Thailand: Cybersecurity Act, B.E. 2562 (2019)

The Cybersecurity Act, B.E. 2562 (2019), is Thailand’s primary law concerning cybersecurity. The Act protects the country’s critical infrastructure, computer systems, and data from cyber threats. It creates a framework for cybersecurity management and promotes public-private collaboration to prevent and mitigate cybersecurity incidents.

Under the Act, the government can establish a cybersecurity committee to oversee and coordinate cybersecurity activities in the country. It also provides for establishing a National Cybersecurity Agency and developing a cybersecurity master plan. The Act defines critical infrastructure and outlines the measures necessary to protect it, such as requiring relevant entities to develop their cybersecurity measures.

The Act criminalizes certain cyber activities, including unauthorized access to a computer system, interception of computer data, and spreading false information. It also mandates that certain companies implement specific cybersecurity measures, including regular risk assessments and reporting cybersecurity incidents to the authorities. The Act aims to promote the safe use of information technology and prevent cybercrime in Thailand.

Section 1 – This Act is called the “Cybersecurity Act, B.E. 2562 (2019)”
Section 2 – This Act shall come into force on the day following the date of its publication in the Government Gazette.
Section 3 – Under this Act …
Section 4 – The Prime Minister shall be in charge of this Act and shall have the power to issue notifications related hereto and appoint the Competent Official for execution of this Act.

Chapter 1: Committee
Part 1 – National Cybersecurity Committee
Section 5 – There shall be a committee named the “National Cyber Security Committee”. The English name shall be “National Cyber Security Committee” abbreviated as “NCSC.”
Section 6 – Honorary directors in the Committee must have Thai nationality and shall not possess the following prohibited characteristics …
Section 7 – An honorary director in the Committee shall have a four-year term for each office, and may be reappointed, but shall not be in the office for more than two consecutive terms.
Section 8 – Apart from the expiration of term under section 7, an honorary director vacates office upon …
Section 9 – The Committee shall have the following duties and powers to:
Section 10 – The meeting of the Committee shall be in accordance with the rules as determined by the Committee, where the meeting may proceed via electronic means or other means.
Section 11 – The chairperson and the directors shall receive a meeting allowance or other compensation in accordance with the rules determined by the Cabinet.

Part 2 – Cybersecurity Regulating Committee
Section 12 – In undertaking the duty and power of the Committee in accordance with section 9, there shall be a Cybersecurity Regulating Committee abbreviated as “CRC,” comprising …
Section 13 – The CRC shall have the following duties and powers …
Section 14 – In order to act in accordance with section 13 paragraph one (2) to cope with Cyber Threats in a timely manner …
Section 15 – The provision of section 6, section 7, and section 8 shall be applied to the honorary directors in the CRC mutatis mutandis.
Section 16 – The CRC shall have the power to appoint the sub-committee to perform any tasks as assigned by the CRC.
Section 17 – The meeting of the CRC and the sub-committee shall be in accordance with the rules as determined by the CRC, where the meeting may proceed via electronic means or other means.
Section 18 – The chairperson, the chairman of the sub-committee, and the sub-committee which the CRC appointed shall receive a meeting allowance or other compensation in accordance with the criteria determined by the Cabinet.
Section 19 – In order to perform the duties in accordance with this Act, the Competent Official shall present his/her identification card to the relevant person.

Chapter 2: Office of the National Cybersecurity Committee
Section 20 – There shall be an Office of the National Cybersecurity Committee as a Government Agency …
Section 21 – The operation of the Office is not regulated by the labor protection law, labor relation law, social security law, and compensation fund law.
Section 22 – The Office shall be responsible for administrative, academic, meeting, and secretarial tasks of the Committee and the CRC, and shall also have the duties and powers to …
Section 23 – In the operation of the Office, aside from the duties and powers under section 22, the Office shall have the following general duties and powers to …
Section 24 – The capital and properties for the operation of the Office shall consist of …
Section 25 – There shall be a Committee Managing the Office of the National Cybersecurity Committee, abbreviated as “CMO,” to supervise the general administration of the Office.
Section 26 – The honorary directors of the CMO shall have a four-year term for each office.
Section 27 – The CMO shall have the following duties and powers to …
Section 28 – The chairperson and the director, the chairman of the sub-committee, and the sub-committee appointed by the CMO shall receive a meeting allowance and other compensation in accordance with the rules determined by the Committee.
Section 29 – The Office shall have a Secretary-General responsible for the operation of the Office and being a supervisor of the officers and employees of the Office.
Section 30 – A Secretary-General shall have the following qualifications …
Section 31 – A person having any of the following characteristics shall be prohibited from being a Secretary-General …
Section 32 – The Committee shall determine the salary and other compensation of a Secretary-General in accordance with the method determined by the Cabinet.
Section 33 – A Secretary-General shall have a four-year term for each office.
A Secretary-General who has vacated the office due to expiration of the term may be reappointed, but not exceeding two terms.
Section 34 – Each year, there shall be a performance evaluation of a Secretary-General in accordance with the period and method determined by the Committee.
Section 35 – Apart from the expiration of term, a Secretary-General vacates office upon …
Section 36 – A Secretary-General under the supervision of the Committee, CRC, and CMO shall comply with the orders of the Committee, CRC, and CMO under the duties and powers as follows …
Section 37 – The accounts of the Office shall be prepared in accordance with the forms and criteria determined by the CMO, taking into account international principles and accounting standards.
Section 38 – The Office shall prepare and submit a financial statement and accounting report to an auditor within ninety days from end of the fiscal year.
Section 39 – The Office shall prepare an annual report to be submitted to the Committee within one hundred and eighty days from …
Section 40 – The Cabinet shall have the power to generally supervise the operation of the Office in accordance with …

