Pursuant to Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991, the import of any telecommunication apparatus in Sri Lanka is prohibited unless carried out under the authority of a valid licence issued by the Telecommunications Regulatory Commission. As established in Art. 21.2, such licences are subject to conditions determined by the Commission, including the payment of a prescribed fee and compliance with specific restrictions. Under Art. 21.3, the Commission retains the power to revoke any licence in the event of non-compliance with licensing conditions, failure to make required payments, or breach of applicable regulations.

Sri Lanka’s import regime is reportedly characterised by high entry barriers and regulatory opacity. It is reported that the discretionary nature of import approval processes contributes to regulatory unpredictability, as agencies do not follow uniformly applied standards or procedures. Requirements often vary by product or authority, creating significant compliance challenges for importers. Foreign stakeholders have expressed concern that previous administrations failed to adequately consult the private sector before introducing new regulatory measures. In addition, regulatory bodies responsible for evaluating imported products are reportedly constrained by limited technical capacity, further complicating the approval process.

Under Section 115A of the Customs Ordinance, no goods may be exported from Sri Lanka except by a registered exporter. According to the Sri Lanka Trade Portal, all exporters, regardless of the type of goods, are required to register with several institutions, including the Sri Lanka Export Development Board (EDB), the Inland Revenue Department (to obtain a Tax Identification Number and, if applicable, a VAT number), and Sri Lanka Customs. While mandatory registration with the EDB has been revoked by Extraordinary Gazette No. 2118/60 of 11 April 2019, the EDB continues to maintain a voluntary exporter registration scheme. To complete the registration process with these bodies, exporters must submit the original Business Registration Certificate or Certificate of Incorporation, along with other supporting documentation and completed application forms.
Art. 4.1 of the Imports and Exports (Control) Act, No. 1 of 1969, also mandates that the export of certain goods may only be conducted under the authority of a valid licence issued by the Controller of Imports and Exports and in full compliance with the conditions attached thereto. Goods that require a licence include, among others, telecom equipment, as specified in Art. 21.1 of the Sri Lanka Telecommunications Act, No. 25 of 1991.

The Radio and Telecommunications Terminal Equipment (RTTE) Type Approval Rules govern the type approval procedures in Sri Lanka. While local laboratory testing is not mandatory, Section 14 requires that testing must still be undertaken by laboratories accredited by the International Laboratory Accreditation Cooperation (ILAC), ensuring that test results are recognised and accepted. In accordance with Section 10, these certified laboratory reports verify the device’s compliance with safety, radiofrequency performance, and electromagnetic compatibility standards.

Under Sections 6 and 7 of the Standardization and Quality Control Regulations issued pursuant to the Imports and Exports (Control) Act, No. 1 of 1969, importers of certain designated goods are required to submit all relevant documentation concerning such goods to both the Director General of Sri Lanka Customs and the Director General of the Sri Lanka Standards Institution prior to customs clearance. Where necessary, product samples shall be subject to testing in accordance with the applicable "Sri Lanka Standards". Samples submitted to the Sri Lanka Standards Institution will be assessed for conformity with these standards in accordance with the conformity assessment procedures and guidelines established by its Director General. In addition, Section 9 stipulates that no importer may sell, offer for sale, use, or distribute certain specified goods without the prior approval of the Director General of the Sri Lanka Standards Institution. Among the goods falling within this regulatory scope are primary cells and batteries, as well as PVC insulated, non-armoured cables.
The 2024 Regulation repeals the Imports and Exports Control (Standardization and Quality Control) Regulations 2017, which contained similar provisions.

The Telecommunications Regulatory Commission of Sri Lanka lists Virtual Private Network (VPN) services among the services that have been issued a license in the country. However, the regulatory text mandating the license has not been identified.

