Thailand's government is systematically restructuring its digital infrastructure through new regulations on satellites, submarine cables, and data residency. The effort spans infrastructure investment, regulatory frameworks, and cybersecurity standards. How the kingdom implements these changes over the next 24 months will significantly affect internet access, business operations, and data flows for residents and businesses.
Why This Matters
• 80% of Thailand's internet traffic flows through vulnerable land borders—meaning regional conflict could disrupt connectivity. The government is investing in submarine cables to shift this ratio to 80% undersea routes and 20% terrestrial within the next several years.
• Cyberattacks on Thai targets average 3,200 per week, 164% above global norms, with ransomware incidents hitting 109,000 annually—highest in Southeast Asia. SMEs remain exposed to credential theft and data breaches.
• Foreign satellite operators like Starlink bypass Thai law entirely, beaming internet directly to consumers without NBTC approval. New licensing rules now require all satellite operators to be Thai companies or joint ventures with minimum 51% Thai ownership.
• Personal data is regularly transferred outside Thailand to servers in the US or China, often beyond the reach of Thailand's Personal Data Protection Act (PDPA). Cross-border data transfers now require proof of equivalent legal protections.
The Infrastructure Gamble: Thailand's Submarine Cable Strategy
Thailand currently sends roughly 80% of its international data across terrestrial routes—cables buried along borders with Cambodia, Laos, and Myanmar. During regional tensions, these cables represent vulnerability points. A conflict in the South China Sea or border disputes could disrupt connectivity.
The solution is to shift traffic to undersea fiber lines that traverse international waters. These submarine cables are harder to disrupt unilaterally. The National Telecom (NT), Thailand's state-owned operator, is leading this investment with a goal to flip the ratio to 80% submarine and 20% terrestrial within the next several years. For a country dependent on tourism, foreign investment, and supply-chain integration, reliable internet connectivity is critical. This cable strategy addresses that operational necessity.
Infrastructure investment alone, however, doesn't ensure regulatory control. That requires addressing satellite networks and data governance separately.
The Satellite Problem: Regulating LEO Networks
LEO satellite networks pose distinct regulatory challenges. SpaceX's Starlink can deliver broadband to a laptop-sized receiver anywhere within its footprint. Unlike traditional satellites requiring ground-based gateways, LEO systems can theoretically serve Thai customers directly, bypassing the National Broadcasting and Telecommunications Commission (NBTC) entirely.
Thailand's regulatory response, implemented in 2024, establishes a three-tiered licensing system:
• Gateway licenses govern facilities connecting to foreign satellites
• Landing rights licenses regulate uplink and downlink operations on Thai soil
• Service licenses cover commercial provision of satellite internet to consumers
All operators must be Thai companies or joint ventures with minimum 51% Thai ownership. Compliance costs include a 2 million baht one-time fee per satellite system, plus annual payments of 3.2% of revenues generated in Thailand.
In September 2025, the National Space Policy Committee expanded the framework to allow foreign satellite operators from WTO member countries to apply for authorization, subject to technical, social, economic, and national security review. Operators must now adhere to the PDPA, cross-border data transfer protocols, cybersecurity standards, and equipment type-approvals.
Starlink and other LEO providers have not yet formally applied for Thai landing rights, but the regulatory framework is in place.
What This Means for You: Immediate Implications
If you use cloud services or VPNs: Expect geoblocking and data residency requirements to increase through 2026. Services may fragment, with some content restricted to regions or requiring local hosting. Cloud providers are adapting their infrastructure to comply with Thai data localization mandates—this process may create temporary service disruptions or increased costs passed to consumers.
If you operate a business in Thailand: Cross-border data transfers now require documentation that recipient countries offer legal protections equivalent to Thailand's standards. If your business transfers customer data to US or regional servers, you must establish compliance mechanisms now. Penalties for non-compliance include fines, data seizures, and potential criminal liability for company officers. The National Committee on Digital Economy has set compliance review periods through 2026.
If you're a digital nomad or manage remote teams: VPN usage remains legal for personal purposes, but business operations relying on foreign cloud infrastructure should verify that service providers have Thai data center operations or equivalent legal arrangements. This is not an immediate threat, but long-term infrastructure changes may require operational adjustments.
