As of 11 November 2025, an online consultation is open, allowing citizens, businesses, and government organisations to respond to new cybersecurity rules for the government sector. The new rules are part of the Government Sector Cybersecurity Regulation.
These new rules are part of the Cybersecurity Act (Dutch) and the Cybersecurity Decree. Both the Act and the Decree have been previously submitted for consultation as part of the legislative process.
Ministerial regulation for the public sector
The Government Sector Cybersecurity Regulation will add specific provisions for the public sector to the existing Cybersecurity Act and Cybersecurity Decree. This is similar to the proposed regulations for other sectors currently under consultation.
The Government Sector Cybersecurity Regulation consists of several components:
- A comprehensive overview of the duty of care regarding information, including the mandatory application of the Baseline Information Security Government 2 (BIO2).
- A clear security outline of the circumstances requiring incident reporting.
- The identification of various Computer Security Incident Response Teams (CSIRTs) assigned to different groups of government entities.
Would you like to join? Here’s how it works
Everyone is invited to provide their feedback, including governments, businesses, experts, and citizens. The consultation will be open from 11 November to 23 December 2025. Following this period, all responses will be evaluated, and adjustments will be made to the regulations where needed.
The government intends to bring the laws, decrees and regulations into force in the second quarter of 2026.
