Cyber Security Bill Sri Lanka 13-07-2023 (Draft)
Short title and date of operation
1. (1) This Act may be cited as the Cyber Security Act, No. of 2023.
(2) The provisions of Part VII of this Act shall come into operation on
such date as the Minister may appoint by Order published in the Gazette.
(3) The provisions except the provisions of Part VII of this Act shall
come into operation on the date on which the Bill becomes an Act of
Parliament.
PART 1
13.07.2023
(c) to prevent, detect, mitigate and respond to cyber security
threats and incidents effectively and efficiently;
(d) to provide for creation of a safe and secure cyber security
environment; and
(e) to ensure effective coordination and collaboration with the
Defence Cyber Command of Sri Lanka established under the
Defence Cyber Command Act, No. of 2023 (hereinafter
referred to as the “Command”) to deal with matters on
cyber security in relation to the national security.
Powers, duties and functions of the Authority
4. (1) The powers, duties and functions of the Authority shall be to-
(a) function as the national point of contact for civilian
cyber security and to ensure national cyber security
readiness;
(d) assess the progress of implementation of national
cyber security strategies, policies, standards,
guidelines, action plans and projects by government
institutions, and in other relevant sectors and make
recommendations to improve cyber security
resilience;
(j) monitor the designated CNIIs owned by government
and other relevant sectors through the National Cyber
Security Operation Centre in order to detect,
investigate and respond to potential cyber threats and
incidents in respect of matters relating to the civilian
aspects of cyber security;
security and related matters for relevant officers and
authorities in Sri Lanka;
(w) coordinate the conduct of sectoral cyber security drills,
from time to time, to improve overall cyber security
readiness;
(z) open and maintain bank accounts with any bank as may
be determined by the Authority;
(ad) do all such other acts which are not inconsistent with
the provisions of this Act or any other written law as
may be expedient for the accomplishment of the
objects of the Authority
(2) The Authority shall, for the purpose of giving effect to the
provisions of this Act, designate, in consultation with the owner of any
Critical National Information Infrastructure, an officer of such Critical
National Information Infrastructure as an Information Security Officer in
accordance with such criteria as shall be prescribed.
Powers, duties and functions of the Authority to be exercised, discharged and performed by a Board of Directors
6. (1) The powers, duties and functions of Authority shall be
exercised, discharged and performed by a Board of Directors (hereinafter
referred to as the “Board”) consisting of –
(a) the following ex-officio members, namely: -
(i) the Secretary to the Ministry of the Minister to whom
the subject of information and cyber security is
assigned or an Additional Secretary of such Ministry
nominated by the Secretary of such Ministry;
(b) four persons appointed by the President, (hereinafter
referred to as the “appointed members”) each of whom
shall have over fifteen years of experience and
demonstrated professional excellence in the fields of
cyber security, information and communication
technology, public or corporate sector administration,
management, law or finance.
Chairperson of the Board
7. (1) (a) The President shall appoint from among the appointed
members, a member of the Board who has demonstrated effective
leadership qualities in public or private sector entities to be the Chairperson
of the Board.
(b) The Chairperson shall hold office for the period of his
membership of the Board.
(2) The President may for reasons assigned therefor, remove the
Chairperson from the office of Chairperson.
(3) The Chairperson may resign from his office by letter addressed
to the President and such resignation shall be effective from the date on
which it is accepted by the President.
Term of office of the appointed members
8. (1) Every appointed member shall, unless he vacates office earlier,
by death, resignation or removal, hold office for a period of three years
from the date of his appointment.
(2) Any appointed member of the Board who vacates office shall,
unless he has been removed from office under subsection (4), be eligible
for re-appointment for not more than one further term of office, whether
consecutive or otherwise.
resignation shall take effect from the date on which the resignation is
accepted in writing by the Minister.
(4) The President may, for reasons assigned therefor remove any
appointed member from office and who has been so removed from office
shall not be eligible for re-appointment as a member of the Board or to
serve the Board in any other capacity.
(7) Where any appointed member of the Board fails to attend three
consecutive meetings of the Board without obtaining prior approval from
the Chairperson for absence, such member shall be deemed to have
vacated his office at the conclusion of the third meeting and the Minister
shall appoint another person to fill such vacancy in the manner provided
for in subsection (5).
(c) is under any law in force in Sri Lanka found or declared to
be of unsound mind;
Meetings of the Board
11. (1) The Director-General of the Board appointed under section
15 shall summon all the meetings of the Board.
(2) The Chairperson shall preside at every meeting of the Board and
in the absence of the Chairperson from any meeting of the Board, any
appointed member elected by the members present shall preside at such
meeting.
(3) The quorum for any meeting of the Board shall be five members
including the Chairperson if he is present at such meeting.
(5) All questions for decision at any meeting of the Board shall be
decided by vote of the majority of members present and voting at such
meeting. In the case of an equality of votes, the Chairperson or the
member presiding in the absence of the Chairperson shall, in addition to
his vote, have a casting vote.
Remuneration of members
12. The members of the Authority other than ex-officio members,
may be remunerated in such manner in consultation with the Minister
assigned the subject of Finance and shall carry out their functions subject
to such terms and conditions as may from time to time be determined by
the President.
