On 5 March 2026, BIO2 version 1.3 was published in the Government Gazette (Staatscourant). The Baseline Information Security for Government (BIO) provides the government-wide framework for information security across Central Government, municipalities, provinces, and water authorities.
Version 1.3 replaces version 1.04 for digital communications with the central government. It also replaces version 1.2, which the Government-wide Policy Consultation on Digital Government (OBDO) approved on 23 September 2025. This update renders the old circular 2019-0000684575 (Dutch) obsolete.
Why a new version?
Because of its connection to the ministerial regulation implementing the NIS2 Directive in Dutch law, known as the Cyberbeveiligingswet (Cbw), this updated version includes several minor adjustments. These cover elimination of inconsistencies, addition of clarifications, and improved alignment with the Cbw.
Furthermore, 3 government measures are now exempt from Cbw requirements because they fall outside the Cbw’s scope, which focuses solely on the security of network and information systems. However, mandatory self-regulation still applies to these measures. The government-wide Core Information Security Office (Kern-IBO), responsible for this, has approved these changes. The exempted measures are clearly marked in the text.
The ministerial regulation under the Cbw directly refers to this publication in the Government Gazette (Staatscourant) for the mandatory government measures outlined in BIO2.
Support and next steps
BIO2 version 1.3 is also available at bio-overheid.nl (currently only in Dutch). Here, you can find a variety of support resources, including the podcast series ‘BIO2 in Practice’ (Dutch) and the guide ‘Leadership in Action’ (Dutch).
The aim is to release the next version of BIO2 by the end of 2027. To prepare for this, the Centre for Information Security and Privacy Protection (CIP) will launch an evaluation with all government tiers in 2026.
