You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

May 15, 2024

Thailand Issues Draft Cybersecurity Standards for Cloud Services

Subscribe to Updates

On May 1, 2024, Thailand’s National Cyber Security Committee (NCSC) published the draft NCSC Notification Re: Cloud Cybersecurity Standards for a public hearing period, which was open until May 14, 2024. These standards have been drafted to drive the country’s cloud-first policy with the aim of minimizing risks from cyber threats to cloud services utilized by government agencies, supervising or regulating organizations, and critical information infrastructure (CII) organizations.

The key points of the draft Cloud Cybersecurity Standards are below.

Scope

  • The standards apply to government agencies, supervising or regulating organizations, and CII organizations under the Cybersecurity Act B.E. 2562 (2019), as well as cloud service providers (defined below).
  • The standards prescribe cloud system cybersecurity measures for cloud service customers (defined below) and providers only to the extent that the service is provided to the in-scope organizations outlined above.

Definitions

  • Cloud service customers (CSCs): In-scope organizations that have a formal contractual agreement to use cloud services provided by a cloud service provider.
  • Cloud service providers (CSPs): Persons who enable cloud services to be used by a cloud service customer, responsible for maintaining infrastructure, platforms, and software that enable provision of the cloud services and for managing these resources to ensure their accessibility, security, and scalability for their cloud service customers.

Application

  • In-scope organizations that will use or have been using cloud services must comply with the Cloud Cybersecurity Standards by taking into account their data or technology information systems’ level of impact, as specified in the previously issued Notification of the NCSC Re: Standards for Defining the Security Category for Data and Information Systems B.E. 2566 (2023).
  • The impact level related to personal data is to be rated as being at least at the medium level, and the minimum standards for that level specified in the draft Cloud Cybersecurity Standards must be adopted.
  • In-scope organizations must report their implementation of the Cloud Cybersecurity Standards to the National Cyber Security Agency (NCSA) within 30 days of completing the implementation.
  • The draft Cloud Cybersecurity Standards will come into force one year from their publication in the Government Gazette.

Structure

The requirements in the Cloud Cybersecurity Standards are divided into two areas, (1) cloud security governance and (2) cloud infrastructure and operations:

Requirement Area 1: Cloud Security Governance

  • Information security policies
  • Organization of information security
  • External supplier relationships
  • Compliance

Requirement Area 2: Cloud Infrastructure Security and Operations  

  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communication security
  • System acquisition, development, and maintenance
  • External supplier relationships
  • Information security incident management

Impact Levels and Requirements

The stipulations of the Cloud Cybersecurity Standards vary depending on the data or information systems’ level of impact. The requirements for each level are summarized in the table below.

For more information on the draft Cloud Cybersecurity Standards, or on any aspect of cybersecurity and cloud-related laws in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected] and Thammapas Chanpanich at [email protected].

