Thailand’s Cyber Security Maintenance Act of 2019

National Regulations

The Cyber Security Maintenance Act of 2019 (B.E. 2562) was promulgated by His Majesty King Maha Vajiralongkorn Phra Vajiraklaochaoyuhua to address Thailand’s increasing need for robust cybersecurity measures. Enacted on 24 May 2019, this law marks a significant milestone in the nation’s digital governance and security landscape. Recognising the evolving and potentially devastating risks posed by cyber threats, the Act establishes a comprehensive framework to safeguard national security, public order, economic stability, and critical infrastructure.

The legislation acknowledges the necessity to curtail certain personal rights and liberties as per provisions of the Thai Constitution. This restriction is justified by the pressing need to enhance the efficiency of cybersecurity maintenance and to devise preventative and remedial measures against cyber threats. Through this legal instrument, Thailand seeks to achieve a balance between maintaining national security and adhering to democratic principles.

Overview of the Cyber Security Maintenance Act, B.E. 2562 (2019)

The Act encompasses various aspects critical to the nation’s cybersecurity framework. Key highlights include:

  1. Definitions and scope:
    • It delineates terms such as ‘cybersecurity maintenance,’ ‘cyber threat,’ and ‘critical information infrastructure,’ setting the groundwork for consistent interpretation and application.
  2. Administrative framework:
    • The Act establishes the National Cyber Security Committee (NCSC), chaired by the Prime Minister, to oversee the strategic direction of cybersecurity efforts. It is supported by the Cyber Security Supervisory Committee (CSSC), which ensures policy implementation and handles critical cyber threats.
  3. Role of the office of the National Cyber Security Committee:
    • This office acts as the operational arm, facilitating coordination among state and private agencies, monitoring threats, and enforcing compliance with prescribed standards.
  4. Critical information infrastructure protection:
    • Specific provisions are designed to identify, assess, and safeguard critical sectors, including finance, energy, telecommunications, and public health, against cyber threats.
  5. Cyber threat management:
    • The Act categorises cyber threats into three levels—non-serious, serious, and critical—and outlines protocols for handling each. It empowers authorities to enforce preventative and mitigative measures, including access to and examination of affected systems.
  6. Legal and compliance measures:
    • The legislation mandates regular audits, risk assessments, and adherence to established cybersecurity codes of practice. Agencies failing to meet standards are subject to corrective directives.
  7. International cooperation:
    • Recognising the global nature of cyber threats, the Act encourages collaboration with international entities to bolster Thailand’s defensive capabilities.