As of January 1, 2026, the "baseline" has moved. The transition from BIO 1.04 to BIO2 (Baseline Informatiebeveiliging Overheid 2) is no longer just a technical upgrade, it is a legal evolution. For provinces, water boards, and the central government, BIO2 is now a mandatory framework for self-regulation, while for municipalities, it serves as the essential blueprint for meeting the Cyberbeveiligingswet (CbW).

In the Dutch business landscape of 2026, ISO 27001 is no longer just a "nice-to-have" certificate for your lobby. With the Cyberbeveiligingswet (CbW) now in force, ISO 27001 has become the primary defensive shield for directors. It is the most robust way to prove you have met your legal "duty of care."

The era of "voluntary" cybersecurity for Dutch businesses has officially ended. With the Cyberbeveiligingswet (CbW), the Dutch implementation of NIS2, expected to be fully active by Q2 2026, the stakes have moved from IT departments to boardrooms.