You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

January 8, 2026

Thailand Drafting Standards for Government-Engaged Cloud Service Providers

Subscribe to Updates

Thailand’s Digital Government Development Agency (DGA) has proposed new standards that would require government agencies to select cloud services exclusively from a preapproved shortlist of providers. The draft Digital Government Standards re: Cloud Service Provider Standards aims to strengthen procurement confidence and reduce risks associated with selecting cloud service providers that do not meet the required standards. A public hearing period on these standards concluded on December 27, 2025. The DGA will now review submitted comments and consider revising the standards accordingly.

Shortlisted Cloud Service Provider Tiers

The draft standards establish three tiers of cloud service providers based on their assessed service capability levels, core qualifications, and certifications. The DGA sets qualification requirements for each tier, and it is at the discretion of each agency to select the tier of cloud service provider that best suits its operational needs, as follows:

  • Tier 1 cloud service providers are suitable for providing services involving disclosable official data.
  • Tier 2 cloud service providers are suitable for handling official data and protected data, such as personal data, which requires a high-security public cloud (e.g., virtual private cloud).
  • Tier 3 cloud service providers are suitable for providing services to agencies with specific regulatory and security requirements that handle highly protected data, such as the national security system. These providers must offer sovereign or hybrid cloud as stipulated by the Ministry of Digital Economy and Society.

All tiers of cloud service providers must be legal entities incorporated under Thai law and can be authorized distributors of offshore cloud service providers. However, each tier will be subject to different requirements, including infrastructure obligations. Government agencies are encouraged to select a cloud service provider appropriate for their intended use. For example, if a government agency intends to procure cloud services for operating applications that process personal data, it should select a tier 2 cloud service provider.

Shortlisting Procedure

To be endorsed for the shortlist, cloud service providers must conduct a self-assessment using the cloud service provider disclosure form and submit it to the regulatory authority for review.

The cloud service provider disclosure form includes the following sections:

  • Cloud service provider contact information: General contact information for the cloud service provider, such as address and telephone number.
  • Cloud service provider background: An overview of the cloud services offered, such as whether the provider offers public cloud services.
  • Legal and compliance: Information regarding compliance with applicable laws and regulations.
  • Certifications and standards compliance: Information on the cloud service provider’s compliance with various ISO standards, privacy law, and other necessary regulations required for operations.
  • Data control: Information regarding the location where customer or organizational data is stored, whether inside or outside Thailand. This also includes data retention periods when customers discontinue cloud services.
  • Provider performance: Information about the cloud provider’s performance, such as system availability, business continuity plan, and disaster recovery plan.
  • Service availability and business continuity: Information about service availability, the use of other services together with cloud services, and the cloud provider’s business continuity plan.
  • Service support: Information regarding notifications related to cloud service usage, assistance provided to cloud service users when issues arise, and procedures for data migration if necessary.
  • Security configurations: Information on the enforcement of security configuration requirements, adjustments to security settings in public cloud environments, and modifications required for customers with special needs.
  • Service elasticity: Information about temporary automatic resource scaling in cases where immediate changes to higher cloud usage tiers are not possible, as well as multi-path internet connections to support continuity in case of connectivity issues.

The regulatory authority will review and screen the information and supporting documents submitted by applicants to assess their suitability for providing cloud services to government agencies. The assessment will be based on key evaluation principles, such as measures and policies for managing and protecting users’ data, security standards and practices implemented by the service provider, and confirmation that the services comply with the applicable legal and regulatory requirements of Thailand.

In addition, the government may designate a central agency to negotiate key matters with the prescreened cloud service providers to obtain the most beneficial terms for government agencies. This may include negotiations on pricing and billing models, such as pricing structures (e.g., pay-as-you-go, reserved instances), volume discounts, and billing transparency.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

