NCSA Web Security Standard: Are You Ready for September 2026?
Thailand's mandatory Website Security Standard B.E. 2568 kicks in September 2026. If you're a government agency or CII operator, now is the time to prepare.
What Is the NCSA Web Security Standard?
Published in the Royal Gazette on 16 September 2025, this standard sets the minimum security bar for every website operated by a government agency, regulator, or CII organization. It was issued by the National Cybersecurity Committee (กมช.) under the Cybersecurity Act B.E. 2562 and uses a "High Water Mark" risk model built on the CIA triad. Private-sector organizations are strongly encouraged to adopt it as well.
- Issued by the National Cybersecurity Committee (กมช.) under NCSA (สกมช.) pursuant to the Cybersecurity Act B.E. 2562 (2019)
- Published in the Royal Thai Government Gazette on 16 September 2025
- Takes effect 16 September 2026, giving organizations 1 year to comply
- Applies the "High Water Mark" principle based on the CIA triad (Confidentiality, Integrity, Availability)
- Requires organizations to classify website impact levels as low, medium, or high
- Mandatory for government agencies, regulatory bodies, and CII operators; recommended for private enterprises
- Based on international standards including OWASP ASVS and NIST frameworks
Reference: Website Security Standard B.E. 2568 (Version 1.0), National Cybersecurity Committee (กมช.), Royal Thai Government Gazette, 16 September 2025
Who Must Comply?
Mandatory for government agencies, regulators, and CII operators. Private enterprises are strongly encouraged to adopt the standard as their own security baseline.
Government Agencies
All government organizations operating public-facing websites and web applications
Financial Services CII
Banks, securities firms, insurance companies, and payment service providers designated as CII
ICT & Telecom CII
Information and communication technology providers and telecommunications operators
Energy & Utilities CII
Energy providers and public utility organizations operating critical web systems
Transportation CII
Transportation infrastructure operators with web-based services and systems
Healthcare CII
Healthcare organizations operating websites handling sensitive patient information
Core Security Requirements
Six domains you must address — from penetration testing and secure development to incident response and monitoring.
Web Vulnerability Assessment & Penetration Testing
Conduct continuous vulnerability assessments scanning internet-accessible assets for known CVEs and misconfigurations. Penetration testing must be performed at least annually, targeting OWASP Top 10 vulnerabilities including XSS, SQL Injection, and broken authentication.
Secure Development Practices
Implement a Secure Software Development Lifecycle (SSDLC) including secure coding standards, code review processes, and pre-deployment security testing. Secure code review is highly recommended to eliminate OWASP Top 10 flaws at the source code level.
SSL/TLS & DNSSEC Configuration
Enforce HTTPS with TLS 1.2 or higher, strong cipher suites, valid certificates, and HSTS headers. Implement DNSSEC for DNS security across all web properties.
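A compliance check for the transport requirements just listed, written as an added example rather than anything from the standard or from Reconix: it evaluates captured connection parameters (negotiated protocol, cipher suite, certificate validity, Strict-Transport-Security header) against the TLS 1.2 floor the standard states. The weak-cipher name patterns, the one-year HSTS max-age floor, and the sample servers are this example's own assumptions.

```python
"""Assess HTTPS parameters against the TLS/HSTS clauses of the standard."""
import re
from typing import Dict, List, Optional

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_TLS = "TLSv1.2"                      # floor stated by the standard summary
# Assumption: cipher-name fragments that indicate deprecated primitives.
WEAK_CIPHER = re.compile(r"(NULL|EXPORT|RC4|DES|MD5|anon)", re.IGNORECASE)
MIN_HSTS_MAX_AGE = 31536000              # assumption: one year, a common baseline


def parse_hsts(header: Optional[str]) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: Dict[str, str] = {}
    for part in (header or "").split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess(version: str, cipher: str, hsts: Optional[str], cert_valid: bool) -> List[str]:
    """Return one finding per requirement the connection fails; empty means compliant."""
    findings: List[str] = []
    if version not in TLS_ORDER or TLS_ORDER.index(version) < TLS_ORDER.index(MIN_TLS):
        findings.append(f"protocol {version} below required minimum {MIN_TLS}")
    if WEAK_CIPHER.search(cipher):
        findings.append(f"weak cipher suite negotiated: {cipher}")
    if not cert_valid:
        findings.append("certificate failed validation")
    directives = parse_hsts(hsts)
    if "max-age" not in directives:
        findings.append("HSTS header missing or lacks max-age")
    else:
        max_age = int(directives["max-age"]) if directives["max-age"].isdigit() else -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    return findings


# Constructed sample captures (not real hosts): one legacy, one hardened.
SAMPLE_SERVERS = {
    "legacy-portal": ("TLSv1", "RC4-SHA", None, True),
    "hardened-portal": ("TLSv1.3", "TLS_AES_256_GCM_SHA384",
                        "max-age=31536000; includeSubDomains", True),
}


def assess_all() -> Dict[str, List[str]]:
    """Assess every sample server; non-empty lists are audit findings."""
    return {name: assess(*params) for name, params in SAMPLE_SERVERS.items()}
```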
Access Control & Authentication
Implement robust access control mechanisms with Multi-Factor Authentication (MFA) for administrative access and sensitive systems. Enforce strong session management controls and role-based authorization.
Incident Response for Web Attacks
Establish documented procedures for detecting, responding to, and recovering from web-based security incidents including defacement, data breaches, and DDoS attacks.
Security Monitoring & Logging
Implement comprehensive logging of web application events, security monitoring systems, and regular log review processes for anomaly detection.
What Happens If You Don't Comply
The Cybersecurity Act B.E. 2562 gives NCSA real enforcement powers. While the Act itself is already in force, the Website Security Standard B.E. 2568 specifically takes effect on 16 September 2026. After that date, non-compliance triggers escalating consequences.
Under the Cybersecurity Act (already in force), NCSA can issue compliance orders requiring CII organizations to implement specific security measures. Once the Website Security Standard takes effect in September 2026, failure to meet its requirements may trigger escalated enforcement.
Organizations that fail to meet CII obligations under the Cybersecurity Act face administrative penalties. Once the Website Security Standard is enforceable (from September 2026), NCSA will have grounds to impose corrective measures and sanctions for non-compliance with its specific requirements.
Non-compliance with NCSA standards may be disclosed through regulatory reporting channels, affecting organizational reputation, public trust, and business relationships with government entities.
How Security Testing Maps to NCSA Requirements
Every testing service below addresses a specific mandate in the standard and produces the documented evidence auditors expect.
Your NCSA Compliance Checklist
Everything your organization needs in place before the September 2026 deadline.
Official References
Consult the original regulatory documents for full requirements.
Services That Get You Compliant
Testing and advisory services aligned with every NCSA requirement, from assessment to audit-ready documentation.
NCSA Web Security Standards FAQ
Common questions about the NCSA Web Application Security Standards and compliance requirements.
Don't Wait Until the Deadline
September 2026 is closer than you think. Our assessments map directly to every NCSA requirement and deliver audit-ready documentation.
Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.