Cybersecurity · Thailand

Cybersecurity regulation in Thailand (2026)

Comprehensive law: Cybersecurity Act B.E. 2562 (2019), administered by the National Cyber Security Committee (NCSC) and National Cyber Security Agency (NCSA); complemented by the Personal Data Protection Act B.E. 2562 (2019) for data-breach duties and sector regulators (e.g. Bank of Thailand) for financial services.

Country index 81 · B+

Thailand has an in-force, dedicated cybersecurity regime under the Cybersecurity Act B.E. 2562 (2019), which entered full effect on 24 May 2019 and creates a national governance structure (NCSC and NCSA), a three-tier threat classification, and binding obligations on Critical Information Infrastructure (CII) operators across designated sectors. These general obligations are layered over a personal-data breach-notification duty in the PDPA (notify the PDPC within 72 hours) and sector-specific rules such as the Bank of Thailand's IT-risk and security notifications for financial institutions. Subordinate regulation is actively maturing, including a September 2025 Royal Gazette notification revising the official CII sector list and detailing CII operators' incident-reporting duties.

Key points

Comprehensive law in force

The Cybersecurity Act B.E. 2562 (2019) was published in the Royal Thai Gazette and took full effect on 24 May 2019, establishing a national framework to protect national security, public order, the economy and critical infrastructure from cyber threats.

Governance: NCSC and NCSA

The Act creates the National Cyber Security Committee (NCSC), chaired by the Prime Minister, a Cyber Security Supervisory Committee (CSSC), and the National Cyber Security Agency (NCSA) as the operational authority overseeing standards, monitoring and enforcement.

Critical Information Infrastructure obligations

CII organizations across designated sectors (national security, public services, banking/finance, IT and telecoms, transport and logistics, energy and utilities, public health, and others) must adopt NCSC-approved security measures, run periodic risk assessments/audits, and cooperate with investigations.

CII incident reporting (24 hours)

A September 2025 NCSC notification (Royal Gazette, 16 Sept 2025) revised the CII sector list and requires CII operators to report significant cybersecurity incidents to both the NCSA and their sector regulator within 24 hours, with fines up to THB 200,000 for unjustified non-reporting.

Personal-data breach notification (PDPA)

Under the Personal Data Protection Act B.E. 2562 (2019), a data controller must notify the PDPC within 72 hours of becoming aware of a personal-data breach (unless unlikely to risk individuals' rights); in August 2025 the PDPC imposed THB 21.5 million in fines, partly for failures to report breaches.

Sectoral financial-services rules

The Bank of Thailand layers cyber/IT-risk requirements on financial institutions, including IT risk-governance criteria (SorNorSor 21/2562), security measures for mobile financial services (Notification No. 4/2568, effective 7 March 2025), and 2025 AI risk-management guidelines.

Timeline - major decisions & events

Sep 16, 2025 · decision
NCSC Issues Revised and Expanded CII Organization List in Royal Gazette

The National Cyber Security Committee published a new CII designation list replacing the 2023 classifications, broadening coverage to reflect technological interdependencies and formally pairing each of the seven CII sectors (national security, essential government services, banking/finance, ICT, transport/logistics, public utilities, and health) with a designated sector regulator.

Source: Silk Legal

Jul 21, 2025 · guidance
NCSA Releases Draft Cybersecurity Act Amendment for Public Consultation

Thailand's NCSA published proposed amendments to the Cybersecurity Act B.E. 2562, seeking to extend oversight to cloud service providers and data centers hosting CII data, introduce a three-tier cyber-incident classification system, and broaden the definitions of 'cyber threat' and 'cybersecurity'; public comments closed 5 August 2025.

Source: Tilleke & Gibbins

Mar 1, 2025 · incident
Thailand Ministry of Finance Breached by Babuk Ransomware Group

Threat actor Babuk was linked to a breach of Ministry of Finance systems in March 2025, exposing government data and underscoring persistent vulnerabilities in Thai public-sector IT infrastructure despite the Cybersecurity Act framework.

