Skip to main content

Thailand AI Act: What the 2026 Draft Law Means for Business

Thailand has taken its biggest step yet toward regulating artificial intelligence. On July 2, 2026, the Electronic Transactions Development Agency (ETDA) released a new draft of the country’s first comprehensive AI law for a public hearing of roughly 30 days. The draft Thailand AI Act borrows its risk-based architecture from the EU AI Act, yet it adds distinctly Thai features: strict liability for AI-related damage, mandatory local representatives for foreign providers, and labeling duties for AI-generated content. For international businesses, the message is clear. If your AI systems touch people in Thailand, this law will reach you — even if you have no office in the country.

Thailand is also extending AI oversight into specific sectors, including the new telecom AI guidelines in Thailand.

What Is the Thailand AI Act?

The Thailand AI Act is a draft law prepared by ETDA, the digital-law agency under the Ministry of Digital Economy and Society (MDES). It would create the first dedicated legal framework for developing and deploying AI systems in Thailand. Until now, AI activity has been governed indirectly through the Personal Data Protection Act (PDPA), consumer protection rules, and sector regulators.

The draft adopts a tiered, risk-based approach. In other words, the heavier the potential harm, the heavier the obligations. Some AI practices would be banned outright. Others would face licensing, registration, or notification duties. Most everyday business AI would remain lightly regulated, but new transparency and liability rules would still apply across the board.

The public hearing window is short. Businesses that want to shape the final text should submit comments to MDES during the consultation period.

Key Takeaway: The draft Thailand AI Act is the country’s first comprehensive AI law. It follows the EU’s risk-based model but adds strict liability, local-representative requirements, and AI-content labeling duties tailored to Thailand.

Extraterritorial Reach: Foreign Companies Are Covered

The draft applies to AI development, deployment, or any other action that affects people in Thailand, even when that action happens abroad. Consequently, a US or Singapore-based AI provider whose chatbot, scoring model, or content tool reaches Thai users falls within scope despite having no Thai presence.

Foreign AI providers that serve Thai deployers or users must appoint a local coordinator or authorized representative. For certain system types, that representative must hold full authority to act for the provider — without any limitation of liability. This mirrors, but goes beyond, the representative model many multinationals already use under the PDPA.

Several activities sit outside the law. Exemptions cover purely personal or household use, ethics-approved university research, pre-launch research and development, and further categories to be prescribed by royal decree.

The Three Risk Tiers Under the Thailand AI Act

The draft sorts AI systems into three regulatory categories. Each tier carries a different compliance burden.

Risk tierWhat it coversConsequence
Prohibited AICognitive-behavioral manipulation using subliminal techniques; systems causing unfair broad-scale discrimination by processing irrelevant data; further serious-risk categories designated by the national AI committeeBanned outright
High-risk AISystems designated by royal decree as affecting national security, health, environment, energy, telecommunications, transport, or public utilitiesFull provider and deployer obligations
Designated AI systemsSystems that a subsequent royal decree may subject to notification, registration, or licensing before deploymentRegulator approval or filing required

Providers of high-risk AI must build systems that are fit for purpose, transparent, subject to meaningful human control, fair, and aligned with foreseeable risks. Moreover, the regulator may issue oversight guidelines across 13 areas, including risk management, bias prevention, cybersecurity, human oversight, and complaint handling.

Deployers carry duties of their own. They must run risk-management systems, follow provider instructions, assign capable oversight personnel, mitigate damage from AI incidents, keep operational logs for at least six months, and notify authorities of unforeseen risks.

Key Takeaway: Compliance exposure depends on classification. Businesses should map every AI system they provide or deploy against the three tiers now, because high-risk designation triggers extensive governance, logging, and oversight duties.

Labeling Rules for AI-Generated Content

The draft introduces some of the region’s most detailed transparency rules for generative AI. Three groups face distinct duties.

First, developers of systems that generate or modify images, audio, or video must assess risks, implement mitigation measures, and embed machine-readable marks identifying content as AI-generated.

Second, anyone who publishes AI-generated content touching sensitive subjects — national security, elections, investment credibility, food or drug properties, impersonation, or illegal acts — must disclose that the material is AI-generated or AI-modified.

Third, platform providers must assess risks, offer reporting channels, verify AI content, display labels, and prepare annual operational summaries. As a result, social media, e-commerce, and content platforms serving Thai users should expect meaningful new operational costs.

Data Localization and Government AI Contracts

A forthcoming national AI planning committee would gain significant power over sensitive sectors. It may designate “contract-controlled AI businesses” for services supplied to government or critical-infrastructure agencies. For those contracts, the committee can prescribe mandatory terms on data processing, risk management, security, modification, termination, and post-termination obligations.

