Thailand has multiple laws addressing “cyber” issues: the Cybersecurity Act protects critical infrastructure; the Computer Crime Act regulates unauthorized access and false information; and the Royal Decree on Technology Crime Prevention, enacted in 2023, strengthens responses to online fraud. Each has different objectives, regulated entities, and penalties. This article analyzes all three by their statutory provisions and explains practical implications for Japanese companies.
Part 1: Cybersecurity Act B.E. 2562 (2019)
Purpose and Effective Date
The Cybersecurity Act B.E. 2562 took effect on May 27, 2019. Its primary objectives are to secure Thailand’s cyberspace and protect Critical Information Infrastructure (CII).
Supervisory authority: NCSA (National Cyber Security Agency), with policy set by the NCO (National Cybersecurity Committee).
CII Definition and Designated Sectors
Section 3 defines CII as “information systems and communications networks indispensable to national security, public services, and economic continuity.”
The NCO designates CII operators via the Royal Gazette. Eight sectors are currently designated:
| Sector | Example Operators |
|---|---|
| National Security | Defense agencies, intelligence agencies |
| Public Services | Water supply, waste management, government IT systems |
| Finance and Banking | Banks, securities firms, insurance companies |
| Information and Communications Technology | ISPs, data centers, cloud service providers (to be added per draft amendment) |
| Telecommunications | Telephone companies, broadcasters |
| Transportation | Airports, ports, railways |
| Energy | Electric utilities, oil and gas companies |
| Public Health | Hospitals, medical institutions |
Impact on Japanese Manufacturers
Japanese manufacturers whose factory IoT systems or industrial control systems (ICS/SCADA) are embedded in the supply chains of energy or transportation CII operators may be indirectly subject to Cybersecurity Act requirements. The possibility that a factory itself could be designated as “essential to energy supply” cannot be ruled out.
CII Operator Obligations
① Compliance with Security Standards: CII operators must maintain systems compliant with the National Cybersecurity Standard set by NCSA. The specific standards are published via NCO notification in the Royal Gazette.
② Periodic Risk Assessment and Audit: Risk assessments must be conducted at least annually, and the results reported to NCSA.
③ Incident Reporting Obligation: Upon becoming aware of a security incident, CII operators must report it to NCSA within 72 hours. This runs concurrently with the PDPA’s 72-hour data breach notification obligation.
④ Business Continuity and Incident Response Plans: Maintaining a BCP (Business Continuity Plan) and an incident response plan is mandatory.
Three-Tier Threat Level System and Authority Powers
Sections 39–48 govern threat levels and response measures:
| Level | Description | Authority Powers |
|---|---|---|
| Non-Critical | Ordinary cyber incidents | Investigation and information gathering |
| Critical | Incidents affecting CII | Broad investigation powers, directives to CII operators |
| Crisis | Serious impact on national security or economy | Emergency orders, physical system access |
Criticism and Concerns
At the “Crisis” level, authorities may be interpreted as having the power to access systems without a warrant. Human rights organizations and legal practitioners have criticized this aspect. The July 2025 Draft Amendment aimed to address some of these concerns by strengthening procedural safeguards.
July 2025 Draft Amendment — Expansion to Cloud and Data Centers
Key points of the July 2025 Draft Amendment:
- Cloud service providers and data center operators to be added as designated CII entities
- Consideration of data localization requirements (restricting offshore storage of certain data)
- Japanese companies using overseas cloud services (AWS, Azure, GCP) should monitor developments closely
Comparison with Japan’s Basic Act on Cybersecurity
| Element | Thailand Cybersecurity Act | Japan Basic Act on Cybersecurity |
|---|---|---|
| Critical infrastructure sectors | 8 sectors | 14 sectors |
| Enforcement body | NCSA (specialized agency) | NISC (Cabinet Secretariat) |
| Direct regulation of CII operators | Yes (obligations and penalties) | Best-efforts obligations (primarily voluntary) |
| Warrantless system access | Possible at Crisis level | No |
Part 2: Computer Crime Act B.E. 2550 (2007, amended 2017)
Scope of Application
The Computer Crime Act B.E. 2550 applies to all entities using computer systems in Thailand. The 2017 amendment expanded categories of cyber offenses and strengthened service provider obligations.
Key Offenses and Penalties
Section 5 (Unauthorized Access): Prohibition on unauthorized access to computer systems. Penalty: up to 6 months’ imprisonment or up to 10,000 baht fine (or both).
Section 7 (Interception): Unauthorized interception or receipt of computer data. Penalty: up to 3 years’ imprisonment or up to 60,000 baht fine (or both).
Section 9 (Data Tampering, Deletion, or Destruction): Unauthorized modification, deletion, or destruction of computer data. Penalty: up to 5 years’ imprisonment or up to 100,000 baht fine (or both).
Section 10 (System Interference): Acts that impair the functioning of a computer system. Penalty: up to 5 years’ imprisonment or up to 100,000 baht fine (or both).
Section 14 (Dissemination of False Information; controversial provision): Prohibition on entering false computer data “that causes public panic, or damages public order, morality, or national security.” Penalty: up to 5 years’ imprisonment or up to 100,000 baht fine (or both).
Section 14 has been applied to news reporting and social media posts, and has drawn international criticism for potential tension with freedom of expression. Unlike Japan’s approach (where online defamation is addressed primarily through civil claims and specific criminal offenses such as defamation and obstruction of business), Section 14 enables direct criminal liability for online speech.
Section 12 (Attacks on Financial Systems / Critical Infrastructure): Cyberattacks on financial institution or CII systems. Penalty: up to 10 years’ imprisonment or up to 200,000 baht fine.
Service Provider Obligations
Traffic Data Retention (Section 26): ISPs and platform operators must retain user traffic data (access logs, IP addresses, connection timestamps) for a minimum of 90 days and up to 2 years.
Notice and Takedown Obligation: Upon receipt of a court order, service providers must remove or block specified content. Non-compliance: up to 5 years’ imprisonment or up to 100,000 baht fine.
Comparison with Japan’s Unauthorized Computer Access Act
| Element | Thailand Computer Crime Act | Japan Unauthorized Computer Access Act |
|---|---|---|
| Unauthorized access penalty | Up to 6 months (Section 5) | Up to 3 years or 1 million yen fine |
| False information regulation | Yes (Section 14) | No (civil law / specific criminal offenses) |
| Service provider obligations | Log retention 90 days–2 years | Primarily communications secrecy protection |
| Fake news regulation | Yes (criticized as problematic) | No (Ministry guidelines etc.) |
Part 3: Royal Decree on Technology Crime Prevention B.E. 2566 (2023, amended 2025)
Purpose — Addressing Surging Online Fraud
This Decree, enacted in 2023, imposes strong prevention obligations on financial institutions and SNS platforms in response to a surge in call center fraud, online phishing, and romance scams. It was amended in 2025 to further strengthen these obligations.
Financial Institution and Digital Asset Business Obligations
Fraud transaction reporting: Upon becoming aware of a suspected fraudulent transaction, reporting to authorities (DBD or police) within 24 hours.
Cooperation in freezing/suspension: Obligation to cooperate with account freezing or transaction suspension orders from authorities.
Mule Account Regulation
Criminalization: The sale and use of accounts in another person’s name (mule accounts) are criminalized. Penalty: Up to 3 years’ imprisonment + up to 300,000 baht fine
SNS Platform Obligations
24-hour content removal obligation: SNS platforms that receive a government request to remove fraudulent or phishing content must remove it within 24 hours. Failure to comply may expose platform executives to personal criminal liability.
January 2026 Draft Notification — Mandatory User Identity Verification: A Draft Notification published in January 2026 would require SNS platforms to implement KYC (Know Your Customer) identity verification for Thai users. If enacted, platforms such as Facebook, LINE, and TikTok would face real-name registration requirements for Thai accounts.
Connection to the Sexual Harassment Law Reform
Thailand’s sexual harassment law reform enacted in December 2025 includes a “Take It Down” procedure for online sexual images (revenge pornography, etc.). This procedure is expected to operate in conjunction with the Decree’s 24-hour content removal obligation.
Next in the Series
Volume 6 — Final (March 27, 2026): Thailand’s Electronic Transactions Act (legal validity of electronic signatures and contracts, DocuSign in Thai law), digital asset regulation (crypto, ICO, stablecoins), and the series’ concluding digital compliance checklist for Japanese companies.
This article is for general informational purposes about Thailand’s legal system and does not constitute legal advice under Thai law. For specific matters, please consult a Thai-qualified legal professional. Our firm works in collaboration with JTJB International Lawyers’ Thai-qualified attorneys.