March 29, 2024

Thailand Details CII Organizations’ Cybersecurity Duties

Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024.

CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status.

The key obligations of CII organizations are laid out below.

Reporting to the National Cyber Security Agency (NCSA)

CII organizations must provide the following to the NCSA:

  • A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes.
  • A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason).

Policies, Guidelines, and Procedures

As specified in the NCSC guidelines, CII organizations must prepare the following internal documents by June 20, 2025:

  • Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan.
  • Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery.

CII organizations must also prepare the following:

  • Mechanisms, procedures, and steps for monitoring and detecting cyber threats or incidents related to critical infrastructure cybersecurity, as well as cybersecurity resolution systems as designated by the NCSC or CRC. These must comply with the standards set by the regulators (the specific regulator depends on the characteristics of the organization) and the NCSC guidelines.
  • Internal methods and procedures for cybersecurity risk management, which must identify risk appetite, conform with the cybersecurity management policy announced by the NCSC, and be approved by the regulator before finally being submitted to the NCSA.

Ongoing Compliance

CII organizations are also responsible for the following ongoing requirements:

  • Submit an annual report covering the number and types of cyber threats that arose during the relevant reporting period, as well as the causes and effects of the cyber threats, problems and obstacles in operation, and policy recommendations. The first report must be submitted by January 31, 2025, and by January 31 of each year thereafter.
  • Review the cybersecurity guidelines and standards framework described above at least once a year, or whenever there is a significant change to cybersecurity operations.
  • Review the methods and procedures for cybersecurity risk management described above at least once a year, or when there is a significant change to cybersecurity operations.
  • Review the cybersecurity mechanisms described above at least once a year.
  • Conduct a cybersecurity risk assessment in accordance with the NCSC guidelines. The report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. The report must also be submitted to the regulator. This report is distinct from the CII organization’s own risk assessment report.
  • Have a third-party or internal cybersecurity auditor conduct a cybersecurity audit at least once a year. The auditor’s report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. A summary of the report must also be delivered to the regulator.
  • Organize a business continuity plan training program at least once a year to evaluate the plan’s effectiveness in addressing cyber threats.

Cybersecurity Incident Response

If a cybersecurity incident occurs, CII organizations must:

  • Run detection and analysis procedures as outlined in the NCSC guidelines.
  • Notify and submit a report to both the NCSA and the regulator within 24 hours.
  • Cooperate with the collection and investigation of evidence relating to the cybersecurity incident by officers under the Cybersecurity Act.

The penalty for a CII organization not reporting a cybersecurity incident that has a significant impact on their systems to the NCSA and the regulator without reasonable cause is a fine of up to THB 200,000 (approx. USD 5,500).

Other Obligations

In addition, CII organizations must do the following:

  • Mitigate cybersecurity risks and implement plans to deal with cybersecurity incidents.
  • Collaborate with the NCSC, CRC, and NCSA to organize cyber threat response training, including supplying necessary information for the planning and execution of the training.
  • Participate in cyber threat readiness tests conducted by the NCSA to ensure preparedness for handling cybersecurity incidents.
  • Prepare a business continuity plan in accordance with the prescribed criteria to ensure the ongoing provision of critical services.
  • If evidence suggests a cybersecurity incident may have occurred, evaluate the computer systems, data, and surrounding circumstances in order to determine whether the incident occurred and its impact on the organization’s information system.
  • State CII organizations must establish a computer emergency response team (CERT) for CII organizations and CII services in their sector, or promptly notify the NCSC of the reason for its inability to do so.
  • Cooperate with the relevant sectoral CERT as well as the Thailand Computer Emergency Response Team (ThaiCERT) on cybersecurity incident responsiveness, dealing with the effects of cyber threats, and other cybersecurity issues.
  • Comply with any orders or notifications issued by the NCSC or the CRC.

The NCSA will review the obligations under this notification at least every two years, or when there is a significant change regarding cybersecurity.

For more information on compliance with Thailand’s cybersecurity regulations, please contact Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], or Nitcharat Siraprapasiri at [email protected].