If you work in fintech, healthcare, or e-commerce: Regulatory burden is increasing measurably. Data contracts with cloud providers are tightening. Cross-border workflow complexity is rising. Budget for compliance consultation by mid-2026 if you haven't already.
The Data Sovereignty Problem: Where Your Information Lives
Infrastructure strategy addresses half the sovereignty equation. The other half concerns where data physically resides and which legal system governs it.
Thailand's Personal Data Protection Act, effective since May 2020, grants individuals rights over personal information. But enforcement against foreign firms has been inconsistent. When Thai user data sits on US or Chinese servers, Thai law becomes secondary to the host country's legal processes.
The government is tightening requirements. Cross-border data transfers now require evidence that recipient countries offer protections equivalent to Thailand's standards. Cloud service providers without local data centers face increasing friction. The Ministry of Digital Economy is investing in Thai-owned data centers and competing against AWS, Azure, and Alibaba.
For businesses handling sensitive information, compliance costs are rising. Cross-border data residency is moving from convenience to legal mandate. Non-compliance carries penalties, data seizures, and potential criminal liability for company officers.
Cyberattacks: The Growing Threat
Thailand experiences over 3,200 cyberattacks weekly. That's 164% above the global average. Over the past two years, 5 million credential records have been compromised in Thailand, representing a 6,250% increase from baseline rates. One incident involving a multinational tech company exposed 1 petabyte—roughly 2 million hours of HD video.
Ransomware is the most visible threat. Thailand recorded over 109,000 ransomware incidents in recent years, the highest count in Southeast Asia. The infection rate increased 35% year-over-year, while the global rate climbed 11%. Thai organizations, particularly SMEs, are both lucrative and poorly defended targets.
The Royal Thai Armed Forces established a cyber-command unit in 2024, dedicated to hardening military infrastructure. Civilian-side efforts include the National Cybersecurity Policy and Action Plan (2022-2027), which prioritizes threat prevention, detection capacity, workforce development, and international cooperation. Key initiatives include AI-driven threat detection, establishment of Cyber Security Operation Centers (CSOCs), and public awareness campaigns. Three cybersecurity conferences scheduled for 2026—ThaiCyberX, CYSEC THAILAND, and the Cyber Security Summit Thailand—reflect government commitment to attracting defensive innovation and talent.
Thailand's Approach in Regional Context
Thailand is not alone in reasserting digital control. Across Southeast Asia, similar mechanisms are emerging.
Indonesia enforces strict data localization for public electronic systems and sensitive government data. Vietnam's Cybersecurity Law mandates that foreign tech companies store user data locally and maintain in-country offices. Singapore imposes sector-specific localization in banking and healthcare while investing in sovereign AI infrastructure.
Five ASEAN nations—Singapore, Vietnam, Indonesia, Malaysia, and Thailand—are actively building domestic AI models and cloud infrastructure to reduce reliance on Western or Chinese platforms. Vietnam introduced an AI Law in March 2026, establishing a National AI Infrastructure prioritizing Vietnamese-language data.
For multinational firms, this regional patchwork creates operational overhead. Compliance in Vietnam does not automatically transfer to Thailand; Thai standards don't apply in Malaysia.
The Underlying Tension
Thailand's policy reflects a core contradiction: the government wants economic velocity from global digital connectivity—foreign investment, tech innovation, high-speed internet—while maintaining control over information flows and regulatory authority.
Thailand's response is interventionist. Stricter licensing, higher local ownership thresholds, mandatory data residency, cybersecurity mandates, and significant penalties for non-compliance. Critics argue this slows innovation and deters foreign investment. Proponents counter that without these guardrails, the nation risks surrendering control over its information ecosystem.
The government has committed to this path. The infrastructure and regulatory frameworks are now in place.
What Comes Next
For residents and businesses in Thailand, the practical reality is clear: the internet is no longer borderless for regulatory purposes. The new operating environment includes digital borders, national data perimeters, and government oversight through licensing, data residency mandates, and cybersecurity enforcement.
Adaptation is not optional. For those using cloud services, operating businesses, or managing digital infrastructure, the changes are already underway. The timeline for full implementation extends through 2026, but compliance decisions should be made now.
