This chapter provides an overview of the legal system and key laws for foreign companies doing business in Thailand. Presented in a question-and-answer format, the chapter examines the rules governing foreign investment, business vehicles, employment, tax, competition, intellectual property, marketing agreements, e-commerce, data protection, and product liability.
February 27, 2024
Thailand’s National Cyber Security Committee (NCSC) released three notifications under the Cybersecurity Act on January 18, 2024, setting cybersecurity-related requirements for key organizations and assets. While one of these notifications already took effect, the two most notable will take effect on January 18, 2025 (i.e., one year from their publication in the Government Gazette). These two are the NCSC Notification Re: Standards for Defining the Security Category for Data or Information Systems B.E. 2566 (2023) (“Notification on Security Category”) and the NCSC Notification Re: Minimum Standards for Data and Information Systems B.E. 2566 (2023) (“Notification on Minimum Standards”).

These notifications apply to:

- State agencies;
- Supervising or regulating organizations (i.e., state organizations, private organizations, or persons designated by law to regulate or supervise the affairs of state organizations or critical information infrastructure organizations); and
- Critical information infrastructure organizations (i.e., organizations related to or providing national security, significant public services, banking and finance, information technologies and telecommunications, transportation and logistics, energy and public utilities, and public health).

Collectively these are defined as “Organizations” under the notifications.

Notification on Security Category

The Notification on Security Category sets forth risk-based security classifications—or “security categories”—for Organizations’ data or information systems. For security category assessment purposes, Organizations are required to perform a self-assessment of their data or information systems based on three key security objectives: confidentiality, integrity, and availability.
Each of these objectives is further categorized into three risk levels (low, medium, and high), taking into account the assessment of potential impact in the following areas:

- Organizations’ financial value or reputation;
- Organizations’ number of service users;
- Organizations’ ability to perform their duties;
- State stability or public order.

The risk levels for the three objectives are determined by considering whether there are “minimal,” “severe,” or “serious severe” effects, as described below:

Confidentiality (not including data classified