Search for:

Along with the Thailand Personal Data Protection Act (please see our previous client alert Get Ready: The First Thailand Personal Data Protection Act Has Been Passed), the Cybersecurity Act was also approved and endorsed by the National Legislative Assembly on 28 February 2019.

Please see below a key summary of the Cybersecurity Act.

1.     Effective Date

Once the Cybersecurity Act is published in the Government Gazette, the Act will become effective. We expect that the Act will be published in the Government Gazette in a couple of months (tentatively in April or May 2019).

2.     The definitions of Cybersecurity and Cyber Threats

Under the current version of the Cybersecurity Act, “Cybersecurity” means any measure or procedure established to prevent, handle, and/or mitigate the risk of Cyber Threats from both inside and outside the country, which affect national security, economic security, martial security, and public order.

“Cyber Threats” mean any action or unlawful undertaking done using a computer, computer system, or undesirable program with an intention to cause harm to the computer system, computer data, or other relevant data, and includes imminent threats which would cause damage or affect operation of the computer, computer system, or other relevant data.

3.     Levels of Cyber Threats

The Act has classed Cyber Threats into three levels, as follows:

(1) non-critical level Cyber Threats;
(2) critical level Cyber Threats; and
(3) crisis level Cyber Threats.

The power and authority of relevant officials against private organizations will be different depending on the level of a particular Cyber Threat.

4.     Obligations of Private Organizations

Private organizations could be subject to the Cybersecurity Act, as follows:

(1)    Critical information infrastructure organizations

Private organizations using computers and computer systems in the course of their operations to maintain national security, public security, national economic security, or fundamental infrastructure for public interest could be deemed critical information infrastructure organizations under the Act.

Critical information infrastructure organizations have various obligations under the Act, including (i) providing names and contact information of the owner(s), person(s) possessing the computer and person(s) monitoring the computer system; (ii) complying with the code of practice and minimum cybersecurity standards; (iii) conducting risk assessment; and (iv) notifying of Cyber Threats.

In the event of a Cyber Threat, a critical information infrastructure organization is required to investigate related information, computer data, and the computer system of such affected organization, and protect, handle, and mitigate the risks from the Cyber Threats in accordance with the Code of Practice and cybersecurity standards. Critical information infrastructure organizations are also subject to the same obligations as private organizations.

 (2)    Private organizations

Private organizations which are not critical information infrastructure organizations are also subject to the Act.

In the event of a Cyber Threat, the relevant authorities may request cooperation from or order private organizations to perform various actions, such as (i) providing access to relevant computer data or a computer system, or other information related to the computer system only to the extent it is necessary to prevent Cyber Threats, (ii) monitoring the computer or computer system; (iii) allowing officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.

Generally, such orders must be limited to the necessity to preventing or handling Cyber Threats. The extent of the orders will depend on the level of a particular Cyber Threat. Certain orders would require a court order, while others will not. The penalties vary from fines to imprisonment.

Once the Cybersecurity Act is published in the Government Gazette, any potential entities that could be deemed critical information infrastructure organizations should monitor the development of the Act closely and prepare for compliance. In addition, all other entities should prepare their IT systems and update relevant legal documents, including IT policies and breach notifications, and conduct personnel training to raise awareness on cybersecurity.

For more information, please contact our team at Baker McKenzie.

Our previous alerts on cybersecurity:

Released Title
December 2018 Cybersecurity Bill Revised and Reissued in November 2018
October 2018 Updates on the Thai Cybersecurity Bill, the Draft Amendment to the Electronic Transaction Act and the Digital ID Bill
April 2018 Revisions to the Thai Cybersecurity Bill Revealed

Dhiraphol Suwanprateep is a partner in Baker McKenzie's Bangkok office, where he is head of the IT/Communications Practice Group and co-head of the Intellectual Property Practice Group. Mr. Suwanprateep advises clients on government initiatives, particularly Thailand's Digital Economy Initiative which promotes the local ITC sector through strategies aimed at developing related infrastructure, accelerating innovation, and transforming the country's economy into one that is based on digital technologies. His work also involves advising on the amended Computer Crime Act which increases penalties for cyber crimes. He is also a regular commentator and contributor to local, regional and global media on the government's proposed initiatives and frequently participates in local community engagements throughout the country. Dhiraphol joined Baker McKenzie in 1987 and became a partner in 1992.


Pattaraphan joined Baker McKenzie in 2011 and is a Partner in the Intellectual Property and Technology practice. Before joining Baker McKenzie, she worked at the National Broadcasting and Telecommunications Commission (NBTC) as a legal officer. Pattaraphan is also one of the very few Thai lawyers that is a Certified Information Privacy Professional/Europe (CIPP/E).