Pursuant to Art. 4.11 of the Imports and Exports (Control) Act, No. 1 of 1969, no person may import goods into Sri Lanka without a valid licence issued by the Controller of Imports and Exports. Art. 14 further specifies that the Minister of Finance, Economic Stabilization and National Policies can issue regulations to prohibit or regulate the import of certain goods.
The latest Consolidated Customs Import Control List of controlled goods whose import requires a licence includes telecommunication equipment and other transmission apparatus, including used smartphones (HS 8517.13.10), used isotopes other than those classified under heading 28.44 (HS 2845.90), radio navigational aid apparatus (HS 8526.91), among others.
Furthermore, under Art. 2 of the Special Import Licence and Payment Regulations, No. 1 of 2011, only certain operators may import controlled goods. These are (i) individuals, trading either in their own name or under a business name, who are citizens of Sri Lanka; (ii) firms, partnerships, or other entities duly registered in Sri Lanka; (iii) public and private companies incorporated under the Companies Act, No. 7 of 2007; and (iv) non-nationals holding a valid visa authorising residence in Sri Lanka.

Section 18.2 of the Computer Crime Act confers authority upon a designated expert or police officer to obtain information—such as subscriber details and traffic data—held by a service provider, and to intercept wire or electronic communications without a warrant, provided that the following conditions are met: (i) the investigation must be conducted with urgency; (ii) there exists a substantial risk that evidence may be lost, destroyed, altered, or rendered inaccessible; and (iii) the preservation of confidentiality is necessary.
For the Act, the term "expert" denotes a public officer possessing the requisite qualifications and experience in electronic engineering or software technology, who is appointed by the Minister responsible for science and technology, in consultation with the Minister of Justice, through an order published in the Gazette. The term "service provider" encompasses any public or private entity that enables its clients to communicate via a computer system, as well as any entity that processes or stores computer data or information on behalf of such a provider or its clients.

Section 33 of the Online Safety Act confers upon experts appointed to assist the Online Safety Commission the authority, for an investigation under the Act, to access any information system, computer, or computer programme, as well as any data or information contained therein, to perform their designated functions. Additionally, such experts are empowered to compel individuals to disclose traffic data. Notably, it has been reported that these investigatory powers do not require the issuance of judicial warrants to access user data.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.

A basic legal framework on intermediary liability for copyright infringement is absent in Sri Lanka's law and jurisprudence.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Sri Lanka's law and jurisprudence.
Section 27 of the Online Safety Act establishes a safe harbour regime for intermediaries regarding the dissemination of 'prohibited statements'. It provides that any individual or entity engaged in the provision of services such as internet intermediation, telecommunications, public internet access, computing resources, email, short messaging services (SMS), multimedia messaging services (MMS), or one-to-one live aural communication shall not be held liable for the dissemination of a prohibited statement transmitted through an online platform owned, operated, or controlled by such a provider. Nor shall they be liable for enabling end users to access, via such a platform, a communication link containing a prohibited statement authored by a third party. In addition, where a false or prohibited statement, or other unlawful material, is removed within six months of the Act’s commencement, or where such material has been uploaded or tampered with by third parties, neither the owner of the online account nor the internet service provider shall bear liability in relation to the content in question.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.

It is reported that an ICT Agency's decision requires the provision of a citizen’s national identity card number to access to public Wi-Fi hotspots.

Under Section 3 of the “Subscriber SIM Cards (Subscriber Identification Modules - SIM) Regulations No. 01 of 2019”, every operator shall comply with the regulatory measures specified in Schedules I and II for the registration of SIM cards of retail and corporate subscribers, respectively. Under Schedule I, each operator must obtain a duly completed and signed application form from the retail subscriber, including the following mandatory details: national identity card number, permanent address, and new telephone number. Under Schedule II, each operator must ensure that the application is accompanied by a true copy of the certificate of business registration and a list containing the name, national identity card number or driving licence number or passport number, permanent address, and present address of the employees of the corporate subscriber who are obtaining connections under the corporate package.
In accordance with Schedules I and II of the "Subscriber SIM Cards (Subscriber Identification Modules – SIM) Regulations No. 01 of 2019", all licensed digital cellular mobile service providers are mandated to retain subscriber information and furnish such data to the relevant authorities upon request. Notably, the Regulations do not specify a specific retention period for this data.

Reports indicated that several independent and other websites were subject to access restrictions in 2024. In addition, in April 2022, the Telecommunications Regulatory Commission reportedly suspended access to various social media platforms in Sri Lanka at the Ministry of Defence's direction. The services affected included Facebook, YouTube, Twitter, Instagram, and WhatsApp. This suspension was lifted after 15 hours. A similar restriction was imposed in 2019, during which access to platforms such as Facebook, Facebook Messenger, Viber, Snapchat, and Instagram was blocked. Additionally, the use of the TunnelBear Virtual Private Network (VPN) was also restricted.

Pursuant to Sections 11(j) and 49(1)(b) of the Online Safety Act, websites providing social media functionalities to end-users in Sri Lanka are required to register to offer their services. The precise procedures for such registration will be prescribed through regulations enacted under the authority of the Act.
It is reported that the enforcement of the Online Safety Act was halted in January 2025. The Government announced that it would not enforce the Act in its current form and that it would be implemented following modifications.

It is reported that news websites are required to register with the Ministry of Mass Media of Sri Lanka under the Cabinet Decision No. 12/1037/37/019-1 of 13.08.2012 (however, this decision is not available online). According to the "Procedure of Registration of Websites", applications are subject to review by a panel appointed by the Secretary of the Ministry of Mass Media.

It is reported that Voice over Internet Protocol (VoIP) is currently not permitted in Sri Lanka. However, the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) has established a list of categories of users, customers, and clients who are eligible to apply for an exemption. These include licensed public switched telephone network (PSTN) operators and their affiliates, authorised call centres and business process outsourcing (BPO) operators, as well as customers engaged in international logistics, international banking, information technology, and software development and support services, along with licensed internet service providers.

The Telecommunications Regulatory Commission of Sri Lanka lists Virtual Private Network (VPN) services among those licensed in the country. However, the regulatory text mandating the license has not been identified.

The Telecommunications Regulatory Commission of Sri Lanka lists e-mail services among the services that have been licensed in the country. However, the regulatory text mandating the license has not been identified.

The Telecommunications Regulatory Commission of Sri Lanka lists data processing services related to the air transport industry among the services licensed in the country. However, the regulatory text mandating the license has not been identified.

Sri Lanka does not currently operate a comprehensive personal data protection regime. Instead, data protection is addressed through a range of sector‑specific legislative instruments, including the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016, the Telecommunications Act No. 25 of 1991, the Financial Consumer Protection Regulations No. 1 of 2023, and Special Direction No. 91. In recognition of this regulatory gap, the Personal Data Protection Act has been enacted; however, to date, no definitive commencement date has been announced.