On 10 September 2026, the National Cyber Security Committee’s (NCSC) standards for the maintenance of cybersecurity in cloud computing systems B.E. 2566 (2023) enter into force. The standards specify that Cloud Service Providers (CSPs) must implement security measures to protect the integrity, confidentiality, and availability of cloud systems. This includes encryption, access controls, incident management, and compliance with regulations. Both Cloud Service Customers (CSCs) and CSPs share responsibility for managing cybersecurity risks. This involves collaboration in securing data and systems from unauthorised access, conducting audits, and ensuring compliance with cybersecurity standards. CSPs must undergo regular certification based on the impact level of the services they provide (low, medium, or high impact). Certifications include compliance with international standards such as ISO/IEC 27001, ISO/IEC 27017 (cloud-specific security), and ISO/IEC 27018 (protection of personal data in the cloud). CSPs are required to notify CSCs and regulatory authorities promptly in the event of a data breach or cybersecurity incident, particularly if personal data is compromised. Both CSPs and CSCs must have procedures for managing and mitigating incidents to prevent future breaches. Both CSPs and CSCs must ensure adherence to the Personal Data Protection Act B.E. 2562 (2019), with clear roles defined for securing personal data and reporting breaches.