Regulator Framework
Regulator
Regulators under the Cybersecurity Act are responsible for developing security mechanisms that safeguard Critical Information Infrastructure and for strengthening the prevention and mitigation of national cyber threats.
Definition
Meaning of Regulator
Under the Cybersecurity Act B.E. 2562 (2019), a regulator refers to a government agency, private organization, or person that is legally assigned duties and authority to supervise or regulate the operation of a government agency or an organization of Critical Information Infrastructure.
Supervision
Related sections on duties, authority, operational frameworks, and supervision of Critical Information Infrastructure organizations.
Protection
Related sections on policies, plans, codes of practice, standard frameworks, prevention, and risk reduction from cyber threats.
Coping
Related sections on incident reporting, examination, assessment, notification, support, and coordination when cyber threats occur.
Related sections under the Cybersecurity Act
The related provisions are organized by supervision, protection, and coping responsibilities to make the legal framework easier to read and reference.
Supervision
Related sections on duties, authority, operational frameworks, and supervision of Critical Information Infrastructure organizations.
Assigns the supervision and regulation of cybersecurity, including the issuing of regulations and the setting of objectives, duties, powers, and operational frameworks, to the supervising or regulating organization, government agency, or organization of Critical Information Infrastructure.
Determine the duties of organizations of Critical Information Infrastructure and the duties of supervising or regulating organizations. At minimum, the supervising or regulating organization shall determine appropriate standards for each organization of Critical Information Infrastructure and government agency in coping with cyber threats.
The Committee shall have the power to prescribe, by notification, the characteristics of organizations that have a mission or provide services in the following sectors as organizations of Critical Information Infrastructure:
- National security
- Substantive public service
- Banking and finance
- Information technology and telecommunications
- Transportation and logistics
- Energy and public utilities
- Public health
- Other sectors as prescribed by the Committee
The consideration for prescribing such missions or services shall be in accordance with the rules prescribed by the Committee and published in the Government Gazette. The Committee shall consider and review such prescriptions on a case-by-case basis as appropriate.
In the operation of maintaining cybersecurity of an organization of Critical Information Infrastructure, the supervising or regulating organization shall examine the minimum cybersecurity standards of the organization of Critical Information Infrastructure under its supervision.
If it is found that an organization of Critical Information Infrastructure does not comply with the standards, the supervising or regulating organization shall notify such organization to correct and comply with the standards without delay. If the organization neglects or fails to comply within the prescribed period, the supervising or regulating organization shall notify the Cybersecurity Regulating Committee without delay.
Upon receipt of such notification, if the Cybersecurity Regulating Committee considers that there are reasonable grounds and that the non-compliance may give rise to a cyber threat, the Committee may take the following actions:
- In the case of a government agency, notify the chief executive of the agency to exercise administrative authority to order the agency or organization of Critical Information Infrastructure to correct and comply with the standards without delay.
- In the case of a private organization, notify the chief executive of the organization, the person possessing the computer, and the person monitoring the computer system of the organization of Critical Information Infrastructure to make correction and comply with the standards without delay.
The Secretary-General shall monitor to ensure compliance with the above actions.
An organization of Critical Information Infrastructure shall conduct a cybersecurity risk assessment by means of an examiner. The cybersecurity examination shall include an audit by an internal auditor or an independent external auditor at least once per year.
The organization of Critical Information Infrastructure shall submit a summary report of the operation results to the Office within thirty days after the operation has been completed.
Protection
Related sections on policies, plans, codes of practice, standard frameworks, prevention, and risk reduction from cyber threats.
The Committee shall prepare a policy and plan for maintaining cybersecurity in accordance with Section 42 for submission to the Cabinet for approval, which shall be published in the Government Gazette.
Once published, government agencies, supervising or regulating organizations, and organizations of Critical Information Infrastructure as determined in the cybersecurity policy and plan shall take action in accordance with such policy and plan.
In preparing the policy and plan, the Office shall hold a hearing or meeting with government agencies, supervising or regulating organizations, and organizations of Critical Information Infrastructure.
