The Government Information Security Baseline (Baseline informatiebeveiliging Overheid, or BIO, in Dutch) is the fundamental standards framework for information security across all levels of government (central government, municipalities, provinces, and water authorities). Implementing a single standards framework for the entire government provides several advantages:
- Enhancing information security through improved coordination among government bodies and other parties.
- Reducing the administrative burden on government and businesses, including both customers and suppliers, by establishing predictable and uniform security standards.
- Alignment with international regulations and standards.
- Reducing maintenance costs.
The latest English-language version of the BIO is available at bio-overheid.nl.
Important updates in BIO2
BIO2 aligns with international security standards (NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl)). It replaces the previous classification into three basic security levels (BBNs) with a more transparent, risk-based approach. This enables government agencies to customise measures to specific risks without being limited to the three security levels.
Furthermore, the government measures have been revised, with some being eased where possible. However, the mandatory adoption of the NIS2 Directive, implemented in the Dutch Cyber Security Act (Dutch), has strengthened certain government measures.
The BIO2 and ISO standards
The BIO2 is based on NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl).
- NEN-EN-ISO/IEC 27001:2023 (nl) should be applied to define requirements for establishing, implementing, monitoring, and continually improving an information security management system, as well as to determine the scope of this management system.
- NEN-EN-ISO/IEC 27002:2022 (nl) must be implemented using a risk-based approach when drafting suitable control measures.
When control measures from the ISO standard are required based on the identified risk, government organisations must implement at least the measures outlined in BIO2. This approach guarantees a baseline of information security and promotes cooperation.
Where the identified risks warrant it, organisations should implement additional security measures beyond the ISO standard controls and the government measures outlined in the BIO. They are free to choose the standards that suit their needs. Examples include the Cybersecurity Implementation Guideline (CSIR) (Dutch) for Operational Technology (OT) security and NEN 7510 for healthcare information.
The Cyber Security Act (Cbw) and BIO2
The Dutch government is integrating BIO2 into the Cyber Security Act (Cbw), which implements the NIS2 Directive, as outlined in the National Cybersecurity Strategy (NLCS). BIO2 will act as the standards framework for the government’s duty of care in information security, ensuring a consistent and coordinated approach to cybersecurity. Adopting BIO2 will raise awareness, simplify the transition to the Cbw, and reduce regulatory burdens across government organisations.
Including BIO2 in the ministerial regulation under the Cyber Security Act does not alter the substance of the existing measures. However, some government measures may be exempt from legal obligation, namely those that fall outside the scope of the Cbw and its ministerial regulation, which concern the security of networks and information systems. The next version of BIO2 must align more closely with the Cbw and better reflect the Act’s language and legal provisions.
Maintenance and management of BIO2
The Intergovernmental Working Group on BIO is responsible for maintaining the BIO. Under the chairmanship of the Ministry of the Interior and Kingdom Relations (BZK), the group includes representatives from all levels of government:
- CIO Central Government (CIO Rijk)
- Association of Netherlands Municipalities (VNG)
- Interprovincial Consultation (IPO)
- Dutch Water Authorities (UvW)
The working group also includes:
- several major implementing organisations
- Standardisation Forum (Forum Standaardisatie)
- National Cyber Security Centre (NCSC)
- Centre for Information Security and Privacy Protection (CIP)
Decisions regarding the BIO are made within the Core Intergovernmental Consultation Body (IBO), where representatives from the four government tiers meet under the chairmanship of the Ministry of BZK.
As the BIO is a government-wide product, the aim is to gather experiences from all user groups. Users of the BIO can provide ongoing feedback via GitHub (Dutch). The BIO Working Group reviews this feedback to develop the next version.
Collaboration
To support organisations in implementing BIO2, the CIP has produced a range of guidance documents, including a BIO Self-Assessment, frequently asked questions, and a ‘before and after’ list highlighting the differences between BIO2 and previous versions.
In addition, at the request of the Ministry of BZK, the CIP is running an implementation support campaign that features events and practical guidance. This helps organisations raise the standard of their information security.
For more information, please visit bio-overheid.nl.