Critical Information Infrastructure (CII)

Under Section 49 of the Cybersecurity Act B.E. 2562 (2019), the National Cyber Security Committee (NCSC) has the authority to designate organizations in critical sectors as Critical Information Infrastructure (CII).

Critical Infrastructure Sectors

  • (1) National Security
  • (2) Critical Government Services
  • (3) Banking and Finance
  • (4) Information Technology and Telecommunications
  • (5) Transportation and Logistics
  • (6) Energy and Utilities
  • (7) Healthcare
  • (8) Other sectors designated by the committee

CII Identification Process

  • Identify critical processes
  • Assess impact of process disruption
  • Determine acceptable downtime
  • Select critical processes and information assets
  • Identify CII organizations

Section 43
The committee shall establish national cybersecurity policies and plans which must be followed by government agencies, regulators, and CII organizations.
Section 44
Organizations must develop cybersecurity standards and practices aligned with national cybersecurity policies.
Section 45
CII organizations must prevent, respond to, and mitigate cybersecurity risks in accordance with established standards.
Section 46
Organizations must provide contact information for cybersecurity coordination personnel.
Section 54
CII organizations must conduct cybersecurity risk assessments and audits at least annually.
Section 56
CII organizations must establish cyber threat monitoring systems and participate in cybersecurity readiness exercises.
Section 57
Significant cyber incidents must be reported to the relevant authority and regulator.
Section 58
Organizations must investigate cyber threats and implement mitigation measures.