You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
August 1, 2025

Major Draft Amendments to Thai Cybersecurity Act Released for Public Hearing

Subscribe to Updates

On July 21, 2025, Thailand’s National Cyber Security Agency (NCSA) released a draft amendment to the Cybersecurity Act B.E. 2562 (2019) for public hearing, aiming to address the rapid evolution of technology and increasing complexity of cyber threats. The proposed changes to the country’s cybersecurity framework would extend regulatory oversight to cloud service providers and data center operators hosting data for critical information infrastructure (CII) organizations regulated under the Cybersecurity Act.

The NCSA will accept comments on the draft until August 5, 2025. Following the close of the public consultation period, the draft amendment will be subject to further revision during the legislative process.

Key proposed amendments are discussed below.

Expanded Critical Infrastructure Scope

The Cybersecurity Act currently applies only to state agencies, supervising or regulating organizations, and designated CII organizations as announced by the National Cyber Security Committee (NCSC). It defines CII organizations as public or private organizations related to or providing national security, significant public services, banking and finance, information technologies, telecommunications, transportation and logistics, energy and public utilities, or public health.

The draft amendment expands the scope of CII organizations to include public and private organizations related to or providing industrial work (to be further defined in subregulations) as well as service providers that store or possess data for CII organizations, such as cloud and data center service providers.

CII organizations must comply with cyber threat reporting requirements and are subject to the NCSA’s interception powers.

Updated Definitions and New Terminology

The draft amendment more clearly distinguishes between “cyber threats” (which have yet to occur but have the potential of causing damage or impact) and “cyber incidents” (which have already occurred and have caused or are expected to cause damage or impact). The draft amendment also expands the definition of “cybersecurity” to explicitly cover both prevention and response to cyber threats and incidents, with a broader scope that includes impact on national security, international relations, economic stability, military security, and public order. In addition to revising and expanding other key definitions, the amendment introduces new terms, such as “response,” that define the cyber incident handling process.

Strengthened Risk Management and Incident Response

The draft amendment establishes a clearer cyber incident tier classification system with three levels: non-severe, severe, and critical. Each tier carries corresponding escalation and reporting obligations for CII organizations and state agencies, including specific reporting timeframes for each level of cyber incident.

For CII organizations, the initial report of a cyber incident to the NCSA and supervising authority must be made within 24 hours upon becoming aware of the investigation results. The amendment also specifies different methods and timeframes for responding to different levels of cyber threats and cyber incidents.

Enhanced Regulatory Powers

The amendment empowers the NCSC to propose national cybersecurity policies and plans for cabinet approval and to establish security measure standards for state agencies, regulating organizations, and CII organizations, as well as minimum standards relating to computers, computer systems, and cybersecurity services or products. The latter includes guidelines for the certification of compliance with prescribed cybersecurity standards.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

