BIO2: the New Dutch Government Security Standard
As of January 1, 2026, the "baseline" has moved. The transition from BIO 1.04 to BIO2 (Baseline Informatiebeveiliging Overheid 2) is no longer just a technical upgrade; it is a legal evolution. For provinces, water boards, and the central government, BIO2 is now a mandatory framework for self-regulation, while for municipalities it serves as the essential blueprint for meeting the Cyberbeveiligingswet (CbW).
At Forculus, we’ve found that the biggest hurdle isn't the technology; it's the shift from a "checklist" mentality to a risk-based culture.
The Death of BBN
The most significant change in BIO2 is the total abolition of the three Basic Security Levels (BBN1, 2, and 3).
The Old Way: You classified a system as "BBN2" and checked the corresponding boxes.
The New BIO2 Way: You perform a Risk Assessment for every critical process. You decide which measures are "appropriate and proportionate" based on the actual threat to your municipality or agency.
Forculus Pro-Tip: Don't panic about the loss of BBN levels. Use the BIV-classification (Beschikbaarheid, Integriteit, Vertrouwelijkheid) as your compass. If a process has a "High" impact on any of these three, you must implement the ISO 27002 controls plus the specific Overheidsmaatregelen labeled as "Basishygiëne."
Boardroom Responsibility (The "Bestuursaansprakelijkheid")
The BIO2 is now legally anchored in the Cyberbeveiligingswet (CbW). This means information security is officially a "Boardroom Priority."
Forget the firewall for a moment. BIO2 starts with the Board (College van B&W, Gedeputeerde Staten). Under the CbW, administrative leaders are responsible for approving and overseeing the organization's risk management strategy.
Forculus Pro-Tip: Under BIO2 Measure 5.10.1, executives are legally required to possess the skills to recognize cyber risks. At Forculus, we recommend a "Cyber-Leadership Workshop." When a Mayor or Alderman understands that they are personally accountable for the resilience of city services, security moves from an "IT cost" to a "public safety priority."
Building a Functioning ISMS
Under BIO2, having a "Plan-Do-Check-Act" cycle is no longer enough. You must have a functioning Information Security Management System (ISMS) in accordance with ISO 27001:2022.
Ketenbeveiliging (Supply Chain Security)
The overheid (government) is only as strong as its weakest supplier. BIO2 places a heavy emphasis on Ketenbeveiliging.
Accountability via ENSIA
For municipalities, the ENSIA (Eenduidige Normatiek Single Information Audit) remains the primary tool for accountability. However, in 2026, the ENSIA questions have been updated to reflect the BIO2 risk-based approach.
The "In-Control" Statement: Your board must be able to explain why certain risks were accepted and how the implemented measures protect the citizen's data.
2026 Milestones
Nulmeting (baseline measurement: gap analysis of BIO 1.04 vs BIO2): completed
Board training (mandatory governance education): ongoing
ISMS update (transition to ISO 27001:2022): completed
ENSIA reporting (annual accountability based on BIO2): annual
BIO2 implementation is about more than just avoiding a mention in a critical RDI report. It is about maintaining the Public Trust. When a citizen interacts with a Dutch government entity, they expect their data to be safe. BIO2 is the framework that ensures you can meet that expectation.
