Thailand releases draft guidelines on government cloud adoption and data classification

Thailand's Digital Government Development Agency (“DGA”) has published two sets of draft public sector-targeted guidelines intended to steer government agencies towards implementing cloud technologies and data classification systems. The drafts, which were open for public consultation until 12 August 2025, form part of Thailand's “Cloud First” policy, which aims to modernize Thailand's public services by driving the technological upgrading of government agencies. The Cloud First policy is designed to integrate cloud infrastructure across all governmental agencies, thereby propelling Thailand towards its goal of becoming a regional cloud hub. Both the Cloud and the Data Classification Guidelines (the “Guidelines”) have wide-ranging implications for government agencies, cloud service providers, and international organizations operating in Thailand or handling Thai data.

Key Features of the Guidelines:

1. Cloud guidelines

• Prioritizing Cloud Solutions: These guidelines mandate that government agencies integrate cloud solutions for new IT projects. Deployment models (e.g. public, private, hybrid, or community) should be selected based on data sensitivity, and standardized cloud services (e.g. IaaS, PaaS, SaaS) are encouraged.
• Cloud Security: A shared security model is essential, wherein providers are responsible for securing the infrastructure, while agencies retain control over their data, applications, and access.

2. Data classification guidelines

Government data should be classified into three tiers:

1. Official data: Low sensitivity; suitable for public cloud.
2. Protected data: Sensitive (e.g. tax, medical, financial); recommended for domestic public clouds with enhanced security.
3. Highly protected data: Critical or top-secret; must be stored in sovereign or state-controlled clouds within Thailand.

• Data Localization: Government data should be stored within Thailand. Any exceptions to this require DGA approval.
• Security Controls: Mandatory encryption, access restrictions, and compliance in accordance with international standards such as ISO 27001.

Compliance with the Guidelines must be considered as part of a wider compliance framework with existing laws and regulations, such as Thailand’s Official Information Act 1997, Personal Data Protection Act 2019, Cybersecurity Act 2019, and national security regulations.

Implications for stakeholders

These Guidelines indicate potential commercial impacts for both local and foreign businesses operating in Thailand.

Government agencies will be required to overhaul internal policies, implement data classification frameworks, and formally justify any deviation from the cloud-first mandate. Compliance will be a prerequisite for continued digital operations.

Cloud service providers must meet elevated thresholds for security, data localization, and legal compliance to remain eligible for public sector contracts. Providers unable to demonstrate alignment with government standards will be excluded from procurement processes.

International organizations and cloud vendors operating in Thailand must reassess their data governance strategies. The Guidelines reflect Thailand’s assertive stance on data sovereignty and localization, aligning with a broader global trend toward national control over digital infrastructure.

Broader ASEAN impact

These Guidelines are a cornerstone of Thailand’s digital modernization strategy, which is aimed at establishing the country as a leading regional hub for cloud computing and artificial intelligence within the broader ASEAN market. The evolving regulatory landscape offers a strategic opportunity for compliant businesses to pursue regional expansion and operational scale.

Commercial considerations for companies operating or seeking to operate in Thailand include:

• Market Access: Thailand’s geographic centrality and advanced digital infrastructure make it an ideal launchpad for accessing ASEAN’s 660+ million consumers.
• Scalable Infrastructure: Thailand’s rapid buildout of cloud data centres, AI ecosystems, and e-government services offers a pre-existing foundation for regional expansion.
• Cross-Border Integration: ASEAN businesses can seamlessly deploy apps, store data, and serve customers via Thai infrastructure.
• Recent examples:

1. A global technology firm has established three cloud data centres in Thailand since 2018. These facilities support Thai and regional clients, offering AI, cloud, and cybersecurity services.
2. A multinational logistics company has leveraged Thailand’s smart infrastructure, particularly in the Eastern Economic Corridor to optimize supply chains across Southeast Asia. Thailand’s digital logistics hubs enable faster, tech-enabled delivery throughout the region.
3. A major cloud provider launched a data centre in Bangkok to serve Southeast Asian businesses with localized cloud services. The data centre supports e-commerce, logistics, and fintech firms in scaling across ASEAN.