization and National Policies can issue regulations to prohibit or regulate the import of certain goods.
The latest Consolidated Customs Import Control List of controlled goods whose import requires a licence includes telecommunication equipment and other transmission apparatus, including used smartphones (HS 8517.13.10), used isotopes other than those classified under heading 28.44 (HS 2845.90), radio navigational aid apparatus (HS 8526.91), among others.
Furthermore, under Art. 2 of the Special Import Licence and Payment Regulations, No. 1 of 2011, only certain operators may import controlled goods. These are (i) individuals, trading either in their own name or under a business name, who are citizens of Sri Lanka; (ii) firms, partnerships, or other entities duly registered in Sri Lanka; (iii) public and private companies incorporated under the Companies Act, No. 7 of 2007; and (iv) non-nationals holding a valid visa authorising residence in Sri Lanka.

Pursuant to Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991, the import of any telecommunication apparatus in Sri Lanka is prohibited unless carried out under the authority of a valid licence issued by the Telecommunications Regulatory Commission. As established in Art. 21.2, such licences are subject to conditions determined by the Commission, including the payment of a prescribed fee and compliance with specific restrictions. Under Art. 21.3, the Commission retains the power to revoke any licence for non-compliance with licensing conditions, failure to make required payments, or breach of applicable regulations.

Sri Lanka’s import regime is reportedly characterised by high entry barriers and regulatory opacity. It is reported that the discretionary nature of import approval processes contributes to regulatory unpredictability, as agencies do not follow uniformly applied standards or procedures. Requirements often vary by product or authority, creating significant compliance challenges for importers. Foreign stakeholders have expressed concern that previous administrations failed to adequately consult the private sector before introducing new regulatory measures. In addition, regulatory bodies responsible for evaluating imported products reportedly face limited technical capacity, further complicating the approval process.

Under Section 115A of the Customs Ordinance, no goods may be exported from Sri Lanka except by a registered exporter. According to the Sri Lanka Trade Portal, all exporters, regardless of the type of goods, are required to register with several institutions, including the Sri Lanka Export Development Board (EDB), the Inland Revenue Department (to obtain a Tax Identification Number and, if applicable, a VAT number), and Sri Lanka Customs. While mandatory registration with the EDB has been revoked by Extraordinary Gazette No. 2118/60 of 11 April 2019, the EDB continues to maintain a voluntary exporter registration scheme. To complete the registration process with these bodies, exporters must submit the original Business Registration Certificate or Certificate of Incorporation, along with other supporting documentation and completed application forms.

Pursuant to Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991, the export of any telecommunication apparatus in Sri Lanka is prohibited unless carried out under the authority of a valid licence issued by the Telecommunications Regulatory Commission. As established in Art. 21.2, such licences are subject to conditions determined by the Commission, including the payment of a prescribed fee and compliance with specific restrictions. Under Art. 21.3, the Commission retains the power to revoke any licence for non-compliance with licensing conditions, failure to make required payments, or breach of applicable regulations.

The Radio and Telecommunications Terminal Equipment (RTTE) Type Approval Rules govern the type approval procedures in Sri Lanka. While local laboratory testing is not mandatory, Section 14 requires that testing must still be undertaken by laboratories accredited by the International Laboratory Accreditation Cooperation (ILAC), ensuring that test results are recognised and accepted. In accordance with Section 10, these certified laboratory reports verify the device’s compliance with safety, radiofrequency performance, and electromagnetic compatibility standards.

Under Sections 6 and 7 of the Standardization and Quality Control Regulations issued pursuant to the Imports and Exports (Control) Act, No. 1 of 1969, importers of certain designated goods are required to submit all relevant documentation concerning such goods to both the Director General of Sri Lanka Customs and the Director General of the Sri Lanka Standards Institution prior to customs clearance. Where necessary, product samples shall be tested in accordance with the applicable "Sri Lanka Standards". Samples submitted to the Sri Lanka Standards Institution will be assessed for conformity with these standards in accordance with the conformity assessment procedures and guidelines established by its Director General. In addition, Section 9 stipulates that no importer may sell, offer for sale, use, or distribute certain specified goods without the prior approval of the Director General of the Sri Lanka Standards Institution. Among the goods falling within this regulatory scope are primary cells and batteries, as well as PVC-insulated, non-armoured cables.
The 2024 Regulation repeals the Imports and Exports Control (Standardization and Quality Control) Regulations 2017, which contained similar provisions.

It is reported that news websites are required to register with the Ministry of Mass Media of Sri Lanka under the Cabinet Decision No. 12/1037/37/019-1 of 13.08.2012 (however, this decision is not available online). According to the "Procedure of Registration of Websites", applications are subject to review by a panel appointed by the Secretary of the Ministry of Mass Media.

Sri Lanka has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Sri Lanka possesses a national telecommunications regulatory body, namely the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). Nevertheless, concerns have been raised regarding the extent of its institutional independence from governmental influence. Reports indicate a persistent pattern of governmental interference in the Commission’s decision-making processes. In addition, since the Ministry of Technology's organisational restructuring in October 2022, the TRCSL has operated under the purview of this Ministry.

Sri Lanka has entered into an agreement that entails binding commitments to permit the cross-border transfer of data. Art. 9.9 of the "Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore" stipulates that each party shall allow the transfer of information by electronic means, including personal data, across borders when such transfers are necessary for the conduct of business by a covered person.

Sri Lanka does not currently operate a comprehensive personal data protection regime. Instead, data protection is addressed through a range of sector‑specific legislative instruments, including the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, the Telecommunications Act No. 25 of 1991, the Financial Consumer Protection Regulations No. 1 of 2023, and Special Direction No. 91. In recognition of this regulatory gap, the Personal Data Protection Act has been enacted; however, to date, no definitive commencement date has been announced.

Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.

Section 33 of the Online Safety Act confers upon experts appointed to assist the Online Safety Commission the authority, for an investigation under the Act, to access any information system, computer, or computer programme, as well as any data or information contained therein, to perform their designated functions. Additionally, such experts are empowered to compel individuals to disclose traffic data. Notably, it has been reported that these investigatory powers do not require the issuance of judicial warrants to access user data.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.