You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
May 15, 2025

Thailand Resumes Development of AI Regulatory Framework

Subscribe to Updates

Thailand’s Electronic Transactions Development Agency (ETDA) held an explanatory session on the draft principles and regulatory approaches of the country’s planned artificial intelligence (AI) law on May 2, 2025. This came after a lull of two years following the initial release of draft legislation on AI.

In the session, the ETDA explained that the earlier drafts were modeled after the EU’s legal framework for AI, but given the evolving Thai legal and technological landscape, it is now necessary to revisit and refine the drafts to ensure they remain relevant and effective in the local context. To aid in this process, the ETDA will accept public comments on the draft principles of the AI law until June 9, 2025.

Based on gap analysis and a comparative study of how different countries have addressed AI issues, the ETDA’s draft AI law principles are structured into five key areas. These are described below.

1. Risk-Based Requirements

The draft principles outline a set of approaches that the legislation will take toward mitigating risk:

Delegation of powers to enforcement agency or sectoral regulators

The primary legislation will not directly specify a list of prohibited risks or high-risk types of AI. Instead, it will empower an enforcement agency or relevant sectoral regulators to determine and issue such lists. This approach allows regulators in each specific industry to assess the necessity of risk classifications within their respective sectors, based on the principle that sectoral regulators are best positioned to understand the specific risks in their domains. These regulators are expected to issue subordinate legislation in alignment with the overall framework. Meanwhile, the central enforcement agency will coordinate oversight across sectors and cover areas not under the jurisdiction of any specific regulator.

Duties of high-risk AI providers

Providers of AI deemed by the enforcement agency or sectoral regulators to be high-risk will have certain additional requirements:

  • Risk management frameworks: High-risk AI providers must implement risk management systems (e.g., ISO/IEC42001:2023 or NIST Risk Management Framework). The draft principles draw a “duty of care” boundary to clarify the basis for judicial discretion and to provide a reference for government agencies in their enforcement. Failure to comply with the prescribed standards does not automatically constitute a violation; however, if such failure results in harm, the provider may bear liability for a wrongful act. The framework is designed to align with international standards and support consistency across sectors, including through secondary regulations issued by the enforcement body.
  • Local legal representatives: Offshore high-risk AI providers will be required to appoint a local representative in Thailand to ensure effective enforcement of the law for all service providers. The enforcement agency must also be notified of the appointment of a legal representative.
  • Serious incident reporting: High-risk AI providers will be required to report serious incidents to the enforcement agency.

Duties of high-risk AI deployers

Entities deploying high-risk AI must ensure human oversight of AI systems, maintain operational logs, ensure the quality of input data, and notify affected individuals in cases where the AI system may have an impact on their rights or interests. Deployers must also cooperate with investigations if AI causes harm, and may be held liable if their use falls below the standard of care expected of professionals.

2. Measures in Support of Innovation

The supportive principles—most of which can be implemented without new legislation—focus on key areas:

  • Data: Introducing exceptions to permit the use of online data for purposes such as text and data mining, similar to the EU approach, while commercial use will still be subject to rightsholder reservations.
  • Sandbox: Testing in real-world conditions will be permitted under controlled environments to ensure that regulatory design aligns with practical realities. This will require an agreement between private entities and the relevant government agency overseeing the sandbox, allowing the use of personal data originally collected for other purposes to develop AI, provided it serves the public interest. Entities operating within a sandbox and acting in good faith should not be penalized for any harm that arises during the experimental phase, in line with a safe harbor principle. However, this safe harbor will not exempt participants from civil liability for damages.

3. General Principles

Some general principles guiding the development of Thailand’s legislative approach to AI include:

  • Nondiscrimination: Prohibiting the denial of legal effect to contracts or administrative decisions made using AI.
  • AI as a tool: Affirming that all actions generated by AI must be attributable to a human, regardless of human intervention. Developers and users cannot escape liability by citing unpredictability alone.
  • Protection against unexpected actions: Establishing exceptions to protect individuals from being bound by AI-generated acts that arise from unforeseeable errors. Such expectations would apply only if the affected party could not have reasonably foreseen the AI action and the counterparty either knew or could have known.
  • Right to explanation and appeal: Granting individuals the right to understand how AI systems are developed and the ability to appeal decisions made by or with AI, potentially requiring human involvement in decision making. These rights, which are under consideration and may apply only to high-risk AI, include the right to be notified when AI is used, the right to an explanation of how AI made a decision, and the right to contest the decision.

