You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

December 4, 2025

Thailand Expands Fast-Track Cybersecurity and Defense Procurement

Subscribe to Updates
 

Thailand has expanded the circumstances under which state agencies may bypass competitive bidding procedures to address urgent security challenges. On November 28, 2025, Thailand’s Ministry of Finance published the Ministerial Regulation Determining Cases of Procurement by Specific Method (No. 6) B.E. 2568 in the Royal Gazette, introducing a new pathway for procuring supplies and services needed to address cyber and military threats that may affect the stability of government agencies or the nation. For technology vendors, cybersecurity firms, and defense contractors, this regulatory change creates immediate opportunities to engage directly with government buyers facing urgent security challenges.

New Fast-Track Category for Security Threats

The regulation amends Thailand’s Public Procurement and Supplies Management Act B.E. 2560 (2017) to add a new category of procurement that qualifies for the “specific method”—a noncompetitive, direct selection process. Previously, agencies could use this expedited method only in limited circumstances, such as emergencies, cases with proprietary technology requirements, or national security operations. The new provision explicitly covers procurement of supplies related to preventing or resolving cyber or military threats that could impact the stability of a state agency or the country.

This addition recognizes the urgent nature of modern security challenges, where competitive bidding timelines may leave agencies vulnerable during critical threat windows. State agencies dealing with active cyberattacks, preparing defensive measures against anticipated threats, or responding to military security concerns can now move directly to negotiate with qualified vendors rather than conducting lengthy public tender processes.

Vendor Considerations

Vendors offering cybersecurity solutions now have a regulatory avenue to work directly with government clients when stability concerns are present. These solutions include threat detection systems, anti-ransomware tools, incident response services, firewalls, and security consulting. Similarly, defense contractors providing military equipment or specialized security supplies can pursue direct engagement channels where traditional procurement methods would create unacceptable delays.

Procuring agencies will need to demonstrate that the procurement relates to preventing or resolving a genuine cyber or military threat to stability. Therefore, vendors should be prepared to show how their solutions address the specific security challenges the agency faces, as well as why direct engagement serves the government’s urgent needs.

Similarly, vendors approaching and building relationships with government clients should be able to emphasize response speed, proven effectiveness in similar threat environments, and the urgency factors that justify bypassing competitive procedures.