Act, decision or proceeding of the Board not to be invalid
14. Any act, decision or proceeding of the Board shall not be invalid
by reason only of the existence of any vacancy in the Board or any defect
in the appointment of a member of the Board.
PART II
Director-General of the Authority
15. (1) The Board shall appoint a Director General of the Authority
who has achieved eminence, integrity and has proven professional
expertise in providing leadership to public sector or private sector, and
who shall not be a member of any political party.
(3) The Board shall not appoint any person as the Director General
of the Authority, if such person –
(4) The Director General shall, subject to the general directions and
control of the Board –
(5) The Director General shall hold office for a period of three years
from the date of appointment and shall be eligible for reappointment.
(7) The Director General shall attend the meetings of the Board but
shall not have the right to vote at any such meeting.
(8) The Director General may be removed from office by the Board
with the approval of the Minister in the event that -
(9) The Director General may with the approval of the Board,
delegate to an officer of the staff of the Authority, in writing any power or
function assigned to him by this Act and such officer shall exercise and
discharge such power or function subject to the direction and control of
the Director General.
Officers and employees of the Authority
16. (1) Notwithstanding anything to the contrary in any other
written law, the Authority may create cadre positions and employ officers
and employees as it considers necessary for the efficient discharge of its
functions and may fix their salaries and wages or other remuneration,
benefits and pensions of such officers and employees for the purposes of
carrying out its duties and functions under the provisions of this Act.
(4) The Authority shall not appoint any person to the staff of the
Authority where such person–
Appointment of public officers to the staff of the Authority
17. (1) At the request of the Authority any officer in the public
service may, with the consent of the officer and the Public Service
Commission established by the Constitution be temporarily appointed to
the Authority for such period as may be determined by the Authority or
with like consent, be permanently appointed to such staff.
(3) Where any officer in the public service is permanently
appointed to the staff of the Authority, the provisions of subsection (3) of
section 14 of the National Transport Commission Act, No. 37 of 1991, shall
mutatis mutandis, apply to and in relation to such officer.
(4) Where the Authority employs any person who has agreed to
serve the Government for a specified period, any period of service to the
Authority by that person shall be regarded as service to the Government
for the purpose of discharging the obligations of such agreement.
(5) The Authority may with the consent of such officer or employee
propose secondment of its officers or employees to other state institutions
or regulatory authorities in Sri Lanka or abroad for a period determined by
the Board on an assignment agreed upon between such institution and
the Authority. The period of secondment shall be deemed to be
considered as service to the Authority.
Winding up of the CERT Private (Ltd)
18. (1) The Sri Lanka Computer Emergency Readiness Team Private
(Ltd) (in this Act referred to as the “CERT Private (Ltd)”) which is
incorporated as a company under Companies Act, No.07 of 2007, shall be
wound up with effect from the date on which the Bill becomes an Act of
Parliament.
(3) The provisions relating to winding up of Companies specified
in the Companies Act, No.07 of 2007 shall mutatis mutandis apply in
respect of the winding up of the CERT Private (Ltd), under this section.
Officers and employees of the staff of the CERT Private (Ltd)
19. (1) Notwithstanding the winding up of the CERT Private (Ltd)
in terms of section 17, the officers and employees of the CERT Private (Ltd)
who on the day immediately preceding the date on which the Bill becomes
an Act of Parliament be offered employment in the Authority on such
terms and conditions as may be agreed upon the Authority and such
officers and employees.
(3) All officers and employees who are offered employment in the
Authority and who have expressed the desire to accept employment in
the Authority shall become employees of the staff of the Authority with
effect from the date of acceptance of employment.
PART III
CRITICAL NATIONAL INFORMATION INFRASTRUCTURE
Designation of a computer system &c. as Critical National Information Infrastructure
20. (1) The Authority shall, in consultation with relevant
authorities, identify any computer, computer program, computer system
or any related device located wholly or partly in Sri Lanka, as a Critical
National Information Infrastructure.
(2) The Authority shall, when any computer, computer program,
computer system or any related device is identified as a Critical National
Information Infrastructure, inform such fact to the owner computer,
computer program, computer system or any related device and the
relevant regulatory authority which regulates or supervises such Critical
National Information Infrastructure of such owner.
(b) be responsible –
Authority to perform the duties and functions of the
Authority under this Act;
(2) the Authority shall maintain the confidentiality of the
information supplied by the owner of Critical National Information
Infrastructure.
PART IV
Advisory Committee on Cyber Security
22. (1) There shall be a committee called the Advisory Committee
on Cyber Security (hereinafter referred to as the “Advisory Committee”).
(b) The Minister shall appoint one of the members of the Advisory
Committee as the Chairperson.
(d) legal matters on cyber security and cybercrime;
(6) The Advisory Committee shall, within the period specified in the
referral referred to in subsection (4), make recommendations to the
Authority on any matter referred to it by the Authority.
