Sri Lanka has staked out one of the most ambitious digital governance programmes in the developing world, allocating 35.6 billion LKR (roughly $120 million) in its 2026 budget to modernise public services, establish a national digital identity system, and embed privacy-by-design across the entire machinery of state. For European policymakers who have spent years debating the tension between innovation and data rights, the speed and coherence of Colombo's approach is striking, and instructive.
Privacy as the Foundation, Not an Afterthought
Sri Lanka's Personal Data Protection Act (PDPA), enacted in 2022, draws heavily on the architecture of the EU's General Data Protection Regulation. It grants citizens meaningful control over their personal data, mandates privacy-by-design for all organisations handling information, and enforces principles of consent, data minimisation, and purpose limitation across sectors including healthcare, finance, and telecommunications.
The parallels with European regulation are deliberate. European Data Protection Board chair Anu Talus has consistently argued that GDPR's global influence lies precisely in its exportability: jurisdictions that align with its standards create interoperable trust frameworks that benefit cross-border data flows. Sri Lanka's PDPA is a textbook example of that export in action, and it matters for European firms operating in South Asian markets who now face familiar compliance terrain rather than a patchwork of opaque local rules.
For Wojciech Wiewiorowski, the European Data Protection Supervisor, the model also underlines a point he has pressed repeatedly in Brussels: that privacy legislation is not a brake on digital transformation but the precondition for citizens to trust it. Sri Lanka's government has taken that argument seriously in a way that some EU member states, still dragging their feet on national GDPR enforcement, arguably have not.
Three Flagship Programmes Driving Change
The investment is organised around three core initiatives. The e-Government Gateway consolidates access to public services into a single online portal, replacing the fragmented departmental web of legacy systems. The National Digital Identity programme uses blockchain technology to issue secure, verifiable credentials to every citizen, with a nationwide rollout targeted for 2026. Complementing both is a digital payments infrastructure designed to shift government transactions away from cash, increasing transparency and reducing opportunities for corruption.
The digital identity project carries a $1.6 million initial price tag and is being built with Indian technical partnerships and $35 million in Indian government funding. Five Indian firms have been shortlisted for the contract. The use of blockchain for identity is worth watching closely: EU member states pursuing similar ambitions under the European Digital Identity (eIDAS 2.0) framework are grappling with the same interoperability and security questions, and a working deployment at national scale in Sri Lanka will generate real-world evidence that European architects need.
AI Integration: Ambition Backed by Ethical Guardrails
Artificial intelligence sits at the heart of the transformation agenda. Government departments are deploying predictive analytics for policy-making, automating routine administrative tasks, and strengthening cybersecurity posture through AI-assisted monitoring. The government is simultaneously developing ethical AI frameworks covering procurement, deployment, and oversight, with explicit commitments to fairness, transparency, and accountability.
That combination of deployment ambition and regulatory guardrails mirrors the logic of the EU AI Act, which came into force in August 2024. The Act classifies many public-sector AI applications as high-risk, requiring conformity assessments, human oversight mechanisms, and bias testing. Sri Lanka is arriving at similar conclusions through its own policy process, which suggests a degree of convergence in global thinking about responsible AI in government that European institutions should actively encourage through bilateral technical dialogues.
The Digital Economy Blueprint sets a 2030 target to grow Sri Lanka's digital economy to $15 billion, with digital exports reaching $5 billion. To coordinate delivery, the government is establishing two new bodies: the Digital Economy Authority and GovTech Sri Lanka. The latter, modelled partly on the UK's Government Digital Service, will oversee coherent policy implementation and alignment with international best practice.
Flagship Initiatives at a Glance
- National Digital Identity: Blockchain-based credentials for all citizens; $1.6 million initial investment; 2026 rollout target.
- Digital Economy Blueprint: $15 billion digital economy goal by 2030; digital exports target of $5 billion; new Digital Economy Act in year one.
- e-Grama Niladhari: Local government digitalisation programme; $98 million total investment; 2026 launch.
Implementation Risks Are Real
The ambition is credible. The execution risk is significant. Sri Lanka faces persistent digital literacy gaps, a rural connectivity deficit, and cybersecurity threats that are growing faster than defensive capacity. The digital divide is not an abstract concern: if the e-Government Gateway becomes the only viable channel for accessing public services, citizens without reliable internet access are effectively excluded from the state.
The government's mitigation strategy includes targeted digital education programmes, infrastructure investment in underserved rural areas, public servant training in data science and AI ethics, and inclusive design mandates to ensure accessibility for disabled citizens. These are the right commitments on paper. Whether they receive sustained funding and political attention beyond the 2026 budget cycle is the harder question.
European observers should recognise the pattern. Member states from Romania to Bulgaria have launched digital public service initiatives with similar fanfare, only to stall on last-mile infrastructure and change management. The lesson from those experiences is that technology procurement is the easy part; organisational transformation and citizen adoption are where programmes succeed or fail.
Why This Matters for Europe's Digital Public Sector Agenda
The EU and UK are not passive spectators here. European development finance institutions and technology firms have significant interests in how South Asian digital infrastructure develops. A Sri Lanka that builds its digital state on GDPR-compatible foundations and eIDAS-adjacent identity architecture is a natural partner for European interoperability agreements and data-sharing frameworks.
More broadly, Sri Lanka's programme is a live test of whether privacy-first digital governance can be delivered at pace and at meaningful scale outside the wealthy OECD bloc. If it succeeds, it strengthens the case that the European regulatory model is practically viable globally, not merely aspirational. If it stumbles, the lessons will be equally valuable for Brussels policymakers refining the implementation guidance for the AI Act and the Data Governance Act.
Either way, European institutions should be paying close attention. The digital governance choices being made in Colombo today will shape the interoperability landscape that European firms and citizens encounter across South Asia for the next decade.
Comments
Sign in to join the conversation. Be civil, be specific, link your sources.