Search for:

The Cybersecurity Act, B.E. 2562 (2019) (“Act”) has been published on 27 May 2019, and is now effective.

Those who are monitoring the Cybersecurity Act, as discussed in our previous client alert, may like to note that the obligations under the Cybersecurity Act remain the same as the latest publicly-available version (the version available on MDES website on 11 March 2019).

In essence, private entities may have obligations under the Cybersecurity Act under two scenarios, as follows:

1. In an occurrence of cyber threats

Cyber threats are classed at three levels, with varying compliance obligations for each level. In the event of a cyber threat, private entities may be required to:

    (i) provide access to relevant computer data or a computer system, or other information related to the computer system only to the extent necessary to prevent cyber threats;
    (ii) monitor the computer or computer system; and
    (iii) allow officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.

Certain orders would require a court order, while others will not. However, generally, such orders must be limited to the necessity to preventing or handling cyber threats.

2. In the event the organization fits the criteria of a Critical Information Infrastructure Organization (CII Organization)

Subject to future sub-regulation, organizations which undertake the following tasks or provide the following services may be deemed a CII Organization:

    (1) National security;
    (2) Material public service;
    (3) Banking and finance;
    (4) Information technology and telecommunications;
    (5) Transportation and logistics;
    (6) Energy and public utilities;
    (7) Public health;
    (8) Others as prescribed by the National Cybersecurity Committee (NCSC);

Private entities which are deemed CII Organizations would have compliance obligations, such as to:

    (i) provide names and contact information of the owner(s), person(s) possessing the computer and person(s) monitoring the computer system;
    (ii) comply with the code of practice and minimum cybersecurity standards;
    (iii) conduct cybersecurity risk assessment; and
    (iv) notify the authority of cyber threats.

Penalties under the Act vary from fines to imprisonment.

To prepare for compliance with the Act, private entities can prepare their IT systems, review and update relevant legal documentation (e.g., IT policies and notice of security breaches), and conduct personnel training to raise awareness on cybersecurity. In addition, organizations listed as possible CII Organizations under (2) above will benefit from familiarizing themselves with the Act, and in the meantime closely monitoring the developments of the sub-regulation to be further prescribed by the National Cybersecurity Committee (NCSC).


Dhiraphol Suwanprateep is a partner in Baker McKenzie's Bangkok office, where he is head of the IT/Communications Practice Group and co-head of the Intellectual Property Practice Group. Mr. Suwanprateep advises clients on government initiatives, particularly Thailand's Digital Economy Initiative which promotes the local ITC sector through strategies aimed at developing related infrastructure, accelerating innovation, and transforming the country's economy into one that is based on digital technologies. His work also involves advising on the amended Computer Crime Act which increases penalties for cyber crimes. He is also a regular commentator and contributor to local, regional and global media on the government's proposed initiatives and frequently participates in local community engagements throughout the country. Dhiraphol joined Baker McKenzie in 1987 and became a partner in 1992.