The Cybersecurity Act, B.E. 2562 (2019) (“Act”) has been published on 27 May 2019, and is now effective.

Those who are monitoring the Cybersecurity Act, as discussed in our previous client alert, may like to note that the obligations under the Cybersecurity Act remain the same as the latest publicly-available version (the version available on MDES website on 11 March 2019).

In essence, private entities may have obligations under the Cybersecurity Act under two scenarios, as follows:

1. In an occurrence of cyber threats

Cyber threats are classed at three levels, with varying compliance obligations for each level. In the event of a cyber threat, private entities may be required to:

    (i) provide access to relevant computer data or a computer system, or other information related to the computer system only to the extent necessary to prevent cyber threats;
    (ii) monitor the computer or computer system; and
    (iii) allow officials to test the operation of the computer or computer system, or seize or freeze a computer, a computer system, or any equipment.

Certain orders would require a court order, while others will not. However, generally, such orders must be limited to the necessity to preventing or handling cyber threats.

2. In the event the organization fits the criteria of a Critical Information Infrastructure Organization (CII Organization)

Subject to future sub-regulation, organizations which undertake the following tasks or provide the following services may be deemed a CII Organization:

    (1) National security;
    (2) Material public service;
    (3) Banking and finance;
    (4) Information technology and telecommunications;
    (5) Transportation and logistics;
    (6) Energy and public utilities;
    (7) Public health;
    (8) Others as prescribed by the National Cybersecurity Committee (NCSC);

Private entities which are deemed CII Organizations would have compliance obligations, such as to:

    (i) provide names and contact information of the owner(s), person(s) possessing the computer and person(s) monitoring the computer system;
    (ii) comply with the code of practice and minimum cybersecurity standards;
    (iii) conduct cybersecurity risk assessment; and
    (iv) notify the authority of cyber threats.

Penalties under the Act vary from fines to imprisonment.

To prepare for compliance with the Act, private entities can prepare their IT systems, review and update relevant legal documentation (e.g., IT policies and notice of security breaches), and conduct personnel training to raise awareness on cybersecurity. In addition, organizations listed as possible CII Organizations under (2) above will benefit from familiarizing themselves with the Act, and in the meantime closely monitoring the developments of the sub-regulation to be further prescribed by the National Cybersecurity Committee (NCSC).