What is AI regulation in Sri Lanka?
Sri Lanka does not yet have a dedicated AI Act. Its AI regulation is emerging through a mix of hard law and policy: the Personal Data Protection Act, overseen by the Data Protection Authority, plus a draft national AI strategy that proposes a Responsible AI Framework, an AI governance framework and a National Centre for AI. In practice, AI teams should focus on data protection, automated decision making, impact assessment, procurement and cross-border data handling.
What this means
Sri Lanka's current AI framework is better understood as "AI governance in formation" than as a finished AI code. The binding rules that matter most today come from general law, especially the Personal Data Protection Act No. 9 of 2022, rather than from an AI-specific statute. That means many AI questions in Sri Lanka are really questions about personal data, profiling, accountability, security, transparency and user rights.
In South Asian terms, Sri Lanka is taking a distinctive path. Official materials from the Data Protection Authority describe its personal data law as the first standalone law of its kind in South Asia, and the government is pairing that GDPR-influenced architecture with an adoption-focused national AI strategy. The strategy matters, but it is still best read as a policy direction and governance signal, not as a complete set of AI rules with the force of a dedicated AI Act.
Why it matters
For organisations that build, buy or deploy AI in Sri Lanka, the real issue is not whether a product is labelled "AI". The real issue is what the system does with personal data, whether it profiles people, whether a person can challenge a harmful machine-led decision, whether the organisation can explain and govern the system, and whether data leaves Sri Lanka through cloud or model providers.
That matters to founders, banks, hospitals, schools, public bodies, outsourcers and procurement teams alike. Sri Lanka's draft AI strategy encourages adoption in fields such as healthcare, education, agriculture and public services, but the legal guardrails come mainly from data protection law. So governance has to sit inside product design, vendor selection, privacy notices, contracts, security controls and escalation routes, not in a strategy slide deck alone.
How it works
There is no dedicated AI Act yet
Sri Lanka's official materials reviewed for this article do not show a dedicated AI statute comparable to a standalone AI Act. Instead, the country is building its position through a general personal data law, regulator-led instruments, digital economy policy and a draft national AI strategy. So the current framework is a mix of hard law and emerging soft law.
Binding duties mainly come from personal data law
The Personal Data Protection Act No. 9 of 2022 is the main binding law that will affect many AI deployments. It applies to processing that takes place wholly or partly within Sri Lanka, and it also reaches some organisations outside Sri Lanka where they offer goods or services to people in Sri Lanka or specifically monitor behaviour in Sri Lanka. The Act requires lawful processing, defined purposes, data minimisation, accuracy, retention limits, integrity, confidentiality and transparent notices. It also creates recognised legal bases for processing, including consent, contract, legal obligation, emergency, public interest and legitimate interests.
AI can trigger higher-governance duties
The Act becomes especially relevant where an AI system uses profiling, special-category data, or serious automated decision making. Sri Lanka's law gives data subjects a right to request review of a decision based solely on automated processing where that decision has created, or is likely to create, an irreversible and continuous impact on their rights and freedoms, subject to stated exceptions. The Act also requires a personal data protection impact assessment before certain higher-risk processing, such as systematic and extensive evaluation of personal data (including profiling) and systematic monitoring of publicly accessible areas or telecommunications networks. Ministries and government departments must designate a Data Protection Officer, and other controllers or processors must do so where their core processing involves regular and systematic monitoring, special-category data at scale, or risky processing of the kind set by the law and future guidance.
Cross-border AI use needs contractual and governance care
This matters because many AI stacks rely on offshore cloud, model APIs, analytics providers and support teams. The 2025 amendment to the PDPA changed the cross-border data flow rules. In broad terms, controllers and processors may move data across borders if they comply with the Act's core obligations and adopt instruments specified by the Data Protection Authority to secure enforceable safeguards. The amended law also preserves narrower gateways such as explicit consent, contract necessity, legal claims, public interest and emergencies. For public authorities, extra limits remain for categories of data that may later be prescribed. In practice, this makes vendor due diligence, data maps, processor clauses and hosting architecture central to AI compliance.
The Data Protection Authority is the key regulator
The Data Protection Authority of Sri Lanka is the core institution for personal data compliance. The Act gives it powers to regulate processing, issue rules and directives, investigate, hear matters within its remit and shape the detailed compliance layer around the statute. The DPA has also published draft regulations and directives for public consultation on personal data protection impact assessments, personal data breach notifications, appointment of Data Protection Officers, exercise of rights and appeals, inquiry procedure, fees and instruments for processing personal data outside Sri Lanka. That shows that Sri Lanka's AI-relevant compliance layer is still being built in detail.
The AI strategy is soft law and institution-building
Sri Lanka's National AI Strategy, in the version publicly available, is a draft strategy for public consultation. It is still important because it shows the government's preferred direction of travel. The draft strategy is explicitly adoption-focused, iterative and safeguard-led. It proposes a Responsible AI Framework first, followed by a broader AI Governance Framework as capacity grows. It also proposes a Responsible AI Advisory Council, public engagement mechanisms, and a National Centre for AI under a future Digital Transformation Agency. The strategy emphasises transparency, fairness, human-centricity, safety, privacy, accountability, contestability and redress, and it signals alignment with UNESCO and OECD principles.
