National Cyber Security Agency (NCSA Thailand)
The National Cyber Security Agency (NCSA) is the Thai government statutory body established under the Cybersecurity Act B.E. 2562 (2019). It is mandated to protect critical information infrastructure (CII) across 7 designated sectors: security, public services, finance and banking, ICT, transportation, energy, and public health. It sets cybersecurity standards, conducts national threat assessments, and coordinates incident response across government agencies and CII operators. It works alongside ETDA (Electronic Transactions Development Agency) on digital-economy security and the PDPC on data-breach response, and coordinates with international CERT networks.
Snapshot
Headline numbers a buyer checks first.
| Metric | Value | Year | Note |
|---|---|---|---|
| Established | 2019 | 2019 | Under Cybersecurity Act B.E. 2562 |
| CII sectors protected | 7 | 2024 | |
| Annual budget (approx.) | THB 0.9B | FY2024 | |
| Reports to | Office of the Prime Minister / NCSC | 2024 | |
Mandate and functions
CII protection
7-sector critical infrastructure oversight
NCSA designates and oversees critical information infrastructure (CII) operators across 7 sectors: national security, government services, finance and banking, ICT, transportation, energy, and public health. CII operators must comply with NCSA cybersecurity standards and conduct annual cybersecurity risk assessments.
Standards
National cybersecurity framework
NCSA promulgates the National Cybersecurity Standards and requirements for CII operators. The standards are aligned with the NIST Cybersecurity Framework and ISO/IEC 27001. CII operators must achieve minimum security baselines within prescribed timelines; NCSA audits compliance and can impose remediation requirements.
Incident response
ThaiCERT and national threat coordination
NCSA coordinates with ThaiCERT (Computer Emergency Response Team) for national cybersecurity incident response. It receives mandatory breach notifications from CII operators and coordinates cross-sector response for incidents affecting multiple critical-infrastructure sectors. It also works with international CERT networks on shared threat intelligence.
PDPC coordination
PDPA data-breach response integration
NCSA coordinates with the Personal Data Protection Committee (PDPC) on data-breach incidents that involve both cybersecurity attacks and personal-data exposure. Joint response frameworks ensure that cybersecurity remediation and PDPA breach-notification requirements are addressed simultaneously for incidents that fall within the scope of more than one regulator.
Thai digital-economy regulator comparison
Key regulators covering cybersecurity, data, digital economy
| Agency | Primary mandate | Key legislation |
|---|---|---|
| NCSA | Critical information infrastructure protection, cybersecurity standards | Cybersecurity Act B.E. 2562 (2019) |
| PDPC | Personal data protection, PDPA enforcement | Personal Data Protection Act B.E. 2562 (2019) |
| ETDA | Electronic transactions, digital economy development | Electronic Transactions Act B.E. 2544 (2001) |
| NBTC | Telecom and broadcasting regulation, spectrum licensing | Frequency Allocation Act B.E. 2553 (2010) |
Key drivers 2025-2026
Ransomware
Ransomware and supply-chain attack response
Thai CII operators experienced multiple ransomware incidents in 2023-2024, including attacks on healthcare and government systems. NCSA's incident-response coordination capability is being tested by increasingly sophisticated attacks. Mandatory cybersecurity assessments for CII operators are generating demand for NCSA-approved MSSP services.
Compliance
CII operator audit and enforcement
NCSA is escalating CII-operator compliance audits following the initial registration phase. Operators that fail NCSA cybersecurity standards face remediation orders and, in critical cases, regulatory escalation to the National Cyber Security Committee chaired by the Prime Minister.
International
ASEAN cybersecurity cooperation
Thailand's ASEAN chairmanship and regional digital-economy leadership position NCSA as a key participant in ASEAN CERT cooperation and the ASEAN Cybersecurity Cooperation Strategy. Cross-border threat intelligence sharing with Singapore CSA, Malaysia CyberSecurity Malaysia, and other ASEAN CERTs is a growing operational function.
Where this profile is featured
Reports that reference this entity in their operator concentration or analysis.
Featured in
Thai Cybersecurity MSSP and Critical Information Infrastructure Act
National Cyber Security Agency; administers Critical Information Infrastructure (CII) Act 2019.
Featured in
Thai Cyber Security: Public-Private Build-Out and PDPA Enforcement
National Cyber Security Agency; administers Critical Information Infrastructure (CII) Act 2019.
Related Market profiles
Peers, parents, partners, agencies, and other Cybersecurity actors.
Partner
Personal Data Protection Committee (PDPC)
Coordinates cybersecurity-incident response with PDPC on data-breach notifications.
Sector peer
Data Protection Officer (DPO) - Thai PDPA Role
The mandatory DPO role under Thailand's PDPA 2019, required for large-scale data processors and sensitive-data controllers.
Sector peer
Foreign Digital Service VAT Framework (Thailand RD)
Thailand's VAT-on-foreign-digital-services regime (Section 83/6 bis), requiring non-resident digital providers to register and remit 7% VAT on B2C revenue.
Sector peer
Thai PDPA Advisory Firm Cluster
Cluster of law firms and Big 4 advisory practices providing PDPA compliance, DPO services, and data-governance advisory in Thailand.