

Question : For which agencies does the Cybersecurity Code of Practice and Standard Framework apply?
Answer : It applies to government agencies (including central administration, regional administration, local administration, state enterprises, legislative bodies, judicial bodies, independent organizations, public organizations, and other state agencies), regulatory or supervisory agencies (currently 19 agencies), and Critical Information Infrastructure (CII) agencies (currently 54 agencies).

Question : Why isn’t the list of Critical Information Infrastructure (CII) agencies published on the NCSA website?
Answer : The NCSA has received recommendations from regulatory/supervisory agencies and CII agencies indicating that publicly posting the list on the website could pose a security risk. Malicious actors might use the published list to more easily identify and target those agencies for cyberattacks.

Question : Do government agencies that are not designated as Critical Information Infrastructure (CII) agencies still need to comply with the Cybersecurity Code of Practice and Standard Framework? If so, how?
Answer : Yes. All government agencies, both those designated as Critical Information Infrastructure and those that are not, are required to comply with the Cybersecurity Code of Practice and Standard Framework, as mandated under Section 45 of the Cybersecurity Act B.E. 2562 (2019).

Question : Are there any examples of cybersecurity operational assessment tools?
Answer : The (Draft) Cybersecurity Operations Status Assessment Form for Regulatory or Supervisory Agencies

Question : How does ThaiCERT plan to handle cybersecurity?
Answer : The National Cyber Incident Response Plan of Thailand (Draft).

Question : Does the National Cyber Security Committee Office (NCSA Office) provide any additional support in terms of manpower, budget, or remuneration for related personnel?
Answer : The NCSA has project plans to support the development of personnel in relevant agencies, such as the NCSA Cyber Clinic, training courses for Lead Auditor/Lead Implementor, the Thailand National Cyber Academy, and the National Cyber Exercise.
Further information can be found at:
• NCSA Cyber Clinic
• Thailand National Cyber Academy
• National Cyber Exercise

Question : If a Sectoral CERT is established but is unable to perform its legally mandated duties, will it be subject to legal action?
Answer : Under Section 50 of the Cybersecurity Act B.E. 2562 (2019), as well as the relevant secondary legislation, no penalties are specified for cases where an agency fails to comply.

Question : What are the responsibilities of the Thailand Computer Emergency Response Team?

Question : How do agencies know whether they are designated as Critical Information Infrastructure (CII)?
Answer : Agencies are notified by their regulatory or supervisory authority, as specified under Section 49 of the Cybersecurity Act B.E. 2562 (2019).
Further information is available at:
• Regulatory or supervisory authorities under Section 49 of the Cybersecurity Act B.E. 2562 (2019)

Question : If an agency is hit by a cyber incident, how can it get assistance?
Answer : Phone: 02-1143531 or E-mail: thaicert@ncsa.or.th
