The Baseline Information Security for Government (Baseline informatiebeveiliging Overheid or BIO in Dutch) is the fundamental standards framework for information security across all levels of government (central government, municipalities, provinces, and water authorities). Implementing a single standards framework for the entire government provides several advantages.
- Enhancing information security through improved coordination among government bodies and other parties.
- Reducing the administrative burden on government and businesses, including both customers and suppliers, by establishing predictable and uniform security standards.
- Aligning with international regulations and standards.
- Reducing maintenance costs.
The latest Dutch-language version of the BIO is available at bio-overheid.nl, with an English-language version following.
Important updates in BIO2
BIO2 aligns with international security standards (NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl)). It replaces the previous classification into 3 basic security levels (BBNs) with a more transparent, risk-based approach. This enables government agencies to customise measures to specific risks without being limited to the 3 security levels.
Furthermore, the government measures have been revised, with some being eased where possible. However, the mandatory adoption of the NIS2 Directive, implemented in the Netherlands through the law known in Dutch as the Cyberbeveiligingswet (Dutch), has strengthened certain government measures.
The BIO2 and ISO standards
The BIO2 is based on NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl).
- NEN-EN-ISO/IEC 27001:2023 (nl) should be applied to define requirements for establishing, implementing, monitoring, and continually improving an information security management system, as well as to determine the scope of this management system.
- NEN-EN-ISO/IEC 27002:2022 (nl) must be implemented using a risk-based approach when drafting suitable control measures.
When control measures from the ISO standard are required based on the identified risk, government organisations must implement at least the measures outlined in BIO2. This approach guarantees a baseline of information security and promotes cooperation.
Considering the risks, organisations should implement additional security measures beyond the ISO standard controls and government measures outlined in the BIO. They can choose standards that suit their needs. Examples include the Cybersecurity Implementation Guideline (CSIR) (Dutch) for Operational Technology (OT) security or NEN7510 for healthcare information.
The Cyberbeveiligingswet and statutory self-regulation
Between the Government-wide Digital Government Policy Consultation on 23 September 2025 and the enactment of the Dutch NIS2 implementation through the Cyberbeveiligingswet (Cbw), provinces, water authorities, and the central government will adopt BIO2 as their statutory self-regulatory framework. Consequently, BIO1 v1.04zv will no longer apply to these entities.
During this period, municipalities will continue to use BIO1 v1.04zv for their statutory self-regulation while also adopting BIO2 as a guiding framework. In collaborative agreements, the involved parties will decide on the application of BIO2. The designated (principal) contracting authority will determine which version takes priority.
BIO2 version 1.3
BIO2 as a legal duty of care
In line with the National Cybersecurity Strategy, the BIO2 will be included as a duty of care in the ministerial regulation for the government sector under the Cbw, as part of the Dutch implementation of the NIS2 Directive. With the Cbw coming into effect, the application of the government measures outlined in the BIO2 for securing network and information systems will become mandatory.
The ministerial regulation under the Cbw refers to the publication of BIO2 version 1.3 in the Government Gazette (Staatscourant).
Statutory self-regulation after the introduction of the Cbw
Even after the Cbw takes effect, the BIO2 will continue to function as statutory self-regulation for organisations not covered by the Cbw. This includes the High Councils of State, the Ministry of Defence, the General Intelligence and Security Service (AIVD), and the police. These organisations will remain bound to the BIO2 through a decision by the Council of Ministers, as announced in the Government Gazette.
The same applies to autonomous administrative bodies (ZBOs) that are exempt from the Cbw. Joint arrangements beyond the scope of the Cbw will also remain subject to the BIO2 through their contracting authority. As a result, the BIO2 effectively applies to all government organisations.
Statutory self-regulation remains in force for the application of the BIO2 to aspects of information security not covered by the Cbw, such as the security of information on paper. This also applies to 3 government measures that fall outside the scope of the Cbw; these are marked in the BIO2.
Maintenance and management of BIO2
The Intergovernmental BIO Working Group is responsible for maintaining the BIO2. Under the chairmanship of the Ministry of the Interior and Kingdom Relations (BZK), the group includes representatives from all levels of government:
- CIO of the Central Government
- Association of Netherlands Municipalities (VNG)
- Interprovincial Consultation (IPO)
- Dutch Water Authorities (UvW)
The working group further includes:
- Several large executive agencies
- Standardisation Forum (Forum Standaardisatie)
- National Cyber Security Centre (NCSC)
- Centre for Information Security and Privacy Protection (CIP)
The Core Intergovernmental Consultation Body (IBO) is responsible for decision-making regarding the BIO. The IBO comprises representatives from the 4 government tiers, meeting under the chairmanship of the Ministry of BZK.
As the BIO2 is a government-wide product, the aim is to gather feedback from all user groups. Users can provide continuous feedback via GitHub (partly Dutch). The BIO Working Group processes this feedback to develop the next version.
The goal is to release the next version of the BIO2 by the end of 2027. To achieve this, the CIP will launch an evaluation with all government tiers in 2026.
Collaboration
To assist organisations in implementing BIO2, the CIP has produced a range of guidance documents. These include a BIO self-assessment, frequently asked questions, and a ‘before and after’ list highlighting the differences between BIO2 and previous versions.
In addition, at the request of the Ministry of BZK, the CIP is running an implementation support campaign that features events and practical guidance. This helps organisations raise their information security to a higher level.
For more information on BIO2 in Dutch (an English-language version will soon follow), please visit bio-overheid.nl.




