Which organizations in Thailand are required to have a BCP under Thai law?
In previous articles, we have already explained what a BCMS is and what a BCP plan involves. This article addresses another common question raised by many organizations studying BCP: Are there any BCP-related laws in Thailand? Which business sectors or types of organizations are required to have one? In this article, we will explore these topics together.
Why Organizations are forced to establish a BCP?
Many readers may have wondered why organizations need a BCP plan or a BCM system. Why do some countries such as the UK or the United States enforce laws or regulations requiring government agencies and certain types of businesses to establish a BCP? We have summarized the key reasons and major factors that influence why BCP and BCM become legal requirements, as follows.
- To protect the stability and continuity of government operations.
- To prevent damage to the economic system and maintain financial stability.
- To strengthen the country’s critical infrastructure so it can effectively withstand crisis situations.
- Lessons learned from past major incidents.
- To protect critical data and strengthen cybersecurity.
- To ensure that private-sector organizations and their partners maintain aligned continuity requirements.
It can be seen that these factors are all major issues that are important and can lead to widespread damage when disruptions occur—whether in banking and financial systems, national critical infrastructure, or government agencies responsible for emergency response. All of this reflects that the enforcement of BCP laws is a crucial mechanism to ensure that the country is prepared and can recover quickly from all types of risks.
Laws and regulations related to BCP in Thailand
In Thailand, several sectors both private and governmental are required to develop BCP plans. These can be summarized by sector as follows:
Financial institutions and banks
According to the Bank of Thailand’s guidelines on Business Continuity Management (BCM) and the preparation of Business Continuity Plans (BCP) for financial institutions, these requirements apply to commercial banks and specialized financial institutions.
The capital market and securities business operators
The SEC requires securities companies and investment service providers to maintain business continuity systems in accordance with the Capital Market Supervisory Board Notification No. TorThor. 35/2556 and the Office of the Securities and Exchange Commission Notification No. SorNor. 45/2559
All government agencies and state-owned enterprises
According to the Cabinet resolution dated 24 April 2012, which approved the guidelines and measures requiring government agencies to implement crisis preparedness management, all types of government entities including departmental-level agencies, provinces, public organizations, state-owned enterprises, local administrative organizations, higher education institutions, independent agencies, and other government bodies are required to develop BCPs in accordance with the guidelines issued by the Office of the Public Sector Development Commission (OPDC).
Healthcare and medical businesses, especially hospitals
Hospitals are another sector that places great importance on operational continuity, as disruptions to information systems or medical equipment can directly affect patient health and safety. Public hospitals in Thailand, along with other government agencies under the Ministry of Public Health, are required to develop BCPs in accordance with the 2012 Cabinet Resolution on Crisis Preparedness.
Other sectors that are not legally mandated but commonly implement BCPs
Internet and telecommunications service providers
There is no specific law that requires private internet or telecommunications service providers to develop a BCP. However, the NBTC has imposed obligations relating to service continuity, network security, and consumer protection, which implicitly necessitate that operators maintain BCP/BCM plans particularly those holding Type 3 licenses or operating public telecommunications networks. In addition, many major service providers also adopt the ISO 22301 standard even though it is not mandated by law.
Industrial sector
In the manufacturing sector particularly factories with high supply chain risks and those operating under a Just-in-Time (JIT) production model, such as automobile manufacturers, automotive parts producers, and electronic component manufacturers. It is common to adopt the IATF 16949 standard and implement Contingency Plans or even full Business Continuity Plans (BCP) to reduce the risks associated with business disruptions.
Consult on BCP planning with InterRisk Asia
This article helps readers understand key questions regarding BCP and BCM regulations in Thailand how they are enforced, which sectors or organizations are required to comply, and which high‑risk industries are most affected by operational disruptions. Sectors such as financial institutions, banks, critical infrastructure, manufacturing (see our article on IATF 16949 and contingency planning), and hospitals all require BCPs to minimize the impact of disruptions and ensure the continuity of essential operations.
If you are interested in developing a BCP or implementing a BCM system for your organization, you can contact InterRisk’s consulting team for a free initial consultation
InterRisk Asia is a leading business continuity consulting firm in Thailand, operates under the MS&AD Group from Japan.
Experienced consultants with hands-on BCMS expertise
Customized planning tailored to your business context.
Practical tools and templates, with expert support for testing and improvement.
