Under Section 3 of the “Subscriber SIM Cards (Subscriber Identification Modules - SIM) Regulations No. 01 of 2019”, every operator shall comply with the regulatory measures specified in Schedules I and II for the registration of SIM cards of retail and corporate subscribers, respectively. Under Schedule I, each operator must obtain a duly completed and signed application form from the retail subscriber, including the following mandatory details: national identity card number, permanent address, and new telephone number. Under Schedule II, each operator must ensure that the application is accompanied by a true copy of the certificate of business registration and a list containing the name, national identity card number or driving licence number or passport number, permanent address, and present address of the employees of the corporate subscriber who are obtaining connections under the corporate package.

Reports indicated that several independent and other websites were subject to access restrictions in 2024. In addition, in April 2022, it was reported that the Telecommunications Regulatory Commission, acting on directives from the Ministry of Defence, suspended access to various social media platforms in Sri Lanka. The services affected included Facebook, YouTube, Twitter, Instagram, and WhatsApp. This suspension was lifted after 15 hours. A similar restriction was imposed in 2019, during which access to platforms such as Facebook, Facebook Messenger, Viber, Snapchat, and Instagram was blocked. Additionally, the use of the TunnelBear Virtual Private Network (VPN) was also restricted.

Sri Lanka has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Sri Lanka possesses a national telecommunications regulatory body, namely the Telecommunications Regulatory Commission of Sri Lanka (TRCSL). Nevertheless, concerns have been raised regarding the extent of its institutional independence from governmental influence. Reports indicate a persistent pattern of governmental interference in the Commission’s decision-making processes. In addition, since the organisational restructuring of the Ministry of Technology in October 2022, the TRCSL has operated under the purview of this Ministry.

Section 26 of the Personal Data Protection Act provides that, where a public authority processes personal data as a controller or processor, such personal data shall be processed exclusively in Sri Lanka. The Act provides for the possibility to process personal data in a third country deemed adequate, but this exception only applies to specific categories of personal data identified by the Data Protection Authority, in consultation with the relevant controller or processor and the relevant regulatory or statutory body.
Public authority is defined as a Ministry, any Department or Provincial Council, local authority, statutory body or any institution established by any written law, or a Ministry, any Department or other authority or institution established or created by a Provincial Council.

Section 26 of the Personal Data Protection Act provides that a controller or processor other than a public authority may process personal data under the following circumstances:
- in a country deemed adequate pursuant to an adequacy decision;
- in a country not deemed adequate, only where such controller or processor ensures compliance with the obligations imposed under Part I, Part II, and Sections 20, 21, 22, 23, 24, and 25 of Part III of Act No. 9; or
- in the absence of an adequacy decision or appropriate safeguards, in certain special instances listed in Section 26(5).

Sri Lanka has entered into an agreement that entails binding commitments to permit the cross-border transfer of data. Art. 9.9 of the "Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore" stipulates that each party shall allow the transfer of information by electronic means, including personal data, across borders when such transfers are necessary for the conduct of business by a covered person.

Sri Lanka is a party to the Patent Cooperation Treaty (PCT).

Sri Lanka maintains a well-defined framework of copyright exceptions, grounded in the principle of fair use, which permits the lawful utilisation of copyrighted material without prior authorisation. These provisions are codified in Sections 11 and 12 of the Intellectual Property Act.

Reports indicate that music and software piracy is prevalent in Sri Lanka. International firms operating within the recording, software, and film industries assert that insufficient protection and enforcement of intellectual property rights significantly undermine their commercial interests in the country.

Sri Lanka has not adopted the World Intellectual Property Organization (WIPO) Copyright Treaty.

Sri Lanka has not adopted the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Pursuant to Section 5 of the Right to Information Act, where a public authority requests access to information—including trade secrets protected under the Intellectual Property Act—such a request shall not be refused if the disclosure is warranted by an overriding public interest.

Sri Lanka currently lacks a comprehensive legal framework dedicated to the robust protection of trade secrets. Nonetheless, certain limited provisions address aspects of this issue. The principal legislative instrument governing matters related to unfair competition and the protection of undisclosed information, including trade secrets, is the Intellectual Property Act, No. 36 of 2003. This Act affords statutory protection to individuals and entities seeking legal redress against the unauthorised disclosure, acquisition, or utilisation of confidential information. In addition to statutory remedies, common law avenues remain accessible for the enforcement of rights in such cases. However, the existing legal regime does not provide for the formal registration of trade secrets.

Under Section 17.10 of the Telecommunications Act, as amended in 2024, the Commission shall have the authority to issue directions to any operator to whom a licence has been issued, requiring the sharing of any infrastructure owned or used by such operator with another operator specified by the Commission. The Act’s definition of infrastructure includes passive infrastructure.
Section 7 of the Telecommunications Infrastructure Sharing Regulations released in 2024 states that these Regulations establish an infrastructure sharing regime that enables the sharing of applicable telecommunications infrastructure among the requesting operators, sharing operators, and owning operators.