The Central Bank of Sri Lanka (CBSL) has issued a directive requiring licensed banks to report IT and cybersecurity incidents promptly, citing rising digital threats. 

Banks must now follow three reporting timelines: immediate (within 2 hours), detailed (within 14 days), and quarterly. 

This directive replaces the 2016 circular and aims to strengthen digital resilience and protect customer data.