Sri Lanka’s proposed Cyber Security Bill, which has faced prolonged delays, multiple revisions, and sustained scrutiny from industry experts and civil society, is reportedly nearing its final stages before submission to the President for approval.
While the Government maintains that necessary amendments are being made to address stakeholder concerns, various technology experts, legal professionals, and media representatives continue to express unease regarding the scope of the bill and its potential impact on digital rights and governance.
This follows a series of developments over the past year, during which both the legislative process and policy debates surrounding the bill have advanced incrementally. The latest official statement from Deputy Minister of Digital Economy Eranga Weeraratne last month confirmed that the draft legislation was under final review at the Legal Draftsman’s Department and that the Government was prioritising its passage.
Weeraratne stated that the proposed law would establish a dedicated Cyber Security Regulatory Authority (CSRA), tasked with overseeing and enforcing national cybersecurity policy, monitoring cyber threats, and ensuring compliance with digital security standards.
However, despite official reassurances, specific concerns persist over the breadth of powers assigned to the proposed authority, its relationship with military cyber operations, and the lack of publicly available information regarding a related piece of legislation – the Defence Cyber Command Act of 2023 – which is repeatedly referenced in the bill but remains undisclosed.
ISACA stance
The initiative to formulate a national cybersecurity law gained momentum several years ago, with the primary objective of fortifying Sri Lanka’s digital infrastructure against emerging cyber threats. In its earlier form, the draft bill drew criticism from industry associations, particularly the Information Systems Audit and Control Association (ISACA) Sri Lanka Chapter, over governance and operational concerns.
Former President of the ISACA Sri Lanka Chapter Lakmal Embuldeniya confirmed that the industry had engaged in consultations and provided feedback on a previous draft almost a year ago.
One of the principal issues highlighted was the proposal to place the operational Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) under the same authority responsible for regulating cybersecurity services. This arrangement was identified as a potential conflict of interest, commonly referred to as a ‘maker-checker’ issue, where the entity setting the rules would also be enforcing and executing them.
According to Embuldeniya, these concerns were acknowledged and addressed at the time, leading to a decision to limit the proposed CSRA’s role strictly to regulatory functions and not operational responsibilities.
He also revealed that discussions had since slowed due to ongoing debates over whether Sri Lanka should implement separate military and civilian cybersecurity laws. As of two weeks ago, a meeting involving the President and other stakeholders took place to review the matter, although no public updates or new drafts have been released since.
Commenting on the current status of the proposed Cyber Security Bill, Embuldeniya confirmed that while earlier industry comments had been addressed, the process had since slowed due to ongoing policy debates and procedural delays.
“The last time we engaged on this, we gave our comments on the previous draft and those were addressed,” he said, noting that this had happened almost a year ago. He added: “Since then, what I have heard from discussions, although I can’t name sources, is that the authorities are still deciding whether there should be a separate military cyber law and a separate civil cyber law. That debate is still unresolved.”
Another key development, according to Embuldeniya, is a decision to rename the proposed governing body from Cyber Security Authority to Cyber Security Regulatory Authority.
Explaining the rationale behind this, he said: “Initially, they planned to bring Sri Lanka CERT under this authority as an operational arm. But concerns were raised, including by us, about a conflict of interest, where the regulator and the operational entity would essentially be one and the same. It’s like having both the maker and the checker in the same position.”
He noted that the authorities were now focusing solely on the regulatory aspect, avoiding any overlap that could compromise governance.
However, the legal process is yet to move forward. “As far as I know, the amended draft hasn’t been sent to the Legal Draftsman for final drafting,” he said.
When asked who was responsible for forwarding the draft, Embuldeniya noted that while the original drafting committee was appointed by Sri Lanka CERT, there were now plans to form a new committee, which would include industry representatives and other stakeholders to review and finalise the draft.
“Once finalised, it should either go to the Legal Draftsman through Sri Lanka CERT or the Ministry of Digital Economy,” he added.
Regarding high-level discussions, Embuldeniya confirmed that there had been a meeting involving key parties and the President a couple of weeks ago. “Yes, there was a meeting – not very recently, but around two weeks back – where they discussed the way forward. But to my knowledge, there haven’t been further meetings in the last week or so,” he said.
