On July 21, 2025, Thailand’s National Cyber Security Agency (NCSA) released a draft amendment to the Cybersecurity Act B.E. 2562 (2019) for public hearing, aiming to address the rapid evolution of technology and increasing complexity of cyber threats. The proposed changes to the country’s cybersecurity framework would extend regulatory oversight to cloud service providers and data center operators hosting data for critical information infrastructure (CII) organizations regulated under the Cybersecurity Act.
The NCSA will accept comments on the draft until August 5, 2025. Following the close of the public consultation period, the draft amendment will be subject to further revision during the legislative process.
Key proposed amendments are discussed below.
Expanded Critical Infrastructure Scope
The Cybersecurity Act currently applies only to state agencies, supervising or regulating organizations, and designated CII organizations as announced by the National Cyber Security Committee (NCSC). It defines CII organizations as public or private organizations related to or providing national security, significant public services, banking and finance, information technologies, telecommunications, transportation and logistics, energy and public utilities, or public health.
The draft amendment expands the scope of CII organizations to include public and private organizations related to or providing industrial work (to be further defined in subregulations) as well as service providers that store or possess data for CII organizations, such as cloud and data center service providers.
CII organizations must comply with cyber threat reporting requirements and are subject to the NCSA’s interception powers.
Updated Definitions and New Terminology
The draft amendment more clearly distinguishes between “cyber threats” (which have yet to occur but have the potential to cause damage or impact) and “cyber incidents” (which have already occurred and have caused or are expected to cause damage or impact). The draft amendment also expands the definition of “cybersecurity” to explicitly cover both prevention of and response to cyber threats and incidents, with a broader scope that includes impact on national security, international relations, economic stability, military security, and public order. In addition to revising and expanding other key definitions, the amendment introduces new terms, such as “response,” that define the cyber incident handling process.
Strengthened Risk Management and Incident Response
The draft amendment establishes a clearer cyber incident tier classification system with three levels: non-severe, severe, and critical. Each tier carries corresponding escalation and reporting obligations for CII organizations and state agencies, including specific reporting timeframes for each level of cyber incident.
For CII organizations, the initial report of a cyber incident to the NCSA and supervising authority must be made within 24 hours of becoming aware of the investigation results. The amendment also specifies different methods and timeframes for responding to different levels of cyber threats and cyber incidents.
Enhanced Regulatory Powers
The amendment empowers the NCSC to propose national cybersecurity policies and plans for cabinet approval and to establish security measure standards for state agencies, regulating organizations, and CII organizations, as well as minimum standards relating to computers, computer systems, and cybersecurity services or products. The latter includes guidelines for the certification of compliance with prescribed cybersecurity standards.