For government organisations, compliance with the Baseline Information Security for Government (BIO) is already mandatory. Its revised version, BIO2, largely fulfils the duty of care under the Cyberbeveiligingswet (the Dutch implementation of the NIS2 Directive) for the government sector.
Compliance with existing government information security frameworks, such as BIO2, is therefore an important starting point. The BIO has been revised in parallel with the Cyberbeveiligingswet, resulting in BIO2, which aligns with the Cyberbeveiligingswet’s principles, such as the proper application of risk management.
For other obligations, additional guidance to help organisations prepare for the Cyberbeveiligingswet is available on other websites:
- For instance, the FAQ’s on the National Cyber Security Centre’s website (Dutch)
- Resources and services on the Centre for Information Security and Privacy’s website (Dutch)
- As well as our Tooling page (Dutch)
Enactment of the Cyberbeveiligingswet
The Cyberbeveiligingswet will enter into force once both the House of Representatives and the Senate have approved it. This is expected in Q2 2026, though the exact timing depends on the progress of parliamentary proceedings.