PART V
ACCREDITATION OF CYBER SECURITY SERVICE PROVIDERS
Cyber security service providers
23. (1) Any person or body of persons shall not engage in the
business of providing the following cyber security services unless such
person or body of persons has been accredited by the Authority:-
(2) Any person or body of persons who engages in cyber security
service specified in subsection (1) without having a valid accreditation
commits an offense and is liable to an administrative penalty imposed under
section 24.
PART VI
Fund of the Authority
24. (1) The Authority shall have its own fund (hereinafter referred
to as the “Fund”).
(3) There shall be paid out of the Fund all such sums as are required
to defray the expenditure incurred by the Authority in the exercise,
performance and discharge of its powers, duties and functions under this
Act or under any other written law and all such sums as are required to be
paid out of the Fund.
PART VII
IMPOSITION OF PENALTIES
(6) The imposition of a penalty under this section shall not preclude
a supervisory authority or a regulatory authority from taking any other
regulatory measures including, but not limited to, the suspension of any
person from the carrying on of a business or profession or the cancellation
of a license or authority granted for the carrying on of a business or
profession, as may be permitted in terms of any applicable written law for
the regulation or supervision of the relevant business or profession.
(7) Where a penalty is imposed under this section on a body of
persons, then -
(2) Any person who prefers an application to the Court of Appeal
under subsection (1), shall deposit in cash as security such sum of money
equal to the penalty imposed under section 24, before the Registrar of the
Court of Appeal.
Financial year and audit of accounts
27. (1) The financial year of the Authority shall be the calendar
year.
PART VIII
MISCELLANEOUS
Power of entry, inspection and search
28. (1) Any officer of the Authority specifically authorized in
writing in that behalf by the Director General may where the Director-General
considers it necessary for the purpose of discharging the functions
of the Authority, and for the purpose of ascertaining whether the
provisions of this Act or any regulation made thereunder are being
complied with, -
(d) question any person whom the Authority has reasonable
cause to believe that such person is an owner or
employee of such CNII.
(2) For the purpose of carrying out any function under subsection
(1), written consent to enter such premises shall be obtained from the
owner, occupier or the person in charge of such premises.
Authority to be a scheduled institution within the meaning of the Bribery Act (Chapter 26)
29. For the purpose of this Act, the Authority shall be deemed to
be a scheduled institution within the meaning of the Bribery Act (Chapter
26) and the provisions of that Act, shall be construed accordingly.
Members of the Board and officers and servants of the Authority deemed to be public servants
30. For the purpose of this Act all members of the Board, officers
and servants of the Authority shall be deemed to be public servants within
the meaning and for the purposes of the Penal Code (Chapter 19)
(2) Any sum payable, for the acquisition of any immovable property
under the Land Acquisition Act for the Authority shall be paid out of the
Fund of the Authority.
Expenses in suit or prosecution to be paid out of the Fund
32. (1) Any expense incurred by the Authority in any suit or
prosecution brought by or against it before any Court, shall be paid out of
the Fund and any costs paid to or recovered by the Authority in any such
suit or prosecution shall be credited to the Fund.
Annual report
33. (1) The Authority shall within six months of the end of each
financial year, submit to the Minister an annual report of the activities
carried out by the Authority during that financial year, and cause a copy
each of the following documents to be attached to the report –
(a) the audited accounts of the Authority for the year along
with the Auditor-General’s report;
(c) a report of proposed activities for the year immediately
following, the year to which such report and accounts
relate.
(2) The Minister shall lay copies of the report and documents
submitted under subsection (1) before Parliament within six months from
the date of receipt of such report.
Directions by the Minister
34. (1) The Minister may, from time to time, advise the Authority
informing changes in the government policy, and it shall be the duty of the
Authority to give effect to such directions in discharge of its powers, duties
and functions.
(2) The Minister may direct the Authority to furnish to him in such
form as he may require, returns, accounts and any other information
relating to the work of the Authority, and it shall be the duty of the
Authority to give effect to such directions.
Duty to maintain confidentiality
35. The Authority, or any other institution, entity or person who
obtains information under this Act shall, maintain confidentiality and
observe strict secrecy respecting all matters of which such information
provided as designated as confidential, and shall not disclose any
information which may come to his knowledge in the exercise,
performance and discharge of his power, duties and functions under this
Act, except -
conditions of employment of the Director General and
the payment of remuneration;
Regulations
37. (1) The Minister may make regulations with the concurrence
of the Authority in respect of any matter required by this Act to be
prescribed or in respect of which regulations are authorized by this Act to
be made.
or any other relevant institution, and form and manner of
reporting such information to the Authority;
(h) specifying the fees and charges levied for any service
provided under this Act.
(4) Every regulation made under this section shall within three
months after its publication in the Gazette, be brought before Parliament
for approval.
“computer” means an electronic, magnetic, optical,
electrochemical, or other data processing device
performing logical, arithmetic, or storage functions,
and includes any data storage facility or
communications facility directly related to or
operating in conjunction with such device;
system or related devices that may affect the cyber
security of that computer, computer program,
computer system or device;
“National Information and Cyber Security Strategy” includes
Information and Cyber Security Strategies made from
time to time;
Sinhala text to prevail in case of inconsistency
39. In the event of any inconsistency between the Sinhala and Tamil
texts of this Act, the Sinhala text shall prevail.