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

June 27, 2024
Thailand recently made history by becoming the first country in Southeast Asia to legalize same-sex marriage. This landmark decision recognizes the equality and dignity of all people, regardless of their sexual orientation or gender identity. It also opens up new opportunities for couples who wish to start or grow their families through adoption. One of the benefits of adopting a child in Thailand is that the law does not discriminate based on the gender or sexual orientation of the adoptive parents. As long as the married couple meets the age and legal requirements, they can adopt a child and become their loving and supportive family. This means that same-sex couples who are married can also enjoy the same rights and responsibilities as any other adoptive parents and provide a caring and nurturing environment for their adopted child. One of the main reasons why same-sex couples can adopt a child in Thailand without any discrimination or prejudice is the strong and comprehensive privacy law that protects the personal data of individuals and families. Thailand’s Personal Data Protection Act (PDPA) ensures that the personal data of people, especially children, is collected, used, and disclosed only for legitimate and lawful purposes, and with respect to their rights and dignity. The PDPA also grants the right of consent and other data subject rights to the legal representatives of children, such as their parents or guardians, regardless of their gender or sexual orientation. This means that same-sex adoptive parents can decide how their adopted children’s personal data is processed and can also protect their children’s privacy and interests from any unauthorized or harmful access. The PDPA also safeguards the personal data of same-sex adoptive parents from any unlawful or discriminatory processing that may damage their reputation or violate their rights. In these ways, the
Read More
June 21, 2024
On June 4, Thailand’s Ministry of Commerce (MOC) issued a new notification on e-commerce business registration pursuant to the Commercial Registration Act B.E. 2499 (1956) (CRA), replacing a similar notification from 2010. The new notification (officially titled “Notification Re: Business Regulations that Commercial Operators Must Register and Businesses that Are Not Subject to the Commercial Registration Act, B.E. 2549 B.E. 2567”) took effect on June 5, 2024. While the previous notification required all individuals and legal entities engaged in regulated activities, such as selling goods or services online, to register their businesses with the local district office, the new notification effectively lifts this requirement for certain legal entities. The new notification clearly states that the CRA does not apply to regulated activities conducted by: Private limited companies, registered ordinary partnerships, and limited partnerships (i.e., legal entities under the Civil and Commercial Code); and Public limited companies (i.e., legal entities under the Public Limited Companies Act). Now that the new notification is in effect, limited companies and other specified legal entities are no longer required to register their e-commerce activities and obtain an e-commerce certificate from the MOC. E-commerce certificates previously issued to these legal entities are also voided by the new notification. Nevertheless, the requirement to register for direct marketing and obtain a direct marketing certificate under the Direct Sales and Direct Marketing Act B.E. 2545 (2002) remains in effect for any online sales or e-marketplace platforms administered by legal entities. Given the recent proactive enforcement of penalties for noncompliance with direct marketing registration requirements, we strongly advise business operators to assess whether their operations fall within the scope of direct marketing regulations and require a direct marketing certificate. For more information on e-commerce and direct marketing registration in Thailand, please contact Athistha (Nop) Chitranukroh at [email protected], Nopparat Lalitkomon
Read More
June 19, 2024
Vietnam’s financial landscape is set to further transform on July 1, 2024, when the government’s long-awaited Decree No. 52/2024/ND-CP dated May 15, 2024 (“Decree 52”), will officially replace Decree No. 101/2012/ND-CP dated November 22, 2012, on non-cash payments (“Decree 101”). Decree 52 marks an important milestone by introducing the country’s first-ever legal definition of e-money. In addition, the decree brings forth new updates to regulations governing payment and intermediary payment services, laying the groundwork for more comprehensive guidance that will be provided in draft circulars now being developed by the State Bank of Vietnam (SBV). Non-Cash Payment Instruments The new definition of non-cash payment instruments under Decree 52 expands upon the previous definition in Decree 101. Notably, it clearly specifies the issuing entities as payment service providers, financial companies licensed to issue credit cards, and e-wallet service providers. Additionally, the new definition further clarifies that bank cards include debit, credit, and prepaid cards, and adds e-wallets to the list of non-cash payment instruments. Unlawful non-cash payment instruments are still defined as those that are not otherwise specified. E-Money Prior to Decree 52, the concept of e-money lacked a precise legal definition, despite its growing prevalence in forms like prepaid cards and e-wallets. The absence of a clear framework for e-money led to confusion with terms like “cryptpcurrency” and “virtual currency” and left significant ambiguity on whether e-money includes certain instruments, such as online game cards and mobile money. Decree 52 addresses this issue by clearly defining e-money as value in Vietnamese dong (VND) stored electronically and prepaid by customers to banks, foreign bank branches, and e-wallet service providers. It also specifically designates e-wallets and prepaid cards as types of storage mechanisms for e-money. Non-Cash Payment Services Decree 52 categorizes non-cash payment services into services with and without client payment
Read More
June 19, 2024
On June 14, 2024, the Personal Data Protection Committee (PDPC) released a draft notification under the Personal Data Protection Act 2019 (PDPA), setting out criteria for how data controllers must delete, destroy, and de-identify personal data. According to the PDPA, a data subject can request that a data controller delete, destroy, or de-identify their personal data in any of the following circumstances: The personal data is no longer necessary for the purposes for which it was collected, used, or disclosed. The data subject has withdrawn their consent for the processing of the personal data, and no other lawful basis for processing remains. The data subject has objected to the processing of their personal data on grounds of legitimate interests or official tasks, the data controller has no other compelling grounds to refuse the request, and the data is not needed for legal claims. The data subject objects to the processing of their personal data for direct marketing purposes. The processing of personal data is unlawful. The draft stipulates that data controllers respond to a data subject’s request to delete, destroy, or de-identify personal data immediately, and within 60 days of receiving the request. If the data controller cannot fulfill the request immediately, they must take interim measures to ensure that the personal data is made difficult to collect, use, or disclose. This includes implementing measures such as preventing access to the data and applying appropriate security measures to protect the data from unauthorized use or disclosure. De-identification or Anonymization of Personal Data In certain circumstances, a data controller may opt to de-identify or anonymize personal data, rather than delete or destroy it. If doing so, the data controller must satisfy the following criteria: There must be a structured process to remove or eliminate all direct identifiers linked to the
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice