Cybersecurity · Thailand
Thailand has an in-force, dedicated cybersecurity regime under the Cybersecurity Act B.E. 2562 (2019), which entered full effect on 24 May 2019 and creates a national governance structure (NCSC and NCSA), a three-tier threat classification, and binding obligations on Critical Information Infrastructure (CII) operators across designated sectors. These general obligations are layered over a personal-data breach-notification duty in the PDPA (notify the PDPC within 72 hours) and sector-specific rules such as the Bank of Thailand's IT-risk and security notifications for financial institutions. Subordinate regulation is actively maturing, including a September 2025 Royal Gazette notification revising the official CII sector list and detailing CII operators' incident-reporting duties.
The Cybersecurity Act B.E. 2562 (2019) was published in the Royal Thai Gazette and took full effect on 24 May 2019, establishing a national framework to protect national security, public order, the economy and critical infrastructure from cyber threats.
The Act creates the National Cyber Security Committee (NCSC), chaired by the Prime Minister, a Cyber Security Supervisory Committee (CSSC), and the National Cyber Security Agency (NCSA) as the operational authority overseeing standards, monitoring and enforcement.
CII organizations across designated sectors (national security, public services, banking/finance, IT and telecoms, transport and logistics, energy and utilities, public health, and others) must adopt NCSC-approved security measures, run periodic risk assessments/audits, and cooperate with investigations.
A September 2025 NCSC notification (Royal Gazette, 16 Sept 2025) revised the CII sector list and requires CII operators to report significant cybersecurity incidents to both the NCSA and their sector regulator within 24 hours, with fines up to THB 200,000 for unjustified non-reporting.
Under the Personal Data Protection Act B.E. 2562 (2019), a data controller must notify the PDPC within 72 hours of becoming aware of a personal-data breach (unless unlikely to risk individuals' rights); in August 2025 the PDPC imposed THB 21.5 million in fines, partly for failures to report breaches.
The Bank of Thailand layers cyber/IT-risk requirements on financial institutions, including IT risk-governance criteria (SorNorSor 21/2562), security measures for mobile financial services (Notification No. 4/2568, effective 7 March 2025), and 2025 AI risk-management guidelines.
Machine-assisted translation · verified 5/25/2026 · orientation, not legal advice.