Effective January 18, 2025, two key subordinate regulations have been enforced by the National Cyber Security Committee (NCSC) under the Act:

• Standards for Defining the Security Category for Data and Information Systems B.E. 2566 (2023)
• Minimum Standards for Data and Information Systems B.E. 2566 (2023)

These regulations require Critical Information Infrastructure (CII) operators to classify their data and information systems according to security categories and implement minimum cybersecurity protection standards based on that classification. Organizations handling national security, public safety, economic security, or critical public infrastructure are now expected to take a proactive approach to cybersecurity governance and regulatory compliance.

Agencies and Organizations classified as Critical Information Infrastructure (CII) are required to comply with Thailand’s Cybersecurity Act. These include:

• National Security
• Information Technology and Telecommunications
• Energy & Public Utilities
• Public Health
• Banking and Finance
• Substantive Public Services
• Transportation and Logistics
• Other sectors deemed critical to national interests

While the regulatory requirements are clear, different CII sectors face different challenges – from limited visibility across systems, uncertainty about compliance readiness, to a lack of clarity on how the regulations apply to their operations. These challenges can delay action and expose critical systems to risk. At ABB, we help you navigate compliance with confidence by deepening your understanding of current cybersecurity practices and overcome industry-specific risks.

Thailand Cybersecurity Acts, along with the newly two 2025 NCSC Notification on Minimum Standards for Data and Information Systems, the obligations of CIIs have been significantly expanded by requiring them to implement a comprehensive set of cybersecurity controls aligned with confidentiality, integrity, and availability principles.

CIIs must now establish documented risk management strategies, incident response plans, asset management processes, vulnerability assessments, access controls, system hardening procedures, awareness programs, crisis communication plans, and third-party management practices. These requirements ensure that CIIs adopt a proactive and structured approach to safeguarding critical systems, enhancing national cyber resilience, and maintaining operational continuity against evolving cyber threats.

Ransomware attacks surged by 151% in 2021, costing OT environments an average of $4.82 million per incident. Yet, 48% of organizations are unaware if their systems have been compromised. Another study from Sophos found that 62% of critical infrastructures, including energy sector, were impacted by ransomware attacks as compared to 49% across other sectors such as manufacturing, construction, and IT. Hence, cybersecurity is no longer optional—it's essential for protecting operations, ensuring uptime, and maintaining business resilience.

At ABB, we provide guidance to help you prepare for ransomware attached before they happen. Our proactive cyber security approach enables early detection of vulnerabilities, real-time threat monitoring, and implementing preventive measures. Download the e-book to learn how to protect your operations and build ransomware resilience.

We have a complete portfolio of offerings that help our customers manage OT cyber security risks and support Thailand Cybersecurity Regulation.