Status still needs a live commencement check
One important caution is legal status. The architecture of the PDPA is clear, but the live commencement picture is messy in official materials. Older DPA pages still refer to 18 March 2025 as the date when key operative parts would begin. However, an official Ministry of Digital Economy statement in March 2025 said that the earlier enforcement date had been amended and that fresh dates would be announced after the amendment bill was enacted. The Personal Data Protection (Amendment) Act No. 22 of 2025 then changed the commencement machinery so that provisions other than section 1 come into force on a date or dates appointed by the Minister by Gazette. That means teams should check the latest Gazette and DPA notices before relying on any single commencement date stated online.
Examples
A hospital or health-tech provider introducing AI-assisted triage, diagnostics or patient-priority tools would be working with data concerning health, which Sri Lanka treats as special-category personal data. If the tool profiles patients or supports decisions with serious effects, the controller should identify a lawful basis, assess whether a personal data protection impact assessment is required, and preserve a route for human review where machine-only decisions could have an irreversible and continuous impact.
A ministry or department deploying an AI chatbot, transcription tool or document classifier on a foreign cloud would need to treat the project as a governance exercise, not just an IT purchase. The organisation would need to look at controller and processor roles, DPO obligations, transparency notices, security measures, and the amended cross-border data flow rules. The DPA's draft directives on data processed outside Sri Lanka are directly relevant here.
An SME using AI for hiring, fraud screening or customer scoring cannot assume the issue is only technical accuracy. The PDPA creates duties around legal basis, purpose limitation, transparency, risk mitigation and data subject rights. At the same time, the draft AI strategy signals where Sri Lankan governance is heading: fairness, explainability, accountability, contestability and practical responsible-AI controls.
Common misunderstandings
"Sri Lanka already has a full AI Act." It does not appear to. The current approach is mostly a mix of personal data law, regulator-made instruments and draft policy.
"Data protection only matters if you are a big platform." It can matter to any organisation using AI on personal data, including local SMEs, public bodies, hospitals and schools.
"Consent is always the only lawful basis for AI." It is not. Sri Lanka's PDPA also recognises other legal bases such as contract, legal obligation, public interest, emergency and legitimate interests.
"If we host the model overseas, Sri Lankan law stops applying." Not necessarily. The Act has extra-territorial reach and the cross-border rules are a live issue for AI procurement.
"There is no user protection against AI-only decisions." The PDPA includes a right to request review of certain decisions based solely on automated processing.
Risks and boundaries
The biggest boundary is status. Sri Lanka's direction of travel is visible, but not all of it is live law. The national AI strategy publicly available for review is still a draft strategy for public consultation. Planned items such as a Responsible AI Framework, a Responsible AI Advisory Council, a mature AI Governance Framework, a National Centre for AI and a future Digital Transformation Agency are policy proposals, not the same thing as obligations already fixed by statute.
There is also a real commencement-date caution around the PDPA. Some official DPA pages still state that key parts became enforceable on 18 March 2025. But an official ministry statement in March 2025 said that date had been amended by Gazette No. 2427/34, pending the amendment bill, and the October 2025 amendment changed the commencement machinery again so that provisions come into force on ministerial dates by Gazette. So the legal design is clear, but the precise live date for each operative part should be checked before launch or advisory work.
Finally, AI projects in Sri Lanka may also be affected by sector-specific law, procurement rules, constitutional principles, cyber-security measures and future regulator guidance. This page explains the framework; it is not legal advice for a specific deployment.
What to do next
Start with an AI and data inventory. Identify which systems touch personal data, special-category data, profiling or machine-only decisions. Then assign lawful bases, refresh privacy notices, and put rights-handling into an operational workflow rather than a policy document.
Review vendors and hosting. If data moves through overseas cloud, foundation model APIs, support desks or annotators, check the amended cross-border data flow rules, processor clauses, security controls and audit rights. Treat this as a board-level procurement and trust issue, not a narrow technical configuration point.
For higher-risk uses, build impact assessment and human oversight early. Link product, legal, security, procurement and compliance teams. Follow DPA instruments and Gazettes closely, because the detailed compliance layer is still evolving, and watch the AI strategy package as it moves from draft policy toward practical governance expectations.
FAQs
Does Sri Lanka have a dedicated AI law?
Not at the time of research. The main binding rules come from the PDPA and other general digital law, while the national AI strategy is policy rather than a standalone AI statute.
Who regulates AI in Sri Lanka?
The Data Protection Authority regulates personal data processing under the PDPA. AI policy also sits with the Ministry of Digital Economy, and the draft AI strategy proposes a National Centre for AI under a future Digital Transformation Agency.
Does Sri Lankan law apply to foreign AI vendors?
It can. The PDPA reaches some organisations outside Sri Lanka where they offer goods or services to people in Sri Lanka or specifically monitor behaviour in Sri Lanka.
Do people have rights against AI-only decisions?
Yes. The PDPA gives data subjects a right to request review of certain decisions based solely on automated processing where those decisions have created, or are likely to create, an irreversible and continuous impact on rights and freedoms, subject to stated exceptions.
Can we use overseas cloud or foundation model providers?
Potentially yes, but only with care. Cross-border data flows are addressed in the amended PDPA, and the DPA has also consulted on draft directives and related instruments for processing personal data outside Sri Lanka.
Is the national AI strategy legally binding now?
Not in the same way as an Act of Parliament. The official strategy document publicly available for review is a draft for public consultation, so it is best read as direction of travel and a governance signal, not as a complete set of enforceable AI rules.
What should teams verify before launch?
Verify the latest Gazette commencement dates for the PDPA, whether the system uses personal or special-category data, whether profiling or machine-only decisions are involved, and whether any cross-border vendor or hosting arrangement needs extra safeguards.
