SRI LANKA'S DIGITAL GAMBLE: BUILDING IDENTITY INFRASTRUCTURE WHILE THE SAFETY NET IS STILL BEING WOVEN

Colombo is racing to unify its cyber defences and launch a biometric national ID — but its data protection law remains partially unenforceable, and the gap between ambition and governance is widening.

Analysis · 11 min read · Sri Lanka · Digital Identity · Data Protection · June 2026


Sri Lanka is doing something bold and something risky at the same time — and both happen to be the same thing. Within the next few months, the country is expected to launch the Sri Lanka Unique Digital Identity system, a MOSIP-based biometric national ID programme that will assign every citizen a unique digital identifier linked to fingerprint, facial and iris data. Simultaneously, it is pushing toward a Unified National Cybersecurity Framework designed to consolidate the fragmented defences of government agencies, financial institutions and telecommunications providers into a coherent national response to rising digital fraud.

The ambition is real. So is the problem. The Personal Data Protection Act that is supposed to govern how all that biometric and identity data is collected, stored and used remains only partially in force. Four years after its passage, Sri Lanka's data protection regime is still waiting on regulations, enforcement capacity and full operationalisation. The country is building the house while the foundations are still being laid.

That tension — between the pace of digital transformation and the readiness of the legal and institutional frameworks meant to protect citizens within it — is the defining challenge of Sri Lanka's digital moment.


THE FRAUD LANDSCAPE DRIVING URGENCY

The impetus for the Unified National Cybersecurity Framework is not abstract. Speaking at the SL Scam Shield Executive Breakfast Forum in Colombo, Deputy Minister of Digital Economy Eranga Weeraratne described a threat environment that has evolved well beyond what traditional security architectures were designed to handle.

"It is critical to understand the importance of cybersecurity as a fundamental aspect of national security, moving beyond a mere technical concern," Weeraratne said — framing language that echoes what policymakers from the UAE to Oman have been saying with increasing urgency across the region.

The specific threats he outlined are the ones now driving security upgrades across every digitally connected economy: AI-enabled voice cloning, synthetic identity fraud, account takeover attacks and identity theft at scale. What makes these threats particularly acute for Sri Lanka is the timing. The country is in the middle of a digital identity rollout. Every new enrolment into SL-UDI enlarges a biometric dataset whose compromise cannot be undone: a leaked fingerprint, face or iris template cannot be rotated the way a password or account number can, and a fraudulent enrolment that binds a fabricated identity to real biometrics is just as hard to unwind.

The current cybersecurity environment, Weeraratne acknowledged, is fragmented. Government agencies, banks and telecoms each operate their own security perimeters with limited coordination between them. That fragmentation creates exactly the kind of jurisdictional gaps that fraudsters exploit — the same dynamic that investigators in Ranchi, India recently documented when tracing cyber fraud proceeds through mule accounts opened with tampered Aadhaar cards at remote addresses, deliberately chosen for their distance from enforcement activity.


THE TECHNICAL SHIFT: FROM RULES TO GRAPHS

The most technically substantive element of the Deputy Minister's remarks concerns how Sri Lanka intends to upgrade its fraud detection architecture. Traditional rule-based security systems — if transaction exceeds X, flag it; if login comes from unusual location, block it — are increasingly inadequate against modern fraud. They are static, and fraud is not.

Weeraratne pointed specifically to Graph Neural Networks as the analytical approach that marks the real step forward. GNNs operate on the relationships between entities (accounts, devices, locations, individuals) rather than inspecting each transaction in isolation, which lets them surface the multi-layered, distributed fraud patterns that rule-based systems structurally cannot see.

A synthetic identity attack, for example, combines real identity fragments with fabricated ones to create a plausible but fictitious person. No single data point reveals the fraud; the pattern only emerges when you trace connections across accounts, applications and behaviours simultaneously. GNNs are built for exactly this kind of relational analysis. The Scam Shield platform, developed locally by Google Cloud and NCINGA and praised by Weeraratne at the forum, represents an early instantiation of this approach for the Sri Lankan context.
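As an added illustration (not code from Scam Shield, NCINGA or Google Cloud, and not a Graph Neural Network), the following Python builds the relational view the paragraph describes over a constructed set of account applications. Every record passes the per-record rules a traditional system would apply; only when the applications are linked through the phone numbers, device identifiers and addresses they share does a ring of five distinct identities hanging off a handful of shared attributes become visible. The identifier formats, the linking keys, the threshold and all sample values are assumptions chosen for the example.

```python
"""Per-record rules versus a relational (graph) check over the same data.

Added illustration only. It uses plain connected-component analysis, not a
GNN, to show why shared-attribute structure exposes a synthetic-identity ring
that record-by-record rules cannot see. All data below is constructed.
"""
import re
from collections import Counter, defaultdict

# Assumed formats for the example: a 12-digit identity number and a +94 mobile number.
NIC_RE = re.compile(r"^\d{12}$")
PHONE_RE = re.compile(r"^\+94\d{9}$")

# Constructed sample applications. A1-A3 are unrelated; A4-A8 are a synthetic
# ring: five different identity numbers sharing one device, a few phones and an address.
APPLICATIONS = [
    {"id": "A1", "nic": "199012345678", "phone": "+94771000001", "device": "dev-aa11", "address": "12 Galle Rd, Colombo 3"},
    {"id": "A2", "nic": "198855512340", "phone": "+94771000002", "device": "dev-bb22", "address": "8 Kandy Rd, Kandy"},
    {"id": "A3", "nic": "199511122233", "phone": "+94771000003", "device": "dev-cc33", "address": "40 Beach Rd, Galle"},
    {"id": "A4", "nic": "200001010101", "phone": "+94779990001", "device": "dev-ring", "address": "3 Station Rd, Anuradhapura"},
    {"id": "A5", "nic": "199902020202", "phone": "+94779990001", "device": "dev-ring", "address": "3 Station Rd, Anuradhapura"},
    {"id": "A6", "nic": "199803030303", "phone": "+94779990002", "device": "dev-ring", "address": "17 Lake Rd, Anuradhapura"},
    {"id": "A7", "nic": "199704040404", "phone": "+94779990002", "device": "dev-dd44", "address": "3 Station Rd, Anuradhapura"},
    {"id": "A8", "nic": "199605050505", "phone": "+94779990003", "device": "dev-dd44", "address": "3 Station Rd, Anuradhapura"},
]

LINK_KEYS = ("phone", "device", "address")  # attributes used as graph edges (assumption)


def rule_based_review(apps):
    """Traditional check: each application judged in isolation against static rules."""
    flagged = []
    for a in apps:
        if not NIC_RE.match(a["nic"]) or not PHONE_RE.match(a["phone"]) or not a["address"].strip():
            flagged.append(a["id"])
    return flagged  # every constructed record is individually well-formed, so this is []


def link_components(apps, link_keys=LINK_KEYS):
    """Connected components of the graph whose edges join applications sharing an attribute.

    Implemented with union-find: the first application seen with a given
    (key, value) becomes the anchor, and later applications with the same value
    are merged into its component.
    """
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        parent[find(x)] = find(y)

    first_holder = {}  # (key, value) -> first application id that carried it
    for a in apps:
        for k in link_keys:
            v = (k, a[k])
            if v in first_holder:
                union(a["id"], first_holder[v])
            else:
                first_holder[v] = a["id"]

    comps = defaultdict(list)
    for a in apps:
        comps[find(a["id"])].append(a["id"])
    return sorted((sorted(c) for c in comps.values()), key=len, reverse=True)


def shared_links(apps, component, link_keys=LINK_KEYS):
    """Which (key, value) pairs are carried by more than one application in a component."""
    by_id = {a["id"]: a for a in apps}
    counts = Counter((k, by_id[i][k]) for i in component for k in link_keys)
    return sorted(((k, v, n) for (k, v), n in counts.items() if n > 1), key=lambda t: (-t[2], t[0], t[1]))


def graph_based_review(apps, min_identities=3):
    """Flag components in which many distinct identity numbers share linking attributes.

    The threshold is an assumption for the example; a family sharing an address
    would be a legitimate component of size 2-4, which is why shared_links is
    returned alongside the member list for analyst review.
    """
    by_id = {a["id"]: a for a in apps}
    rings = []
    for comp in link_components(apps):
        distinct_nics = {by_id[i]["nic"] for i in comp}
        if len(distinct_nics) >= min_identities:
            rings.append({"members": comp, "shared": shared_links(apps, comp)})
    return rings


if __name__ == "__main__":
    print("rule-based flags:", rule_based_review(APPLICATIONS))
    for ring in graph_based_review(APPLICATIONS):
        print("ring:", ring["members"])
        for key, value, n in ring["shared"]:
            print(f"  {n} applications share {key}={value}")
```

The per-record rules return nothing; the graph check returns one component of five applications bound together by a shared device, two shared phones and a shared address. In production the linking attributes would be normalised before matching (phone numbers to a canonical form, addresses geocoded or standardised, a device fingerprint rather than a raw string), and the component threshold would be tuned against legitimate shared attributes such as a household address. A GNN generalises this step by learning which relationship patterns matter instead of hard-coding the linking keys and threshold.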

This shift — from reactive rule-matching to proactive pattern detection — is not just a technical upgrade. It is a philosophical one. It means the defence system is no longer waiting for known fraud signatures; it is looking for anomalous relationship structures that have not been seen before. For a country about to introduce a biometric identity system used across banking, government services and e-KYC, that capability is not optional. It is the minimum viable defence.


THE SL-UDI CONTEXT: AMBITION AT SCALE

The SL-UDI programme is one of the most significant infrastructure projects Sri Lanka has undertaken in a generation. Funded by a LKR 10.4 billion grant from the Government of India — with Sri Lanka contributing additional resources — the system is built on MOSIP, the Modular Open-Source Identity Platform originally developed in India and now deployed across more than a dozen countries globally.

The architecture is designed to be comprehensive: biometric authentication using fingerprints, facial recognition and iris scans; a federated authentication layer for integration with government agencies and private service providers; an e-Locker mobile application for digital service delivery; and, on paper, consent-based data sharing aligned with the Personal Data Protection Act.

Pilot launch was targeted for Q3 2026. The system, once fully deployed, will touch nearly every interaction between a citizen and the state — welfare delivery, passport and licence applications, banking onboarding, healthcare authentication. The case for it is strong: Sri Lanka's existing identity infrastructure has gaps, duplications and inefficiencies that a unified biometric system is well-suited to address. India's Aadhaar programme, which served as a conceptual model, has demonstrably improved financial inclusion and welfare delivery at scale.

The case for caution is equally strong. The decision to initially limit implementation bids to Indian firms drew criticism from civil society organisations concerned about foreign access to sensitive biometric data. The Ministry of Digital Economy responded that contractual terms would ensure all personal data remains under Sri Lankan jurisdiction. That assurance may be technically accurate. Whether it is institutionally enforceable is a different question — and one that points directly to the unresolved state of the data protection framework.


THE DATA PROTECTION GAP: A FOUR-YEAR WORK IN PROGRESS

Sri Lanka passed the Personal Data Protection Act — the PDPA — in March 2022, making it the first South Asian country to enact comprehensive data protection legislation. The achievement was significant. The implementation has been considerably less so.

Four years later, the substantive enforcement provisions of the PDPA remain partially unoperationalised. Only two parts of the law — those establishing the Data Protection Authority and the interpretation provisions — came into force in 2023. The remaining provisions, covering the core obligations of data controllers and processors, data subject rights, cross-border transfer rules and enforcement penalties, were subject to phased implementation timelines that have repeatedly slipped.

In October 2025, the Personal Data Protection (Amendment) Act No. 22 of 2025 extended the operational timelines by a further six months. As of mid-2026, the substantive provisions are expected to take full effect once the Data Protection Authority completes its staffing, institutional setup and issuance of key subsidiary regulations — activities described as still in progress.

This is not a minor administrative delay. It means that as Sri Lanka prepares to enrol millions of citizens into a biometric identity system, the legal framework governing how that biometric data must be protected, what rights citizens have over it, and what penalties apply for breaches or misuse, is still not fully enforceable.

There is also a structural concern about the law's penalties. Even once fully in force, the PDPA caps fines at LKR 10 million per violation. In local legislative context, that figure has weight. Against the global standard set by the EU's GDPR — which can impose fines of up to four percent of global annual turnover — it is modest. For large technology companies operating in Sri Lanka, it may not constitute a meaningful deterrent.


THE GOVERNANCE GAP: BETWEEN VISION AND ENFORCEMENT

The pattern is familiar across South and Southeast Asia. Governments with genuine digital transformation ambitions enact forward-looking legislation, then struggle to build the institutional capacity to operationalise it at the pace the legislation envisages. The gap between the law on paper and the framework in practice is not evidence of bad faith; it reflects the genuine difficulty of standing up regulatory institutions — recruiting specialists, drafting subsidiary regulations, establishing enforcement processes — in environments where the necessary talent is scarce and the administrative culture is not yet oriented toward data governance.

Sri Lanka's Data Protection Authority is currently engaged in stakeholder consultation and policy framework development, with initiatives expected to be unveiled through 2026. That work matters, and it is genuinely in progress. But the timeline creates a specific and pressing risk: SL-UDI will be live, collecting and processing the biometric data of Sri Lankan citizens, before the framework that is supposed to govern that data is fully enforceable.

The gap is not theoretical. It is the gap between what the system promises citizens — that their data is protected, that they have rights, that violations carry consequences — and what the legal and institutional infrastructure can currently deliver.


WHAT A COHERENT NATIONAL SHIELD ACTUALLY REQUIRES

Weeraratne's vision of a Unified National Shield — a coordinated cybersecurity framework spanning government, finance and telecommunications — is the right institutional response to a fragmented threat landscape. The question is what it takes to make that vision real.

Technical capability is necessary but not sufficient. Graph Neural Networks, AI-powered fraud detection and real-time threat intelligence sharing between CERT.LK, financial regulators and telecoms providers are all important components. But a unified cybersecurity framework also requires clear regulatory authority — the power to mandate minimum security standards across sectors, compel incident reporting and take enforcement action when organisations fail to meet their obligations.

That regulatory authority, in turn, requires the underlying data protection and cybersecurity legal framework to be fully operational. A national shield built on partially enforceable foundations is not a shield — it is an aspiration.

The interconnection between the three pillars of Sri Lanka's digital transformation — SL-UDI, the National Cybersecurity Framework and the PDPA — is not incidental. It is structural. The identity system generates the data. The cybersecurity framework is supposed to protect it. The data protection law is supposed to govern both. All three need to be operationally ready at roughly the same time for the system to function as designed.

Sri Lanka is currently running them on different timelines.


THE REGIONAL COMPARISON

Sri Lanka is not alone in facing this challenge, but it is facing it under conditions of particular pressure. India's Aadhaar, which serves as both a technical model and cautionary tale, was deployed at enormous scale before its data protection framework — the Digital Personal Data Protection Act — was finalised. The consequences included documented breaches, inadequate grievance redressal mechanisms and years of litigation over surveillance concerns.

Bangladesh is at an earlier stage of a similar journey. Nepal and Pakistan are each grappling with their own versions of the identity-infrastructure-without-governance problem.

What distinguishes Sri Lanka's position is that it has the legal architecture in place — the PDPA exists, the Data Protection Authority has been established, the framework is not absent but delayed. That is a meaningfully better starting position than countries that have built digital identity systems with no data protection law at all. The task is not to build the framework from scratch but to close the implementation gap before the consequences of that gap become visible in breach incidents, misuse cases or citizen harm.

The window for getting this right is still open. It is, however, narrowing.


THE BOTTOM LINE

Sri Lanka is attempting something genuinely difficult: building world-class digital public infrastructure — biometric identity, AI-powered fraud detection, unified cybersecurity governance — in a compressed timeframe, with limited institutional capacity and a data protection regime that is still maturing.

The ambition is appropriate. The threat landscape that Deputy Minister Weeraratne described at the Scam Shield forum is real, and the fragmented status quo is genuinely inadequate. A country that wants to position itself as a regional digital hub by 2030 cannot afford a patchwork cybersecurity architecture or an identity system that citizens do not trust.

But trust is built slowly and lost quickly. Sri Lanka is at the moment where the investments it makes — and the governance gaps it closes, or fails to close — in the next twelve months will shape whether citizens experience SL-UDI as a service that works for them or a vulnerability that exposes them.

The technical pieces are largely in place. The institutional and legal ones lag behind. The work now is to close the remaining distance before the system goes live at scale, because the cost of getting it right beforehand is administrative, while the cost of getting it wrong afterwards is paid by citizens.


Sources: Biometric Update, ICTA Sri Lanka (SLUDI project documentation), Recording Law, DLA Piper Data Protection Guide, Groundviews, ID Tech Wire, Personal Data Protection Act No. 9 of 2022 and Amendment Act No. 22 of 2025, Ministry of Digital Economy (Sri Lanka). June 2026.