4. Regulator

The current proposal does not call for the establishment of a new regulator; instead, it designates the existing AI Governance Center (AIGC) under the ETDA to oversee the implementation of the law. The AIGC’s roles include conducting research and development on AI governance, providing guidance to organizations on AI adoption, and supporting pilot projects and regulatory sandboxes. Additional responsibilities include monitoring global trends, compiling national AI-readiness data, and developing cooperative mechanisms both domestically and internationally.

5. Legal Enforcement

The draft AI law empowers the enforcement agency and relevant sectoral regulators to jointly issue administrative orders requiring AI providers or deployers to cease the provision or use of prohibited or high-risk AI. If such parties fail to comply and the AI service is hosted on a digital platform, authorities may order the platform provider to remove or block access to the service. For prohibited AI embedded in physical products, enforcement may extend to seizure of the items, including through entry into premises. If the noncompliant AI service is hosted outside digital platforms or a platform fails to comply, the regulators may coordinate with the Ministry of Digital Economy and Society to order internet service providers to block access within Thailand.

Status and Outlook

The ETDA will take the comments into consideration as part of the legislative revision process. After reviewing the draft legislation based on the feedback received in this round, a revised version of the draft law will be published for another public hearing.

Business operators should review the proposed principles of the draft AI law and submit their comments, if any, to the ETDA. They should also start monitoring the development of this law to ensure timely compliance. In particular, operators that develop, use, or rely on high-risk AI systems should begin assessing their current risk management structures, data governance practices, and human oversight mechanisms.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