January 8, 2026
Thailand has enacted comprehensive sexual harassment legislation that significantly expands criminal penalties and creates new compliance obligations for online platform operators. The Act Amending the Penal Code (No. 30) B.E. 2568 (2025), enacted on December 29, 2025, and taking effect the following day, introduces a comprehensive definition of sexual harassment, establishes new criminal offenses with graduated penalties, and imposes content removal obligations on social media platforms and computer system service providers. The amendment, which establishes a comprehensive framework for addressing sexual harassment in both physical and digital environments, significantly expands legal exposure for online service operators. It also grants courts authority to order takedowns of violating data accessible to the public. Definition of Sexual Harassment The law introduces “sexual harassment” as a distinct statutory concept covering physical conduct, verbal conduct, sounds, gestures, expressions, postures, communications, surveillance, stalking, and acts committed through computer systems or electronic devices. Conduct qualifies as sexual harassment when it is sexual in nature and likely to cause the victim distress, annoyance, embarrassment, humiliation, fear, or a sense of sexual insecurity. Criminal Offenses and Penalties The amended Penal Code establishes graduated penalties based on the severity and context of the harassment—including enhanced penalties for public or online conduct. For instance: Basic sexual harassment is punishable by imprisonment for up to one year, a fine of up to THB 20,000, or both. Continuous or repeated harassment that prevents normal life escalates penalties to imprisonment for up to two years, a fine of up to THB 40,000, or both. Critically for online operators, harassment committed in public places, in the presence of the public, or through computer systems accessible to the general public triggers imprisonment for up to three years, a fine of up to THB 60,000, or both. Acts of harassment committed by supervisors, employers, or others
Read More
January 6, 2026
On December 30, 2025, Thailand’s Electronic Transactions Development Agency (ETDA) notified digital marketplace operators of a consolidated list of “high‑risk products” that are subject to strict monitoring on digital platforms. The list was jointly prepared by the Thai Industrial Standards Institute (TISI) and the Food and Drug Administration (FDA) to guide platform compliance in the initial phase of implementation of the Electronic Transaction Committee’s Notification on Other Measures for Marketplace for Goods with Specific Characteristics under Section 18(2) of the 2022 Royal Decree on Digital Platform Businesses Requiring Notification B.E.2568 (2025). The notice is addressed to operators of digital platform services that function as product marketplaces with specific characteristics laid out in the notification. The ETDA states that the TISI and the FDA are closely monitoring the high‑risk product categories on digital platforms, and the published list serves as the baseline reference for platform screening during the initial phase of the notification’s implementation. High‑Risk Product List The list aggregates categories of products that are illegal to sell online or are otherwise tightly regulated under Thai law, with an emphasis on health-related products, controlled substances, medical devices, and a wide range of industrial products that require certification or compliance with specified Thai Industrial Standards, as detailed below. Prohibited and tightly controlled health products. This includes all categories of modern medicines subject to control other than general household remedies; all categories of controlled herbal products except for over-the-counter herbal products; narcotics; psychotropic substances; and medical devices requiring use in medical facilities or a physician’s prescription. Selected industrial products requiring heightened controls. The list highlights dozens of TISI-regulated items commonly sold online. Examples include pacifiers, rice cookers, electrical wire, food wrap film, crayons, washing machines and dryers, air conditioners, electric cookers and air fryers, water heaters, microwave ovens, LED luminaires, hair dryers
Read More
January 5, 2026
On December 31, 2025, the government of Vietnam promulgated Decree No. 356/2025/ND-CP detailing and guiding the implementation of the new Personal Data Protection Law (PDPL) that was issued in June 2025. The new decree, like the PDPL, entered into force on January 1, 2026, with the previous Decree No. 13/2023/ND-CP on personal data protection ceasing effect on the same day. Some key points of the new decree include the following: Comprehensive lists of basic and sensitive personal data are provided, which will require companies to review again their existing documents and data type classification to ensure compliance. New timelines are established for responding to specific data subject requests. These timelines are more reasonable and longer than the previous 72-hour requirements. Additional consent guidelines are provided, prohibiting default consent or ambiguous instructions that confuse data subjects about giving or withholding consent. Mandatory content for data transfer agreements/clauses in particular cases is provided. This covers, among other things, (i) the legal basis for the transfer of personal data; (ii) responsibilities for personal data protection during the transfer and processing of personal data; (iii) responsibilities for ensuring the exercise of the rights of personal data subjects; and (iv) responsibilities for coordination and compliance of the parties in cases where violations of personal data protection regulations are detected. The qualifications and responsibilities of data protection officers (DPOs) and data protection departments include, among others, having been trained and fostered in legal knowledge and professional skills regarding personal data protection. There are no specific provisions governing the qualifications or requirements for organizations that provide data protection training or education. New mandatory templates and requirements are provided in relation to data processing impact assessment and data transfer impact assessment, and for cases in which companies need to re-submit assessments to the regulator. Stricter requirements are
Read More
December 30, 2025
On December 17, 2025, Laos’ Ministry of Industry and Commerce (MOIC) issued a notice introducing a new digital system that allows e-commerce businesses to obtain required certificates and licenses through an online, application-based platform. Notice No. 3988, which will take effect on February 1, 2026, introduces the E-Trust platform, a downloadable application that allows e-commerce businesses to remotely obtain acknowledgement certificates and business operating licenses. New Digital Registration Options Under the previous framework established by the Decree on E-commerce (2021), businesses were required to complete registration exclusively through paper-based submissions. The new system now offers businesses two registration options: Traditional paper-based process at the Division of E-commerce Management within the MOIC; or Electronic registration and renewal through the E-Trust platform. This change is expected to streamline procedures, reduce administrative burdens, and enhance accessibility for businesses operating outside Vientiane. The E-Trust platform facilitates compliance for both individuals and legal entities required to submit applications and renewals for required certificates and licenses. The development is particularly beneficial for businesses located in remote provinces, as it eliminates the need for physical travel and significantly accelerates processing times. Compliance Requirements and Penalties Businesses must obtain or renew the required certificates and licenses to avoid sanctions under the Decision on Fines and Other Measures for Violation of the Decree and Regulations on E-commerce (No. 2828/MOIC, dated November 11, 2025). Penalties for noncompliance may include monetary fines and other enforcement measures.
Read More