On July 21, 2025, Thailand’s National Cyber Security Agency (NCSA) released a draft amendment to the Cybersecurity Act B.E. 2562 (2019) for public hearing, aiming to address the rapid evolution of technology and increasing complexity of cyber threats. The proposed changes to the country’s cybersecurity framework would extend regulatory oversight to cloud service providers and data center operators hosting data for critical information infrastructure (CII) organizations regulated under the Cybersecurity Act. The NCSA will accept comments on the draft until August 5, 2025. Following the close of the public consultation period, the draft amendment will be subject to further revision during the legislative process. Key proposed amendments are discussed below. Expanded Critical Infrastructure Scope The Cybersecurity Act currently applies only to state agencies, supervising or regulating organizations, and designated CII organizations as announced by the National Cyber Security Committee (NCSC). It defines CII organizations as public or private organizations related to or providing national security, significant public services, banking and finance, information technologies, telecommunications, transportation and logistics, energy and public utilities, or public health. The draft amendment expands the scope of CII organizations to include public and private organizations related to or providing industrial work (to be further defined in subregulations) as well as service providers that store or possess data for CII organizations, such as cloud and data center service providers. CII organizations must comply with cyber threat reporting requirements and are subject to the NCSA’s interception powers. Updated Definitions and New Terminology The draft amendment more clearly distinguishes between “cyber threats” (which have yet to occur but have the potential of causing damage or impact) and “cyber incidents” (which have already occurred and have caused or are expected to cause damage or impact). The draft amendment also expands the definition of “cybersecurity” to explicitly cover both prevention

Thai authorities have escalated efforts to block unlawful cross-border digital asset business operators. On June 19, 2025, the Ministry of Digital Economy and Society (MDES) issued a notification empowering it to ban internet access to operations or services offered by digital asset business operators who lack licenses from the Thailand Securities and Exchange Commission (SEC) under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This ban, issued under the 2023 Royal Decree on Measures for the Prevention and Suppression of Technology Crime, particularly aims to block Thai users’ access to services offered by unlicensed offshore digital asset providers via their own apps or websites or through public social media platforms. Compliance Requirements The notification requires internet service providers and social media platforms selected by MDES to immediately impose internet access restrictions on identified apps, websites, and IP addresses of illegal operators upon receiving MDES orders. Takedown Orders There are two tracks for competent officials at MDES to issue orders to operators: If the competent official is notified by the SEC of licensing noncompliance by a particular digital asset business operator, the competent official can issue a takedown order to the operator upon approval from the permanent secretary of MDES. If the competent official independently discovers, or receives a complaint from any third party other than the SEC, that a digital asset business operator may have violated licensing requirements, the competent official can ask the SEC to verify and confirm the relevant facts and noncompliance before seeking approval from the permanent secretary of MDES to issue the takedown order. Streamlined Enforcement Prior to this notification, the SEC could obtain takedown orders only from Thai courts under the 2007 Computer Crime Act to take down or block access to unlicensed digital asset platforms and apps. This was a relatively

On June 10, 2025, Thailand’s Supreme Administrative Court accepted for consideration a pivotal lawsuit concerning the regulatory obligations of administrative agencies over internet-based television broadcasting services, commonly referred to as over-the-top (OTT) services. This court’s decision in the case may set important precedents for how OTT platforms are regulated, especially regarding consumer protections and advertising practices. Background A user of an OTT television application initiated legal action against the National Broadcasting and Telecommunications Commission (NBTC) and related officials, alleging that the lack of clear regulatory criteria and oversight allowed OTT operators to broadcast general television content while compelling users to view advertisements before and during programming. The plaintiff argued this constituted consumer exploitation and claimed that the responsible authorities neglected or delayed their statutory duties under the Act on the Organization to Assign Radio Frequencies and Regulate Broadcasting, Television, and Telecommunications Services B.E. 2553 (2010). Initially, the Central Administrative Court declined to accept the lawsuit. However, on appeal, the Supreme Administrative Court determined that the claim fell within its jurisdiction, noting that OTT television services—defined under section 4 of the governing act—are subject to the same regulatory framework as traditional television services, regardless of the transmission method (frequency, cable, internet, or other system). Implications for OTT Services The key implications for OTT services concern the following issues: Regulatory oversight: The court recognized that OTT television services are explicitly covered under Thailand’s broadcast regulatory regime. Regulatory agencies may be compelled to establish clear operational rules and oversight mechanisms for OTT providers. Consumer protections: The plaintiff’s claim that excessive or unavoidable in-program advertising constitutes consumer exploitation was acknowledged as a matter of public interest. This may prompt stricter advertising standards for OTT platforms. Licensing requirements: The case raises the prospect that OTT operators may be required to obtain licenses from the

Now halfway through 2025, Thailand continues to advance in the realm of data privacy, with the ambitious goal of achieving zero data breaches. The Personal Data Protection Committee (PDPC), an independent government body established by the Personal Data Protection Act (PDPA), is taking a more proactive approach, having published several rulings and orders to enhance data protection measures and clarify compliance expectations for businesses. Here is a look back at Thailand’s data privacy developments in the first half of the year. Strengthening Law Enforcement and New Guidance for Compliance Enforcement of existing data protection laws and regulations has taken a step forward this year. Some of the specific initiatives include: Increased enforcement by the PDPC. A key trend to watch from the first half of 2025 is the PDPC’s active enforcement of the PDPA as it intensifies oversight through compliance orders and public warnings against noncompliant organizations while ramping up efforts to prevent and halt the illegal trading of personal data by actively monitoring emerging societal issues. Call center scams and cyber fraud control. Thailand published an amendment to the Emergency Decree on Measures for the Prevention and Suppression of Technological Crimes to strengthen measures against technological crimes, particularly targeting call center scams and cyber fraud. Orders from the Expert Committee. Several orders issued by the Expert Committee under the PDPA were announced in the first half of this year. These include directives for data controllers to take corrective actions to comply with the PDPA, as well as initiatives to raise awareness of data privacy within organizations, reflecting the regulator’s focus on promoting organizational awareness and compliance. A guideline report summarizing the Expert Committee’s decisions and orders was also published to serve as a reference for compliance. Public issue monitoring. The PDPC has been taking a more proactive approach