- 27
- February
Thailand is entering a new era of technology regulation — the Ministry of Digital Economy and Society (DE) together with the Electronic Transactions Development Agency (ETDA) have unveiled the framework of the country's first AI law, aimed at balancing the promotion of innovation with the protection of citizens. This article summarizes the key provisions of Thailand's draft AI law, compares them with AI laws in other countries, and outlines how organizations should prepare.
Why Does Thailand Need an AI Law?
2026 is the year AI has rapidly taken a role in every sector — reports show that over 90% of Thais know about AI and more than 80% use it regularly. At the same time, risks from AI use have increased significantly, including Deepfakes, biased decision-making, and personal data breaches.
Previously, Thailand lacked a specific legal framework for AI, relying instead on the Personal Data Protection Act (PDPA) and other laws not designed specifically for AI. This new draft law therefore aims to:
- Establish a clear regulatory framework — so organizations know what they must do when using AI
- Protect citizens' rights and freedoms — preventing AI from being used in ways that violate rights
- Promote innovation — avoiding over-regulation that stifles development
- Build user confidence — giving Thai people assurance that AI can be used safely
Key Provisions of Thailand's Draft AI Law
This draft law uses a Risk-based Approach similar to the EU AI Act, resting on three pillars:
Pillar 1: Deregulation — Removing Legal Barriers
Unlocking legal restrictions that impede AI adoption, such as copyright exemptions for Text and Data Mining (TDM) — a critical process in training AI models.
Pillar 2: Promotion — Supporting Development
Supporting AI development through several measures:
- Regulatory Sandbox — a testing ground for AI innovation under controlled conditions
- Tax incentives — for organizations investing in AI development
- AI Governance Center (AIGC) — a center for consulting and technical support
Pillar 3: Governance — Appropriate Oversight
Regulating AI in proportion to its risk level:
| Risk Level | Characteristics | Requirements |
|---|---|---|
| Prohibited | AI that is clearly harmful to society — e.g., Social Scoring, citizen ranking systems | Absolutely prohibited to develop or deploy |
| High-risk | AI in healthcare, finance, justice, employment | Must have a risk management system, legal representative in Thailand, and incident reporting |
| General | General AI that does not fall under high-risk — e.g., Chatbots, product recommendations | Voluntary adherence to best practices |
Specifically for Generative AI
The draft law imposes additional criminal penalties for using AI to generate obscene content or false information that could harm society or the electoral process, with clear enforcement mechanisms and content governance for AI-generated material.
Comparison with AI Laws in Other Countries
Thailand is not the first country to enact an AI law — here is how other countries have approached it:
| Country/Region | Law | Approach | Status |
|---|---|---|---|
| European Union | EU AI Act | Strict risk-based regulation with heavy penalties | In force |
| South Korea | AI Basic Act | Asia's first AI law, focusing on policy framework and governance structure | Fully effective 22 January 2026 |
| Thailand | Draft AI Act | Balance between promotion and oversight — combining Soft Law and Hard Law | Under public consultation |
The distinctive feature of Thailand's draft AI law is its Soft Law + Hard Law hybrid approach — not as stringent as the EU AI Act, but not overly permissive either, emphasizing promotion alongside oversight.
How Should Organizations Prepare?
Even though the law is not yet in force, organizations that start preparing now will have an advantage — both in terms of compliance and credibility.
1. Conduct an AI Inventory
The first step is to understand where your organization is already using AI:
- Customer service Chatbot systems
- Data analytics tools with AI/ML
- Facial Recognition systems
- Generative AI tools employees use (e.g., ChatGPT, Gemini)
- AI embedded in other software (e.g., ERP, CRM systems)
2. Assess Risk Levels
Classify the AI you use according to the risk levels defined in the draft law:
- High-risk AI? — e.g., AI making decisions on loans, employee selection, medical diagnosis
- General AI? — e.g., Chatbots answering general questions, product recommendations, report analysis
3. Establish an AI Governance Policy
Build an AI Governance framework within the organization covering:
- AI Usage Policy — define who can use AI, for what, and within what limits
- Review processes — verify that AI functions correctly, without bias, and without rights violations
- Risk management — assess and manage risks from AI use
- Incident reporting channel — allow employees and users to report anomalies
4. Prepare Your Data Systems
AI requires quality data — and the law requires that the data used to train AI can be audited. Organizations should therefore:
- Organize data systematically — data scattered across multiple Excel files is difficult to audit; an ERP system consolidates everything into a single source
- Maintain an Audit Trail — record who accessed, modified, or used data and when (critical under 2FA and data security requirements)
- Comply with PDPA — ensure data used with AI has proper consent and is stored correctly
ERP Systems and AI Compliance
An ERP system is a critical foundation for AI Compliance because it consolidates data from all departments into a single system, maintains a complete Audit Trail, and supports role-based access controls — which are baseline requirements under the AI law for organizations using high-risk AI.
5. Train Personnel
The law requires organizations to have "people who understand AI" — not necessarily developers, but people who understand how AI works, its limitations, and its risks.
Expected Timeline
| Period | Expected Developments |
|---|---|
| 2025–2026 | Public consultation, consolidating multiple draft laws into a single bill |
| 2026–2027 | Legislative process, parliamentary review |
| 2027–2028 | Expected to be enacted, with a transition period for organizations to adapt |
Organizations with well-organized data systems, complete Audit Trails, and an AI Governance Policy will adapt to the new law faster than those still managing data in scattered files — so implementing an ERP system today is the best preparation for the future.
— Saeree ERP Team
Summary
Thailand's first draft AI law is an important step toward building a framework for responsible AI use. Organizations that need to prepare most urgently are those using AI to make decisions that affect people's rights — such as in finance, employment, and healthcare.
5 things to start doing now:
- Conduct an AI Inventory — survey all AI in use across the organization
- Assess risk levels — classify by the criteria in the draft law
- Establish an AI Governance Policy — define internal rules and procedures
- Prepare your data systems — consolidate data, establish an Audit Trail
- Train personnel — build understanding of AI and its risks
If your organization is planning to organize data systems and workflows to be AI law-ready, you can consult with our advisory team free of charge.
