New Regulation on Technology Crimes

Introduction

On 12 April 2025, the Thai Government announced expanded enforcement powers of government authorities, as well as a range of new obligations for relevant business operators, in order to more effectively combat technology-related crimes.

The significant legislative update, called the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes (No. 2), B.E. 2568 (2025) (“Technology Crime Decree (No. 2)”), took effect on 13 April 2025 and amended the Emergency Decree on Measures for the Prevention and Suppression of Technology Crimes, B.E. 2566 (2023) (“Technology Crime Decree”).

This Legal Update outlines the expanded scope of application under the Technology Crime Decree (No. 2) and the new obligations imposed on covered entities as part of the Thai Government’s broader strategy to strengthen its technological crime prevention framework. It also highlights key compliance risks and potential liabilities for a wide range of entities now subject to heightened requirements under the new provisions.

Features of the Technology Crime Decree

What Is Technology Crime?

The Technology Crime Decree defines the term “Technology Crime” as an act or an attempt of committing an offence under the law on commission of offences relating to computers: (i) in order to defraud, extort or blackmail any person; (ii) in a manner likely to cause injury to any other person; or (iii) in commission of an offence of fraud, extortion or blackmail using a computer system as an instrument.

Who Is Covered Under the Technology Crime Decree?

The Technology Crime Decree applies to a wide range of entities, including:

  • Financial Institutions: Commercial banks and state financial institutions established under specific legislation, as defined under the law governing financial institution businesses.
  • Business Operators: Entities regulated under the law governing payment systems, as well as digital asset business operators under the law pertaining to digital asset businesses (as added by the Technology Crime Decree (No. 2)). 
  • Mobile Network Operators, Other Telecommunications Service Providers, Other Relevant Service Providers and Social Media Service Providers: While not explicitly defined in the Technology Crime Decree, these terms are broadly construed. In particular, “other relevant service providers” may include any provider whose services are connected to the commission of technology crimes and may therefore be subject to compliance obligations or directives issued under the Technology Crime Decree. 

Key Updates Under the Technology Crime Decree (No. 2)

The Technology Crime Decree (No. 2) effects important amendments to the Technology Crime Decree. This includes the following key updates:

    1. Establishment of a New Anti-Technology Crime Taskforce

A new division, the “Center for the Prevention and Suppression of Technology Crimes” (“CPOT”), has been established under the Office of the Permanent Secretary of the Ministry of Digital Economy and Society. CPOT operates as a joint task force with participation from representatives of various authorities, including the Royal Thai Police, the Department of Special Investigation (DSI), the Anti-Money Laundering Office (AMLO), the Bank of Thailand (“BOT”), the Office of the Securities and Exchange Commission (SEC Office), and the Office of the National Broadcasting and Telecommunications Commission (“NBTC Office”), among others.

CPOT is empowered to, among other functions: (i) receive reports from victims concerning suspected or potential technology crimes; (ii) immediately suspend transactions involving deposit accounts or electronic money accounts where there is credible evidence of a connection to a technology crime; and (iii) notify the NBTC Office of telephone numbers, SMS services, sender names, or other telecommunications service information for further action, such as ordering mobile network operators, telecommunications service providers, or other relevant service providers to suspend the associated services.

    2. Standards or Measures for the Prevention of Technological Crime

The Technology Crime Decree (No. 2) empowers BOT, the Securities and Exchange Commission (SEC), the National Broadcasting and Telecommunications Commission (NBTC), the NBTC Office, and the Electronic Transactions Commission (ETC) to prescribe “standards or measures for the prevention of technological crime”.

Notably, Financial Institutions, Business Operators, mobile network operators, other telecommunications service providers, other relevant service providers, and social media platform providers may be held responsible for damages arising from technology crime, unless they can prove that they have complied with the applicable standards or measures for the prevention of technology crime prescribed by the relevant regulator.

    3. Inclusion of Digital Asset Business Operators

The Technology Crime Decree (No. 2) amends the definition of “Business Operators” to include digital asset business operators under the law pertaining to Digital Asset Businesses. As a result, the scope of the Technology Crime Decree, as amended, now extends to operators in the digital asset sector, and all references to “Business Operators” under the amended Technology Crime Decree are deemed to include digital asset business operators.