May 14, 2025
Following the amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes in mid-April 2025, new measures were introduced by the Electronic Transactions Development Agency (ETDA) in a hearing session held on May 13, 2025, to establish shared liability between online social media platform operators and other in-scope operators for damages arising from technological crimes. Stakeholders are being invited to submit their comments on the proposed new provisions directly to the ETDA by May 20, 2025. The concept of the new measures for social media platform operators is that to be released from liability for damages arising from technological crimes, social media platform operators must demonstrate compliance with the relevant technological crime prevention standards and measures prescribed by their respective regulators (“safe harbor rules”). Safe Harbor Rules Under the principles of the proposed safe harbor rules, social media platform operators and the relevant service providers would be required to comply with the following obligations: Immediate takedown and suspension of dissemination: Disable access, remove the content from the system, or suspend the relevant service within 24 hours of receiving an official notification from the Cyber Crime Investigation Bureau’s Anti-Online Scam Operation Center (AOC) that a service or social media platform is disseminating content that is or may be used to commit or support technological crimes. Establishment of notification channels: Establish a system or channel to receive notifications from the AOC. User registration and identity verification: Require user registration (including identity verification and authentication) before allowing content to be posted, with sufficient information to identify the user. Suspending dissemination of suspect advertisements: Disable access to advertisements reasonably suspected of involving or potentially involving the commission of technology-related crimes. Reporting: Report on actions taken, including details like account owner information, IP address, email, or phone number used for account
Read More
May 5, 2025
On April 29, 2025, the government of Vietnam promulgated Decree No. 94/2025/ND-CP with regulations on a controlled “sandbox” for innovative fintech solutions in the banking sector (“Decree 94”). The decree aims to promote innovation, modernize banking, and enhance financial inclusion while assessing risks and benefits of fintech solutions in a controlled testing environment. Fintech Sandbox Currently, the fintech sandbox focuses on three specific areas: Credit scoring Open API data sharing Peer-to-peer (“P2P”) lending Eligible participants for the fintech sandbox include: Credit institutions and foreign bank branches (except for P2P lending) Fintech companies operating in Vietnam Cross-border supply by foreign providers is not included in the sandbox framework. Eligible participants are permitted to provide fintech solutions only within the scope specified in the Certificate of Sandbox Participation issued by the State Bank of Vietnam in consultation with other ministries. P2P lending companies face specific restrictions within the fintech sandbox, including prohibitions against: Providing security for customer loans Operating as a customer (i.e., P2P lender or borrower) Providing P2P lending solutions to pawn shops The maximum sandbox period is two years, with the possibility of extension as permitted by law. The outcomes of the fintech sandbox will serve as a practical basis for authorities to develop and refine future fintech regulations. It is worth noting that participation in the sandbox does not guarantee that participants will meet relevant business and investment conditions that may be stipulated in future regulations. Decree 94 will take effect on July 1, 2025, signaling that the Vietnamese government intends to take a proactive approach to fostering fintech development. Implications Parties interested in participating in the fintech sandbox should begin preparing now to be ready to apply for a Certificate of Sandbox Participation when the decree takes effect.
Read More
May 2, 2025
Attorneys from Tilleke & Gibbins have updated the latest edition of Doing Business in Thailand, a Q&A-style guide from Thomson Reuters Practical Law that offers an overview of key legal considerations for companies operating in jurisdictions worldwide. The contribution outlines the country’s legal and regulatory framework for foreign investment and business operations and reflects the latest legislative developments. The chapter addresses the following core topics: Legal system: Structure of the courts and the codified nature of Thai law. Foreign investment: Business restrictions under the Foreign Business Act, sector-specific regulations, exchange control rules, and investment incentives. Business vehicles: Overview of partnerships, private and public limited companies, and other legal entities. Employment: Labor protections, employment contracts, foreign worker requirements, and termination procedures. Tax: Corporate and personal income tax, indirect taxes, and tax obligations for residents and non-residents. Intellectual property: Registration and enforcement of patents, trademarks, designs, and copyrights. Data protection: Key provisions of the Personal Data Protection Act and related compliance obligations. Competition law: Regulatory framework under the Trade Competition Act. Anti-bribery and corruption: Relevant legislation and enforcement mechanisms. E-commerce and digital business: Legal regime for online transactions and digital platforms. Marketing and advertising: Consumer protection laws and regulations affecting advertising and marketing practices. Product regulation and liability: Safety standards, liability regimes, and roles of enforcement authorities. Practical Law, a legal reference resource from Thomson Reuters, publishes a range of guides for hundreds of jurisdictions and practice areas. The insurance and reinsurance guide is a valuable resource for legal practitioners, covering numerous jurisdictions worldwide. To view the latest version of the guide, please visit the Practical Law website and enroll in the free Practical Law trial to gain full access.
Read More
April 30, 2025
With a favorable crypto climate from the Trump administration in the United States, Thailand is ready for digital asset platforms and has market appetite. This article highlights the country’s regulatory initiatives supporting the growth of digital assets like crypto, stablecoins, and smart contracts, along with efforts to establish clear oversight. Bank of Thailand Sandbox Stablecoins used as a medium of payment, particularly those pegged to the Thai baht (THB) for public use, are considered as mirroring fiat currency, which violates the Currency Act B.E. 2501 (1958). These can also be classified as e-money under the Payment Systems Act B.E. 2560 (2017). The Bank of Thailand (BOT) urges issuers to engage in preconsultation prior to implementation, due to concerns about stablecoins being used in place of THB currency. Other FX- or asset-backed stablecoins are not recognized as legal tender under Thai law, and users must bear their own risks. The BOT recognizes the potential and benefits of these technologies in reducing operational costs for financial service providers and addressing the needs of financial service users. Consequently, the BOT issued a sandbox framework in June 2024. In particular, the enhanced regulatory sandbox allows nonlicensed entities to test financial innovations in controlled conditions. These tests must have a clearly defined duration (usually under one year) and involve a limited user group with an exit strategy. Several programmable payment projects—automated transactions with predefined conditions for the payment of goods and services—were piloted under this sandbox, which closed for applications in September 2024. Eight participants are planning to launch their test runs this year, some of which include asset tokenization or exchange global stablecoins in their programmable payment projects. Thai Securities and Exchange Commission Sandbox Given that digital asset businesses fall under the Royal Decree on Digital Asset Businesses B.E. 2561 (2018), supervised by
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice