Thailand’s National Cyber Security Committee (NCSC) released three notifications under the Cybersecurity Act on January 18, 2024, setting cybersecurity-related requirements for key organizations and assets. While one of these notifications already took effect, the two most notable will take effect on January 18, 2025 (i.e., one year from their publication in the Government Gazette).
These two are the NCSC Notification Re: Standards for Defining the Security Category for Data or Information Systems B.E. 2566 (2023) (“Notification on Security Category”) and the NCSC Notification Re: Minimum Standards for Data and Information Systems B.E. 2566 (2023) (“Notification on Minimum Standards”).
These notifications apply to:
- State agencies;
- Supervising or regulating organizations (i.e., state organizations, private organizations, or persons designated by law to regulate or supervise the affairs of state organizations or critical information infrastructure organizations); and
- Critical information infrastructure organizations (i.e., organizations related to or providing national security, significant public services, banking and finance, information technologies and telecommunications, transportation and logistics, energy and public utilities, and public health).
Collectively these are defined as “Organizations” under the notifications.
Notification on Security Category
The Notification on Security Category sets forth risk-based security classifications—or “security categories”—for Organizations’ data or information systems.
For security category assessment purposes, Organizations are required to perform a self-assessment of their data or information systems based on three key security objectives: confidentiality, integrity, and availability. Each of these objectives is further categorized into three risk levels (low, medium, and high), taking into account the assessment of potential impact in the following areas:
- Organizations’ financial value or reputation;
- Organizations’ number of service users;
- Organizations’ ability to perform their duties;
- State stability or public order.
The risk levels for the three objectives are determined by considering whether there are “minimal,” “severe,” or “serious severe” effects, as described below:
- Confidentiality (not including data classified as “secret,” which follows different criteria): The effects of unauthorized disclosure of data on Organizations’ reputation and financial value;
- Integrity: The effects of unauthorized alteration or destruction of data on Organizations’ performance; and
- Availability: The effects of inability to access or use the data or information system on Organizations’ performance.
If their systems handle different types of data, Organizations must assess each type and set the security category based on the highest risk level identified.
The security category should be reviewed at least once every three years, with the results properly recorded.
Notification on Minimum Standards
Once the security category is determined, Organizations are responsible for applying the minimum cybersecurity measures stipulated in the Notification on Minimum Standards. These measures are outlined in the table below, which indicates the items that are required for minimum cybersecurity measures under each security category.