August 21, 2025
On August 19, 2025, the Trade Competition Commission of Thailand (TCCT) released its draft Guidelines on the Consideration of Unfair Trade Practices and Conduct Constituting Monopoly, Reducing Competition, or Restricting Competition in Multi-Sided Platform Businesses in the Category of Digital Platforms for the Sale of Goods or Services (E-commerce). A public comment period on the guidelines is open until September 18. The draft provides the first detailed framework for how the TCCT will interpret and enforce the substantive provisions under the Trade Competition Act against digital platforms, which have a unique network effect and require complex competition analysis. This development will profoundly impact the operations of e-commerce platforms, sellers, and associated service providers in Thailand. The guidelines primarily target e-commerce digital platform business operators, which are defined as follows: E-commerce digital platform: A medium facilitating the sale, purchase, or exchange of goods or services, including any operations to create transactions or interactions between business operators via an electronic transaction system, regardless of whether service fees are charged. E-commerce digital platform business operator: A service provider of a digital platform for the sale of goods or services who acts as an intermediary facilitating the sale of goods or services, including any operations to create transactions or interactions through an electronic transaction system by receiving orders for goods or services transacted via an electronic system, whether in the form of an e-marketplace, a social marketplace, or any other form that connects purchase orders for goods or services with business operators through an electronic system. Prohibited Conduct The guidelines classify potentially anticompetitive conduct and unfair trade practices into two categories: price-related and non-price-related conduct. 1. Price-related conduct The TCCT is targeting pricing strategies that can harm competition. Key prohibited behaviors include: Price below cost: Setting prices below the average total cost without
Read More
August 21, 2025
On August 18, 2025, Thailand’s Securities and Exchange Commission (SEC), in collaboration with the Ministry of Finance, the Anti-Money Laundering Office, and the Ministry of Tourism and Sports, announced the launch of TouristDigiPay. The initiative, implemented under the SEC’s Regulatory Sandbox, allows foreign tourists to convert digital assets into Thai baht for use in everyday transactions in Thailand. Foreign tourists who opt to participate in TouristDigiPay must open two accounts once they are in Thailand: An account with a licensed digital asset operator to sell or exchange digital assets for Thai baht; and A tourist wallet account with a licensed e-money operator regulated by the Bank of Thailand. Funds from digital asset sales will be transferred into the tourist wallet, enabling tourists to make payments at participating merchants that accept e-money. Key Regulatory Requirements The TouristDigiPay project will operate for a period of up to 18 months, with the following conditions: Only licensed digital asset brokers, dealers, and exchanges integrated with licensed e-money operators are eligible to participate. Operators must implement anti-money laundering (AML) protocols that are proportionate to the assessed risk level. These include: Conducting know-your-customer and customer-due-diligence (KYC/CDD) checks on all users. For monthly transactions exceeding THB 50,000 per person, verifying the source of the digital assets and assessing AML risk using internationally recognized blockchain forensic tools or equivalent procedures. Suspending or rejecting services if digital assets are transferred from wallets flagged for AML concerns. Ensuring that conversion between digital assets and fiat includes safeguards such as matching account names and returning digital assets only to the original wallet. The following transaction limits apply to participants in the TouristDigiPay initiative: Payments to small vendors are capped at THB 50,000 per month. Payments to vendors who have completed the know-your-merchant (KYM) process are capped at THB 500,000 per
Read More
August 15, 2025
More than a decade after the issuance of Decree No. 52/2013/ND-CP (as amended by Decree No. 85/2021/ND-CP; collectively, “Decree 52”), Vietnam’s legal framework for e-commerce is under growing pressure to keep pace with the evolving digital economy. While Decree 52 has provided a foundational framework, it has shown certain limitations in keeping up with issues such as counterfeit goods, intellectual property enforcement, unqualified products, and emerging models like livestream selling and affiliate marketing. To address these regulatory gaps, the Ministry of Industry and Trade (MOIT) has released the 2025 Draft E-Commerce Law (“Draft Law”) for public consultation. The Draft Law is intended to supersede the current framework under Decree 52 and establish a more detailed and comprehensive legal foundation for the regulations of e-commerce activities in Vietnam. It is currently expected to be submitted to the National Assembly for review and potential adoption during its 10th session in October 2025. In this article, we discuss the Draft Law’s most significant updates and legal developments in comparison to existing regulations, and assess the practical challenges that businesses may face in preparing for implementation in the near future. Platform Classification: Toward a More Nuanced Framework Unlike Decree 52’s simpler structure, which broadly categorized platforms into either (i) websites selling goods and services or (ii) websites providing e-commerce services, the Draft Law introduces a more detailed framework that aims to classify platforms based on their technical functions and business models. Specifically, the Draft Law introduces a four-tier classification system for e-commerce platforms, consisting of: (i) Direct Business Platforms, (ii) Intermediary Platforms, (iii) Social Networks with E-Commerce Functions, and (iv) Multi-Service Integrated Platforms. This approach reflects an effort to more accurately capture the complexity of today’s e-commerce landscape, including hybrid platforms such as TikTok Shop. While this approach reflects the growing complexity of
Read More
August 6, 2025
Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand. Highlights of the draft guidelines are presented below. Government Cloud Usage Guidelines Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy. Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements. Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible. Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation. Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies. Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected. Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls. Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice