On 5 March 2026, BIO2 version 1.3 was published in the Government Gazette (Staatscourant). The Government Information Security Baseline (BIO) provides the government-wide framework for information security across Central Government, municipalities, provinces, and water authorities.
Version 1.3 replaces version 1.04 for digital communications with Central Government. It also replaces version 1.2, which the Government-Wide Policy Consultation on Digital Government (OBDO) approved on 23 September 2025. This update renders the old circular 2019-0000684575 (Dutch) obsolete.
Why a new version?
Because of its connection with the ministerial regulation under the Cybersecurity Act (Cyberbeveiligingswet, Cbw, Dutch), this updated version includes several minor adjustments. These cover elimination of inconsistencies, addition of clarifications, and improved alignment with the Cybersecurity Act (Cyberbeveiligingswet, Cbw, Dutch).
Furthermore, three government measures are now exempt from Cbw requirements because they fall outside the act’s scope, which focuses solely on the security of network and information systems. However, mandatory self-regulation still applies to these measures. The government-wide Core Information Security Office (Kern-IBO), responsible for this, has approved these changes. The exempted measures are clearly marked in the text.
The ministerial regulation under the Cbw directly refers to this Staatscourant publication for the mandatory government measures outlined in BIO2.
Support and Next Steps
BIO2 version 1.3 is also available at bio-overheid.nl (Dutch). Here, you can find a variety of support materials, including the podcast series ‘BIO2 in Practice’ (Dutch) and the guide ‘Leadership in Action’ (Dutch).
The aim is to release the next version of BIO2 by the end of 2027. To prepare for this, the Centre for Information Security and Privacy Protection (CIP) will launch an evaluation with all government tiers in 2026.
