Under Sections 6 and 7 of the Standardization and Quality Control Regulations issued pursuant to the Imports and Exports (Control) Act, No. 1 of 1969, importers of certain designated goods are required to submit all relevant documentation concerning such goods to both the Director General of Sri Lanka Customs and the Director General of the Sri Lanka Standards Institution prior to customs clearance. Where necessary, product samples shall be subject to testing in accordance with the applicable "Sri Lanka Standards". Samples submitted to the Sri Lanka Standards Institution will be assessed for conformity with these standards in accordance with the conformity assessment procedures and guidelines established by its Director General. In addition, Section 9 stipulates that no importer may sell, offer for sale, use, or distribute certain specified goods without the prior approval of the Director General of the Sri Lanka Standards Institution. Among the goods falling within this regulatory scope are primary cells and batteries, as well as PVC insulated, non-armoured cables.
The 2024 Regulation repeals the Imports and Exports Control (Standardization and Quality Control) Regulations 2017, which contained similar provisions.

The Telecommunications Regulatory Commission of Sri Lanka lists Virtual Private Network (VPN) services among the services that have been issued a license in the country. However, the regulatory text mandating the license has not been identified.

The Telecommunications Regulatory Commission of Sri Lanka lists e-mail services among the services that have been issued a license in the country. However, the regulatory text mandating the license has not been identified.

The Personal Data Protection Act introduces Sri Lanka’s first comprehensive legal framework dedicated to the regulation and safeguarding of personal data. This landmark legislation seeks to define and reinforce the rights of data subjects, while also providing for the establishment of the Data Protection Authority of Sri Lanka. Among its notable provisions are the requirement for data controllers and processors to implement a data protection management programme, and the imposition of specific conditions governing the use of personal data for direct marketing purposes.
The Personal Data Protection Act serves as the principal statute governing personal data in Sri Lanka. However, several regulations and directions issued under sector-specific legislation continue to provide detailed guidance on data protection. These include: the Financial Consumer Protection Regulations No. 1 of 2023, which impose obligations closely aligned with those set out in the Personal Data Protection Act, particularly in relation to the handling of financial consumers’ personal information; and Special Direction No. 91, issued on 17 May 2023, which establishes data protection requirements applicable to e-commerce entities and platform operators, with the aim of safeguarding consumer rights in digital environments.
Prior to the enactment of this legislation, Sri Lanka lacked a unified legal instrument addressing data protection and privacy. Instead, various sector-specific statutes—such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, and the Telecommunications Act No. 25 of 1991—acknowledged the importance of privacy and confidentiality in a fragmented manner.

In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not stipulate a specific duration for which this data must be retained.

Pursuant to Section 24 of the Personal Data Protection Act, a data controller is mandated to undertake a Data Protection Impact Assessment (DPIA) prior to initiating any processing activity that involves: (i) the systematic and extensive evaluation of personal data or special categories of personal data, including profiling; (ii) the systematic monitoring of publicly accessible areas or telecommunication networks; or (iii) any processing operation prescribed by regulation, taking into account the scope and associated risks of such processing. In addition, the controller is obliged to conduct a new DPIA whenever there is a substantive alteration in the methodology, technology, or procedural framework employed in the processing activity for which a DPIA has previously been completed.
In addition, in accordance with Section 20 of the Act, it is incumbent upon every data controller to designate or appoint a Data Protection Officer (DPO) to ensure adherence to the provisions of the Act under specified circumstances. These include instances where the processing of personal data is undertaken by a ministry, governmental department, or public corporation—excluding the judiciary when acting in a judicial capacity. Additionally, the obligation to appoint a DPO arises where the core processing activities of the controller or processor involve: (i) operations which, by their nature, scope, or purpose, necessitate regular and systematic monitoring of data subjects; (ii) the processing of special categories of personal data; or (iii) processing activities that, by virtue of their nature and impact, pose a risk of harm to the rights of data subjects as safeguarded under the Act.

Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the purposes of the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.

Pursuant to Section 7 of Schedule I and Section 7 of Schedule II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all digital cellular mobile service operators are obligated to provide access to their databases or networks, upon request by the Telecommunications Regulatory Commission of Sri Lanka, for the purpose of obtaining subscriber information and data.

Section 33 of the Online Safety Act confers upon experts appointed to assist the Online Safety Commission the authority, for the purposes of an investigation under the Act, to access any information system, computer, or computer programme, as well as any data or information contained therein, in order to perform their designated functions. Additionally, such experts are empowered to compel individuals to disclose traffic data. Notably, it has been reported that these investigatory powers do not necessitate the acquisition of judicial warrants for accessing user data.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it will not enforce the Act in its current form and that it will be implemented following modifications.

A basic legal framework on intermediary liability for copyright infringement is absent in Sri Lanka's law and jurisprudence.

Section 27 of the Online Safety Act establishes a safe harbour regime for intermediaries with regards to the dissemination of prohibited material. It provides that any individual or entity engaged in the provision of services such as internet intermediation, telecommunications, public internet access, computing resources, email, short messaging services (SMS), multimedia messaging services (MMS), or one-to-one live aural communication shall not be held liable for the dissemination of a prohibited statement transmitted through an online platform owned, operated, or controlled by such a provider. Nor shall they be liable for enabling end users to access, via such a platform, a communication link containing a prohibited statement authored by a third party. In addition, where a false or prohibited statement, or other unlawful material, is removed within six months of the Act’s commencement, or where such material has been uploaded or tampered with by third parties, neither the owner of the online account nor the internet service provider shall bear liability in relation to the content in question.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.

It is reported that an ICT Agency's decision requires the provision of a citizen’s national identity card number to access to public Wi-Fi hotspots.

Under Section 3 of the “Subscriber SIM Cards (Subscriber Identification Modules - SIM) Regulations No. 01 of 2019”, every operator shall comply with the regulatory measures specified in Schedules I and II for the registration of SIM cards of retail and corporate subscribers, respectively. Under Schedule I, each operator must obtain a duly completed and signed application form from the retail subscriber, including the following mandatory details: national identity card number, permanent address, and new telephone number. Under Schedule II, each operator must ensure that the application is accompanied by a true copy of the certificate of business registration and a list containing the name, national identity card number or driving licence number or passport number, permanent address, and present address of the employees of the corporate subscriber who are obtaining connections under the corporate package.

Reports indicated that several independent and other websites were subject to access restrictions in 2024. In addition, in April 2022, it was reported that the Telecommunications Regulatory Commission, acting on directives from the Ministry of Defence, suspended access to various social media platforms in Sri Lanka. The services affected included Facebook, YouTube, Twitter, Instagram, and WhatsApp. This suspension was lifted after 15 hours. A similar restriction was imposed in 2019, during which access to platforms such as Facebook, Facebook Messenger, Viber, Snapchat, and Instagram was blocked. Additionally, the use of the TunnelBear Virtual Private Network (VPN) was also restricted.

It is reported that Voice over Internet Protocol (VoIP) is currently not permitted in Sri Lanka. However, the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) has established a list of categories of users, customers, and clients who are eligible to apply for an exemption. These include licensed public switched telephone network (PSTN) operators and their affiliates, authorised call centres and business process outsourcing (BPO) operators, as well as customers engaged in international logistics, international banking, information technology, and software development and support services, along with licensed internet service providers.