Thai Cyber Security: Public-Private Build-Out and PDPA Enforcement
NCSA logged 1,002 cyber incidents in first 5 months of 2025; 63% of Thai orgs breached, 52% paid ransom. 2025 NCSA notification expanded CII to include cloud, data centres, managed IT. Breach costs USD 430K-1.4M. Cyber-insurance demand surged. PDPA, Cybersecurity Act now operate as coordinated enforcement stack.
Key takeaways
1. NCSA logged 1,002 cyber incidents in the first 5 months of 2025 per Nation Thailand; the pace exceeds the 2024 baseline.
2. 63% of Thai organisations experienced data breaches in 2025 per Chiang Rai Times; 52% admitted to paying ransom, both well above ASEAN regional averages.
3. Breach costs: USD 430K-1.4M per incident in Thailand. Cyber-insurance demand surged in 2025, with carriers reporting a multi-fold increase in policy applications.
4. The 2025 NCSA notification (per Lexology / Silk Legal) expanded Critical Information Infrastructure (CII) classifications to include cloud platforms, data centres, and managed IT services, materially extending the regulatory perimeter.
5. CII operator obligations: NCSA-approved cyber-control standards, periodic risk assessments and technical audits, statutory incident-reporting timeframes, cooperation with investigations.
6. The Cybersecurity Act and PDPA operate as a coordinated enforcement stack. PDPC issued > $623,188 in fines across 5 cases in 2025 for security and breach-notification failures (see PDPA report). Combined regulatory pressure now drives material compliance-budget growth.
Questions this report answers
What's the 2025 threat-landscape picture? Per Nation Thailand: NCSA logged 1,002 cyber incidents in the first 5 months of 2025; extrapolating implies a 2,400+ incident-volume trajectory for the full year, well above the 2024 baseline. Per Chiang Rai Times: 63% of Thai organisations experienced data breaches in 2025; 52% admitted to paying ransom (both well above ASEAN averages). Per Thailand Insurance: breach costs ranged USD 430K-1.4M per incident, prompting a structural surge in corporate cyber-insurance demand.
What changed in the 2025 regulatory perimeter? Per Lexology and Silk Legal: the 2025 NCSA notification replaced earlier 2023 classifications, expanding the Critical Information Infrastructure (CII) designation to include cloud platforms, data centres, and managed IT services. The structural implication is significant: many private-sector Thai operators that were previously outside CII designation are now covered. CII operators face mandatory NCSA-approved cyber-control standards, periodic risk assessments and technical audits, statutory incident-reporting timeframes, and cooperation with NCSA investigations.
How do the Cybersecurity Act and PDPA work together? Per Siam Legal and PDPA-report cross-reference: the two regimes operate as a coordinated enforcement stack. NCSA enforces the Cybersecurity Act on CII operators (and increasingly private-sector entities); PDPC enforces PDPA on data controllers and processors. Both require security measures and breach-notification timeframes; failure on either side faces enforcement consequences. PDPC's August 2025 batch of 8 fines / 5 cases / > $623,188 total demonstrates the practical enforcement reality. Sector-specific regulators (BOT for banking, SEC for securities, NBTC for telecom) coordinate cyber-supervision with NCSA on standards and audits.
What's the corporate compliance cost structure? Per Formichella and Sritawat: 2025 mandatory technical and organizational website-security protocols apply to government agencies, regulatory bodies, CII operators, and designated private entities. Thai operators must invest in technical controls (firewalls, EDR, SIEM, vulnerability management), MSSP partnerships (24/7 SOC, incident response), DPO appointment, breach-response capability, and increasingly cyber-insurance to transfer residual risk. Per BSA's Cybersecurity Act amendment comments: foreign-tech vendors face additional regulatory engagement on draft amendments to the Cybersecurity Act.
Executive summary
Thailand's cyber-security landscape entered 2026 in a state of structural escalation. NCSA logged 1,002 incidents in the first 5 months of 2025 (extrapolating to 2,400+ for the full year); 63% of Thai organisations experienced data breaches and 52% paid ransom per Chiang Rai Times; breach costs ranged USD 430K-1.4M per incident per Thailand Insurance. The volume, breach rate, and ransom-payment rate are all materially above ASEAN regional averages; Thailand is now a higher-risk cyber jurisdiction than Singapore, Malaysia, or Vietnam.
The regulatory regime expanded in parallel. The 2025 NCSA notification (per Lexology / Silk Legal) extended Critical Information Infrastructure (CII) classification to cloud platforms, data centres, and managed IT services, bringing many private-sector operators under direct NCSA jurisdiction for the first time. CII obligations include NCSA-approved cyber-control standards, periodic risk assessments and audits, statutory incident-reporting timeframes, and investigation cooperation. The Cybersecurity Act and PDPA now operate as a coordinated enforcement stack: PDPC issued more than $623,188 in fines across 5 cases in 2025 for security and breach-notification failures. Sector-specific regulators (BOT for banking, SEC for securities, NBTC for telecom) coordinate with NCSA on standards and audits.
The corporate-compliance response is structural compliance-budget growth across technical controls, MSSP partnerships, DPO appointment, breach-response capability, and cyber-insurance. The cyber-insurance market saw a structural demand surge in 2025: once a niche product, now central to corporate risk management per Thailand Insurance. The 2026 outlook is continued threat-volume growth (AI-era attacks, ransomware, supply-chain), continued regulatory expansion (CII designation likely extends further; Cybersecurity Act amendments in BSA-comment phase), and continued compliance-budget expansion across both public and private sectors. For institutional investors, Thai-listed cybersecurity service providers and MSSPs face a structural demand tailwind.