Source: BreachSense

Jan 18, 2025 · law
NCSC Baseline Cybersecurity Standards Become Mandatory for CII Operators

Three NCSC notifications published in the Royal Gazette on 18 January 2024 entered into force, requiring all Critical Information Infrastructure Operators (CIIOs) to classify their data/information systems into low, medium, or high risk categories and implement corresponding baseline controls aligned with confidentiality, integrity, and availability objectives.

Source: Herbert Smith Freehills Kramer

Aug 21, 2024 · enforcement
PDPC Issues First PDPA Administrative Fine — THB 7 Million Against JIB Computer Group

The Personal Data Protection Committee imposed the statutory maximum fine of THB 7 million on JIB Computer Group Co., Ltd. for failing to appoint a DPO, implementing inadequate security measures that allowed personal data to leak to call-center fraud gangs, and delaying breach notification — marking the first private-sector penalty under the PDPA since full enforcement began in 2022.

Source: Nishimura & Asahi

Jan 18, 2024 · guidance
NCSC Publishes Three Cybersecurity Standards Notifications in Royal Gazette

The National Cyber Security Committee gazetted notifications on (1) minimum baseline standards for CIIO data/information systems, (2) security category classification criteria, and (3) related requirements, giving CIIOs a one-year transition period before mandatory compliance on 18 January 2025.

Source: Tilleke & Gibbins

Nov 24, 2023 · enforcement
PDPC Announces First-Ever Enforcement Action Under PDPA Against Insurance Company

Thailand's Personal Data Protection Committee publicly confirmed it was taking enforcement action for the first time since full PDPA implementation, targeting a Thai insurer for non-compliant handling of children's and parents' personal data in marketing activities, signaling the start of active enforcement.

Source: Herbert Smith Freehills

Jun 1, 2022 · law · official
Personal Data Protection Act Enters Full Force After Two-Year Delay

After successive one-year postponements following enactment in May 2019, and following the establishment of the Personal Data Protection Committee in January 2022, the PDPA came into full effect on 1 June 2022, imposing mandatory cybersecurity safeguards, breach notification duties, and DPO appointment requirements on all organizations processing personal data of Thai residents.

Source: U.S. International Trade Administration

Aug 24, 2021 · decision · official
NCSC Formally Designates Seven CII Sectors and Issues CIIO Compliance Criteria

The National Cyber Security Committee issued Notification B.E. 2564 designating seven sectors as Critical Information Infrastructure — national security, essential government services, banking and finance, ICT, transportation and logistics, public utilities, and health — and prescribing mandatory cybersecurity readiness plans, incident reporting channels, and responsible officer requirements for CII operators.

Source: ThaiCERT / NCSA (official)

May 27, 2019 · law · official
Cybersecurity Act B.E. 2562 Promulgated — Establishes NCSC, NCSA, ThaiCERT, and CII Regime

Thailand's landmark Cybersecurity Act was published in the Royal Gazette, creating the National Cyber Security Committee (chaired by the Prime Minister), the National Cyber Security Agency, and ThaiCERT, while establishing the Critical Information Infrastructure protection framework, mandatory incident reporting obligations, and broad government emergency response powers.

Source: Ministry of Digital Economy and Society (MDES)

Jan 24, 2017 · law
Computer Crimes Act No. 2 Amendment Published — Broadening Offenses and Enforcement Powers

The Amendment Act B.E. 2560 was gazetted on 24 January 2017 (effective 24 May 2017), expanding criminal offenses to cover online fraud, child exploitation material, and content deemed threatening to state stability, while strengthening investigative powers — including data access provisions — and imposing compliance obligations on service providers to cooperate with authorities.

Source: LawPlus Ltd.

Jun 18, 2007 · law
Computer Crime Act B.E. 2550 Enacted — Thailand's First Cybercrime Statute

Thailand's foundational cybercrime law was published in the Royal Gazette and took effect on 17 July 2007, criminalizing unauthorized computer access, data and system interference, dissemination of illegal content, and related offenses; it remained the primary cybersecurity criminal instrument for a decade before its 2017 amendment.

Source: Wikipedia — Computer Crime Act (Thailand)

Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources linked above.