Thailand: Implemented CRC order establishing obligations for critical information infrastructure organisations

On 20 June 2024, the Cybersecurity Regulating Committee’s (CRC) order on the obligations of obligations for critical information infrastructure (CII) entered into force. In particular, the CII organisations encompass state and private entities providing essential services in sectors such as national security, finance, and public health. The CII obligations include reporting to the National Cyber Security Agency (NCSA) lists of executive staff and responsible persons, along with emergency contacts. By June 20, 2025, these organisations must develop cybersecurity guidelines, standards frameworks, and internal procedures for risk management. Ongoing compliance requires annual reporting on cyber threats, regular reviews of cybersecurity policies, and conducting audits. In the event of a cybersecurity incident, organisations must follow detection protocols and report to the NCSA within 24 hours. Additionally, CII organizations must mitigate cybersecurity risks, participate in training, and establish a computer emergency response team. The NCSA will review these obligations biannually or as needed.