March 29, 2024

Thailand Details CII Organizations’ Cybersecurity Duties

Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024.

CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status.

The key obligations of CII organizations are laid out below.

Reporting to the National Cyber Security Agency (NCSA)

CII organizations must provide the following to the NCSA:

  • A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes.
  • A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason).

Policies, Guidelines, and Procedures

As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025:

  • Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan.
  • Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery.

CII organizations must also prepare the following:

  • Mechanisms, procedures, and steps for monitoring and detecting cyber threats or incidents related to critical infrastructure cybersecurity, as well as cybersecurity resolution systems as designated by the NCSC or CRC. These must comply with the standards set by the regulators (the specific regulator depends on the characteristics of the organization) and the NCSC guidelines.
  • Internal methods and procedures for cybersecurity risk management, which must identify risk appetite, conform with the cybersecurity management policy announced by the NCSC, and be approved by the regulator before finally being submitted to the NCSA.

Ongoing Compliance

CII organizations are also responsible for the following ongoing requirements:

  • Submit an annual report covering the number and types of cyber threats that arose during the relevant reporting period, as well as the causes and effects of the cyber threats, problems and obstacles in operation, and policy recommendations. The first report must be submitted by January 31, 2025, and by January 31 of each year thereafter.
  • Review the cybersecurity guidelines and standards framework described above at least once a year, or whenever there is a significant change to cybersecurity operations.
  • Review the methods and procedures for cybersecurity risk management described above at least once a year, or when there is a significant change to cybersecurity operations.
  • Review the cybersecurity mechanisms described above at least once a year.
  • Conduct a cybersecurity risk assessment in accordance with the NCSC guidelines. The report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. The report must also be submitted to the regulator. This report is distinct from the CII organization’s own risk assessment report.
  • Have a third-party or internal cybersecurity auditor conduct a cybersecurity audit at least once a year. The auditor’s report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. A summary of the report must also be delivered to the regulator.
  • Organize a business continuity plan training program at least once a year to evaluate the plan’s effectiveness in addressing cyber threats.

Cybersecurity Incident Response

If a cybersecurity incident occurs, CII organizations must:

  • Run detection and analysis procedures as outlined in the NCSC guidelines.
  • Notify and submit a report to both the NCSA and the regulator within 24 hours.
  • Cooperate with the collection and investigation of evidence relating to the cybersecurity incident by officers under the Cybersecurity Act.

A CII organization that, without reasonable cause, fails to report to the NCSA and the regulator a cybersecurity incident with a significant impact on its systems is liable to a fine of up to THB 200,000 (approx. USD 5,500).

Other Obligations

In addition, CII organizations must do the following:

  • Mitigate cybersecurity risks and implement plans to deal with cybersecurity incidents.
  • Collaborate with the NCSC, CRC, and NCSA to organize cyber threat response training, including supplying necessary information for the planning and execution of the training.
  • Participate in cyber threat readiness tests conducted by the NCSA to ensure preparedness for handling cybersecurity incidents.
  • Prepare a business continuity plan in accordance with the prescribed criteria to ensure the ongoing provision of critical services.
  • If evidence suggests a cybersecurity incident may have occurred, evaluate the computer systems, data, and surrounding circumstances in order to determine whether the incident occurred and its impact on the organization’s information system.
  • State CII organizations must establish a computer emergency response team (CERT) for CII organizations and CII services in their sector, or promptly notify the NCSC of the reason for their inability to do so.
  • Cooperate with the relevant sectoral CERT as well as the Thailand Computer Emergency Response Team (ThaiCERT) on cybersecurity incident responsiveness, dealing with the effects of cyber threats, and other cybersecurity issues.
  • Comply with any orders or notifications issued by the NCSC or the CRC.

The NCSA will review the obligations under this notification at least every two years, or when there is a significant change regarding cybersecurity.

For more information on compliance with Thailand’s cybersecurity regulations, please contact Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], or Nitcharat Siraprapasiri at [email protected].