On September 23, 2025, the Government-wide Digital Government Policy Consultation (OBDO) adopted the updated Government Information Security Baseline (BIO2). The BIO2 applies directly as mandatory self-regulation for provinces, water boards and the national government, and as a guiding framework for municipalities.
The BIO2 replaces the earlier version (BIO 1.04) and aligns more closely with international security standards such as ISO/IEC 27001:2023 and ISO/IEC 27002:2022. One important change is that the division into three Basic Security Levels (BBNs) disappears. It is replaced by a risk-based approach, which allows organizations to better tailor their measures to specific risks.
In addition, the government measures have been updated: some have been relaxed, others strengthened to comply with the European NIS2 Directive. The BIO2 will also be included in the new Cybersecurity Act (Cbw), which implements NIS2 in the Netherlands. This will make the BIO2 the standard framework for the government's duty of care in information security.
According to the Ministry of the Interior and Kingdom Relations, the use of one uniform standards framework for all levels of government offers clear advantages: stronger chain cooperation, reduced administrative burden, predictable security standards and lower maintenance costs.
To support the transition, the Center for Information Security and Privacy Protection (CIP) is launching an implementation campaign. Organizations will receive tools such as a self-assessment, frequently asked questions and an overview of the most important changes.
The BIO2 will remain in place as mandatory self-regulation for organizations that fall outside the scope of the law, such as Defense and the AIVD, even after the Cybersecurity Act takes effect.