Thailand has taken its biggest step yet toward regulating artificial intelligence. On July 2, 2026, the Electronic Transactions Development Agency (ETDA) released a new draft of the country’s first comprehensive AI law for a public hearing of roughly 30 days. The draft Thailand AI Act borrows its risk-based architecture from the EU AI Act, yet it adds distinctly Thai features: strict liability for AI-related damage, mandatory local representatives for foreign providers, and labeling duties for AI-generated content. For international businesses, the message is clear. If your AI systems touch people in Thailand, this law will reach you — even if you have no office in the country.
Thailand is also extending AI oversight into specific sectors, including the new telecom AI guidelines in Thailand.
What Is the Thailand AI Act?
The Thailand AI Act is a draft law prepared by ETDA, the digital-law agency under the Ministry of Digital Economy and Society (MDES). It would create the first dedicated legal framework for developing and deploying AI systems in Thailand. Until now, AI activity has been governed indirectly through the Personal Data Protection Act (PDPA), consumer protection rules, and sector regulators.
The draft adopts a tiered, risk-based approach. In other words, the heavier the potential harm, the heavier the obligations. Some AI practices would be banned outright. Others would face licensing, registration, or notification duties. Most everyday business AI would remain lightly regulated, but new transparency and liability rules would still apply across the board.
The public hearing window is short. Businesses that want to shape the final text should submit comments to MDES during the consultation period.
Extraterritorial Reach: Foreign Companies Are Covered
The draft applies to AI development, deployment, or any other action that affects people in Thailand, even when that action happens abroad. Consequently, a US or Singapore-based AI provider whose chatbot, scoring model, or content tool reaches Thai users falls within scope despite having no Thai presence.
Foreign AI providers that serve Thai deployers or users must appoint a local coordinator or authorized representative. For certain system types, that representative must hold full authority to act for the provider — without any limitation of liability. This mirrors, but goes beyond, the representative model many multinationals already use under the PDPA.
Several activities sit outside the law. Exemptions cover purely personal or household use, ethics-approved university research, pre-launch research and development, and further categories to be prescribed by royal decree.
The Three Risk Tiers Under the Thailand AI Act
The draft sorts AI systems into three regulatory categories. Each tier carries a different compliance burden.
| Risk tier | What it covers | Consequence |
|---|---|---|
| Prohibited AI | Cognitive-behavioral manipulation using subliminal techniques; systems causing unfair broad-scale discrimination by processing irrelevant data; further serious-risk categories designated by the national AI committee | Banned outright |
| High-risk AI | Systems designated by royal decree as affecting national security, health, environment, energy, telecommunications, transport, or public utilities | Full provider and deployer obligations |
| Designated AI systems | Systems that a subsequent royal decree may subject to notification, registration, or licensing before deployment | Regulator approval or filing required |
Providers of high-risk AI must build systems that are fit for purpose, transparent, subject to meaningful human control, fair, and aligned with foreseeable risks. Moreover, the regulator may issue oversight guidelines across 13 areas, including risk management, bias prevention, cybersecurity, human oversight, and complaint handling.
Deployers carry duties of their own. They must run risk-management systems, follow provider instructions, assign capable oversight personnel, mitigate damage from AI incidents, keep operational logs for at least six months, and notify authorities of unforeseen risks.
Labeling Rules for AI-Generated Content
The draft introduces some of the region’s most detailed transparency rules for generative AI. Three groups face distinct duties.
First, developers of systems that generate or modify images, audio, or video must assess risks, implement mitigation measures, and embed machine-readable marks identifying content as AI-generated.
Second, anyone who publishes AI-generated content touching sensitive subjects — national security, elections, investment credibility, food or drug properties, impersonation, or illegal acts — must disclose that the material is AI-generated or AI-modified.
Third, platform providers must assess risks, offer reporting channels, verify AI content, display labels, and prepare annual operational summaries. As a result, social media, e-commerce, and content platforms serving Thai users should expect meaningful new operational costs.
Data Localization and Government AI Contracts
A forthcoming national AI planning committee would gain significant power over sensitive sectors. It may designate “contract-controlled AI businesses” for services supplied to government or critical-infrastructure agencies. For those contracts, the committee can prescribe mandatory terms on data processing, risk management, security, modification, termination, and post-termination obligations.
More significantly for cloud-based providers, the committee may require data processing to occur within Thailand for AI services of national importance. Therefore, global AI and cloud vendors serving Thai government or infrastructure clients may need to invest in local hosting or restructure their delivery models.
Strict Liability, Fines, and Enforcement
The liability regime is the draft’s sharpest edge. Providers and deployers face joint liability for AI-related damage regardless of intent or negligence — a strict liability standard. Defenses are narrow: force majeure, the victim’s own act or omission, or compliance with an official order. Contractual disclaimers will not rescue a provider whose system causes harm.
Enforcement escalates in stages. The regulator may first order rectification of insufficient measures. With ministerial approval, it may then ask the court to suspend services, recall products, or halt deployment. Finally, if providers still fail to comply, the court may order internet service providers to block the AI system in Thailand. Administrative fines range from THB 1 million to THB 5 million per violation.
The draft also offers carrots alongside sticks. It creates a regulatory sandbox for testing AI in regulated sectors, data-sharing infrastructure through Thailand’s Big Data Institute, and self-regulation frameworks. Notably, following approved best practices may count toward eligibility for government investment promotion programs.
Timeline: What Businesses Should Do Now
Implementation would be phased. Core measures on launching AI products take effect immediately upon publication in the Government Gazette. Risk control, supervision, and serious-incident provisions follow 180 days later, giving affected businesses a limited preparation window.
Prudent organizations should act during the hearing period rather than after enactment. We recommend five steps:
- Inventory your AI systems. Identify every system you develop, deploy, or procure that could affect people in Thailand, and map each against the three risk tiers.
- Assess extraterritorial exposure. Foreign groups should determine whether they need a Thai authorized representative and what liability that role carries.
- Review generative AI outputs. Check whether your content pipelines can embed machine-readable marks and display required disclosures.
- Revisit contracts and insurance. Strict liability and mandatory government-contract terms call for updated indemnities, caps, and coverage.
- Participate in the hearing. Submit comments to MDES while the draft can still change.
Frequently Asked Questions
What is the Thailand AI Act?
Does the Thai AI law apply to foreign companies?
Which AI systems would be prohibited in Thailand?
What are the penalties under the draft AI law?
When will the Thailand AI Act take effect?
How does the draft compare with the EU AI Act?
Conclusion
The draft Thailand AI Act signals that the era of unregulated AI in Thailand is ending. The combination of extraterritorial scope, strict liability, and content-labeling duties will affect far more businesses than the headline “high-risk” category suggests. Because core measures bite immediately upon publication, waiting for enactment is not a strategy. Companies that inventory their AI systems, engage in the hearing, and prepare governance structures now will absorb the new law at far lower cost than those that react later.
The framework also connects to Thailand’s wider digital-law agenda. It arrives alongside the redrafted Electronic Transactions Act, the new PDPA certification framework, and the courts’ own rules on AI use in Thai litigation. Primary materials are available from ETDA and the Ministry of Digital Economy and Society.
Need Guidance on AI Regulation in Thailand?
Lex Bangkok advises international technology companies, platforms, and investors on Thai digital, data, and AI regulation. Our team can classify your AI systems, structure local-representative arrangements, and prepare your compliance roadmap before the new law takes effect.
Schedule a Consultation