Thailand’s Securities and Exchange Commission (SEC) has filed a criminal complaint against a licensed digital asset broker, its overseas trading platform, and its executives for allegedly operating an unlicensed digital asset exchange targeting Thai customers. The case marks an escalation in the SEC’s enforcement efforts against unlicensed offshore platforms that attempt to serve Thai users through local licensed entities. Criminal Complaint On February 20, 2026, the SEC filed a criminal complaint with the Economic Crime Suppression Division against a local licensed digital asset broker, its overseas global trading platform, and its executives. The SEC alleges that the parties violated the Digital Asset Business Emergency Decree B.E. 2561 (2018) by cooperatively operating a digital asset exchange business on a cross-border basis since 2023 without the required SEC license. According to the SEC, the local broker promoted the overseas platform’s services to the public through Thai-language posts on social media channels, with services available exclusively to customers residing in Thailand. Access to the global platform was provided through the local broker’s website and mobile application. Customers who registered for the local broker’s services were automatically granted access to the global platform without having to undergo a separate identity verification process. The SEC also found that the local broker provided back-office system support services to the global platform. The SEC considers these activities to constitute joint operation of an unlicensed digital asset exchange. The former executives of the local broker are being held liable as the responsible persons during the relevant period. The SEC emphasized that the complaint initiates the criminal process, and the decision to prosecute or convict the accused parties will ultimately be made by law enforcement authorities and the criminal courts. Platform Blocking The SEC has also coordinated with the Ministry of Digital Economy and Society to block public

On January 9, 2026, Thailand’s Securities and Exchange Commission (SEC) filed a criminal complaint with the Economic Crime Suppression Division (ECD) against five individuals for unauthorized operation of a digital-asset dealer business under the Emergency Decree on Digital Asset Businesses B.E. 2561 (2018). This precedent-setting case signals that the regulator is willing to pursue crypto enforcement against natural persons even in the absence of a licensed platform entity. Background and Implications The case follows the SEC’s October 2025 public warning about the use of iris-scanning technology in exchange for certain digital tokens. In its warning, the SEC cautioned that exchanging or trading these specific tokens with unlicensed service providers exposes users to heightened fraud, scam, and money laundering risks. Unlike prior regulatory enforcement matters, which involved platform-level administrative fines for operational or compliance failures, this case targets misconduct by individuals who may not be professional traders but openly advertised their willingness to buy these tokens from the public, opened individual over-the-counter (OTC) trade channels for these tokens, and facilitated off-exchange transactions in a manner resembling ordinary commercial dealing. This enforcement action establishes a clear precedent that natural persons engaging in public-facing digital-asset dealing may face criminal liability under Thai law, even without operating through a corporate or licensed platform structure. Outlook The alleged offenders may not settle this crime by payment of fines. Following the SEC’s referral, the ECD will undertake further investigation, after which prosecutors may review the case and proceed to court. The SEC has stated that it will cooperate fully with enforcement agencies throughout the criminal enforcement process.

Thailand continues to advance its legal and regulatory framework for the technology sector, with several key laws undergoing review and proposed amendments. These developments reflect Thailand’s broader efforts to ensure that its regulatory landscape keeps pace with rapid technological change and aligns more closely with international standards and best practices. The following are key legal developments and proposed legislative reforms in 2026 that are expected to impact businesses operating in the technology sector and the broader Thai business landscape. Data Privacy and Cybersecurity Personal Data Protection Act B.E. 2562 (2019) Following the full enforcement of Thailand’s Personal Data Protection Act (PDPA) in June 2022, businesses and practitioners have identified practical implementation challenges and interpretative issues. These challenges were reflected in an effectiveness assessment conducted by the Personal Data Protection Committee (PDPC) in late 2024. The PDPC published a set of principles for public consultation to identify issues and directions for potential amendments to the PDPA. Key issues: Emerging issues include clarifying the definitions of “data controller,” “data processor,” and “criminal record”; revisiting the scope of sensitive personal data to better reflect Thailand’s context; proposing amendments to the hierarchy of legal bases to avoid misconceptions of consent as the default legal basis; and clarifying the required level of expressiveness for explicit consent, as well as rules for collecting personal data from other sources. Current status: The first round of public consultation has concluded. Next steps: The proposed amendments are proceeding to a revised draft following the consultation outcomes. Cybersecurity Act B.E. 2562 (2019) Thailand is moving forward with proposed amendments to enhance the effectiveness of its national cybersecurity framework, as evolving digital technologies bring new risks such as misinformation, system intrusions, and attacks on critical infrastructure, making cybersecurity a national priority. Key issues: The amendments aim to clarify and strengthen

Thailand’s Digital Government Development Agency (DGA) has proposed new standards that would require government agencies to select cloud services exclusively from a preapproved shortlist of providers. The draft Digital Government Standards re: Cloud Service Provider Standards aims to strengthen procurement confidence and reduce risks associated with selecting cloud service providers that do not meet the required standards. A public hearing period on these standards concluded on December 27, 2025. The DGA will now review submitted comments and consider revising the standards accordingly. Shortlisted Cloud Service Provider Tiers The draft standards establish three tiers of cloud service providers based on their assessed service capability levels, core qualifications, and certifications. The DGA sets qualification requirements for each tier, and it is at the discretion of each agency to select the tier of cloud service provider that best suits its operational needs, as follows: Tier 1 cloud service providers are suitable for providing services involving disclosable official data. Tier 2 cloud service providers are suitable for handling official data and protected data, such as personal data, which requires a high-security public cloud (e.g., virtual private cloud). Tier 3 cloud service providers are suitable for providing services to agencies with specific regulatory and security requirements that handle highly protected data, such as the national security system. These providers must offer sovereign or hybrid cloud as stipulated by the Ministry of Digital Economy and Society. All tiers of cloud service providers must be legal entities incorporated under Thai law and can be authorized distributors of offshore cloud service providers. However, each tier will be subject to different requirements, including infrastructure obligations. Government agencies are encouraged to select a cloud service provider appropriate for their intended use. For example, if a government agency intends to procure cloud services for operating applications that process personal data,