Chapter 3: Maintaining Cybersecurity
Part 1 – Policies and plans
Section 41 – Maintaining Cybersecurity shall take into consideration the unity and integration of the operation of Government Agencies …
Section 42 – The policy and plan on Maintaining Cybersecurity shall at least contain the following objectives and approaches …
Section 43 – The Committee shall prepare a policy and plan for Maintaining Cybersecurity in accordance with section 42 to propose to the Cabinet for approval, which shall be published in the Government Gazette.
Section 44 – The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure …

Part 2 – Management
Section 45 – The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure …
Section 46 – For the benefit of Maintaining Cybersecurity, the Government Agency, Supervising or Regulating Organization, …
Section 47 – In case the performance of the duties in accordance with this Act requires knowledge and expertise, the Committee …

Part 3 – Critical Information Infrastructure
Section 48 – The Critical Information Infrastructure is an operation which is important to national security, military security, economic security, and public order in the country.
Section 49 – The Committee shall have the power to prescribe in a notification the characteristics of the organizations …
Section 50 – The Committee has the power to prescribe the characteristics, duties, and responsibilities of the coordinating agency for maintaining the security of computer systems.
Section 51 – In the event of any inquiries or claims related to the characteristics of the organizations having the mission or providing …
Section 52 – For the benefit of coordination, the Organization of Critical Information Infrastructure shall notify the name and contact information …
Section 53 – In the operation of Maintaining Cybersecurity of the Organization of Critical Information Infrastructure …
Section 54 – The Organization of Critical Information Infrastructure shall conduct risk assessment on Maintaining Cybersecurity by …
Section 55 – In case the CRC views that the risk assessment on Maintaining Cybersecurity or the examination in the cybersecurity aspect …
Section 56 – The Organization of Critical Information Infrastructure shall establish a mechanism or process to monitor Cyber Threats or Cybersecurity Incidents …
Section 57 – In the event of a Cyber Threat significantly occurring to the system of the Organization of Critical Information Infrastructure …

Part 4 – Coping with Cyber Threats
Section 58 – In the case there is or may be a Cyber Threat to an information system that is under the responsibility of a Government Agency …
Section 59 – When it appears to the Supervising or the Regulating Organization, or when the Supervising or the Regulating organization …
Section 60 – In considering to exercise power to prevent Cyber Threats, the Committee will determine the type of Cyber Threat as classed into three levels, as follows …
Section 61 – When it appears to the CRC that there is or there may be a Cyber Threat at a critical level, the CRC shall issue an order to the Office to perform the following …
Section 62 – In operations in accordance with section 61, for the benefit of analyzing the situation and evaluating the effects from Cyber Threats …
Section 63 – In case of necessity to prevent, cope with, and mitigate risks from a Cyber Threat, the CRC shall order the Government Agency …
Section 64 – In case there is or may be a Cyber Threat at a critical level, the CRC shall prevent, cope with, and mitigate risks from the Cyber Threat and conduct necessary measures.
Section 65 – In coping with and to remedy the damages from a Cyber Threat at a critical level, the CRC has the power to order …
Section 66 – In preventing, coping with, or mitigating the risks from Cyber Threats in a critical level, the CRC has the power to order a Competent Official …
Section 67 – In case there is a Cyber Threat at a crisis level, it shall be in the duty and power of the National Security Council in Maintaining Cybersecurity …
Section 68 – In case it is urgent and necessary and the Cyber Threat is at a crisis level, the Committee may assign to the Secretary-General the power to act …
Section 69 – A person receiving an order related to coping with a Cyber Threat may only appeal such order for Cyber Threats at a non-critical level.

Chapter 4: Penalty Provisions
Section 70 – The officers under this Act shall not disclose or send computer data, computer traffic data, other data related to the computer system, …
Section 71 – Any officer under this Act negligently causing other persons to know computer data, computer traffic data, data of the users, or other data …
Section 72 – Any person who knows computer data, computer traffic data, data of the users, or data related to the computer system that the officer …
Section 73 – Any Organization of Critical Information Infrastructure not reporting a Cyber Threat incident in accordance with section 57 …
Section 74 – Any person not complying with the summoning letter of the Competent Officials, or not sending information to the Competent Official …
Section 75 – Any person violating or not complying with an order of the CRC in accordance with section 65 (1) (2) …
Section 76 – Any person disrupting or not complying with an order of the CRC or the Competent Official performing its duty …
Section 77 – In case the person committing an offense under this Act is a juristic person, if such offense is a result of the order or the act of a director or a manager or any person responsible for the operation of such juristic person.
Section 78 – At the beginning, the Committee shall consist of the chairperson and the committees under section 5 (1) and (2) and the Secretary-General of the National Cybersecurity Committee …
Section 79 – The CRC and the CMO shall be established within ninety days from the date of appointment of the honorary director of the Committee under section 78.
Section 80 – Establishment of the Office shall be completed in order to perform its duty in accordance with this Act within one year from the date this Act enters into force.
Section 81 – At the beginning, the Cabinet shall assign an initial funding to the Office. The Minister shall propose to the Cabinet for consideration the public servant …
Section 82 – When this Act enters into effect, the Minister shall present the operating Cabinet to approve the transfer of all the duties …
Section 83 – Issuance of the regulations, rules, and notifications in accordance with this Act shall be completed within one year from the date this Act enters into force.
