The End of the Advisory Era: Enter the NCSRA
For years, Sri Lanka’s enterprise and government cybersecurity posture relied heavily on a cooperative, advisory model. The Sri Lanka Computer Emergency Readiness Team (SLCERT) operated primarily as a guiding hand, offering incident response assistance, threat intelligence, and best-practice advisories without the legal mandate to enforce them. As of April 30, 2026, when the Cabinet officially approved the new Cyber Security Bill, that era effectively ended.
Expected to be tabled in Parliament by July or August, according to recent statements by Waruna Sri Dhanapala, Secretary to the Ministry of Digital Economy, the legislation establishes the National Cyber Security Regulatory Authority (NCSRA). The NCSRA fundamentally dismantles the purely advisory framework, replacing it with legally binding enforcement mechanisms. The Authority will have the power to issue sweeping security directives, conduct compulsory audits, and prosecute non-compliant entities in Magistrate Court to recover aggressive financial penalties.
The most critical provision within the Bill is the framework for Critical National Information Infrastructure (CNII). While regional peers like Singapore utilize their Cybersecurity Act to strictly designate specific vital sectorsu2014such as energy, water, and bankingu2014Sri Lanka’s proposed CNII provision grants the NCSRA expansive leeway. The Authority can designate any public or private system as a CNII if its disruption impacts national security, the economy, or public health. Once designated, an organization cannot opt out. They are legally bound to report breaches within 24 hours and must adhere to stringent, externally mandated security standards. Initial non-compliance carries fines of up to Rs. 1 million, which double for repeat violations.