The Government Information Security Baseline (Baseline informatiebeveiliging Overheid or BIO in Dutch) is the basic standards framework for information security within all levels of government (central government, municipalities, provinces and water authorities). The use of a single standards framework for the entire government offers several advantages:
- Enhancing information security through improved coordination among government bodies and other parties.
- Reducing the administrative burden on government and businesses, including both customers and suppliers, by establishing predictable and uniform security standards.
- Alignment with international regulations and standards.
- Reducing maintenance costs.
The latest version of the BIO is available at bio-overheid.nl.
Important updates in BIO2
BIO2 aligns with the current international security standards, NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl). It replaces the previous classification into three basic security levels (basisbeveiligingsniveaus, BBNs) with a more transparent, risk-based approach, so that government organisations can tailor their measures to the risks they actually identify instead of being confined to one of three predefined levels.
The government measures have also been revised, and some have been relaxed where possible. At the same time, BIO2 must implement the NIS2 Directive, which has been transposed into Dutch law by the Cyber Security Act (Dutch), and this has led to certain government measures being strengthened.
The BIO2 and ISO standards
The BIO2 is based on NEN-EN-ISO/IEC 27001:2023 (nl) and NEN-EN-ISO/IEC 27002:2022 (nl).
- NEN-EN-ISO/IEC 27001:2023 (nl) is applied to the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS), and to defining the scope of that management system.
- NEN-EN-ISO/IEC 27002:2022 (nl) is applied in a risk-driven manner when selecting appropriate controls.
Where the risk assessment shows that a control from the ISO standard is needed, government organisations must implement at least the corresponding government measures set out in BIO2. This guarantees a minimum level of information security across government and makes cooperation between organisations easier.
Where the risks warrant it, organisations should implement additional security measures beyond the ISO controls and the government measures in the BIO, choosing supplementary standards that fit their situation. Examples are the Cybersecurity Implementation Guideline (CSIR) (Dutch) for Operational Technology (OT) security and NEN 7510 for information security in healthcare.
The Cyber Security Act (Cbw) and BIO2
As set out in the National Cybersecurity Strategy (NLCS), the Dutch government is integrating BIO2 into the Cyber Security Act (Cbw), the law that implements the NIS2 Directive. BIO2 will serve as the standards framework that gives substance to the government's duty of care in information security, ensuring a consistent and coordinated approach to cybersecurity. Adopting BIO2 in this way raises awareness, simplifies the transition to the Cbw, and reduces the regulatory burden on government organisations.
Including BIO2 in the ministerial regulation under the Cyber Security Act does not change the substance of the existing measures. Some government measures may, however, fall outside the legal obligation: those that lie beyond the scope of the Cbw and its ministerial regulation, which cover the security of network and information systems. The next version of BIO2 must align more closely with the Cbw and better reflect the Act's terminology and legal provisions.