Government agencies, supervising or regulating organizations, and organizations of Critical Information Infrastructure shall prepare a code of practice and standard framework for maintaining cybersecurity of each organization in accordance with the cybersecurity policy and plan without delay.
The code of practice for maintaining cybersecurity shall, at minimum, consist of the following:
- A plan for examining and assessing cybersecurity risks by an examiner, internal auditor, or independent external auditor at least once per year.
- A plan for coping with cyber threats.
For the benefit of preparing the code of practice for maintaining cybersecurity, the Office, upon approval of the Committee, shall prepare a code of practice and standard framework for government agencies, supervising or regulating organizations, or organizations of Critical Information Infrastructure to use as guidance or to adopt as their own code of practice.
If such organizations do not yet have, have incomplete, or have inconsistent codes of practice or standard frameworks, the code of practice and standard framework prepared by the Office shall be enforced.
Government agencies, supervising or regulating organizations, and organizations of Critical Information Infrastructure have a duty to prevent, cope with, and mitigate risks from cyber threats in accordance with the code of practice and standard framework for maintaining cybersecurity of each organization.
They shall also act in compliance with the code of practice and standard framework for maintaining cybersecurity in accordance with Section 13, paragraph one (4).
If a government agency, supervising or regulating organization, or organization of Critical Information Infrastructure cannot take action or comply with the above paragraph, the Office may grant assistance in personnel or technology to such organization as requested.
For the benefit of maintaining cybersecurity, government agencies, supervising or regulating organizations, and organizations of Critical Information Infrastructure shall notify the Office of the names of executive officials and operational officials for coordination on maintaining cybersecurity.
For the benefit of coordination, an organization of Critical Information Infrastructure shall notify the Office, its supervising or regulating organization, and the organization under Section 50 of the name and contact information of the owner, the person possessing the computer, and the person monitoring the computer system within thirty days from the date the Committee prescribes the notification in accordance with Section 49, paragraph two, and Section 50, paragraph two, or from the date the Committee issues a final judgment in accordance with Section 51.
The owner, the person possessing the computer, and the person monitoring the computer system shall at least be persons responsible for the management of such organization of Critical Information Infrastructure.
In the case of any change to the owner, the person possessing the computer, and the person monitoring the computer system, the relevant organizations shall be notified not less than seven days in advance, unless there is an inevitable reason, in which case notification shall be made without delay.
Coping
Related sections on incident reporting, examination, assessment, notification, support, and coordination when cyber threats occur.
In the event of a significant cyber threat occurring to the system of an organization of Critical Information Infrastructure, such organization shall report to the Office and the supervising or regulating organization, and shall cope with the cyber threat as prescribed in Part 4.
The Cybersecurity Regulating Committee may prescribe criteria and methods of reporting.
If there is, or may be, a cyber threat to an information system under the responsibility of a government agency or organization of Critical Information Infrastructure, such organization shall examine related information, computer data, computer systems, and surrounding circumstances to assess whether a cyber threat has occurred.
If the examination results show that there is, or may be, a cyber threat, the organization shall prevent, cope with, and mitigate risks from such cyber threat in accordance with the code of practice and standard framework for maintaining cybersecurity, and shall notify the Office and its supervising or regulating organization without delay.
If any agency, organization, or person encounters an obstacle or problem in preventing, coping with, or mitigating risks from a cyber threat, such agency, organization, or person may request assistance from the Office.
When it appears to the supervising or regulating organization, or when the supervising or regulating organization is notified of an incident under Section 58, the supervising or regulating organization, in cooperation with the organization under Section 50, shall gather information, examine, analyze the situation, and evaluate the effects related to the cyber threat, and shall perform the following actions:
- Support and grant assistance to the government agency or organization of Critical Information Infrastructure under its supervision or regulation, and cooperate and coordinate with the Office to prevent, cope with, and mitigate the risks from the cyber threat.
- Notify the government agency or organization of Critical Information Infrastructure under its supervision or regulation, including other relevant government agencies or organizations of Critical Information Infrastructure, without delay.