More significantly for cloud-based providers, the committee may require data processing to occur within Thailand for AI services of national importance. Therefore, global AI and cloud vendors serving Thai government or infrastructure clients may need to invest in local hosting or restructure their delivery models.

Strict Liability, Fines, and Enforcement

The liability regime is the draft’s sharpest edge. Providers and deployers face joint liability for AI-related damage regardless of intent or negligence — a strict liability standard. Defenses are narrow: force majeure, the victim’s own act or omission, or compliance with an official order. Contractual disclaimers will not rescue a provider whose system causes harm.

Enforcement escalates in stages. The regulator may first order rectification of insufficient measures. With ministerial approval, it may then ask the court to suspend services, recall products, or halt deployment. Finally, if providers still fail to comply, the court may order internet service providers to block the AI system in Thailand. Administrative fines range from THB 1 million to THB 5 million per violation.

The draft also offers carrots alongside sticks. It creates a regulatory sandbox for testing AI in regulated sectors, data-sharing infrastructure through Thailand’s Big Data Institute, and self-regulation frameworks. Notably, following approved best practices may count toward eligibility for government investment promotion programs.

Key Takeaway: Strict liability changes the risk calculus for every AI provider and deployer in Thailand. Insurance, indemnities, vendor due diligence, and incident-response planning become essential — negligence-based defenses will no longer be available.

Timeline: What Businesses Should Do Now

Implementation would be phased. Core measures on launching AI products take effect immediately upon publication in the Government Gazette. Risk control, supervision, and serious-incident provisions follow 180 days later, giving affected businesses a limited preparation window.

Prudent organizations should act during the hearing period rather than after enactment. We recommend five steps:

  • Inventory your AI systems. Identify every system you develop, deploy, or procure that could affect people in Thailand, and map each against the three risk tiers.
  • Assess extraterritorial exposure. Foreign groups should determine whether they need a Thai authorized representative and what liability that role carries.
  • Review generative AI outputs. Check whether your content pipelines can embed machine-readable marks and display required disclosures.
  • Revisit contracts and insurance. Strict liability and mandatory government-contract terms call for updated indemnities, caps, and coverage.
  • Participate in the hearing. Submit comments to MDES while the draft can still change.

Frequently Asked Questions

What is the Thailand AI Act?
It is Thailand’s first comprehensive draft law on artificial intelligence, released by ETDA on July 2, 2026 for public hearing. It establishes a risk-based classification system, transparency duties for AI-generated content, strict liability for AI-related damage, and an enforcement regime with fines of THB 1–5 million.
Does the Thai AI law apply to foreign companies?
Yes. The draft applies to any AI development or deployment affecting people in Thailand, even if performed abroad. Foreign providers serving Thai users or deployers must appoint a local coordinator or authorized representative, who in some cases must act with unlimited liability on the provider’s behalf.
Which AI systems would be prohibited in Thailand?
The draft bans AI that manipulates behavior through subliminal techniques and AI that causes unfair broad-scale discrimination by processing irrelevant data. A national AI committee may designate further serious-risk categories by announcement.
What are the penalties under the draft AI law?
Administrative fines range from THB 1 million to THB 5 million. In addition, the regulator may seek court orders to suspend services, recall products, or require ISPs to block a non-compliant AI system in Thailand. Providers and deployers also face joint strict liability for damages.
When will the Thailand AI Act take effect?
The draft is still at the public-hearing stage, expected to run about 30 days from July 2, 2026. If enacted, core product-launch measures take effect immediately upon publication, while risk-control and supervision provisions follow 180 days later.
How does the draft compare with the EU AI Act?
Both use a risk-based model with prohibited and high-risk tiers. However, the Thai draft adds joint strict liability for damages, potential data-localization mandates for nationally important AI services, and mandatory contract terms for government-facing AI businesses — features that go beyond the EU framework.

Conclusion

The draft Thailand AI Act signals that the era of unregulated AI in Thailand is ending. The combination of extraterritorial scope, strict liability, and content-labeling duties will affect far more businesses than the headline “high-risk” category suggests. Because core measures bite immediately upon publication, waiting for enactment is not a strategy. Companies that inventory their AI systems, engage in the hearing, and prepare governance structures now will absorb the new law at far lower cost than those that react later.

The framework also connects to Thailand’s wider digital-law agenda. It arrives alongside the redrafted Electronic Transactions Act, the new PDPA certification framework, and the courts’ own rules on AI use in Thai litigation. Primary materials are available from ETDA and the Ministry of Digital Economy and Society.

Need Guidance on AI Regulation in Thailand?

Lex Bangkok advises international technology companies, platforms, and investors on Thai digital, data, and AI regulation. Our team can classify your AI systems, structure local-representative arrangements, and prepare your compliance roadmap before the new law takes effect.

Schedule a Consultation