When asked whether ISACA’s expectations for the draft remained unchanged, Embuldeniya responded: “Yes. Our primary concern was always the ‘maker-checker’ issue. We objected to a scenario where the authority would both regulate and operate cybersecurity services. From what I have heard, it seems they have decided not to include Sri Lanka CERT within the authority and to stick to a regulatory mandate, but we will need to see the new draft to confirm this.”
He reiterated the need for transparency in the process and careful scrutiny of the final bill once it was released. “At this point, we are still waiting to see what exactly they will propose,” he said.
Cyber Security Regulatory Authority
The previous draft of the Cyber Security Bill establishes a comprehensive regulatory framework for overseeing civilian cybersecurity matters in Sri Lanka.
As outlined in Section 3(1)(a) and (b), it creates an authority known as the Cyber Security Regulatory Authority of Sri Lanka, which would serve as the apex executive body for cybersecurity governance. Under Section 3(2), the CSRA would be constituted as a corporate body with perpetual succession, legal standing, and the capacity to sue and be sued in its corporate name.
Section 6(1) of the draft bill details the composition of the CSRA’s board of directors, including representatives from various Government and regulatory agencies.
Members would include the director general of the Defence Cyber Command established under the Defence Cyber Command Act of 2023; the secretary to the ministry responsible for cybersecurity; the secretary to the Treasury; the director general of the Telecommunications Regulatory Commission; the chairperson of the Information and Communication Technology Agency (ICTA); and four individuals appointed by the President based on expertise in relevant fields such as cybersecurity, public administration, or law.
The bill also addresses the designation of Critical National Information Infrastructure (CNII) in Section 20. It empowers the CSRA, in consultation with relevant authorities, to classify any computer system, programme, or infrastructure deemed vital to national security, public health, or economic stability as CNII. Owners of such infrastructure would be notified of the designation, with the CSRA retaining discretion to publish this information in the Government gazette.
A recurring point of contention is the bill’s integration with the Defence Cyber Command Act of 2023, which remains unpublished and inaccessible to the public. The draft Cyber Security Bill frequently references this act, including provisions under Section 2(e) and Section 4(b), which outline coordination and operational support roles between the CSRA and the Defence Cyber Command on matters concerning national security.
Cybersecurity professionals and legal experts have raised concerns that, in the absence of publicly available information on the Defence Cyber Command Act, it is difficult to assess the extent of military involvement in civilian cybersecurity affairs.
Questions have also arisen over potential overlaps between civilian regulatory functions and military cyber operations, as well as the possible implications for individual privacy, freedom of expression, and press freedom.
Section 18(1) of the draft bill proposes the dissolution of Sri Lanka CERT, currently operating as a company under the Companies Act No. 7 of 2007. Upon enactment of the new law, Sri Lanka CERT would be rebranded as the Sri Lanka Computer Emergency Response Team and incorporated under the CSRA, focusing solely on incident response operations.
All assets, liabilities, functions, and staff would be transferred to the CSRA, with the winding-up process conducted in accordance with existing corporate law.
This provision has also faced scrutiny from industry groups, including ISACA, which recommended the removal of certain clauses in the draft Cyber Security Bill relating to the winding-up process. ISACA argued that these clauses are redundant, as the procedures for dissolving a company are already comprehensively covered under the Companies Act No. 7 of 2007.
In their feedback, ISACA and other technology experts recommended revisions to the bill’s definition of CNII to align with international standards such as those outlined in the National Institute of Standards and Technology SP 800-53 Framework, which emphasises the protection of systems essential to national security, economic prosperity, public health, and safety.
Additionally, they called for the establishment of an explicit accountability framework within the bill, detailing reporting mechanisms, transparency in decision-making processes, independent audits, and protocols to address potential conflicts of interest among the CSRA’s board members.
Several media organisations and legal associations have also flagged concerns over the potential for the bill’s provisions to be used for online surveillance, website blocking, and suppression of criticism against the Government. These concerns are compounded by the lack of clarity regarding the Defence Cyber Command Act’s contents and powers.
According to Deputy Minister Weeraratne’s latest statement, the bill remains under review at the Legal Draftsman’s Department. Multiple unofficial sources have indicated that the final draft is expected to be forwarded to the President shortly, although an exact timeline has not been confirmed.
When contacted, Sri Lanka CERT Senior Information Security Engineer and Spokesman Charuka Damunupola also stated that the amendments were currently with the Legal Draftsman’s Department. He added that they were being reviewed to determine whether the scope or content of the proposed Cyber Security Bill overlapped with that of the Defence Cyber Command Act.