Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024.
CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status.
The key obligations of CII organizations are laid out below.
Reporting to the National Cyber Security Agency (NCSA)
CII organizations must provide the following to the NCSA:
- A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes.
- A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason).
Policies, Guidelines, and Procedures
As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025:
- Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan.
- Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery.
CII organizations must also prepare the following:
- Mechanisms, procedures, and steps for monitoring and detecting cyber threats or incidents related to critical infrastructure cybersecurity, as well as cybersecurity resolution systems as designated by the NCSC or CRC. These must comply with the standards set by the regulators (the specific regulator depends on the characteristics of the organization) and the NCSC guidelines.
- Internal methods and procedures for cybersecurity risk management, which must identify risk appetite, conform with the cybersecurity management policy announced by the NCSC, and be approved by the regulator before finally being submitted to the NCSA.
Ongoing Compliance
CII organizations are also responsible for the following ongoing requirements:
- Submit an annual report covering the number and types of cyber threats that arose during the relevant reporting period, as well as the causes and effects of the cyber threats, problems and obstacles in operation, and policy recommendations. The first report must be submitted by January 31, 2025, and by January 31 of each year thereafter.
- Review the cybersecurity guidelines and standards framework described above at least once a year, or whenever there is a significant change to cybersecurity operations.
- Review the methods and procedures for cybersecurity risk management described above at least once a year, or when there is a significant change to cybersecurity operations.
- Review the cybersecurity mechanisms described above at least once a year.
- Conduct a cybersecurity risk assessment in accordance with the NCSC guidelines. The report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. The report must also be submitted to the regulator. This report is distinct from the CII organization’s own risk assessment report.
- Have a third-party or internal cybersecurity auditor conduct a cybersecurity audit at least once a year. The auditor’s report must be submitted to the NCSA within 30 days of completion, but no later than January 31 of the following year. A summary of the report must also be delivered to the regulator.
- Organize a business continuity plan training program at least once a year to evaluate the plan’s effectiveness in addressing cyber threats.
Cybersecurity Incident Response
If a cybersecurity incident occurs, CII organizations must:
- Run detection and analysis procedures as outlined in the NCSC guidelines.
- Notify and submit a report to both the NCSA and the regulator within 24 hours.
- Cooperate with the collection and investigation of evidence relating to the cybersecurity incident by officers under the Cybersecurity Act.
The penalty for a CII organization not reporting a cybersecurity incident that has a significant impact on their systems to the NCSA and the regulator without reasonable cause is a fine of up to THB 200,000 (approx. USD 5,500).
Other Obligations
In addition, CII organizations must do the following:
- Mitigate cybersecurity risks and implement plans to deal with cybersecurity incidents.
- Collaborate with the NCSC, CRC, and NCSA to organize cyber threat response training, including supplying necessary information for the planning and execution of the training.
- Participate in cyber threat readiness tests conducted by the NCSA to ensure preparedness for handling cybersecurity incidents.
- Prepare a business continuity plan in accordance with the prescribed criteria to ensure the ongoing provision of critical services.
- If evidence suggests a cybersecurity incident may have occurred, evaluate the computer systems, data, and surrounding circumstances in order to determine whether the incident occurred and its impact on the organization’s information system.
- State CII organizations must establish a computer emergency response team (CERT) for CII organizations and CII services in their sector, or promptly notify the NCSC of the reason for its inability to do so.
- Cooperate with the relevant sectoral CERT as well as the Thailand Computer Emergency Response Team (ThaiCERT) on cybersecurity incident response, dealing with the effects of cyber threats, and other cybersecurity issues.
- Comply with any orders or notifications issued by the NCSC or the CRC.
The NCSA will review the obligations under this notification at least every two years, or when there is a significant change regarding cybersecurity.
For more information on compliance with Thailand’s cybersecurity regulations, please contact Nopparat Lalitkomon at nopparat.l@tilleke.com, Napassorn Lertussavavivat at napassorn.l@tilleke.com, or Nitcharat Siraprapasiri at nitcharat.s@tilleke.com.