Thailand’s Digital Government Development Agency (DGA) has released drafts of two pivotal documents to guide Thai government agencies in adopting cloud technology and classifying data for cloud usage. These draft guidelines, open for public hearing through August 12, 2025, are part of the national “Go Cloud First” policy, which aims to accelerate digital transformation, improve efficiency, and ensure robust data security across the public sector. The new standards will have significant implications for both government agencies and cloud service providers operating in Thailand. Highlights of the draft guidelines are presented below. Government Cloud Usage Guidelines Cloud-first transformation: All government agencies are directed to prioritize cloud solutions for new IT projects, in line with the cabinet’s “Go Cloud First” policy. Cloud model selection: Agencies must assess their needs and select the most appropriate cloud deployment model—public, private, hybrid, or community cloud—based on the sensitivity of the data and operational requirements. Service types: The guidelines provide criteria for choosing between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), emphasizing the importance of using standard, non-customized services where possible. Cost management: Agencies are required to plan and separate cloud-related expenses, ensuring transparency and efficient budget allocation. Cloud migration: The guidelines outline the steps for migrating to the cloud and highlight the role of cloud service providers in facilitating the process, including supporting innovation and enabling smooth exit strategies. Procurement compliance: All cloud procurement must comply with public sector procurement laws and regulations. Only providers meeting government-mandated standards can be selected. Security and shared responsibility: The guidelines clarify the division of security responsibilities between cloud providers and government agencies. While providers manage infrastructure security, agencies remain responsible for data, application, and access controls. Legal framework: Agencies must comply with the Digital Government Administration Act, Cybersecurity

On July 21, 2025, Thailand’s National Cyber Security Agency (NCSA) released a draft amendment to the Cybersecurity Act B.E. 2562 (2019) for public hearing, aiming to address the rapid evolution of technology and increasing complexity of cyber threats. The proposed changes to the country’s cybersecurity framework would extend regulatory oversight to cloud service providers and data center operators hosting data for critical information infrastructure (CII) organizations regulated under the Cybersecurity Act. The NCSA will accept comments on the draft until August 5, 2025. Following the close of the public consultation period, the draft amendment will be subject to further revision during the legislative process. Key proposed amendments are discussed below. Expanded Critical Infrastructure Scope The Cybersecurity Act currently applies only to state agencies, supervising or regulating organizations, and designated CII organizations as announced by the National Cyber Security Committee (NCSC). It defines CII organizations as public or private organizations related to or providing national security, significant public services, banking and finance, information technologies, telecommunications, transportation and logistics, energy and public utilities, or public health. The draft amendment expands the scope of CII organizations to include public and private organizations related to or providing industrial work (to be further defined in subregulations) as well as service providers that store or possess data for CII organizations, such as cloud and data center service providers. CII organizations must comply with cyber threat reporting requirements and are subject to the NCSA’s interception powers. Updated Definitions and New Terminology The draft amendment more clearly distinguishes between “cyber threats” (which have yet to occur but have the potential of causing damage or impact) and “cyber incidents” (which have already occurred and have caused or are expected to cause damage or impact). The draft amendment also expands the definition of “cybersecurity” to explicitly cover both prevention

Thai authorities have escalated efforts to block unlawful cross-border digital asset business operators. On June 19, 2025, the Ministry of Digital Economy and Society (MDES) issued a notification empowering it to ban internet access to operations or services offered by digital asset business operators who lack licenses from the Thailand Securities and Exchange Commission (SEC) under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This ban, issued under the 2023 Royal Decree on Measures for the Prevention and Suppression of Technology Crime, particularly aims to block Thai users’ access to services offered by unlicensed offshore digital asset providers via their own apps or websites or through public social media platforms. Compliance Requirements The notification requires internet service providers and social media platforms selected by MDES to immediately impose internet access restrictions on identified apps, websites, and IP addresses of illegal operators upon receiving MDES orders. Takedown Orders There are two tracks for competent officials at MDES to issue orders to operators: If the competent official is notified by the SEC of licensing noncompliance by a particular digital asset business operator, the competent official can issue a takedown order to the operator upon approval from the permanent secretary of MDES. If the competent official independently discovers, or receives a complaint from any third party other than the SEC, that a digital asset business operator may have violated licensing requirements, the competent official can ask the SEC to verify and confirm the relevant facts and noncompliance before seeking approval from the permanent secretary of MDES to issue the takedown order. Streamlined Enforcement Prior to this notification, the SEC could obtain takedown orders only from Thai courts under the 2007 Computer Crime Act to take down or block access to unlicensed digital asset platforms and apps. This was a relatively