Cyber-incident metrics and 2025 enforcement
| Metric | Value | Notes |
|---|---|---|
| NCSA incidents (first 5 months 2025) | 1,002 | Implies 2,400+ full-year extrapolation per Nation Thailand. |
| Org breach rate 2025 | 63% | Above ASEAN average per Chiang Rai Times. |
| Ransom-payment rate 2025 | 52% | Above ASEAN average; structural insurance-market driver. |
| Per-incident breach cost (lower) | USD 430K | Thailand Insurance lower-bound estimate. |
| Per-incident breach cost (upper) | USD 1.4M | Thailand Insurance upper-bound for high-impact incidents. |
| PDPA fines 2025 (Aug batch) | > $623,188 | 8 fines / 5 cases per DLA Piper, Lexology (see PDPA report). |
| CII designation expansion | 2025 NCSA notification | Replaces 2023; adds cloud, data centres, managed IT. |
Related reports
Thailand PDPA: Enforcement Trajectory and Compliance Cost
Thailand's Personal Data Protection Act B.E. 2562 (2019) reached full enforcement on 1 June 2022 after multiple deferrals. The Personal Data Protection Committee (PDPC) operating under the Ministry of Digital Economy and Society moved decisively from awareness-building to active enforcement in 2024-2025. On 1 August 2025 PDPC publicly announced 8 administrative fines across 5 non-compliance cases totalling more than THB 21.5M, including a landmark THB 7M fine for a customer-data leak that was subsequently exploited in call-centre scams per DLA Piper, HSF Kramer, and Lexology coverage. PDPA's civil-fine ceiling is THB 5M for serious violations; sensitive-data violations carry imprisonment up to 6 months and / or a THB 500K fine, doubled when undertaken for undue commercial benefit. Enforcement extends to data processors, not just controllers: the August 2025 toy-seller case fined the controller THB 500K and the processor THB 3M for failure to implement appropriate security measures. Recurring compliance failures: inadequate security (weak passwords, no risk assessment, poor system oversight), failure to appoint a Data Protection Officer (DPO) when required, failure to notify PDPC and affected individuals of data breaches within statutory timeframes, and poor handling and destruction of sensitive data.
Data-Centre Investment: AWS, Google Cloud, and the Power-Grid Constraint
Bangkok has become Southeast Asia's second-largest data-centre market with total IT capacity above 2.5 GW. BOI approved THB 521.2B (USD 16.13B) across 28 data-centre projects in H1 2025 alone; full-year 2025 reached 36 projects worth USD 23B. Capacity is set to triple from 350 MW (2024) to 1 GW by 2027 backed by a USD 6.5B infrastructure push. AWS Asia-Pacific (Bangkok) launched early 2025 (USD 5B); Google Cloud opened Bangkok with a USD 1B Chonburi facility (2025-2029); Microsoft launched its first Thailand cloud region; TikTok is deploying USD 3.8B across three provinces; Beijing Haoyang Cloud is building a THB 72.7B / 300 MW first-international campus at WHA Eastern Seaboard 4 in Rayong. Province concentration: Rayong 33%, Chonburi 32%, Samut Prakan 12%. The binding constraint is no longer demand or BOI eligibility; it is grid power, water, and Tier-III construction labour.
Thai AI Adoption: Enterprise Pilots and the Data-Centre Build
Thai enterprise AI adoption reached 17.8% in 2024 (up from 15.2% in 2023) per the AI Readiness Measurement 2024 report; 73.3% of organisations plan future adoption with Thailand at #2 ASEAN after Indonesia. Major hyperscaler commitments anchor the data-centre build: AWS USD 5B with the Bangkok region launched early 2025, Google Cloud USD 1B Chonburi facility, and Microsoft's first Thailand cloud region. AI workloads reached 28% of total Thai data-centre capacity in early 2025 (up from 20% the prior year); 1H 2025 BOI data-centre approvals totalled THB 521.2B (USD 16.13B) across 28 projects. Thailand targets tripling data-centre capacity from 350 MW (2024) to 1 GW by 2027 backed by a USD 6.5B infrastructure push.
Thai Food Delivery: Grab-LINE-Foodpanda Economics and the Restaurant Take-Rate Squeeze
Thai food delivery is structurally a three-platform race between Grab, LINE MAN Wongnai, and Foodpanda, with Robinhood (SCB-launched 2020, divested 2024) historically a domestic zero-commission challenger that compressed take-rates briefly before retrenching. Restaurant take-rates run 25-35% on platform GMV across the three majors, squeezing independent-restaurant operating margins; tiered commission structures and platform-funded promotions partially offset the bite for high-volume brands. LINE MAN Wongnai, backed by Bualuang Ventures (BBL), is the structural Thai-domestic incumbent leveraging the near-universal LINE messenger app for restaurant discovery and order placement, a cross-platform funnel Grab cannot replicate. Grab leverages its super-app ride-hailing and financial-services flywheel for cross-sell economics. Foodpanda (Delivery Hero) operates as the third pillar with structural cost-pressure dynamics. Rider gig-labour structure (per-trip payouts, no-employee classification, regulatory pressure on minimum-payout rules) is the structural watch-item for 2026-2028. The structural-investor read: Thai food delivery is a duopoly-leaning-three-way market with embedded restaurant take-rate ceiling at 30-35% (regulatory and survival-pressure cap). Watch LINE MAN Wongnai gross-merchandise-value disclosures, restaurant churn rates, and rider-payout regulation as 2026-2028 leading indicators.