Advance Blog

March 27, 2024

Thailand Lays Out New Cybersecurity Standards

Thailand’s National Cyber Security Committee (NCSC) released three notifications under the Cybersecurity Act on January 18, 2024, setting cybersecurity-related requirements for key organizations and assets. While one of these notifications already took effect, the two most notable will take effect on January 18, 2025 (i.e., one year from their publication in the Government Gazette).

These two are the NCSC Notification Re: Standards for Defining the Security Category for Data or Information Systems B.E. 2566 (2023) (“Notification on Security Category”) and the NCSC Notification Re: Minimum Standards for Data and Information Systems B.E. 2566 (2023) (“Notification on Minimum Standards”).

These notifications apply to:

  • State agencies;
  • Supervising or regulating organizations (i.e., state organizations, private organizations, or persons designated by law to regulate or supervise the affairs of state organizations or critical information infrastructure organizations); and
  • Critical information infrastructure organizations (i.e., organizations related to or providing national security, significant public services, banking and finance, information technologies and telecommunications, transportation and logistics, energy and public utilities, and public health).

Collectively these are defined as “Organizations” under the notifications.

Notification on Security Category

The Notification on Security Category sets forth risk-based security classifications—or “security categories”—for Organizations’ data or information systems.

For security category assessment purposes, Organizations are required to perform a self-assessment of their data or information systems based on three key security objectives: confidentiality, integrity, and availability. Each of these objectives is further categorized into three risk levels (low, medium, and high), taking into account the assessment of potential impact in the following areas:

  • Organizations’ financial value or reputation;
  • Organizations’ number of service users;
  • Organizations’ ability to perform their duties;
  • State stability or public order.

The risk levels for the three objectives are determined by considering whether there are “minimal,” “severe,” or “serious severe” effects, as described below:

  • Confidentiality (not including data classified as “secret,” which follows different criteria): The effects of unauthorized disclosure of data on Organizations’ reputation and financial value;
  • Integrity: The effects of unauthorized alteration or destruction of data on Organizations’ performance; and
  • Availability: The effects of inability to access or use the data or information system on Organizations’ performance.

If their systems handle different types of data, Organizations must assess each type and set the security category based on the highest risk level identified.

The security category should be reviewed at least once every three years, with the results properly recorded.

Notification on Minimum Standards

Once the security category is determined, Organizations are responsible for applying the minimum cybersecurity measures stipulated in the Notification on Minimum Standards. These measures are outlined in the table below, which indicates the items that are required for minimum cybersecurity measures under each security category.

For more information on compliance with these notifications under the Cybersecurity Act, or on any aspect of cybersecurity in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], or Rada Lamsam at [email protected].

Athistha (Nop) Chitranukroh
Nopparat Lalitkomon
Napassorn Lertussavavivat
Rada Lamsam

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (“PDPA”)

As the Personal Data Protection Act (PDPA) also applies to personal data collected prior to the PDPA’s entry into force, please be informed that AustCham Thailand will automatically keep your contact details including email address, name and last name, and company details, on our mailing list.

Your data was received by AustCham Thailand as a result from you either registering or attending an event, contacting our office or subscribing to regular updates via the website. However, if you would like to stop receiving emails AustCham Thailand and revoke your consent for AustCham to keep and use your data to contact you for chamber events and updates, please scroll down to the end of this email and click “Unsubscribe from this list”. Your personal data will be shortly deleted once the opt-out notice request is received.

Please note that your data is kept in AustCham’s CRM system, please see here for AustCham’s Terms of Use and Privacy Policy. AustCham uses a management software system from Wild Apricot, and emails are distributed through MailChimp.