• Plans to establish Cyber Security Regulatory Authority with enforcement powers
• Officials dismiss data sovereignty concerns over SLUDI project
• Cloud-based AI threats, digital nomad inflows addressed under existing laws

The Government is planning to introduce pivotal legislative and infrastructure initiatives to secure its rapidly expanding digital economy. At the forefront of this national initiative is the proposed Cyber Security Bill, a legal framework designed to address the vulnerabilities of modern digital governance. 

As Sri Lanka accelerates its transition towards a fully digitalised economy, integrating services from State administration to private financial transactions, the Government is concurrently navigating a complex landscape of cybersecurity enhancements, emerging technological threats, and delicate regional diplomatic balancing. 

The ambitious push for digitalisation encompasses a wide array of strategic initiatives that demand rigorous oversight. These range from the introduction of the digital nomad visa and the drafting of the aforementioned Cyber Security Bill to strategic participation in global technology summits. 

The successful implementation of these interconnected initiatives requires coordinated efforts across the digital economy sector, the public security apparatus, national cybersecurity agencies, and foreign diplomatic missions.

New regulatory authority

With critical State infrastructure increasingly reliant on interconnected digital networks, the stakes for national security are significantly high. The Government recognises that a passive approach to digital threats is no longer sufficient. 

Deputy Minister of Digital Economy Eranga Weeraratne provided an explanation of the Government’s systematic approach to establishing a robust and centralised regulatory environment through the new cybersecurity legislation. The primary objective is to move beyond mere monitoring and institute legally binding enforcement mechanisms.

“We are introducing the Cyber Security Bill to establish a Cyber Security Regulatory Authority, ensuring we can strengthen that sector significantly compared to its current state. At present, the cybersecurity aspect is governed by the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), which provides guidelines to safeguard against cyberattacks and responds when entities face such threats. 

“However, that organisation cannot enforce cybersecurity implementations across digital platforms. Therefore, there must be a regulatory body to publish enforcement and compliance requirements, and to enforce the application of those measures in all critical infrastructure, both public and private. To establish this regulatory body, we must have a proper legal framework, which is what the Cyber Security Bill aims to achieve,” Weeraratne noted.

Addressing concerns regarding potential operational overlaps and jurisdictional conflicts between the proposed regulatory body and existing State entities, the Deputy Minister provided a clear distinction of roles to ensure streamlined governance and efficient threat response mechanisms without bureaucratic duplication.

“The National Cyber Security Operations Centre (NCSOC) serves as a monitoring arm. It provides feedback and early responses, but it cannot enforce the application of security. If an entity runs digital platforms without proper security, the monitoring arm cannot execute any enforcement unless there is penalisation. There will be no conflict between these entities because one is the regulatory body and the other is the execution body. 

“The execution body is Sri Lanka CERT, while the regulatory body is what the new act will create. It is similar to the telecommunications sector, where the Telecommunications Regulatory Commission of Sri Lanka is the regulatory body and Sri Lanka Telecom is the service provider,” Weeraratne clarified. 

Echoing the urgent need for structured national defence mechanisms, Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola elaborated on the critical operational steps that had already been taken to protect State assets from sophisticated cyber intrusions. 

“A few months ago, we opened the NCSOC, which was officially launched by the President. This centre operates as the main focal point for detecting and identifying cyber threats targeting critical Government infrastructure. Based on this, we will be able to identify any threats directed at critical information systems in Sri Lanka. 

“As part of our infrastructure development, we are following a digital blueprint in coordination with the Ministry of Digital Economy. This blueprint outlines how Government infrastructure, other entities, and data will be connected over the next few years,” Damunupola stated.

Securing State infrastructure and the SLUDI project

A critical component of this comprehensive infrastructure blueprint is the Sri Lanka Unique Digital Identity (SLUDI) project. This initiative aims to streamline citizen services and enhance e-governance capabilities across all sectors. 

However, it has drawn significant public attention regarding data sovereignty, particularly due to the planned involvement of a foreign Master Systems Integrator (MSI) in the development phase. Weeraratne firmly dismissed these security concerns, outlining the operational safeguards designed to protect national data integrity and ensure complete sovereign control over the system. 

“There will be no risks. Although some individuals have attempted to highlight security issues for short-sighted political advantages, there is no real threat. We will ensure that there are no data access points available to any external parties. 

“The MSI is responsible for building the platforms and handing them over to Sri Lanka. Thereafter, a local entity known as the Managed Service Provider (MSP) will handle all management and daily operations of that platform. The MSI is solely for initial platform development and delivery. We want to implement this project quickly and our target for introduction is towards the end of the third or fourth quarter of 2026,” Weeraratne said.

Digital nomad visas and cloud-based AI threats

Further to the above initiatives, Sri Lanka is also actively inviting global talent to contribute to its economy through the newly introduced digital nomad visa programme. This programme is expected to bring foreign exchange and facilitate knowledge transfer within the local technological ecosystem. 

Addressing the specific administrative mechanisms of this programme, Weeraratne outlined the careful vetting process currently being established by the Government to ensure only legitimate professionals gained entry. 

“The visa is intended for people who are interested in working here. There is a process currently being implemented to verify the authenticity of their interest in obtaining a digital nomad visa. If they qualify, they will be granted the visa. There are various categories of visas that have been granted,” he stated. 

The anticipated influx of foreign technology professionals specialising in advanced fields such as Artificial Intelligence (AI) has inevitably raised questions regarding potential new vulnerabilities entering the country. When questioned about the specific infrastructure in place to neutralise such risks, Weeraratne clarified that the nature of modern AI processing rendered geographic location largely irrelevant to the threat level. 