    4. SMS Monitoring Requirement

Mobile network service providers and other telecommunications service providers are required to verify and filter SMS messages that may be related to technology crimes in accordance with the standards or measures to be prescribed by the NBTC Office.

    5. Account and Service Suspension Powers

CPOT may order Financial Institutions or Business Operators to take action with respect to individuals or digital asset wallet addresses associated with the commission of technology crimes, including refusing account openings, suspending services or transactions, or closing accounts.

Non-compliance with a CPOT order may result in a fine not exceeding THB 500,000. In addition, if the non-compliance is attributable to an act or omission of a director, managing director, or any person responsible for the operation of the legal entity – whether by actively committing the offence or by failing to act or give necessary instructions where their duty requires such action or instruction – that person shall be personally liable to imprisonment for a term not exceeding one year, a fine not exceeding THB 100,000, or both.

    6. Telecommunication Service Suspension

Mobile network operators, other telecommunications service providers, and other relevant service providers are obligated to suspend telecommunications services believed to be used in the commission of technology crimes upon receiving an order from the NBTC Office.

    7. Ban on Unlicensed Digital Asset Business

A competent officer appointed under the law governing computer-related crime is empowered to immediately order the suspension or removal of unlawful computer data, or block its dissemination from a computer system, upon becoming aware that a person is operating a regulated digital asset business without a licence as required under the law governing digital asset business operations. Such an order must be carried out in accordance with the procedures prescribed by the Minister of Digital Economy and Society.

Any person who fails to comply with an order issued by a competent officer as described above is subject to imprisonment for a term not exceeding one year, a fine not exceeding THB 100,000, or both.

Notably, the Emergency Decree on the Digital Asset Business (No. 2), B.E. 2568 (2025), issued in parallel with the Technology Crime Decree (No. 2), expands the scope of the original Emergency Decree to cover digital asset business operators operating outside Thailand.

    8. New Offences Concerning Personal Data and Data of the Deceased

The Technology Crime Decree (No. 2) introduces new criminal offences relating to the misuse of personal data and the data of deceased persons. The provision targets the use of such data – whether directly or indirectly identifiable – for the commission of technology crimes or any other criminal offences.

Individuals may be held criminally liable not only for using such data but also for collecting, possessing, or disclosing it with the intention of enabling criminal activity. The base penalty for such action is imprisonment for up to one year, a fine not exceeding THB 100,000, or both.

Where the offence involves a commercial or exploitative element – such as buying, selling, exchanging, or unlawfully profiting from the data – the penalty increases to imprisonment for up to five years, a fine not exceeding THB 500,000, or both.

This provision addresses enforcement gaps under the Personal Data Protection Act (PDPA) by introducing criminal liability specifically tied to the misuse of personal data in connection with technological crimes.

What This Means for Business Operators

The Technology Crime Decree (No. 2) imposes expanded obligations and heightened compliance risks for a wide range of business operators, particularly those in the financial, telecommunications, digital asset, and social media platform sectors. Operators must implement new standards for fraud prevention, data sharing, and service suspension in accordance with orders from CPOT and relevant regulators. Failure to comply may result in both corporate penalties and personal liability for responsible individuals, including the director, managing director, or any person responsible for the operation of the corporate entity.

Businesses should urgently assess and improve their internal procedures to ensure alignment with the new enforcement framework. This includes both existing and future standards and measures for the prevention of technology crimes, as will be prescribed by relevant state authorities. Taking proactive steps is essential not only to reduce regulatory and criminal exposure but also to avoid potential liability for damages resulting from such crimes.

If you have any queries or need clarifications on the above, please contact our team.

Contribution Note

This Legal Update is contributed by the listed Contact Partners, with the assistance of Kittipol Chamsawarng (Senior Associate, Rajah & Tann (Thailand) Limited) and Benjarong Roongmaneekul (Senior Associate, Rajah & Tann (Thailand) Limited).


 

Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
