You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

May 19, 2026

Thailand Tightens Telecom Registration, Data, and IP Address Rules to Combat Tech Crime

Subscribe to Updates

Thailand’s telecommunications regulator has introduced a range of new compliance obligations for telecom licensees aimed at preventing and suppressing technology crime. On May 15, 2026, the National Broadcasting and Telecommunications Commission (NBTC) published in the Government Gazette Notification on Measures for Prevention and Suppression of Technology Crime No. 2, which amends the original NBTC notification dated August 24, 2025. The amendment derives its authority from the Emergency Decree on Measures for Prevention and Suppression of Technology Crime B.E. 2566 (2023), as amended in 2025, and took effect on May 16, 2026.

SIM Card Registration Cap for Non-Thai Nationals

Persons without Thai nationality are now limited to a maximum of three SIM cards per person per service provider. Identity verification must be done primarily via passport. For those without a passport, acceptable alternatives include travel documents or certificates of identity issued by foreign governments, accompanied by additional Thai government-issued documents, as well as pink ID cards (for persons without Thai nationality) and white ID cards (for persons without registration status). Registration must be done in person at a branch or authorized dealer. Service providers must develop their identity verification systems and obtain NBTC approval before deployment.

SIM Activation Deadline and SIM Box Prohibition

Both Thai and non-Thai service users must activate their registered SIM within 60 days of registration. If they fail to do so, they must re-verify their identity in person before activation, confirming they are the same person who originally registered.

Service providers must prohibit SIM box and gateway devices capable of supporting four or more SIMs from connecting to their mobile networks unless the device has received a license under the Radio Communications Act.

Blacklist Enforcement

Service providers must refuse registration of additional mobile numbers for persons listed on a technology crime-related database maintained by the Royal Thai Police.

IP Address Restrictions

International telecommunications licensees must not use Thai-registered IP addresses to provide services in foreign countries. An exception applies to mobile devices carried abroad by users.

Data Retention Obligations

Service providers must retain the personal data of active users for at least 180 days throughout the service period, and for at least 180 days following contract expiration. The scope of retained data is limited to what is necessary for technology crime proceedings, to be jointly determined by the NBTC Office, the Royal Thai Police, and the licensee.

Key Implications

Telecom operators and mobile virtual network operators (MVNOs) face a significant compliance burden. They must build or update identity verification systems subject to NBTC preapproval, enforce the three-SIM cap for non-Thai users, implement SIM box detection mechanisms, restrict IP address usage, integrate with police blacklist databases, and comply with new data retention timelines.

Foreign nationals and expatriates will face reduced ability to register multiple SIM cards and must present a passport or specified alternative ID in person. Registered SIMs not activated within 60 days will require reverification.

The 180-day post-termination data retention obligation—and the joint determination of retained data scope with police—may raise questions about proportionality and compliance with Thailand’s Personal Data Protection Act (PDPA), particularly regarding lawful basis and data minimization.

IoT and enterprise deployments could be affected by the SIM box ban on devices supporting four or more SIMs, unless those devices are properly licensed under the Radio Communications Act.

