You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

November 7, 2023

Deadline Looms for Digital Platform Notification Requirement in Thailand

Subscribe to Updates

Under Thailand’s Royal Decree on Digital Platform Services, domestic and in-scope overseas digital platform operators that are required to notify the Electronic Transactions Development Agency (ETDA) of their operations must do so by November 18, 2023 (or by August 20, 2024, for small or low-impact platforms).

This step is one of the essential requirements of the royal decree. Other key information on complying with the royal decree is as follows:

  • The royal decree aims to regulate the operation of “digital platform services,” which refers to the provision of electronic intermediary services that create a connection between consumers, merchants or businesses, or other types of users in order to create an electronic transaction in whole or in part, regardless of whether a service fee is charged.
  • The regulated digital platform services do not include digital platform services intended for offering the goods or services of a single digital platform service operator or an affiliated company that is an agent of the operator, irrespective of whether the goods or services are offered to third persons or to affiliated companies.
  • The royal decree has extraterritorial effect, whereby overseas operators targeting the Thailand market are subject to the royal decree if their services are accessible in Thailand.
  • Overseas operators are required to appoint a local coordinator in Thailand to coordinate with the ETDA.

Compliance and Enforcement

The ETDA released nine subordinate regulations under the royal decree; these took effect on August 21, 2023 (except for rules on platforms’ terms and conditions, which will take effect on January 3, 2024). Some important points on compliance and enforcement in the subordinate regulations, along with procedural guidance, are listed below.

  • The ETDA has been emphasizing that both domestic and overseas digital platform operators need to notify the ETDA of their operations within the specified timeline (i.e., by November 18, 2023).
  • Notifications must use the provided forms and must be accompanied by the required documents specified by the ETDA.
  • Notifications can be submitted through a notification portal developed by the ETDA for this purpose or directly at the ETDA office.
  • The ETDA maintains a list of the digital platforms that have already notified the ETDA on its website; the list currently exceeds 100 digital platforms from various industries and represents different types of businesses, such as AI services, marketplaces, advertising services, cloud services, gaming, and more.
  • So far, the ETDA has shown flexibility regarding compliance, but has also emphasized that it has the power to impose penalties and order business operators to comply with the law.
  • Noncompliance with the ETDA is subject to criminal fines and imprisonment.

Next Steps

Domestic and overseas operators of digital platforms need to assess their operations to determine the extent to which their digital platform service is subject to the royal decree. Once the assessment is completed, each operator should prepare the notification form and supporting documents and submit them to the ETDA before the applicable deadline. In addition, operators should complete a compliance checklist to ensure that the business is ready to comply with all other requirements of the royal decree and its subordinate laws.

For more information on compliance with the royal decree, or on any aspect of the requirements for digital platform services in Thailand, please contact Tilleke & Gibbins’ digital platform specialists Athistha (Nop) Chitranukroh at [email protected], Thammapas Chanpanich at [email protected], or Rada Lamsam at [email protected].

