Thailand’s Digital Government Development Agency (DGA) has proposed new standards that would require government agencies to select cloud services exclusively from a preapproved shortlist of providers. The draft Digital Government Standards re: Cloud Service Provider Standards aims to strengthen procurement confidence and reduce risks associated with selecting cloud service providers that do not meet the required standards. A public hearing period on these standards concluded on December 27, 2025. The DGA will now review submitted comments and consider revising the standards accordingly.

Shortlisted Cloud Service Provider Tiers

The draft standards establish three tiers of cloud service providers based on their assessed service capability levels, core qualifications, and certifications. The DGA sets qualification requirements for each tier, and it is at the discretion of each agency to select the tier of cloud service provider that best suits its operational needs, as follows:

• Tier 1 cloud service providers are suitable for providing services involving disclosable official data.
• Tier 2 cloud service providers are suitable for handling official data and protected data, such as personal data, which requires a high-security public cloud (e.g., virtual private cloud).
• Tier 3 cloud service providers are suitable for providing services to agencies with specific regulatory and security requirements that handle highly protected data, such as the national security system. These providers must offer sovereign or hybrid cloud as stipulated by the Ministry of Digital Economy and Society.

All tiers of cloud service providers must be legal entities incorporated under Thai law and can be authorized distributors of offshore cloud service providers. However, each tier will be subject to different requirements, including infrastructure obligations. Government agencies are encouraged to select a cloud service provider appropriate for their intended use. For example, if a government agency intends to procure cloud services for operating applications that process personal data, it should select a tier 2 cloud service provider.

Shortlisting Procedure

To be endorsed for the shortlist, cloud service providers must conduct a self-assessment using the cloud service provider disclosure form and submit it to the regulatory authority for review.

The cloud service provider disclosure form includes the following sections:

• Cloud service provider contact information: General contact information for the cloud service provider, such as address and telephone number.
• Cloud service provider background: An overview of the cloud services offered, such as whether the provider offers public cloud services.
• Legal and compliance: Information regarding compliance with applicable laws and regulations.
• Certifications and standards compliance: Information on the cloud service provider’s compliance with various ISO standards, privacy law, and other necessary regulations required for operations.
• Data control: Information regarding the location where customer or organizational data is stored, whether inside or outside Thailand. This also includes data retention periods when customers discontinue cloud services.
• Provider performance: Information about the cloud provider’s performance, such as system availability, business continuity plan, and disaster recovery plan.
• Service availability and business continuity: Information about service availability, the use of other services together with cloud services, and the cloud provider’s business continuity plan.
• Service support: Information regarding notifications related to cloud service usage, assistance provided to cloud service users when issues arise, and procedures for data migration if necessary.
• Security configurations: Information on the enforcement of security configuration requirements, adjustments to security settings in public cloud environments, and modifications required for customers with special needs.
• Service elasticity: Information about temporary automatic resource scaling in cases where immediate changes to higher cloud usage tiers are not possible, as well as multi-path internet connections to support continuity in case of connectivity issues.

The regulatory authority will review and screen the information and supporting documents submitted by applicants to assess their suitability for providing cloud services to government agencies. The assessment will be based on key evaluation principles, such as measures and policies for managing and protecting users’ data, security standards and practices implemented by the service provider, and confirmation that the services comply with the applicable legal and regulatory requirements of Thailand.

In addition, the government may designate a central agency to negotiate key matters with the prescreened cloud service providers to obtain the most beneficial terms for government agencies. This may include negotiations on pricing and billing models, such as pricing structures (e.g., pay-as-you-go, reserved instances), volume discounts, and billing transparency.