Next Steps

Telecommunications licensees operating in Thailand should assess their current systems, processes, and contractual arrangements against the new requirements. In particular, licensees should prioritize obtaining NBTC approval for identity verification systems, implementing mechanisms to enforce the SIM registration cap, and reviewing data retention practices to ensure compliance with both the new notification and the PDPA.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 10, 2026
Thailand has introduced new regulatory guidance requiring digital platform operators to adopt structured, transparent, and fair fee practices. On March 16, 2026, the Electronic Transactions Development Agency (ETDA) published Announcement No. DPS 2/2569, titled “Guidelines for Transparency and Fairness in Digital Platform Service Fee Determination,” issued under the Royal Decree on Digital Platform Service Business Operations B.E. 2565 (2022). The guidelines establish a framework governing how digital platform operators should set, disclose, and adjust fees charged to users and related service providers such as logistics and payment providers. Although framed as best-practice guidance rather than legally binding rules with explicit penalties, the guidelines carry regulatory weight under the royal decree and represent a significant step toward structured governance of digital platform fee practices in Thailand. The guidelines establish various transparency principles and divide fees into two distinct categories—compulsory and additional—with specific governance principles for each. Transparency Principles The guidelines recommend that digital platform operators adopt several transparency measures to ensure that users can fully understand the costs of using a platform. Fee catalog. All fees should be consolidated into a single, accessible location, which should include the fee name, definition, scope of covered services, calculation methodology, rate, billing period, and calculation examples. Minimum service disclosure. Operators should disclose the minimum service that users can expect, such as baseline visibility, product listing capabilities, access to transaction data, and back-end dashboard access. Price structure disclosure. Operators should disclose the categories of costs underlying their fees, such as system maintenance, cybersecurity, and operational costs. While exact cost figures need not be made public, operators should be able to provide numerical data to regulators upon request. Clear fee formulas. Fee calculations should be simple and easy to understand—for example, percentage of net sales, cost per order, or cost per product listing. Operators should
Read More
April 10, 2026
As digital commerce continues to reshape consumer behavior in Thailand, the Office of the Consumer Protection Board (OCPB) has been taking steps to review and update key regulations for online platforms. The OCPB has had a particular focus on addressing the risks posed by e-marketplace businesses—from misleading product information to fraudulent online transactions. Some of the regulator’s current legislative efforts related to Thailand’s labeling regulations as well as potential changes to the country’s law on direct sales and marketing. Proposed Changes to Consumer Protection Labeling Regulations On February 24, 2026, the OCPB convened a public hearing to review the Notification of the Committee on Labels re: Specification of Goods as Controlled Label Goods B.E. 2565 (2022) and its annex issued under the Consumer Protection Act. The closed-door session, which started the OPCD’s process of seeking feedback on the proposed changes, brought together representatives from government agencies, business operators, and consumer groups. The OCPB explained that its review of the labeling regulations aims to address regulatory gaps arising from evolving commercial practices, particularly the expansion of e-commerce and cross-border transactions. Authorities highlighted recurring issues involving product information that is unclear, incomplete, or potentially misleading in digital sales channels. The proposed revisions are intended to improve consumers’ access to accurate and complete product information, ensure that label disclosures remain relevant amid the growth of e-commerce, and strengthen protections against deceptive or misleading digital advertising. The review is being undertaken pursuant to the Consumer Protection Act B.E. 2522 (1979). As part of the initiative, the OCPB signaled a potential update to the categories of “controlled label products” as well as enhanced disclosure obligations for business operators, with the broader aim of promoting greater transparency, reinforcing operator accountability, and aligning Thailand’s labeling framework with current market conditions. The OCPB secretary general emphasized that
Read More
April 9, 2026
As part of its ongoing public consultation process for the development of new practical guidelines under the Personal Data Protection Act B.E. 2562 (2019) (PDPA), Thailand’s Personal Data Protection Committee (PDPC) held a two‑day public hearing on April 1–2, 2026. The hearing followed an online questionnaire and stakeholder engagement activities conducted in March 2026 and reflects the PDPC’s continued efforts to develop guidance that aligns international regulatory standards with Thai operational realities. The public hearing provided a forum for participants from both the public and private sectors to exchange views with the PDPC on the proposed guidance so that it responds to the needs of the business community while supporting effective and balanced enforcement of the PDPA. The PDPC emphasized that the consultation process is part of a wider policy objective to build trust in the convenient, secure, and internationally aligned exchange of data. Structure of the Consultation Process According to the PDPC, the initiative to develop the draft PDPA guidelines is being implemented through three core phases: Review of international best practices. The PDPC has conducted a comparative review of data protection guidance and regulatory approaches in jurisdictions with internationally recognized standards, including Singapore, the United Kingdom, the European Union (EU), and Japan. These materials are intended to serve as a reference point for developing practical recommendations across key subject areas under the PDPA. Identification of practical issues and challenges. To ensure that the guidelines respond to real‑world compliance challenges in Thailand, the PDPC has gathered views from a broad range of stakeholders across the public sector, the private sector, and the general public. This phase included focus group discussions and questionnaires aimed at identifying areas to provide organizations with greater clarity and consistency on regulatory expectations. Preparation of draft guidelines. Insights from the comparative study and stakeholder
Read More
April 3, 2026
On March 16, 2026, Vietnam’s Ministry of Public Security released a draft version of a new Decree on the Prevention and Combating of Cybercrime and High-Tech Crime to replace the currently effective Decree 25/2014/ND-CP. In the draft, the ministry has proposed a comprehensive regulatory framework aimed at addressing violations occurring within the cybersecurity domain, including measures related to intellectual property. Acts of Online IP Infringement Article 9 of the draft decree notably introduces specific provisions addressing online intellectual property infringement, with detailed lists of acts considered to constitute infringement in the online environment. Copyright and related rights infringement includes: Uploading or sharing works, performances, sound recordings, video recordings, broadcasts, computer programs, software, research, documents, theses, or other intellectual creations on digital platforms without the consent of the rights holder. Unauthorized livestreaming of copyrighted television programs, sporting events, or artistic performances. Uploading, sharing, storing, transmitting, or providing links to infringing works or digital content via websites, social networks, applications, or digital platforms. Providing or using software, tools, devices, or access codes to circumvent technological protection measures or evade lawful control mechanisms implemented by rights holders. Using artificial intelligence (AI) tools to replicate the ideas or structure of another person’s work without significant new creativity or without proper attribution, thereby causing damage to the original author. Industrial property infringement includes: Manufacturing, trading, advertising, or distributing counterfeit goods bearing counterfeit trademarks, geographical indications, or industrial designs, as well as goods infringing industrial property rights through online platforms. Unauthorized registration, appropriation, or use of domain names, account names, or digital identifiers that create confusion regarding the rights holder or the origin of goods or services. Producing, using, or offering for sale products containing all or part of a patented invention via online platforms. Advertising or introducing products with technical features or characteristics identical
Read More