Single Blog Title

This is a single blog caption

Tilleke & Gibbins: Thailand Issues Draft Cybersecurity Standards for Cloud Services

Tilleke & Gibbins: Thailand Issues Draft Cybersecurity Standards for Cloud ServicesTilleke & Gibbins: Thailand Issues Draft Cybersecurity Standards for Cloud Services

Tilleke & Gibbins, our corporate member, has shared news regarding Thailand’s draft cybersecurity standards for cloud services.

On May 1, 2024, Thailand’s National Cyber Security Committee (NCSC) published the draft NCSC Notification Re: Cloud Cybersecurity Standards for a public hearing period, which was open until May 14, 2024. These standards have been drafted to drive the country’s cloud-first policy with the aim of minimising risks from cyber threats to cloud services utilised by government agencies, supervising or regulating organisations, and critical information infrastructure (CII) organisations.

The key points of the draft Cloud Cybersecurity Standards are below.


  • The standards apply to government agencies, supervising or regulating organisations, and CII organisations under the Cybersecurity Act B.E. 2562 (2019), as well as cloud service providers (defined below).
  • The standards prescribe cloud system cybersecurity measures for cloud service customers (defined below) and providers only to the extent that the service is provided to the in-scope organisations outlined above.


  • Cloud service customers (CSCs):¬†In-scope organisations that have a formal contractual agreement to use cloud services provided by a cloud service provider.
  • Cloud service providers (CSPs):¬†Persons who enable cloud services to be used by a cloud service customer, responsible for maintaining infrastructure, platforms, and software that enable provision of the cloud services and for managing these resources to ensure their accessibility, security, and scalability for their cloud service customers.


  • In-scope organisations that will use or have been using cloud services must comply with the Cloud Cybersecurity Standards by taking into account their data or technology information systems‚Äô level of impact, as specified in the previously issued¬†Notification of the NCSC Re: Standards for Defining the Security Category for Data and Information Systems B.E. 2566 (2023).
  • The impact level related to personal data is to be rated as being at least at the medium level, and the minimum standards for that level specified in the draft Cloud Cybersecurity Standards must be adopted.
  • In-scope organisations must report their implementation of the Cloud Cybersecurity Standards to the National Cyber Security Agency (NCSA) within 30 days of completing the implementation.
  • The draft Cloud Cybersecurity Standards will come into force one year from their publication in the¬†Government Gazette.


The requirements in the Cloud Cybersecurity Standards are divided into two areas, (1) cloud security governance and (2) cloud infrastructure and operations:

Requirement Area 1: Cloud Security Governance

  • Information security policies
  • Organization of information security
  • External supplier relationships
  • Compliance

Requirement Area 2: Cloud Infrastructure Security and Operations  

  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operational security
  • Communication security
  • System acquisition, development, and maintenance
  • External supplier relationships
  • Information security incident management

Impact Levels and Requirements

The stipulations of the Cloud Cybersecurity Standards vary depending on the data or information systems’ level of impact. The requirements for each level are summarised in the table below.

For other interesting articles from our members and chamber activities, please visit our website.