The Personal Data Protection Act introduces Sri Lanka’s first comprehensive legal framework dedicated to the regulation and safeguarding of personal data. This landmark legislation seeks to define and reinforce the rights of data subjects, while also providing for the establishment of the Data Protection Authority of Sri Lanka. Among its notable provisions are the requirement for data controllers and processors to implement a data protection management programme, and the imposition of specific conditions governing the use of personal data for direct marketing purposes.
The Personal Data Protection Act serves as the principal statute governing personal data in Sri Lanka. However, several regulations and directions issued under sector-specific legislation continue to provide detailed guidance on data protection. These include: the Financial Consumer Protection Regulations No. 1 of 2023, which impose obligations closely aligned with those set out in the Personal Data Protection Act, particularly in relation to the handling of financial consumers’ personal information; and Special Direction No. 91, issued on 17 May 2023, which establishes data protection requirements applicable to e-commerce entities and platform operators, with the aim of safeguarding consumer rights in digital environments.
Prior to the enactment of this legislation, Sri Lanka lacked a unified legal instrument addressing data protection and privacy. Instead, various sector-specific statutes—such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, and the Telecommunications Act No. 25 of 1991—acknowledged the importance of privacy and confidentiality in a fragmented manner.

In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not stipulate a specific duration for which this data must be retained.

Pursuant to Section 24 of the Personal Data Protection Act, a data controller is mandated to undertake a Data Protection Impact Assessment (DPIA) prior to initiating any processing activity that involves: (i) the systematic and extensive evaluation of personal data or special categories of personal data, including profiling; (ii) the systematic monitoring of publicly accessible areas or telecommunication networks; or (iii) any processing operation prescribed by regulation, taking into account the scope and associated risks of such processing. In addition, the controller is obliged to conduct a new DPIA whenever there is a substantive alteration in the methodology, technology, or procedural framework employed in the processing activity for which a DPIA has previously been completed.
In addition, in accordance with Section 20 of the Act, it is incumbent upon every data controller to designate or appoint a Data Protection Officer (DPO) to ensure adherence to the provisions of the Act under specified circumstances. These include instances where the processing of personal data is undertaken by a ministry, governmental department, or public corporation—excluding the judiciary when acting in a judicial capacity. Additionally, the obligation to appoint a DPO arises where the core processing activities of the controller or processor involve: (i) operations which, by their nature, scope, or purpose, necessitate regular and systematic monitoring of data subjects; (ii) the processing of special categories of personal data; or (iii) processing activities that, by virtue of their nature and impact, pose a risk of harm to the rights of data subjects as safeguarded under the Act.

Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the purposes of the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.

Pursuant to Section 7 of Schedule I and Section 7 of Schedule II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all digital cellular mobile service operators are obligated to provide access to their databases or networks, upon request by the Telecommunications Regulatory Commission of Sri Lanka, for the purpose of obtaining subscriber information and data.

Section 33 of the Online Safety Act confers upon experts appointed to assist the Online Safety Commission the authority, for the purposes of an investigation under the Act, to access any information system, computer, or computer programme, as well as any data or information contained therein, in order to perform their designated functions. Additionally, such experts are empowered to compel individuals to disclose traffic data. Notably, it has been reported that these investigatory powers do not necessitate the acquisition of judicial warrants for accessing user data.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it will not enforce the Act in its current form and that it will be implemented following modifications.

A basic legal framework on intermediary liability for copyright infringement is absent in Sri Lanka's law and jurisprudence.

Section 27 of the Online Safety Act establishes a safe harbour regime for intermediaries with regards to the dissemination of prohibited material. It provides that any individual or entity engaged in the provision of services such as internet intermediation, telecommunications, public internet access, computing resources, email, short messaging services (SMS), multimedia messaging services (MMS), or one-to-one live aural communication shall not be held liable for the dissemination of a prohibited statement transmitted through an online platform owned, operated, or controlled by such a provider. Nor shall they be liable for enabling end users to access, via such a platform, a communication link containing a prohibited statement authored by a third party. In addition, where a false or prohibited statement, or other unlawful material, is removed within six months of the Act’s commencement, or where such material has been uploaded or tampered with by third parties, neither the owner of the online account nor the internet service provider shall bear liability in relation to the content in question.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.

It is reported that an ICT Agency's decision requires the provision of a citizen’s national identity card number to access to public Wi-Fi hotspots.