Related Professionals

Industries

Fintech

Technology

Location

RELATED INSIGHTS​

June 25, 2025
Generative artificial intelligence (GenAI) is no longer a distant innovation confined to science fiction and research labs; it has become an integral part of daily business operations worldwide. Employees across industries are adopting GenAI tools at a remarkable pace—including in Southeast Asia, where a tech-savvy workforce and widespread internet and mobile access have driven early adoption. The reality facing organizations today is clear: employees are integrating GenAI into their daily work, often without official approval or clear policies. This phenomenon, often called “Bring Your Own AI,” comes out of a disconnect between organizational governance and employee behavior and reveals the urgent need for proactive AI policies and oversight. For business leaders and legal teams, GenAI is both an opportunity and a challenge. On one hand, these tools can deliver real business value and boost efficiency. On the other, the unsanctioned and unmonitored use of GenAI introduces substantial legal risks, such as data privacy violations, confidentiality breaches, and intellectual property issues. The widespread adoption of GenAI tools by employees, regardless of official organizational stance or guidelines, demonstrates that prohibition is neither practical nor effective. A more strategic approach involves establishing comprehensive governance policies that encourage responsible AI use while managing the risks. Organizations that take the lead in developing GenAI governance policies are better positioned to benefit from its transformative potential. The question isn’t whether GenAI will change how we work, but how quickly organizations can put the right safeguards in place to manage this change successfully. Risks of GenAI Use The use of GenAI in business operations, whether sanctioned or not, exposes organizations to a unique set of risks. The following are particularly relevant: Data security and confidentiality: General GenAI tools in the market may transmit data to external servers, retain conversation histories, and use inputs for model training.
Read More
June 19, 2025
The Bank of Thailand (BOT) has released draft guidelines establishing principles for managing artificial intelligence (AI) risks in the financial sector. The draft guidelines provide a structured framework for the responsible adoption of AI technologies. Financial service providers will be able to use the guidelines as a reference to appropriately manage their risks in a manner that aligns with internationally recognized best practices. The BOT is accepting public comments on the draft guidelines until June 30, 2025. Scope and Application The draft guidelines apply to all financial service providers, including financial institutions and special financial institutions under the Financial Institution Business Act, as well as payment providers under the Payment Systems Act. These guidelines supplement existing BOT risk management guidelines covering IT risk management, third-party risk management, data governance, and market conduct. The guidelines define AI systems as systems that mimic human intelligence, including machine learning, deep learning, generative AI (such as large language models), and agentic AI. This definition specifically excludes rule-based automation systems like robotic process automation and condition matching. Key Risk Management Principles The guidelines lay out two main principles in managing AI risk. Governance: Financial service providers should define and establish clear roles and responsibilities for their personnel and AI system supervision structures to uphold FEAT (fairness, ethics, accountability, and transparency) principles as follows: Stakeholder roles and responsibilities. Financial service providers should define roles and responsibilities for boards and executives on AI risk oversight. Responsibilities include establishing an AI system usage policy, designating personnel responsible for AI risk management, and building awareness of AI-related risk within the organization. AI system usage policy. The AI system usage policy should be aligned with organizational objectives, regulatory requirements, and FEAT principles. These policies should be reviewed regularly to respond to technological advancements and evolving risk profiles. Risk management
Read More
June 19, 2025
Thailand’s Electronic Transactions Development Agency (ETDA) has announced plans for increased enforcement of the Royal Decree on the Operation of Digital Platform Service Businesses That Are Subject to Prior Notification B.E. 2565 (2022). The ETDA outlined a comprehensive enforcement framework and review process during an online meeting with digital platform service operators on June 11, 2025. The ETDA’s enhanced enforcement approach includes systematic reviews of notification submissions, formal correction orders, and potential criminal penalties for noncompliance. Digital platform operators should immediately assess their current notification status and prepare for increased regulatory scrutiny. Review and Amendment of Previously Submitted Notification Data The ETDA will begin reviewing operation notification forms and annual reports submitted by digital platform service operators to assess each platform’s risk level and develop tailored regulatory obligations. In this comprehensive review process, the ETDA will: Examine the accuracy and completeness of submitted notification data; Request additional information as needed by phone or email; and Issue formal orders as needed requiring operators to correct or complete missing information. Operators who fail to comply with ETDA orders may face suspension of operations, revocation of their notification receipt, and public disclosure of their noncompliant status on the ETDA’s website. The ETDA will conduct follow-up workshops in July 2025 for operators whose data remains unclear or incomplete. Enforcement Framework and Penalties The ETDA outlined a three-tiered enforcement framework with escalating consequences for different types of violations, as follows: Failure to notify before commencing operations: Operators who begin services without proper notification may face criminal penalties under the Electronic Transactions Act, including up to one year of imprisonment, fines of up to THB 100,000 (approx. USD 3,070), or both. Additional consequences include suspension of operations and potential liability for company directors. Failure to correct or comply with official orders: Noncompliance with ETDA correction
Read More
June 13, 2025
In today’s digital age, cyberattacks have become a real threat to organizations worldwide. These attacks can range from phishing and malware to ransomware and distributed denial of service (DDoS) attacks. As the frequency and sophistication of these attacks increase, so does the importance of cybersecurity compliance. In the corporate world, compliance refers to the process of ensuring that a company and its employees adhere to all relevant laws, regulations, standards, and ethical practices—but it should not stop there. Compliance should also encompass asset recovery and disciplinary measures, which can both help organizations address incidents effectively and promote good governance. Cyberattacks are malicious attempts to access or damage a computer system or network, often carried out for financial gain, for political activism, or simply to cause disruption. For instance, a successful attack might involve an attacker creating an email address that closely resembles a legitimate one, perhaps by changing only one or two characters. That email address is then inserted into an existing conversation thread, making it appear as if the user with this email address was already part of the discussion. This tactic can easily deceive a recipient into believing the email was sent from a trusted source, thereby leading them to click on malicious links, provide sensitive information, or even make payments in accordance with the attacker’s request or instructions. Phishing attacks like these are particularly dangerous and can have a serious impact on the ongoing business of a corporation because they exploit the trust and familiarity established in the original email chain. Effective Mitigation Approaches Mechanisms for addressing the aftermath of a crisis provide important recourse to affected organizations, but effective compliance mechanisms can minimize the risk of such crises ever occurring. Companies should therefore prioritize preventative measures and implementation of effective crisis management schemes. Various legal
Read More