Sri Lanka’s NPP Government is not merely drafting cybersecurity laws it is repositioning the island within a complex web of regional tech diplomacy, AI geopolitics, and cross-border security concerns. The digital economy push, still in its infancy, is unfolding simultaneously with delicate engagements involving India and Pakistan, exposing the strategic balancing act behind the policy narrative.
President Anura Kumara Dissanayake’s participation at the AI Impact Summit in India signalled Colombo’s recognition that artificial intelligence is no longer optional for governance or industry. Regional cooperation is increasingly vital as AI reshapes security doctrines, financial systems, and information warfare capabilities. Yet Sri Lanka enters this arena without a formalised national AI policy, relying instead on a broader cybersecurity strategy and ad hoc institutional development.
The proposed Cyber Security Bill seeks to create a central regulatory authority capable of enforcing compliance across critical infrastructure. Officials maintain that the move is essential as digitalisation accelerates from online State services to cloud-based financial systems. However, the infrastructure foundation remains uneven, and digital literacy gaps persist across both public and private sectors.
Simultaneously, Sri Lanka has introduced a digital nomad visa programme aimed at attracting foreign technology professionals. The initiative promises foreign exchange inflows and knowledge transfer. But experts acknowledge that in a cloud-driven AI ecosystem, geographical presence is largely irrelevant to cyber risk. Malicious exploitation can originate anywhere, underscoring the limitations of border-based controls in digital governance.
Geopolitically, Colombo is walking a narrow corridor. Alongside strengthening technology engagement with India, discussions have also taken place with Pakistan on cybersecurity cooperation particularly in relation to narcotics trafficking networks that operate transnationally. Maintaining neutrality while deepening digital security ties with rival regional powers requires diplomatic precision.
Foreign policy officials stress that engagements are evaluated on technical merit and national interest rather than ideological alignment. Yet in South Asia’s charged security environment, even technical cooperation can carry strategic implications. Cybersecurity agreements often intersect with intelligence-sharing protocols and infrastructure dependencies, areas where sovereignty concerns can quickly surface.
At home, the Sri Lanka Unique Digital Identity (SLUDI) project exemplifies this tension. While authorities insist sovereign control will be preserved despite foreign technical involvement, the project highlights how digital infrastructure inevitably intersects with foreign expertise and supply chains.
The broader question is whether Sri Lanka’s digital ambitions are advancing faster than its institutional maturity. With no publicly articulated national digital policy, limited AI governance frameworks, and a nascent innovation ecosystem, the Government is attempting to construct regulatory, diplomatic, and technological pillars simultaneously.
If executed transparently and strategically, this multi-track approach could position Sri Lanka as a secure, neutral digital hub in the region. If mismanaged, it risks regulatory overreach at home and strategic entanglements abroad.
For a Government elected on promises of systemic reform, the digital domain presents both opportunity and peril. The coming years will reveal whether Sri Lanka can transform from a cautious adopter into a confident architect of its own digital future without compromising sovereignty, neutrality, or economic competitiveness in an increasingly contested cyber landscape