“While there could be individuals who attempt to misuse these opportunities, AI operations can be executed from anywhere in the current context. These AI platforms and tools are mostly processed on cloud platforms rather than on local servers. Therefore, that threat exists regardless of the digital nomad visa. We must remain vigilant regarding any illegal activities, but there is no special infrastructure globally that can completely prevent such misuse,” he explained. 

Corroborating this perspective from a technical enforcement standpoint, Damunupola expressed complete confidence in the existing legal frameworks to manage any potential misuse of technology by incoming digital nomads or other malicious actors operating within the nation’s borders. 

“We do not foresee any immediate risk based on the arrival of these professionals because we currently have the Computer Crime Act and the Online Safety Act, which is being finalised with modifications. Apart from these, we also have the Electronic Transactions Act No.19 of 2006 and the Payment Devices Frauds Act No.30 of 2006. If any criminal attempts to misuse this technology, most of our laws have provisions to take action against them. 

“Furthermore, we are prioritising public awareness programmes to educate citizens on the dangers and risks of using AI and social media. While we lack specific national AI policies, we have implemented a National Cyber Security Strategy spanning to 2029. With support from the Asian Development Bank (ADB), we are acquiring expertise in emerging technologies like Internet of Things, AI, and 5G to create an actionable plan,” Damunupola noted.

Int’l AI summits and regional cyber diplomacy

Beyond domestic policy formulation and infrastructure development, Sri Lanka is actively engaging in the international dialogue surrounding technological advancement. 

The recent participation of President Anura Kumara Dissanayake at the AI Impact Summit in India highlights the strategic importance placed on regional cooperation. Weeraratne emphasised the indispensable nature of AI in modern governance and industry as the primary driving force behind this high-level diplomatic visit. 

“AI is a technology that is very much needed for governance, industrial sectors, and the daily lives of citizens. It has become a critical component. This annual world summit, held in India this year, brings together world leaders and stakeholders to discuss the ethical aspects of AI and how it can be controlled to safeguard countries from AI-orientated warfare or cyberattacks. 

“Given the regional importance of AI and the presence of key political and economic organisations, it is an excellent venue to create collaborations and explore how Sri Lanka can benefit from this technology. We arranged numerous bilateral and commercial discussions during this event,” Weeraratne elaborated. 

Ministry of Foreign Affairs Spokesperson Thushara Rodrigo echoed these strategic sentiments, pointing to the broader economic implications of engaging with global technological leaders and participating in such critical summits to foster development. 

“It is an important summit in the current context of digital technologies and AI applications for economic development and societal benefits. This engagement is essential for Sri Lanka in the regional and global integration of our potential. Relations between India and Sri Lanka are deep in multiple areas, and these bilateral engagements are further enhanced through leader meetings,” Rodrigo said.

Balancing bilateral security and foreign policy neutrality

While digital economy initiatives progress rapidly and technological partnerships with India strengthen, Sri Lanka is concurrently managing its technological partnerships within the delicate context of broader regional security. The geopolitical landscape of South Asia demands careful navigation, especially concerning matters of intelligence, defence, and digital security. 

The recent visit by Pakistani Interior Minister Mohsin Naqvi included critical discussions on cybersecurity cooperation, occurring concurrently with Sri Lanka’s ongoing technology dialogues with India. Addressing the nature of these discussions, Minister of Public Security Ananda Wijepala clarified that the focus was heavily tied to combating transnational narcotics networks rather than pure technological alignment or defence posturing. 

“Since most drugs enter Sri Lanka from Pakistan, we discussed collaborating on cybersecurity and how, on a global scale, most drugs transit through Pakistan and Afghanistan. We mainly discussed how we could prevent such phenomena. 

“A delegation is supposed to arrive in Sri Lanka for further talks, and I was invited to visit Pakistan as well. No decisions have been made yet, but we stated that we would send a delegation there and that theirs would arrive here. 

“We cannot make decisions between countries without presenting them to the Cabinet. We expressed an agreement to hold a preliminary discussion to understand Pakistan’s methods, after which the Cabinet and the Attorney General will be informed, and a Memorandum of Understanding can be signed,” Wijepala explained. 

Regarding the intricate diplomatic balance required to engage both India and Pakistan on technological and security fronts simultaneously, Foreign Ministry Spokesperson Rodrigo maintained that the Government’s approach was firmly rooted in historical neutrality, transparency, and mutual respect for all neighbouring nations. 

He further stressed that technical cooperation programmes were evaluated strictly on their merit and benefit to Sri Lanka, ensuring they did not compromise broader strategic relationships. 

“Both India and Pakistan are good friends of Sri Lanka and strong neighbouring countries. This is our fundamental approach to our relationships. We have a better understanding among the three countries in shaping our ties. Our engagements are for the benefit of our national interest. 

“The people have elected the new administration with great expectations, and we will work with every state with a transparent and genuine approach, keeping in mind that both India and Pakistan are friendly countries. Every country faces different issues, and we trust the diplomatic approach will resolve them peacefully. 

“Transparency will be the spirit of our engagements, as it is a basic principle of democracy. Our approach prioritises the best interest of Sri Lanka through technical assessments of any engagement,” Rodrigo said. 

As Sri Lanka charts its course through the complex realities of the digital age, the convergence of robust domestic legislation, proactive infrastructure development, and cautious diplomatic engagement will ultimately determine its success. 

The multifaceted foundation being laid today through the Cyber Security Bill and balanced international partnerships aims to construct a resilient digital ecosystem capable of supporting long-term economic stability and national security. The true test for the administration will lie in the effective and impartial enforcement of these newly established frameworks and the nation’s ongoing ability to adapt to the relentless and unpredictable pace of global technological evolution.