Related Professionals

Industries

Aviation

Technology

Practices

Competition and Trade

Corporate/M&A

Location

RELATED INSIGHTS​

February 26, 2025
Tilleke & Gibbins has contributed the Thailand chapter to Data Protection 2025, a newly published comparative guide from Global Legal Post’s Law Over Borders series. This comprehensive Q&A-style resource provides insights into data protection regulations across multiple jurisdictions worldwide, offering valuable guidance for businesses navigating the complex landscape of global data privacy requirements. The Thailand chapter offers a detailed analysis of the country’s data protection framework, with particular focus on the Personal Data Protection Act (PDPA) that came into full effect in 2022. The chapter addresses key aspects of data protection in Thailand through the following topics: Regulatory framework: National laws governing personal data, scope of application, territorial reach, and regulated operations. Data categories and protection: Types of personal data covered, special categories subject to enhanced protection, and processing requirements. Compliance obligations: Requirements for lawful processing, organizational responsibilities, and data subject rights. Marketing and cross-border considerations: Rules for commercial communications and international data transfers. Enforcement mechanisms: Regulatory powers, investigation procedures, sanctions, and remedies for noncompliance. Tilleke & Gibbins also contributed the Vietnam chapter to Data Protection 2025. Readers can access the complete Data Protection 2025 guide through Global Legal Post’s Law Over Borders platform.
Read More
February 20, 2025
Vietnam’s Decree No. 147/2024/ND-CP on the management, provision, and use of internet services and online information (Decree 147) was issued on November 9, 2024, and came into effect on December 25, 2024. Decree 147 represents a more stringently regulated digital landscape in Vietnam, creating challenges not only for offshore service providers offering cross-border services but also for onshore providers. As these new regulations impose stricter requirements, particularly in areas like content control, user authentication, data storage, and service license/notification, companies will need to adapt quickly to maintain compliance and minimize legal risks. The following are some of the key topics covered by Decree 147. [Note: Shortly after the issuance of Decree 147, Vietnam began a government restructuring process, with the aim of streamlining the government by consolidating and eliminating various ministries and agencies. Thus, the decree’s references to authorities such as the Authority of Broadcasting and Electronic Information (ABEI) and the Ministry of Information and Communications (MIC) are subject to change.] 1. Cross-Border Information Provision Cross-border information provision is defined broadly as the provision by overseas organizations and individuals of information and online information content services for service users in Vietnam to access or use. This wide-ranging definition encompasses various types of cross-border services, including social network services, online game services, and app store services. However, cross-border provision of online game services remains prohibited under Decree 147 (see further details below). Offshore providers of services on a cross-border basis who lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months (“regulated cross-border providers”) must adhere to stricter requirements. Specifically, they are required to, among other requirements: Notify the relevant authority of their contact information, including the location of the main server providing the service, within 60
Read More
February 17, 2025
Thailand’s draft Emergency Decree on Technology Crimes Suppression, which we covered in a client alert in January 2025 primarily addressed to telecom operators and financial institutions, is expected to have significant implications for a wide range of business operators.  The draft emergency decree has already been approved by the cabinet but may undergo further developments as it continues in the legislative process. In this article, we will highlight the material impacts of the draft emergency decree on overseas and local fintech operators. Expanded Definition of “Technology Crimes” The definition of “technology crimes” now includes the following acts of forgery or alteration: Forging or altering the identity of individuals and biometric characteristics by utilizing computer or communication systems or other electronic means to commit offenses. Forging or altering symbols, trademarks, or seals of groups (e.g., foundations, community enterprises) or juristic persons, including acts by juristic persons using individuals or juristic persons as nominal directors or shareholders, regardless of whether such individuals or legal juristic persons reside in Thailand. Forging or altering digital or online platforms, regardless of the platform’s location or legal status. Individuals who conspire, utilize, assist, or support the commission of these offenses will face the same penalties as the principal offender. Business Operator Definition The scope of “business operators” is now expanded to cover various fintech and digital asset operators beyond those under the Payment Systems Act (PSA). The draft emergency decree now includes the following operators, whether they are legally authorized or not: Business operators under the PSA and business operators who operate “as if” they are payment system operators Business operators under the Royal Decree on Digital Asset Businesses or business operators who operate “as if” they are digital asset business operators. Foreign exchange business operators. Disclosure and Exchange of Information Business operators must disclose
Read More
February 7, 2025
Vietnam’s political system is currently undergoing a significant reorganization to streamline government operations and improve efficiency. In this regard, Plan 141/KH-BCDTKNQ18, issued on December 6, 2024, provided guidelines on the restructuring of existing ministries, ministerial-level agencies, and government-affiliated agencies. Accordingly, the number of ministries is being reduced from 18 to 14 through mergers and consolidations and the establishment of a new Ministry of Ethnic and Religious Affairs. The number of ministerial-level agencies is being reduced to three, and government-affiliated agencies to five. Similar streamlining is happening at provincial levels. The newly consolidated state agencies will assume all functions, rights, and responsibilities of the merged entities, and will continue handling all ongoing matters previously handled by the former agencies. Some examples of these changes include the following: The Ministry of Science and Technology (MOST) will oversee telecommunications, IT applications, cybersecurity, e-transactions, and national digital transformation, which had previously been managed by the Ministry of Information and Communications (MIC). MOST will also be responsible for issuing licenses related to these areas, such as licenses for G1 online game services and telecommunication services. The Ministry of Culture, Sports, and Tourism will assume the responsibility of press management, previously under the MIC. The Ministry of Finance will assume state management functions related to investment, previously handled by the Ministry of Planning and Investment. Provincial Departments of Finance will issue Investment Registration Certificates and Enterprise Registration Certificates, a responsibility previously held by the Departments of Planning and Investment. The Ministry of Home Affairs will oversee labor and employment matters. Provincial Departments of Home Affairs will be authorized to issue work permits and will be the designated authorities for companies to register their internal labor regulations. Advantages for Businesses The restructuring aims to simplify regulations and expedite licensing processes. By reducing the number of agencies
Read More