
NCSA Website Security Standard Compliance

Thailand's National Cybersecurity Committee (กมช.) under NCSA has issued mandatory Website Security Standards B.E. 2568 (Version 1.0) under the Cybersecurity Act B.E. 2562 (2019). These standards are mandatory for government agencies and CII operators, and recommended for private enterprises.

  • Standards Version: v1.0 (Website Security)
  • Enforcement Date: Sep 2026 (1-year transition period)
  • Applies To: CII (Critical Infrastructure)
  • Testing Cycle: Annual (minimum requirement)

What are the NCSA Web Security Standards?

The "Website Security Standard Version 1.0" (มาตรฐานการรักษาความมั่นคงปลอดภัยสำหรับเว็บไซต์ พ.ศ. 2568) establishes mandatory security requirements issued by the National Cybersecurity Committee (กมช.) under the National Cyber Security Agency (NCSA/สกมช.), pursuant to the Cybersecurity Act B.E. 2562 (2019). Published in the Royal Thai Government Gazette on 16 September 2025, these standards set minimum security requirements for websites operated by government agencies, regulatory and supervisory bodies, and Critical Information Infrastructure (CII) organizations. The standard applies the "High Water Mark" principle, assessing risks based on the CIA triad (Confidentiality, Integrity, and Availability), and is also recommended for adoption by private enterprises.

  • Issued by the National Cybersecurity Committee (กมช.) under NCSA (สกมช.) pursuant to the Cybersecurity Act B.E. 2562 (2019)
  • Published in the Royal Thai Government Gazette on 16 September 2025
  • Takes effect 16 September 2026, giving organizations 1 year to comply
  • Applies the "High Water Mark" principle based on the CIA triad (Confidentiality, Integrity, Availability)
  • Requires organizations to classify website impact levels as low, medium, or high
  • Mandatory for government agencies, regulatory bodies, and CII operators; recommended for private enterprises
  • Based on international standards including OWASP ASVS and NIST frameworks

Reference: Website Security Standard B.E. 2568 (Version 1.0), National Cybersecurity Committee (กมช.), Royal Thai Government Gazette, 16 September 2025

Who Must Comply?

The NCSA Web Security Standards are mandatory for government agencies, regulatory and supervisory bodies, and Critical Information Infrastructure (CII) operators. Private enterprises are also encouraged to adopt the standards as a security framework.

Government Agencies

All government organizations operating public-facing websites and web applications

Financial Services CII

Banks, securities firms, insurance companies, and payment service providers designated as CII

ICT & Telecom CII

Information and communication technology providers and telecommunications operators

Energy & Utilities CII

Energy providers and public utility organizations operating critical web systems

Transportation CII

Transportation infrastructure operators with web-based services and systems

Healthcare CII

Healthcare organizations operating websites handling sensitive patient information


Key NCSA Security Requirements

The standards define comprehensive security requirements for web applications across multiple domains.

Web Vulnerability Assessment & Penetration Testing

Conduct continuous vulnerability assessments scanning internet-accessible assets for known CVEs and misconfigurations. Penetration testing must be performed at least annually, targeting OWASP Top 10 vulnerabilities including XSS, SQL Injection, and broken authentication.

Secure Development Practices

Implement a Secure Software Development Lifecycle (SSDLC) including secure coding standards, code review processes, and pre-deployment security testing. Secure code review is highly recommended to eliminate OWASP Top 10 flaws at the source code level.

SSL/TLS & DNSSEC Configuration

Enforce HTTPS with TLS 1.2 or higher, strong cipher suites, valid certificates, and HSTS headers. Implement DNSSEC for DNS security across all web properties.
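To make the HSTS and "TLS 1.2 or higher" items above concrete, here is an added, stand-alone pre-check script. It is not code from Reconix or from the NCSA standard: it parses Strict-Transport-Security headers from a few constructed sample responses (the `example.test` hosts are made up), grades them against an assumed one-year `max-age` baseline that the standard itself does not specify, and builds the client-side TLS policy an assessor would use for a follow-up live check, with certificate verification on and TLS 1.0/1.1 refused.

```python
"""Offline pre-check for the HSTS and 'TLS 1.2 or higher' items above.
Response headers below are constructed samples, not real sites."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Constructed sample responses keyed by hostname (example.test is reserved for docs).
SAMPLE_RESPONSES = {
    "portal.example.test": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    },
    "legacy.example.test": {
        "Strict-Transport-Security": "max-age=300",
    },
    "noheader.example.test": {
        "Content-Type": "text/html",
    },
}

# Assumed baseline (not from the NCSA text): one year, the floor browsers
# require for HSTS preload list submission.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into directives.
    Names are case-insensitive (RFC 6797); valueless directives map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


@dataclass
class HstsFinding:
    host: str
    present: bool
    max_age: Optional[int]
    include_subdomains: bool
    ok: bool
    reason: str


def check_hsts(host: str, headers: dict, min_age: int = MIN_HSTS_MAX_AGE) -> HstsFinding:
    """Evaluate one host's response headers against the HSTS policy."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return HstsFinding(host, False, None, False, False, "no HSTS header")
    d = parse_hsts(raw)
    age = d.get("max-age")
    # A bare 'max-age' or a non-numeric value is a misconfiguration, not a pass.
    if not isinstance(age, str) or not age.isdigit():
        return HstsFinding(host, True, None, False, False, "max-age missing or malformed")
    max_age = int(age)
    include_sub = "includesubdomains" in d
    if max_age < min_age:
        return HstsFinding(host, True, max_age, include_sub, False,
                           f"max-age {max_age} below {min_age}")
    return HstsFinding(host, True, max_age, include_sub, True, "ok")


def run_precheck(responses: dict) -> list:
    """Check every sampled host; findings come back in input order."""
    return [check_hsts(host, hdrs) for host, hdrs in responses.items()]


def tls_client_policy() -> ssl.SSLContext:
    """Client context for follow-up live checks: certificate and hostname
    verification from create_default_context(), plus a TLS 1.2 floor so a
    TLS 1.0/1.1-only server fails the handshake instead of passing silently."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy_min_version_name() -> str:
    """Name of the negotiated floor, e.g. 'TLSv1_2', for reporting."""
    return tls_client_policy().minimum_version.name


if __name__ == "__main__":
    for f in run_precheck(SAMPLE_RESPONSES):
        print(f"{f.host}: {'PASS' if f.ok else 'FAIL'} ({f.reason})")
    print("TLS floor:", tls_policy_min_version_name())
```

Running the script as-is reports one pass (`portal`) and two failures (a short `max-age` and a missing header); pointing `run_precheck` at headers captured from your own properties turns it into a first-pass evidence record for the assessment file.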

Access Control & Authentication

Implement robust access control mechanisms with Multi-Factor Authentication (MFA) for administrative access and sensitive systems. Enforce strong session management controls and role-based authorization.

Incident Response for Web Attacks

Establish documented procedures for detecting, responding to, and recovering from web-based security incidents including defacement, data breaches, and DDoS attacks.

Security Monitoring & Logging

Implement comprehensive logging of web application events, security monitoring systems, and regular log review processes for anomaly detection.

Consequences of Non-Compliance

The NCSA enforces these standards under the authority of the Cybersecurity Act B.E. 2562 (2019), which provides enforcement mechanisms for non-compliant organizations.

Regulatory Orders (Cybersecurity Act)

NCSA can issue compliance orders requiring CII organizations to implement specific security measures within a defined timeframe. Failure to comply with orders may result in escalated enforcement actions.

Administrative Penalties (Cybersecurity Act)

Organizations that fail to meet CII obligations under the Cybersecurity Act face administrative penalties. NCSA has authority to impose corrective measures and sanctions on non-compliant CII operators.

Reputational Impact (Public Disclosure)

Non-compliance with NCSA standards may be disclosed through regulatory reporting channels, affecting organizational reputation, public trust, and business relationships with government entities.


NCSA Compliance Checklist

Key actions to demonstrate compliance with the NCSA Web Security Standards.

  • Classify website impact levels (low, medium, high) per NCSA High Water Mark guidelines
  • Conduct continuous vulnerability assessments of internet-accessible web assets
  • Perform annual web application penetration testing covering the OWASP Top 10
  • Implement and document a Secure Software Development Lifecycle (SSDLC)
  • Configure SSL/TLS with TLS 1.2 or higher, strong cipher suites, and valid certificates
  • Implement DNSSEC for DNS security protection
  • Deploy HSTS headers and enforce HTTPS across all web properties
  • Enable Multi-Factor Authentication (MFA) for all administrative and sensitive system access
  • Implement role-based access control and strong session management
  • Deploy Web Application Firewall (WAF) protection
  • Create and test incident response procedures for web-based attacks
  • Implement comprehensive security logging and real-time monitoring
  • Conduct regular cybersecurity training for development and operations teams
  • Maintain documented evidence of all security assessments for NCSA review
  • Track remediation of identified vulnerabilities against defined timelines
  • Review and update web security policies at least annually

NCSA Web Security Standards FAQ

Common questions about the NCSA Web Application Security Standards and compliance requirements.

Prepare for NCSA Compliance

Get ahead of the September 2026 enforcement deadline. Our expert web application security assessments align directly with NCSA standard requirements, providing compliance-ready documentation.

Reconix is a leading cybersecurity company in Thailand, providing world-class services to businesses of all sizes.